On Friday, 04/22/2011 at 01:49 EDT, "Martin, Terry R. (CMS/CTR) (CTR)" <terry.mar...@cms.hhs.gov> wrote: > We have be told by the auditors to set the AUTOLOG and LINK to in the > PASSWORD_ON_CMDS parameter to ?NO? on the SYSTEM CONFIG Features statement. It > seems that we tried this the last time the auditors mentioned this and we had > problems and did not change it. I can?t remember what the issues were. > > Can anyone comment on what I would need to be aware of if this change was made? > I do XAUTOLOG our z/Linux guests at startup time so would I need to change > anything there?
In a fully secured VM system (i.e. with an ESM), the only command that requires a password is LOGON. All other actions (LINK, XAUTOLOG) are (should be) managed by the ESM without a dependency on passwords. Without an ESM, passwords are avoided for LINK and AUTOLOG by putting the LINK and AUTOLOG statements in the appropriate directory entry. If you simply MUST make a disk vulnerable to improper access by storing its password on some other disk (i.e. in an exec), then use ADDRESS COMMAND "LINK..." as that will override the no-password-on-LINK directive. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 mobile; 607.321.7556 alan_altm...@us.ibm.com IBM Endicott
