Ted MacNEIL [EMAIL PROTECTED] wrote:
There is a directory structure and it is maintained by a
utility/command/service machine called DIRMAINT.
Invoking DIRMAINT is called EDITING.
Um...sort of. There is a directory structure, and it is maintained by hand (by
editing the source directory -- a
On 11/2/2005 4:30 PM, Mark Yuhas wrote:
Thanks for the suggestions.
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark
Um...sort of. There is a directory structure, and it is maintained by hand
(by editing the source directory -- a flat file)
...
Isn't there a CMS/CP command called DIRMaint?
I seem to recall using that to set up my static connections to other CMS
mini-disks.
Invoking DIRMAINT is not called
In [EMAIL PROTECTED], on 11/02/2005
at 08:59 AM, Paul Gilmartin [EMAIL PROTECTED] said:
What's in a name?
In an operating system? Everything.
Doesn't VM/SP have (or was it earlier releases?) a file with similar
function?
Sure, but the auditor didn't ask for it and it might not have been
In [EMAIL PROTECTED], on 11/02/2005
at 02:06 PM, Walt Farrell [EMAIL PROTECTED] said:
I'm not sure I understand how you would expect an auditor to be able
to verify that a vendor hadn't shipped a trojan horse. You really
want all the auditors visiting all the vendors and personally
In [EMAIL PROTECTED], on 11/02/2005
at 02:15 PM, Patrick O'Keefe [EMAIL PROTECTED] said:
Unless I misunderstand what you said, I think we're saying about the
same thing.
No.
But if the vendor *does* require an authorized library then the
auditor might want to approach the vendor.
If the
In [EMAIL PROTECTED], on 11/02/2005
at 08:46 PM, Robert A. Rosenberg [EMAIL PROTECTED] said:
It is not a security breach if you are using Shadow Tables (where the
Password is NOT in the /etc/passwd file).
But does the auditor know that?
--
Shmuel (Seymour J.) Metz, SysProg and JOAT
On Thu, 3 Nov 2005 00:00:00 GMT Ted MacNEIL [EMAIL PROTECTED]
wrote:
:Um...sort of. There is a directory structure, and it is maintained by hand
(by editing the source directory -- a flat file)
:...
:Isn't there a CMS/CP command called DIRMaint?
I remember it as a service machine which would
At 07:53 -0500 on 11/03/2005, Shmuel Metz (Seymour J.) wrote about
Re: Module description:
In [EMAIL PROTECTED], on 11/02/2005
at 08:46 PM, Robert A. Rosenberg [EMAIL PROTECTED] said:
It is not a security breach if you are using Shadow Tables (where the
Password is NOT in the /etc/passwd
In a recent note, Robert A. Rosenberg said:
Date: Wed, 2 Nov 2005 00:38:45 -0500
At 09:02 -0800 on 11/01/2005, Mark Yuhas wrote about Module description:
We are going through a security audit and Sarbanes-Oxley compliance. I
keep getting questions about obscure [IBM] modules
In [EMAIL PROTECTED], on 11/01/2005
at 02:29 PM, Patrick O'Keefe [EMAIL PROTECTED] said:
I suppose an auditor might be trained to ask "Does the vendor say
these modules have to be in an authorized library?" and pass the
question to the vendor only if the answer is Yes.
That's reasonable if the
In
[EMAIL PROTECTED],
on 11/01/2005
at 12:54 PM, Farley, Peter x23353 [EMAIL PROTECTED] said:
Shouldn't any competent auditor who is asking about a vendor's
programs know that they have to ask the vendor, not the user?
Yes.
Shouldn't your only response have to be "Ask IBM"?
That response is
In [EMAIL PROTECTED], on
11/01/2005
at 04:41 PM, Thomas Kern [EMAIL PROTECTED] said:
My favorite auditor request was when an auditor asked for a printout
from my VM/SP system. I had to leave the meeting before my boss could
finish laughing.
The auditor wanted /etc/passwd.
Well that might
In a recent note, Thomas Kern said:
Date: Tue, 1 Nov 2005 16:41:50 -0800
My favorite auditor request was when an auditor asked for a printout from my
VM/SP system. I had to leave the meeting before my boss could finish laughing.
The auditor wanted /etc/passwd.
What's in a name?
The auditor wanted /etc/passwd.
IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
text.
The act of giving the auditor a copy (hardcopy or other) would be an audit
violation.
Of course the fact that this is a VM system (which does not have /etc/passwd)
is
That response is not PC.
No, it's mainframe gr
--
Bruce A. Black
Senior Software Developer for FDR
Innovation Data Processing 973-890-7300
personal: [EMAIL PROTECTED]
sales info: [EMAIL PROTECTED]
tech support: [EMAIL PROTECTED]
web: www.innovationdp.fdr.com
On 2 Nov 2005 08:26:35 -0800, [EMAIL PROTECTED] (Staller,
Allan) wrote:
IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
text.
The act of giving the auditor a copy (hardcopy or other) would be an audit
violation.
I could see someone asking for this - and if given
In a recent note, Staller, Allan said:
Date: Wed, 2 Nov 2005 10:25:47 -0600
The auditor wanted /etc/passwd.
IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
text.
The act of giving the auditor a copy (hardcopy or other) would be an audit
violation.
No. They are, alas, rare. It is a joy to be audited by someone who
actually knows enough to be useful; if there are problems, I want to
know about them.
...
I know of two SYSPROGs that moved to audit.
They both immediately shut down holes they were using when they supported the
systems.
And,
IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
text.
...
The version I used in 1976 at the University of Waterloo, did not.
As a matter of fact, we cracked it by running the encryption algorithm against
the online dictionary used for a spell check application.
Doesn't VM/SP have (or was it earlier releases?) a file with similar
function? I've heard my sysprog speak of editing The Directory
to add a user.
...
There is a directory structure and it is maintained by a
utility/command/service machine called DIRMAINT.
Invoking DIRMAINT is called EDITING.
On 11/2/2005 11:16 AM, Shmuel Metz, Seymour J. wrote:
In [EMAIL PROTECTED], on 11/01/2005
at 02:29 PM, Patrick O'Keefe [EMAIL PROTECTED] said:
I suppose an auditor might be trained to ask "Does the vendor say
these modules have to be in an authorized library?" and pass the
question to the
On Wed, 2 Nov 2005 11:08:26 -0500, Shmuel Metz (Seymour J.) shmuel+ibm-
[EMAIL PROTECTED] wrote:
...
I suppose an auditor might be trained to ask "Does the vendor say
these modules have to be in an authorized library?" and pass the
question to the vendor only if the answer is Yes.
That's
On Wed, 2 Nov 2005 14:06:40 -0500, Walt Farrell [EMAIL PROTECTED]
wrote:
...
I'm not sure I understand how you would expect an auditor to be able to
verify that a vendor hadn't shipped a trojan horse. You really want all
the auditors visiting all the vendors and personally inspecting all the
Thanks for the suggestions.
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark against us in the audit report.
I thought
Mark Yuhas wrote:
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark against us in the audit report.
I wonder what
Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Farley, Peter x23353
Sent: Tuesday, November 01, 2005 11:54 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Module description
Shouldn't any competent auditor who is asking about a vendor's programs
know
that they have to ask the vendor, not the user
I'm sorry but your auditor is an idiot and may in fact be violating the
terms of your vendor's license agreements (at least partially).
Most license agreements expressly prohibit reverse engineering licensed
code and the copyright notification makes it pretty clear that you don't
have any
Sorry, guys, but I have to take the other side.
The vendor has *no* control over how you implement the software. Or if
you choose to remove a piece and replace it. Or if you configure it
such that it does not behave as it is supposed to.
So, take some auditors trying to grapple with a really
At 08:53 -0700 on 11/02/2005, Paul Gilmartin wrote about Re: Module
description:
In a recent note, Robert A. Rosenberg said:
Date: Wed, 2 Nov 2005 00:38:45 -0500
In my opinion, the Auditor has NO valid reason to be asking this
question about ANY IBM (or other Vendor) supplied
At 11:11 -0700 on 11/02/2005, Paul Gilmartin wrote about Re: Module
description:
IIRC on a traditional *NIX system, /etc/passwd contains the
password in clear text.
The act of giving the auditor a copy (hardcopy or other) would be
an audit violation.
No. Encrypted. Otherwise everyone
I don't know how many releases ago, but, IBM published a manual called
Module Descriptions. The manual contained concise information about
modules and some of the attributes.
Does IBM have anything similar now?
We are going through a security audit and Sarbanes-Oxley compliance. I
keep
-Original Message-
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Yuhas
Sent: Tuesday, November 01, 2005 11:02 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Module description
I don't know how many releases ago, but, IBM published a manual called
Module
:[EMAIL PROTECTED]
Sent: Tuesday, November 01, 2005 12:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Module description
I don't know how many releases ago, but, IBM published a manual called
Module Descriptions. The manual contained concise information about modules
and some of the attributes.
Does IBM
-Original Message-
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of Farley, Peter x23353
Sent: Tuesday, November 01, 2005 11:54 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Module description
Shouldn't any competent auditor who is asking about a
vendor's
On Tue, 1 Nov 2005 12:54:03 -0500, Farley, Peter x23353
[EMAIL PROTECTED] wrote:
Shouldn't any competent auditor who is asking about a vendor's programs
know
that they have to ask the vendor, not the user? Shouldn't your only
response have to be "Ask IBM"?
...
I suppose an auditor might be
My favorite auditor request was when an auditor asked for a printout from my
VM/SP system. I had to leave the meeting before my boss could finish laughing.
The auditor wanted /etc/passwd.
/Tom Kern
--- McKown, John [EMAIL PROTECTED] wrote:
Shouldn't any competent auditor who is asking about
At 09:02 -0800 on 11/01/2005, Mark Yuhas wrote about Module description:
We are going through a security audit and Sarbanes-Oxley compliance. I
keep getting questions about obscure [IBM] modules and their functions.
In my opinion, the Auditor has NO valid reason to be asking this
question