Re: Client login with admin id and password
Hello Paul,

this message would probably not help very much. People quite often restore files from one machine to a different one. This is possible if you know nodename and password and can be done without access as administrator. What I would like to get is a clear indication that someone accessed data using an administrator id.

Best regards
Gerhard
---
Gerhard Rentschler           email: [EMAIL PROTECTED]
Regional Computing Center    tel. ++49/711/685 5806
University of Stuttgart      fax: ++49/711/682357
Allmandring 30a
D 70550 Stuttgart
Germany

> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Baines, Paul
> Sent: Friday, March 28, 2003 12:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
I just noticed this information message in TSM server 5.1.6.1: ANR1639I. This seems to be an indication that a node's IP address has changed. Look at the last three fields in a q node f=d. This message could then be sent to your monitoring software, or you could run a daily script against the actlog table to search for it; then you have a list of any client connections that could be possible security breaches. I haven't tested this, just noticed it this second, but it looks like a nice feature.

> Date: Mar 17, 11:56
> From: Paul Zarnowski <[EMAIL PROTECTED]>
Re: Client login with admin id and password
Don,

DSMCAD isn't the only exposure.

With DSMCAD on, a help desk person can be working on node DESKTOP1 and cause files TO BE RESTORED to node PAYROLSERVER.

But even with DSMCAD turned off, I can be on my node DESKTOP1 and do:

    dsm -virtualnodename=PAYROLSERVER

I override the password popup with my admin id, and I can restore files from PAYROLSERVER to MY desktop. Now I have a copy of the payroll files, and nobody knows it but me. There is no footprint left on PAYROLSERVER (because its password was not changed). The only footprint in the TSM activity log is that the SESSION STARTED message in the activity log shows a different IP address (but with DHCP that may not be a reliable bit of information).

Just wanted to make that clear.

Personally, I would PREFER to see a server audit trail for any TSM access that is done by overriding the normal password. But I agree with you that most sites' auditability requirements would be satisfied with having the admin id displayed in the SESSION STARTED message any time it is used to override the normal password.

The inability of the TSM administrator to get at information without leaving a footprint was a SELLING point when we originally bought this software, and I was NOT happy when they added the "feature" that opened this hole. But, I haven't made a lot of noise about it. I just make sure not too many people have SYSTEM level access.

Thanks
Wanda

> -----Original Message-----
> From: DFrance [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 19, 2003 2:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
>> Using DSMCAD (ie, remote-web-client) is where there is no auditability to indicate who accessed what data...
>> and, this is ALSO the most convenient interface for remote/help-desk/TSMadmin restore assistance.

Isn't this logged in dsmwebcl.log (userid and IP)?
Re: Client login with admin id and password
Some customers mitigate this security issue by eliminating the DSMCAD service, as a matter of policy; that's probably okay for some businesses -- not likely okay for help-desk when supporting desktop users.

A number of requirements are being considered (thru SHARE) along the lines of better security and/or security-audit; with Windows, the TSM admin can do restores (via machine login) using his NT-network ID which is part of the backup operators group -- without the need for DSMCAD. Using DSMCAD (ie, remote-web-client) is where there is no auditability to indicate who accessed what data... and, this is ALSO the most convenient interface for remote/help-desk/TSMadmin restore assistance.

We need to better articulate the requirement for the level of audit needed -- and where it applies -- such as, must there be an audit file that shows every file/directory restored and/or even viewed using alternate/admin ID? The simplest (and minimal) solution might be to include the admin's ID in the activity log, at session start time, reflecting "session started for Node xxx (using admin-ID yyy)". But this only says who, and when, not what was accessed/downloaded. (And, of course, the ENCRYPT option, as Andy suggests.)

Can you help?

Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, Ca (408) 257-3037
mailto:[EMAIL PROTECTED] (change aye to a for replies)
Professional Association of Contract Employees (P.A.C.E. -- www.pacepros.com)

> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED]] On Behalf Of Gerhard Rentschler
> Sent: Tuesday, March 18, 2003 7:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
Hi Andy,

We back up about 450 Windows clients; all but 50 use DHCP, so the IP address isn't fixed.

I think the requirement is probably to be able to tell WHO accessed the data, meaning at least the real userid, when the nodename has been overridden. But I think the people who have to conform to HIPAA will have to write the requirement. HIPAA doesn't apply to this particular site, so I only get bugged occasionally about auditing; I don't know what the full HIPAA requirement actually is.

But I suspect there are a lot more TSM users out there that don't realize they have the "feature" that lets admins access backup data without changing the password or creating an audit trail.

Thanks (as always!) for your interest and participation...
Wanda

> -----Original Message-----
> From: Andrew Raibeck [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 18, 2003 12:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
Hi Wanda,

True, but isn't the node name different in both messages? If XNBOSS is normally used (for example) from IP address 128.244.81.53 but now it is accessed from 128.244.81.137, then there is your "trail". Agreed it isn't ideal, but if you suspected that someone was covertly accessing XNBOSS's data, the different IP address would be a clue.

Don't get me wrong, like I said, there is other work that we can do. I am not an expert on security issues in general, and have only heard vaguely about HIPAA (or whatever it is)... but I would encourage customers who would like to see more security/audit trails in TSM to let their marketing reps know (and maybe this is something that can be taken up via a SHARE requirement). Please provide as much detail as possible in describing the requirement (i.e. how *exactly* do you want TSM to behave?) so that we can better understand the need.

In the meantime, users concerned with this should consider using the INCLUDE.ENCRYPT option to encrypt sensitive data. This will prevent anyone else from restoring it (provided that the originating node owner doesn't give out the encryption key). Just don't forget the key, or else you won't be able to get the data back!

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/[EMAIL PROTECTED]
Internet e-mail: [EMAIL PROTECTED] (change eye to i to reply)
The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.

> "Prather, Wanda" <[EMAIL PROTECTED]>
> Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
> 03/18/2003 10:04
> Please respond to "ADSM: Dist Stor Manager"
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
Andy,

ANR0406 just shows the nodename for the client:

03/18/2003 11:51:39 ANR0406I Session 70211 started for node PRATHW1 (WinNT) (Tcp/Ip 128.244.81.137(1160)).

When I access data from another machine (not my own) using dsm -virtualnodename and override the client's password with my admin id, the text for ANR0406 STILL just shows the nodename:

03/18/2003 11:51:39 ANR0406I Session 70211 started for node XNBOSS (WinNT) (Tcp/Ip 128.244.81.137(1160)).

You can't see that I (as administrator) accessed the data from that node and restored it to my own machine, thereby gaining access to data I normally don't have the rights to see.

I think that's why people who have to comply with the new HIPAA (? I don't remember the exact acronym) privacy laws are concerned about auditing for this access.

But then I'm still at 4.2.1.15. Is it different in 5.1?

> -----Original Message-----
> From: Andrew Raibeck [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 18, 2003 10:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
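Paul Baines's daily-script idea (search the actlog for ANR1639I) and Andy's different-address clue, as an added example that is not part of this thread and not IBM/Tivoli code: a small Python detector run over constructed activity-log lines laid out like the ANR0406I messages quoted above. It assumes the ANR0406I layout shown in Wanda's message, a constructed ANR1639I line (matched only by its message number, since the real text is not quoted here), and a baseline dict standing in for the TCP address fields of q node f=d. It also flags the pattern visible in Wanda's two lines, one source address starting sessions for two different node names, which survives DHCP better than a per-node address check.

```python
import re
from collections import defaultdict

# ANR0406I layout copied from the lines quoted in the thread.
SESSION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) ANR0406I Session (?P<sess>\d+) "
    r"started for node (?P<node>\S+) \((?P<platform>[^)]*)\) "
    r"\(Tcp/Ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<port>\d+)\)\)\.?\s*$"
)

# Constructed sample actlog, modelled on the two lines quoted above: PRATHW1's
# own address (.137) later starts a session for XNBOSS, which normally uses .53.
# The ANR1639I text is constructed; only the message number is relied on.
SAMPLE_ACTLOG = """\
03/18/2003 09:02:11 ANR0406I Session 70190 started for node XNBOSS (WinNT) (Tcp/Ip 128.244.81.53(1502)).
03/18/2003 09:15:40 ANR0406I Session 70195 started for node PRATHW1 (WinNT) (Tcp/Ip 128.244.81.137(1133)).
03/18/2003 11:51:39 ANR0406I Session 70211 started for node XNBOSS (WinNT) (Tcp/Ip 128.244.81.137(1160)).
03/18/2003 11:52:02 ANR1639I Attributes changed for node XNBOSS (constructed sample text).
03/18/2003 12:03:17 ANR0406I Session 70215 started for node PRATHW1 (WinNT) (Tcp/Ip 128.244.81.137(1171)).
""".splitlines()


def parse_sessions(lines):
    """Return (timestamp, node, ip) for every ANR0406I line; other messages are skipped."""
    out = []
    for line in lines:
        m = SESSION_RE.match(line.strip())
        if m:
            out.append((m.group("ts"), m.group("node").upper(), m.group("ip")))
    return out


def analyze(lines, baseline=None):
    """
    Return findings as (kind, subject, detail) tuples, in log order.

      'new-address'    a node with a known address set connected from a new one
      'shared-address' one source address has now started sessions for >1 node
      'anr1639'        the server itself logged a node attribute change

    baseline maps node -> set of addresses it normally uses (hypothetical input,
    e.g. taken from q node f=d).  Addresses seen in the log are learned as they
    appear, so each new address is reported once.  DHCP sites will get noise
    from 'new-address' (Wanda's caveat); the other two kinds are less affected.
    """
    known = defaultdict(set)
    for node, ips in (baseline or {}).items():
        known[node.upper()].update(ips)
    nodes_by_ip = defaultdict(set)
    findings = []
    for line in lines:
        if " ANR1639I " in line:
            findings.append(("anr1639", None, line.strip()))
            continue
        m = SESSION_RE.match(line.strip())
        if not m:
            continue  # any other message type is ignored
        ts, node, ip = m.group("ts"), m.group("node").upper(), m.group("ip")
        # Clue 1: node seen from an address outside its known set.
        if known[node] and ip not in known[node]:
            findings.append(("new-address", node,
                             f"{ip} at {ts}; known: {', '.join(sorted(known[node]))}"))
        known[node].add(ip)
        # Clue 2: the same source address now serves more than one node name,
        # the pattern a -virtualnodename session from someone's own desktop leaves.
        others = nodes_by_ip[ip]
        if others and node not in others:
            others.add(node)
            findings.append(("shared-address", ip, ", ".join(sorted(others))))
        others.add(node)
    return findings


def run_sample():
    """Run the detector over the constructed sample with XNBOSS's usual address as baseline."""
    return analyze(SAMPLE_ACTLOG, baseline={"XNBOSS": {"128.244.81.53"}})


if __name__ == "__main__":
    for kind, subject, detail in run_sample():
        print(f"{kind:15} {subject or '-':16} {detail}")
```

In practice the input would be the output of a scheduled select against the actlog table (or a dsmadmc query saved to a file) rather than the embedded sample.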
Re: Client login with admin id and password
TSM does leave some footprints. Refer to messages ANR0406I and ANR1639I.

With that said, I suppose that TSM could be made even more secure (at the cost of flexibility), but I would say that this falls into the area of "requirement", not "defect".

Regards,

Andy

> Gerhard Rentschler <[EMAIL PROTECTED]>
> Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
> 03/18/2003 08:11
> Please respond to "ADSM: Dist Stor Manager"
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
Hello,

> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul

that's what I would like to have. In Germany we have a law which requires that access to data which is related to individuals must be restricted and logged. That means that on request it should be possible to tell who accessed the data. With TSM this is not possible. Is it possible to open a pmr on this ground?

Best regards
Gerhard
Re: Client login with admin id and password
Zlatko,

What you say is of course true, but in many environments, the TSM administrator is not assumed to have root access to all of the systems that are backed up into TSM. This security "feature" is not akin to having root access on a system. Rather, it is akin to having root access to ALL systems backed up into a TSM server. Not the same thing at all in many environments.

Paul Baines said:
> One could always export a node's data and import it on a different TSM server. There you can change the password without anyone knowing.

This is also true, and I did think of that, but an export would leave tracks in the actlog on the source TSM server.

IMHO, the TSM server really needs to leave better tracks for this type of activity.

..Paul

At 03:35 AM 3/18/2003 +0200, Zlatko Krastev/ACIT wrote:

--
Paul Zarnowski                          Ph: 607-255-4757
719 Rhodes Hall, Cornell University     Fx: 607-255-8521
Ithaca, NY 14853-3801                   Em: [EMAIL PROTECTED]
Re: Client login with admin id and password
One could always export a node's data and import it on a different TSM server. There you can change the password without anyone knowing.

> -----Original Message-----
> From: Paul Zarnowski [mailto:[EMAIL PROTECTED]]
> Sent: 17 March 2003 17:54
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
Re: Client login with admin id and password
Paul, if I am UNIX root I would be able to perform "su " and act on his behalf. I fully agree with you that TSM ought to provide some kind of logging in this case (just to write in actlog the admin's name instead of the node ought to be enough). OTOH, going back to UNIX, I can edit the /var/adm/sulog file.

Zlatko Krastev
IT Consultant

Paul Zarnowski <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
17.03.2003 18:53
Please respond to "ADSM: Dist Stor Manager"

To: [EMAIL PROTECTED]
cc:
Subject: Re: Client login with admin id and password

Dwight,

What you say is true, but if an admin changes the node's password, they have left tracks. They cannot change the password back to what it was, unless they knew what it was to start with. The next time the client goes to use TSM, they will be aware that their password was changed.

I was amazed to find out that admins could do this without leaving tracks. This is somewhat disconcerting.

..Paul

At 09:03 AM 3/12/2003 -0800, Cook, Dwight E wrote:
>Well, since a "system privileged admin id" could change the node's password
>and then connect without using their admin id & password (use the one they
>just set it to) I can see why the straight use of their id & password would
>be allowed.
>
>Just another reason why management should pay their TSM admins well ;-)
>
>Dwight
>
>
>
>-Original Message-
>From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, March 12, 2003 10:01 AM
>To: [EMAIL PROTECTED]
>Subject: Client login with admin id and password
>
>
>Hello,
>I always thought that a tsm admin does not have access to client data. I
>think I learned something new.
>Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and
>password (system privilege) gives access to node tarzan's data. At least it
>is possible to list the files. I haven't tried to restore data. This is
>indeed documented. However, I would prefer if there were a message in the
>activity log saying that an admin id was used.
>Am I wrong? Could someone explain this feature in more detail?
>
>Best regards
>Gerhard
>---
>Gerhard Rentschler          email: [EMAIL PROTECTED]
>Regional Computing Center   tel.   ++49/711/685 5806
>University of Stuttgart     fax:   ++49/711/682357
>Allmandring 30a
>D 70550
>Stuttgart
>Germany

--
Paul Zarnowski                          Ph: 607-255-4757
719 Rhodes Hall, Cornell University     Fx: 607-255-8521
Ithaca, NY 14853-3801                   Em: [EMAIL PROTECTED]
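The gap Zlatko and Gerhard describe above (the activity log records the node name, not which admin id opened the session) can be partly compensated on the defender's side by watching where a node's sessions come from: a session for node TARZAN that does not originate from TARZAN's own address is the thing worth a look, whether it was an admin using -node= from another box or someone who learned the node password. The script below is an added example, not code from this thread or from IBM. It parses constructed activity-log lines whose layout is modelled on the TSM session-start message ANR0406I (the exact field layout is an assumption; check it against your own server's output), and flags sessions from an address other than the one an administrator has recorded for that node, plus sessions for nodes missing from that inventory.

```python
import re
from typing import Dict, List

# Constructed inventory: the address each node is expected to connect from.
# In practice the TSM admin keeps this out of band (assumption of this example).
EXPECTED_ADDR: Dict[str, str] = {
    "TARZAN": "10.1.1.20",
    "JANE": "10.1.1.21",
}

# Constructed sample activity-log extract. The line layout imitates the TSM
# session-start message ANR0406I but is an assumption, not captured server output.
SAMPLE_ACTLOG = """\
03/12/2003 10:01:12 ANR0406I Session 1041 started for node TARZAN (AIX) (Tcp/Ip 10.1.1.20(32771)).
03/12/2003 10:05:40 ANR0406I Session 1042 started for node JANE (WinNT) (Tcp/Ip 10.1.1.21(1034)).
03/12/2003 10:07:02 ANR0406I Session 1043 started for node TARZAN (AIX) (Tcp/Ip 10.9.9.5(40010)).
03/12/2003 10:08:15 ANR0403I Session 1043 ended for node TARZAN (AIX).
03/12/2003 10:09:30 ANR0406I Session 1044 started for node CHEETAH (Linux86) (Tcp/Ip 10.1.1.30(2049)).
"""

# Only session-start lines are of interest; everything else is ignored.
SESSION_START = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) ANR0406I Session (?P<sid>\d+) "
    r"started for node (?P<node>\S+) \((?P<platform>[^)]*)\) "
    r"\(Tcp/Ip (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\((?P<port>\d+)\)\)"
)


def parse_session_starts(text: str) -> List[dict]:
    """Return one record (timestamp, session id, node, platform, addr, port)
    per session-start line in the extract."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_START.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def flag_unexpected_sources(text: str, expected: Dict[str, str]) -> List[dict]:
    """Flag sessions whose source address differs from the node's recorded
    address, and sessions for nodes that are not in the inventory at all."""
    findings = []
    for s in parse_session_starts(text):
        known = expected.get(s["node"])
        if known is None:
            s["reason"] = "node not in inventory"
            findings.append(s)
        elif known != s["addr"]:
            s["reason"] = f"expected {known}"
            findings.append(s)
    return findings


if __name__ == "__main__":
    for f in flag_unexpected_sources(SAMPLE_ACTLOG, EXPECTED_ADDR):
        print(f"{f['ts']} session {f['sid']} node {f['node']} "
              f"from {f['addr']}:{f['port']} ({f['reason']})")
```

Run daily over the previous day's extract (pulling it with dsmadmc's query actlog is the obvious route; the filtering options available to that command on your server level are something to verify, not something this example relies on). What the check cannot do is name the admin: it only tells you that the node's data was touched from somewhere other than the node's own host, which is exactly the question Gerhard asked the server to answer.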
Re: Client login with admin id and password
Dwight,

What you say is true, but if an admin changes the node's password, they have left tracks. They cannot change the password back to what it was, unless they knew what it was to start with. The next time the client goes to use TSM, they will be aware that their password was changed.

I was amazed to find out that admins could do this without leaving tracks. This is somewhat disconcerting.

..Paul

At 09:03 AM 3/12/2003 -0800, Cook, Dwight E wrote:
>Well, since a "system privileged admin id" could change the node's password
>and then connect without using their admin id & password (use the one they
>just set it to) I can see why the straight use of their id & password would
>be allowed.
>
>Just another reason why management should pay their TSM admins well ;-)
>
>Dwight
>
>-Original Message-
>From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, March 12, 2003 10:01 AM
>To: [EMAIL PROTECTED]
>Subject: Client login with admin id and password
>
>Hello,
>I always thought that a tsm admin does not have access to client data. I
>think I learned something new.
>Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and
>password (system privilege) gives access to node tarzan's data. At least it
>is possible to list the files. I haven't tried to restore data. This is
>indeed documented. However, I would prefer if there were a message in the
>activity log saying that an admin id was used.
>Am I wrong? Could someone explain this feature in more detail?
>
>Best regards
>Gerhard
>---
>Gerhard Rentschler          email: [EMAIL PROTECTED]
>Regional Computing Center   tel.   ++49/711/685 5806
>University of Stuttgart     fax:   ++49/711/682357
>Allmandring 30a
>D 70550
>Stuttgart
>Germany

--
Paul Zarnowski                          Ph: 607-255-4757
719 Rhodes Hall, Cornell University     Fx: 607-255-8521
Ithaca, NY 14853-3801                   Em: [EMAIL PROTECTED]
Re: Client login with admin id and password
So right Wanda!

I just tried in 4.2 using my sys admin id and its password to connect with, then tried to look at a backup of:

    tsm> q backup /usr/tivoli/tsm/client/ba/bin/dsm.sys
    ANS1092E No files matching search criteria were found
    tsm> q backup /usr/tivoli/tsm/client/ba/bin/dsm.sys -inact
    ANS1092E No files matching search criteria were found
    tsm> quit
    [EMAIL PROTECTED]/home/zdec23 > ls -l /usr/tivoli/tsm/client/ba/bin/dsm.sys
    -rw-r--r--   1 root     system      5086 Oct 29 06:09 /usr/tivoli/tsm/client/ba/bin/dsm.sys

Then I tried as myself with the proper node password, still couldn't see the backup copy of the file...

Then tried as "root" with the proper node password, worked just fine :-)

       Size      Backup Date           Mgmt Class  A/I  File
       ----      -----------           ----------  ---  ----
      5,086   10/30/2002 06:07:46      DEFAULT     A    /usr/tivoli/tsm/client/ba/bin/dsm.sys
    tsm>

Yet another reason to stay current on code!

Dwight

-Original Message-
From: Prather, Wanda [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 12:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Client login with admin id and password

That USED to be true. The ability to access client data using the admin id and password was added as a feature somewhere, maybe 3.7, don't remember.

-Original Message-
From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject: Client login with admin id and password

Hello,
I always thought that a tsm admin does not have access to client data. I think I learned something new.
Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and password (system privilege) gives access to node tarzan's data. At least it is possible to list the files. I haven't tried to restore data. This is indeed documented. However, I would prefer if there were a message in the activity log saying that an admin id was used.
Am I wrong? Could someone explain this feature in more detail?

Best regards
Gerhard
---
Gerhard Rentschler          email: [EMAIL PROTECTED]
Regional Computing Center   tel.   ++49/711/685 5806
University of Stuttgart     fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany
Re: Client login with admin id and password
That USED to be true. The ability to access client data using the admin id and password was added as a feature somewhere, maybe 3.7, don't remember.

-Original Message-
From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 11:01 AM
To: [EMAIL PROTECTED]
Subject: Client login with admin id and password

Hello,
I always thought that a tsm admin does not have access to client data. I think I learned something new.
Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and password (system privilege) gives access to node tarzan's data. At least it is possible to list the files. I haven't tried to restore data. This is indeed documented. However, I would prefer if there were a message in the activity log saying that an admin id was used.
Am I wrong? Could someone explain this feature in more detail?

Best regards
Gerhard
---
Gerhard Rentschler          email: [EMAIL PROTECTED]
Regional Computing Center   tel.   ++49/711/685 5806
University of Stuttgart     fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany
Re: Client login with admin id and password
I am presenting TSM as a solution to a local hospital and I expect they will have lots of security questions. Thanks in advance for all input.

Has anyone used the include.encrypt option on a production system?
Have you seen CPU processing significantly change on the client or server?
Does it require more LAN/WAN bandwidth to backup / restore?
Is it available for all supported platforms?

sal

Sal Mangiapane
Vital Data Systems, LLC

> -Original Message-
> From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] Behalf Of
> Andrew Raibeck
> Sent: Wednesday, March 12, 2003 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client login with admin id and password
>
>
> Data backed up by the client can be encrypted via the include.encrypt
> option. Unless you know the encryption key, you can not restore the data.
>
> CAUTION: If the user who encrypted the data loses/forgets the key, then
> the data can not be restored, and there is nothing IBM can do to help.
>
> Regards,
>
> Andy
>
> Andy Raibeck
> IBM Software Group
> Tivoli Storage Manager Client Development
> Internal Notes e-mail: Andrew Raibeck/Tucson/[EMAIL PROTECTED]
> Internet e-mail: [EMAIL PROTECTED] (change eye to i to reply)
>
> The only dumb question is the one that goes unasked.
> The command line is your friend.
> "Good enough" is the enemy of excellence.
> -- snip --
Re: Client login with admin id and password
Data backed up by the client can be encrypted via the include.encrypt option. Unless you know the encryption key, you can not restore the data.

CAUTION: If the user who encrypted the data loses/forgets the key, then the data can not be restored, and there is nothing IBM can do to help.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/[EMAIL PROTECTED]
Internet e-mail: [EMAIL PROTECTED] (change eye to i to reply)

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.

"Cook, Dwight E" <[EMAIL PROTECTED]>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]>
03/12/2003 10:03
Please respond to "ADSM: Dist Stor Manager"

To: [EMAIL PROTECTED]
cc:
Subject: Re: Client login with admin id and password

Well, since a "system privileged admin id" could change the node's password and then connect without using their admin id & password (use the one they just set it to) I can see why the straight use of their id & password would be allowed.

Just another reason why management should pay their TSM admins well ;-)

Dwight

-Original Message-
From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: Client login with admin id and password

Hello,
I always thought that a tsm admin does not have access to client data. I think I learned something new.
Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and password (system privilege) gives access to node tarzan's data. At least it is possible to list the files. I haven't tried to restore data. This is indeed documented. However, I would prefer if there were a message in the activity log saying that an admin id was used.
Am I wrong? Could someone explain this feature in more detail?

Best regards
Gerhard
---
Gerhard Rentschler          email: [EMAIL PROTECTED]
Regional Computing Center   tel.   ++49/711/685 5806
University of Stuttgart     fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany
Re: Client login with admin id and password
Well, since a "system privileged admin id" could change the node's password and then connect without using their admin id & password (use the one they just set it to) I can see why the straight use of their id & password would be allowed.

Just another reason why management should pay their TSM admins well ;-)

Dwight

-Original Message-
From: Gerhard Rentschler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 10:01 AM
To: [EMAIL PROTECTED]
Subject: Client login with admin id and password

Hello,
I always thought that a tsm admin does not have access to client data. I think I learned something new.
Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and password (system privilege) gives access to node tarzan's data. At least it is possible to list the files. I haven't tried to restore data. This is indeed documented. However, I would prefer if there were a message in the activity log saying that an admin id was used.
Am I wrong? Could someone explain this feature in more detail?

Best regards
Gerhard
---
Gerhard Rentschler          email: [EMAIL PROTECTED]
Regional Computing Center   tel.   ++49/711/685 5806
University of Stuttgart     fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany
Re: Client login with admin id and password
With a tsm client (same client level or higher), same OS (or compatible), an admin user (system priv) and valid password you can restore any data from the client to the place you want it to go. Yep, it can be a security issue.

We like to use dsm(c) -optfile=(name of one of our tsm servers).opt -virtualnodename=(name of node). Makes life very easy.

-Original Message-
From: Sal Mangiapane [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 17:26
To: [EMAIL PROTECTED]
Subject: Re: Client login with admin id and password

That is very interesting. In the US, the government has some "acts" that are concerned with privacy. There is HIPAA for health care industry patient data protection and GLBA for the financial industry consumer data protection.

Is anyone using TSM to protect data that is affected by either HIPAA or GLBA? If so, have you taken any specific measures to comply with the requirements?

sal

Sal Mangiapane
Vital Data Systems, LLC

>
> Hello,
> I always thought that a tsm admin does not have access to client data. I
> think I learned something new.
> Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and
> password (system privilege) gives access to node tarzan's data. At least it
> is possible to list the files. I haven't tried to restore data. This is
> indeed documented. However, I would prefer if there were a message in the
> activity log saying that an admin id was used.
> Am I wrong? Could someone explain this feature in more detail?
>
> Best regards
> Gerhard
> ---
> Gerhard Rentschler          email: [EMAIL PROTECTED]
> Regional Computing Center   tel.   ++49/711/685 5806
> University of Stuttgart     fax:   ++49/711/682357
> Allmandring 30a
> D 70550
> Stuttgart
> Germany
>
Re: Client login with admin id and password
That is very interesting. In the US, the government has some "acts" that are concerned with privacy. There is HIPAA for health care industry patient data protection and GLBA for the financial industry consumer data protection.

Is anyone using TSM to protect data that is affected by either HIPAA or GLBA? If so, have you taken any specific measures to comply with the requirements?

sal

Sal Mangiapane
Vital Data Systems, LLC

>
> Hello,
> I always thought that a tsm admin does not have access to client data. I
> think I learned something new.
> Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and
> password (system privilege) gives access to node tarzan's data. At least it
> is possible to list the files. I haven't tried to restore data. This is
> indeed documented. However, I would prefer if there were a message in the
> activity log saying that an admin id was used.
> Am I wrong? Could someone explain this feature in more detail?
>
> Best regards
> Gerhard
> ---
> Gerhard Rentschler          email: [EMAIL PROTECTED]
> Regional Computing Center   tel.   ++49/711/685 5806
> University of Stuttgart     fax:   ++49/711/682357
> Allmandring 30a
> D 70550
> Stuttgart
> Germany
>
Client login with admin id and password
Hello,
I always thought that a tsm admin does not have access to client data. I think I learned something new.
Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and password (system privilege) gives access to node tarzan's data. At least it is possible to list the files. I haven't tried to restore data. This is indeed documented. However, I would prefer if there were a message in the activity log saying that an admin id was used.
Am I wrong? Could someone explain this feature in more detail?

Best regards
Gerhard
---
Gerhard Rentschler          email: [EMAIL PROTECTED]
Regional Computing Center   tel.   ++49/711/685 5806
University of Stuttgart     fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany