Re: Automated Logoff of CMS user
On Tuesday, 06/08/2010 at 11:11 EDT, Michael Coffin michaelcof...@mccci.com wrote:
> NIST SP 800-53 Control: The information system automatically terminates a session after 15 minutes of inactivity. We argued that, in its literal sense, Session Termination means forcing the z/VM virtual machine off (not FORCE DSC, since the "session" is arguably still active when disconnected), and that this "heavy handed" action would result in potential data loss and lost work (e.g. open Xedit sessions, TDisk/VDisk usage, etc. - any number of things).

Why would you argue that session means server? When you ssh into a server and terminate the ssh session after 15 minutes of activity, do you terminate the server? You do not. All you are terminating is the ssh session. Look at all uses of the word session in 800-53; none of them could be construed to mean server.

> We were not successful in getting (Federal) auditors to waive the requirement, but once they understood the environment they agreed that taking such action is inappropriate in a z/VM environment. We took what is called a "Risk Based Decision" (RBD) that can be easily defended to both Management and Security types.

Even if you argue that session in the context of 800-53 means any network connection to The Server, excluding server-server and user-server connections necessary to fulfill the primary function of The Server in a manner appropriate to and consistent with established SLAs, data loss still may occur if you were to cause the 15-minute time bomb to start ticking. So you either must take action in response to lit-fuse conditions (see *VMEVENT system service), or disable the time bomb completely.

> It's very unfortunate, but these "security standards" that ALL Information Systems are supposed to adhere to were written WITHOUT consideration of individual platform architecture(s) and capabilities. We spend the majority of our time during Federal security audits explaining WHY the control is not applicable to z/VM systems.
The standard should be blind to the implementation. Inherent in that statement is that the standard cannot be, then, tuned in a way that prefers a particular implementation. I should live so long.

> One of my favorites is the requirement to regularly run software approved for the purpose of identifying and controlling "malicious code". There is no such thing in a z/VM CMS environment, since there is no "malicious code" no "malicious code scanning program" has ever been written.

I beg to differ. Before you discard it out of hand, consider the effect of the requirement on your ability to host e-mail using z/VM IMAP. In that case you would be actively looking for an e-mail scanner that could read the IMAP data store. Since it's in SFS, that means you need a CMS-based scanner. Or you might instead have a compensating control that inspects traffic flowing to/from IMAP.

Your claim that there is no such thing as malicious code for CMS is [at least] philosophically untrue. (You can't prove something does not exist.) That reminds me. The Chuckster has this CMS program that puts up pictures of cute little kittens and puppies on your 3270 session. It's so cute! Aww! He will send it right away. Heh heh heh. }:-p (Down, Chuckie, Down!)

But I would agree that the bar to *effective* malicious code on CMS is sufficiently high that it makes no business sense to worry about it. After all, everyone has a POLICY that sysadmins may not run non-business-related or any unvalidated code on their privileged accounts (without regard to platform), right? [crickets chirping] Some do not even allow freeware, with or without exceptions for the semi-trusted VM Download Library. And even if allowed, it goes without saying that one always reads/scans/peruses/glances at the source code and/or runs things downloaded from the Library on a test system first to verify that they do only what is claimed. Unless, of course, all your friends are doing it. In which case it must be alright. Ahem.
> We always have to take an RBD on a control that simply does not apply, and spend hours explaining how "files" might be transmitted to a virtual machine, but require explicit user interaction to load/run them and/or receive them from the virtual card reader.

All cases of z/VM Evildoing by class G users upon others require the willing participation of the victim. I'm not aware of any actions an unprivileged user can take to coerce another virtual machine to do something it has not been [pre-]configured to do. (This is claim #3 of the z/VM Integrity Statement.)

Alan Altmark
z/VM Development
IBM Endicott
Re: Automated Logoff of CMS user
> Why would you argue that session means server? When you ssh into a server and terminate the ssh session after 15 minutes of activity, do you terminate the server? You do not. All you are terminating is the ssh session. Look at all uses of the word session in 800-53; none of them could be construed to mean server.

I wouldn't argue that session means server, I would argue that session means user. To remove the user's session you must remove the active user. In this example z/VM is the server. Perhaps I wasn't clear that we are a traditional interactive CMS shop that has users that log on via TN3270 and run CMS applications.

> I beg to differ. Before you discard it out of hand, consider the effect of the requirement on your ability to host e-mail using z/VM IMAP. In that case you would be actively looking for an e-mail scanner that could read the IMAP data store. Since it's in SFS, that means you need a CMS-based scanner. Or you might instead have a compensating control that inspects traffic flowing to/from IMAP.

We DO host email using z/VM-based POP and SMTP servers. I'm still unclear how PEEK is going to be compromised such that it downloads and executes a CMS file (although I suppose IBM might modify PEEK in the future, accidentally open a back door that would allow something like that to happen - the fact that they haven't done so in 40+ years notwithstanding). :)

> Your claim that there is no such thing as malicious code for CMS is [at least] philosophically untrue. (You can't prove something does not exist.) That reminds me. The Chuckster has this CMS program that puts up pictures of cute little kittens and puppies on your 3270 session. It's so cute! Aww! He will send it right away. Heh heh heh. }:-p (Down, Chuckie, Down!)

Well, I WAS going to mention XMASCARD EXEC ... :)

-Mike
Re: Automated Logoff of CMS user
My concern about the requirement to run an anti-virus type program on z/VM is not that we don't need one, but that we don't have one to run. We do run a z/VM-CMS based webserver and with it we deliver binary files to end-users. Yes, this can and will be replaced by a linux/x86 solution, but our source of the data is currently z/VM-CMS based and under different circumstances the z/VM-CMS environment would be exploited more, not less. Without a z/VM-CMS based anti-virus type program to run against a specific set of files that are intended for delivery to end-users, I cannot promote the use of z/VM-CMS based webservers.

/Tom Kern

Alan Altmark wrote:
> ... snipped...
>
> On Tuesday, 06/08/2010 at 11:11 EDT, Michael Coffin michaelcof...@mccci.com wrote:
> > One of my favorites is the requirement to regularly run software approved for the purpose of identifying and controlling "malicious code". There is no such thing in a z/VM CMS environment, since there is no "malicious code" no "malicious code scanning program" has ever been written.
>
> I beg to differ. Before you discard it out of hand, consider the effect of the requirement on your ability to host e-mail using z/VM IMAP. In that case you would be actively looking for an e-mail scanner that could read the IMAP data store. Since it's in SFS, that means you need a CMS-based scanner. Or you might instead have a compensating control that inspects traffic flowing to/from IMAP.
>
> ...more snipped...
Re: Automated Logoff of CMS user
> Of course, VM's ability to disconnect the session from the virtual machine accomplishes the same thing, but it's rather heavy handed.
>
> Alan Altmark
> z/VM Development
> IBM Endicott

There are actually two different controls being discussed here (both under NIST SP 800-53):

1.1.1 AC-11: Session Lock
NIST SP 800-53 Control: The information system prevents further access to the system by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures.
NIST SP 800-53 Control Enhancements: None.

We have successfully argued that the workstation screensaver provides this functionality and satisfies this control. Hence, it is an inherited control.

1.1.2 AC-12: Session Termination
NIST SP 800-53 Control: The information system automatically terminates a session after 15 minutes of inactivity.
NIST SP 800-53 Control Enhancements: None.

We argued that, in its literal sense, Session Termination means forcing the z/VM virtual machine off (not FORCE DSC, since the "session" is arguably still active when disconnected), and that this "heavy handed" action would result in potential data loss and lost work (e.g. open Xedit sessions, TDisk/VDisk usage, etc. - any number of things). We were not successful in getting (Federal) auditors to waive the requirement, but once they understood the environment they agreed that taking such action is inappropriate in a z/VM environment. We took what is called a "Risk Based Decision" (RBD) that can be easily defended to both Management and Security types.

It's very unfortunate, but these "security standards" that ALL Information Systems are supposed to adhere to were written WITHOUT consideration of individual platform architecture(s) and capabilities. We spend the majority of our time during Federal security audits explaining WHY the control is not applicable to z/VM systems.
One of my favorites is the requirement to regularly run software approved for the purpose of identifying and controlling "malicious code". There is no such thing in a z/VM CMS environment, since there is no "malicious code", no "malicious code scanning program" has ever been written. We always have to take an RBD on a control that simply does not apply, and spend hours explaining how "files" might be transmitted to a virtual machine, but require explicit user interaction to load/run them and/or receive them from the virtual card reader.

Federal audits are NOT fun, Federal audits of z/VM systems are the hardest of the bunch!

-Mike
Re: Automated Logoff of CMS user
-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark

> Natch. One must always challenge a flawed finding. Likewise, one must accept the valid ones. Wisdom is knowing the difference. [With apologies to Dr. Niebuhr.]

I tend to fall into the "discretion is the greater part of valour" camp, but again, YMMV. I guess I've reached the point in life where crusades are less fun than they used to be.

> No, key lock is not reported, being a completely local phenomenon. I was thinking along the lines of the host causing the emulator to enable the workstation's (or its own) lock program just by sending a special order or structured field. When the user types a password, the data flows back to the host for validation. Kind of like an http challenge.

It would have to be inside the terminal emulator itself. Screen lock in most desktop systems is separate from individual applications and you wouldn't have the ability to modify/trigger it. Too bad about the key lock. That would have been elegant. VM -- just turn the key.

> Of course, VM's ability to disconnect the session from the virtual machine accomplishes the same thing, but it's rather heavy handed.

I've always found auditors to err on the side of the solution that has the potential to annoy the most number of people with the least likelihood of being traced back to them. 8-)

-- db
Re: Automated Logoff of CMS user
Actually he had been the junior on the audit team two years before. He remembered arguing with me and gave up earlier than his boss had done. But winning these audit battles doesn't really help you with the audit team themselves, but helps your boss remember that you really do know what you are talking about, and they might back you up a bit more.

/Tom Kern

On Tue, 1 Jun 2010 19:42:54 -0500, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote:
> Wah? Someone has gotten the same auditor 2x? And one that knows how to spell VM? That sounds like an exposure right there :P )
>
> Marcy
>
> -Original Message-
> From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Thomas Kern
> Sent: Tuesday, June 01, 2010 5:32 PM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: [IBMVM] Automated Logoff of CMS user
>
> > If they come back and say LOGOFF, then argue with them on the real security of the terminated communications path and the requirement for reauthentication prior to any user interaction with programs in that virtual machine. If you win, it may be a small victory but it will help you the next time you need to argue bigger things with them.
> >
> > /Tom Kern
Automated Logoff of CMS user
Hi,

This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.

Thanks!

Thank You,
Terry Martin
Lockheed Martin - Citic
z/OS and z/VM Performance Tuning and Operating Systems Support
Office - 443 348-2102
Cell - 443 632-4191
Re: Automated Logoff of CMS user
If you have the Performance Toolkit, it's got the FC FORCEUSR commands.

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Martin, Terry R. (CMS/CTR) (CTR)
Sent: Tuesday, June 01, 2010 9:47 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Automated Logoff of CMS user

> Hi,
>
> This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> Thanks!
>
> Thank You,
> Terry Martin
> Lockheed Martin - Citic
> z/OS and z/VM Performance Tuning and Operating Systems Support
Re: Automated Logoff of CMS user
> This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.

If your users log in via tn3270, you can use idle timeouts in the TCPIP virtual machine to kill idle connections, and let the CP READ time bomb take care of it.

Otherwise, if you have PERFKIT or something similar, there is an idle timer in those products where you can use the information gathered by the performance monitor to determine when a user has been idle for a period of time, and take a useful action (e.g., detach devices and then force them off).
Re: Automated Logoff of CMS user
On Tuesday, 06/01/2010 at 10:27 EDT, David Boyes dbo...@sinenomine.net wrote:
> If your users log in via tn3270, you can use idle timeouts in the TCPIP virtual machine to kill idle connections, and let the CP READ time bomb take care of it.

With care, as an idle terminal does not imply an idle virtual machine.

Alan Altmark
z/VM Development
IBM Endicott
Re: Automated Logoff of CMS user
Have you looked at the TUNEFRC function, part of zVPS (Velocity Performance Suite)?

Martin, Terry R. (CMS/CTR) (CTR) wrote:
> Hi,
>
> This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> Thanks!
>
> Thank You,
> Terry Martin
> Lockheed Martin - Citic
> z/OS and z/VM Performance Tuning and Operating Systems Support
Re: Automated Logoff of CMS user
On Tuesday, 06/01/2010 at 09:51 EDT, Martin, Terry R. (CMS/CTR) (CTR) terry.mar...@cms.hhs.gov wrote:
> This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.

You opened the door, Terry, so I will walk through it: What policy would drive an auditor to create such a finding? I just have trouble with a policy that says "After a CMS user has been logged on for [n] minutes, log them off." To what end? And is it really only CMS users? In Linux systems the CMS users are the admins and SVMs, none of whom should be logged off (IMO). (I might buy FORCE DISC, but not logoff.)

Alan Altmark
z/VM Development
IBM Endicott
Re: Automated Logoff of CMS user
What exactly is the audit finding you're trying to fix? The answer may vary based on the wording of the finding...

Scott Rohling

On Tue, Jun 1, 2010 at 7:47 AM, Martin, Terry R. (CMS/CTR) (CTR) terry.mar...@cms.hhs.gov wrote:
> Hi,
>
> This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> Thanks!
>
> Thank You,
> Terry Martin
> Lockheed Martin - Citic
> z/OS and z/VM Performance Tuning and Operating Systems Support
Re: Automated Logoff of CMS user
> With care, as an idle terminal does not imply an idle virtual machine.

Indeed, although I suspect his auditor is whining about terminals left unattended.
Re: Automated Logoff of CMS user
And an idle virtual machine doesn't imply that it's not waiting for something important to happen, or NOT happen! Audit findings don't come from the Deity!

Les

Alan Altmark wrote:
> On Tuesday, 06/01/2010 at 10:27 EDT, David Boyes dbo...@sinenomine.net wrote:
> > If your users log in via tn3270, you can use idle timeouts in the TCPIP virtual machine to kill idle connections, and let the CP READ time bomb take care of it.
>
> With care, as an idle terminal does not imply an idle virtual machine.
>
> Alan Altmark
> z/VM Development
> IBM Endicott
Re: Automated Logoff of CMS user
On Tue, Jun 1, 2010 at 5:02 PM, Alan Altmark alan_altm...@us.ibm.com wrote:
> On Tuesday, 06/01/2010 at 09:51 EDT, Martin, Terry R. (CMS/CTR) (CTR) terry.mar...@cms.hhs.gov wrote:
> > This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> You opened the door, Terry, so I will walk through it: What policy would drive an auditor to create such a finding? I just have trouble with a policy that says "After a CMS user has been logged on for [n] minutes, log them off." To what end? And is it really only CMS users? In Linux systems the CMS users are the admins and SVMs, none of whom should be logged off (IMO). (I might buy FORCE DISC, but not logoff.)

This requirement was very popular in the old days with real terminals that were left unattended. Now that people use a termulator program on their desktop, I think the reboot of the desktop satisfies the requirement well enough :-)

On the serious side - when the auditors already require screen saver with password on the desktop to protect the desktop applications from unauthorized fingers poking in, would that not also address your open tn3270 session?

Rob
Re: Automated Logoff of CMS user
> On Tuesday, 06/01/2010 at 09:51 EDT, Martin, Terry R. (CMS/CTR) (CTR) terry.mar...@cms.hhs.gov wrote:
> > This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> You opened the door, Terry, so I will walk through it: What policy would drive an auditor to create such a finding? I just have trouble with a policy that says "After a CMS user has been logged on for [n] minutes, log them off." To what end? And is it really only CMS users? In Linux systems the CMS users are the admins and SVMs, none of whom should be logged off (IMO). (I might buy FORCE DISC, but not logoff.)

Many orgs have a policy that unattended sessions be automatically terminated after X minutes of inactivity, regardless of OS. Most if not all US govt agencies have such policies. For other OSes, that means logoff (or equivalent), since most of the other OSes don't have a disconnect/reconnect option (other than using screen...).
Re: Automated Logoff of CMS user
In which case the solution could be a locking screensaver... That's why we need to hear the exact wording of the policy -- I think we're all assuming too much. ;-)

Scott Rohling

On Tue, Jun 1, 2010 at 9:07 AM, David Boyes dbo...@sinenomine.net wrote:
> > With care, as an idle terminal does not imply an idle virtual machine.
>
> Indeed, although I suspect his auditor is whining about terminals left unattended.
Re: Automated Logoff of CMS user
That's a line managers' and policy enforcement problem.

Les

David Boyes wrote:
> > With care, as an idle terminal does not imply an idle virtual machine.
>
> Indeed, although I suspect his auditor is whining about terminals left unattended.
Re: Automated Logoff of CMS user
Here's an example of one such policy: "A session must be suspended after a period of inactivity not to exceed fifteen minutes. Reauthentication must be required to resume the session."

Now, one could argue that all the desktops/laptops have this capability, but some auditors will read this as needed on each system that has the ability to authenticate. One can argue (and likely lose), or just setup velocity tunefrc or the perftk equiv. We use FORCE DISC which is kinder, gentler.

Marcy

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Tuesday, June 01, 2010 8:02 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Automated Logoff of CMS user

> On Tuesday, 06/01/2010 at 09:51 EDT, Martin, Terry R. (CMS/CTR) (CTR) terry.mar...@cms.hhs.gov wrote:
> > This may have been asked before but I was wondering the best way to automatically log off a CMS user after a designated time frame. This is to address an Audit finding.
>
> You opened the door, Terry, so I will walk through it: What policy would drive an auditor to create such a finding? I just have trouble with a policy that says "After a CMS user has been logged on for [n] minutes, log them off." To what end? And is it really only CMS users? In Linux systems the CMS users are the admins and SVMs, none of whom should be logged off (IMO). (I might buy FORCE DISC, but not logoff.)
>
> Alan Altmark
> z/VM Development
> IBM Endicott
Re: Automated Logoff of CMS user
On Tuesday, 06/01/2010 at 11:08 EDT, David Boyes dbo...@sinenomine.net wrote:
> > With care, as an idle terminal does not imply an idle virtual machine.
>
> Indeed, although I suspect his auditor is whining about terminals left unattended.

Back in 1970 we had no other solution. Things have progressed somewhat since then and a properly mandated and managed end station screen lock will suffice. I say somewhat since I think that the 3270 datastream is ripe for the host to be able to send an enable/disable/query screen lock to the emulator, independent of any OS-level locks, and potentially appropriate to the specific application. (Some apps access more sensitive data than others.)

Alan Altmark
z/VM Development
IBM Endicott
Re: Automated Logoff of CMS user
Yes, I would be arguing with the auditor (and I have actually won a few (but lost more)) .. since anyone with a laptop can also run a keystroke generator to foil inactivity monitors - the security should exist at the workstation level (locking screensaver). If you can't control it (monitoring of inactivity as a security measure) -- it's not secure and not worth any effort.

Scott Rohling

On Tue, Jun 1, 2010 at 9:17 AM, Marcy Cortes marcy.d.cor...@wellsfargo.com wrote:
> Here's an example of one such policy: "A session must be suspended after a period of inactivity not to exceed fifteen minutes. Reauthentication must be required to resume the session."
>
> Now, one could argue that all the desktops/laptops have this capability, but some auditors will read this as needed on each system that has the ability to authenticate. One can argue (and likely lose), or just setup velocity tunefrc or the perftk equiv. We use FORCE DISC which is kinder, gentler.
>
> Marcy
Re: Automated Logoff of CMS user
> > > With care, as an idle terminal does not imply an idle virtual machine.
> >
> > Indeed, although I suspect his auditor is whining about terminals left unattended.
>
> Back in 1970 we had no other solution. Things have progressed somewhat since then and a properly mandated and managed end station screen lock will suffice.

Depends on the auditor. For some, it will. For others, it won't. YMMV.

> I say somewhat since I think that the 3270 datastream is ripe for the host to be able to send an enable/disable/query screen lock to the emulator, independent of any OS-level locks, and potentially appropriate to the specific application. (Some apps access more sensitive data than others.)

I don't remember -- is the state of the key lock reported? If so, you could probably overload the screen lock state onto that 3270 state without having to reengineer stuff.
Re: Automated Logoff of CMS user
I'm with Marcy on this one. You could argue it, but it's trivially easy to do with several methods, so save the effort for something bigger.

-- db

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Scott Rohling
Sent: Tuesday, June 01, 2010 11:29 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Automated Logoff of CMS user

> Yes, I would be arguing with the auditor (and I have actually won a few (but lost more)) .. since anyone with a laptop can also run a keystroke generator to foil inactivity monitors - the security should exist at the workstation level (locking screensaver). If you can't control it (monitoring of inactivity as a security measure) -- it's not secure and not worth any effort.
Re: Automated Logoff of CMS user
We also use FORCE DISC because of the very same situation. The auditors did give ground when we pointed out that the only access to our VM system was via terminal emulator running on a desktop or laptop that was logged on to our development network. They actually did not know that there was already protection in place that met their requirement. After admitting that, they came up with a "But then ..." saying that they were not completely convinced. That is when we proposed the gentler solution that broke the connection between the userid and termulator.

Regards,
Richard Schuh

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Marcy Cortes
Sent: Tuesday, June 01, 2010 8:17 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Automated Logoff of CMS user

> Here's an example of one such policy: "A session must be suspended after a period of inactivity not to exceed fifteen minutes. Reauthentication must be required to resume the session."
>
> Now, one could argue that all the desktops/laptops have this capability, but some auditors will read this as needed on each system that has the ability to authenticate. One can argue (and likely lose), or just setup velocity tunefrc or the perftk equiv. We use FORCE DISC which is kinder, gentler.
>
> Marcy
Re: Automated Logoff of CMS user
Hi,

Sorry for the late response, I did not have connectivity for awhile. Anyway, yes, basically what Marcy mentioned is about what the requirement read. The emulator forcing locking of the desktop did not seem to please them. So I will look into TUNEFRC from velocity. I say LOGOFF because it was their terminology but I will be using FORCE DISC instead.

Thanks for all of the information!

Thank You,
Terry Martin
Lockheed Martin - Citic
z/OS and z/VM Performance Tuning and Operating Systems Support

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard
Sent: Tuesday, June 01, 2010 11:49 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Automated Logoff of CMS user

> We also use FORCE DISC because of the very same situation. The auditors did give ground when we pointed out that the only access to our VM system was via terminal emulator running on a desktop or laptop that was logged on to our development network. They actually did not know that there was already protection in place that met their requirement. After admitting that, they came up with a "But then ..." saying that they were not completely convinced. That is when we proposed the gentler solution that broke the connection between the userid and termulator.
>
> Regards,
> Richard Schuh
Re: Automated Logoff of CMS user
Be careful with FORCE DISC. If the user has any VM:Schedule jobs scheduled for his userid, they won't run if the userid has been left idle and disconnected.

Dennis O'Brien
4 8 15 16 23 42

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Martin, Terry R. (CMS/CTR) (CTR)
Sent: Tuesday, June 01, 2010 09:13
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Automated Logoff of CMS user
Re: Automated Logoff of CMS user
We only disconnect ordinary users that have been idle for 30 minutes. I know of no VM:Schedule jobs here that (a) run on an ordinary CMS userid and (b) sit completely idle for 30 minutes. If someone comes up with such a requirement, then we will address it (probably by helping them change their process).

Regards,
Richard Schuh

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of O'Brien, Dennis L
Sent: Tuesday, June 01, 2010 10:12 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Automated Logoff of CMS user
Re: Automated Logoff of CMS user
If they are whining about unattended terminals, I try to appease them with disconnecting the terminal session, not forcing/killing the user. It applies more directly to their whine and not a broad shotgun-type blast.

/Tom Kern

David Boyes wrote: With care, as an idle terminal does not imply an idle virtual machine.

Indeed, although I suspect his auditor is whining about terminals left unattended.
Re: Automated Logoff of CMS user
Our auditors would indeed insist that the inactive session is not suspended by the screensaver at the desktop, because the session is really between the mainframe and the terminal emulator, not all the way to the person at the keyboard. The screensaver suspends the session between the person and the desktop program.

/Tom Kern
Re: Automated Logoff of CMS user
If they come back and say LOGOFF, then argue with them on the real security of the terminated communications path and the requirement for reauthentication prior to any user interaction with programs in that virtual machine. If you win, it may be a small victory, but it will help you the next time you need to argue bigger things with them.

/Tom Kern
Re: Automated Logoff of CMS user
Wah? Someone has gotten the same auditor 2x? And one that knows how to spell VM? That sounds like an exposure right there :P )

Marcy
Re: Automated Logoff of CMS user
On Tuesday, 06/01/2010 at 11:42 EDT, David Boyes dbo...@sinenomine.net wrote: Depends on the auditor. For some, it will. For others, it won't. YMMV.

Natch. One must always challenge a flawed finding. Likewise, one must accept the valid ones. Wisdom is knowing the difference. [With apologies to Dr. Niebuhr.]

I say "somewhat" since I think that the 3270 datastream is ripe for the host to be able to send an enable/disable/query screen lock to the emulator, independent of any OS-level locks, and potentially appropriate to the specific application. (Some apps access more sensitive data than others.)

I don't remember -- is the state of the key lock reported? If so, you could probably overload the screen lock state onto that 3270 state without having to reengineer stuff.

No, key lock is not reported, being a completely local phenomenon. I was thinking along the lines of the host causing the emulator to enable the workstation's (or its own) lock program just by sending a special order or structured field. When the user types a password, the data flows back to the host for validation. Kind of like an HTTP challenge. Of course, VM's ability to disconnect the session from the virtual machine accomplishes the same thing, but it's rather heavy-handed.

Alan Altmark
z/VM Development
IBM Endicott