At 07:53 -0500 on 11/03/2005, Shmuel Metz (Seymour J.) wrote about
Re: Module description:
In <[EMAIL PROTECTED]>, on 11/02/2005
at 08:46 PM, "Robert A. Rosenberg" <[EMAIL PROTECTED]> said:
It is not a security breach if you are using Shadow Tables (where the
Passw
On Thu, 3 Nov 2005 00:00:00 GMT Ted MacNEIL <[EMAIL PROTECTED]>
wrote:
:>>Um...sort of. There is a directory structure, and it is maintained by hand
:>>(by editing the source directory -- a flat file)
:>...
:>Isn't there a CMS/CP command called DIRMaint?
I remember it as a service machine which w
In <[EMAIL PROTECTED]>, on 11/02/2005
at 08:46 PM, "Robert A. Rosenberg" <[EMAIL PROTECTED]> said:
>It is not a security breach if you are using Shadow Tables (where the
> Password is NOT in the /etc/passwd file).
But does the auditor know that?
--
Shmuel (Seymour J.) Metz, SysProg an
In <[EMAIL PROTECTED]>, on 11/02/2005
at 02:15 PM, "Patrick O'Keefe" <[EMAIL PROTECTED]> said:
>Unless I misunderstand what you said, I think we're saying about the
>same thing.
No.
>But if the vendor *does* require an authorized library then the
>auditor might want to approach the vendor.
I
In <[EMAIL PROTECTED]>, on 11/02/2005
at 02:06 PM, Walt Farrell <[EMAIL PROTECTED]> said:
>I'm not sure I understand how you would expect an auditor to be able
>to verify that a vendor hadn't shipped a trojan horse. You really
>want all the auditors visiting all the vendors and personally
>in
In <[EMAIL PROTECTED]>, on 11/02/2005
at 08:59 AM, Paul Gilmartin <[EMAIL PROTECTED]> said:
>What's in a name?
In an operating system? Everything.
>Doesn't VM/SP have (or was it earlier releases?) a file with similar
>function?
Sure, but the auditor didn't ask for it and it might not have b
>Um...sort of. There is a directory structure, and it is maintained by hand
>(by editing the source directory -- a flat file)
...
Isn't there a CMS/CP command called DIRMaint?
I seem to recall using that to set up my static connections to other CMS
mini-disks.
>Invoking DIRMAINT is not calle
On 11/2/2005 4:30 PM, Mark Yuhas wrote:
Thanks for the suggestions.
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark ag
Ted MacNEIL <[EMAIL PROTECTED]> wrote:
>There is a directory structure and it is maintained by a
>utility/command/service machine called DIRMAINT.
>Invoking DIRMAINT is called EDITING.
Um...sort of. There is a directory structure, and it is maintained by hand (by
editing the source directory --
At 11:11 -0700 on 11/02/2005, Paul Gilmartin wrote about Re: Module
description:
> IIRC on a traditional *NIX system, /etc/passwd contains the
> password in clear text.
The act of giving the auditor a copy (hardcopy or other) would be
an audit violation.
No. Encrypted. Otherwise every
At 08:53 -0700 on 11/02/2005, Paul Gilmartin wrote about Re: Module
description:
In a recent note, Robert A. Rosenberg said:
> Date: Wed, 2 Nov 2005 00:38:45 -0500
> In my opinion, the Auditor has NO valid reason to be asking this
> question about ANY IBM (or other
At 10:06 -0700 on 11/02/2005, Howard Brazee wrote about Re: Module description:
>IIRC on a traditional *NIX system, /etc/passwd contains the
>password in clear text.
>The act of giving the auditor a copy (hardcopy or other) would be
>an audit violation.
I could see someone asking fo
>Sorry, guys, but I have to take the other side.
>The vendor has *no* control over how you implement the software. Or if
>you choose to remove a piece and replace it. Or if you configure it
>such that it does not behave as it is supposed to.
>So, take some auditors trying to grapple with a really
I'm sorry but your auditor is an idiot and may in fact be violating the
terms of your vendor's license agreements (at least partially).
Most license agreements expressly prohibit reverse engineering licensed
code and the copyright notification makes it pretty clear that you don't
have any author
Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Farley, Peter x23353
Sent: Tuesday, November 01, 2005 11:54 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Module description
Shouldn't any competent auditor who is asking about a vendor's programs
know that they have to ask the
>Is there an organization that rates security
>auditors? If not, is it time to create one?
...
My first experience with an auditor was at the Ontario Government.
I asked him what he knew about IT.
He said: “I don't have to know anything about it. I'm a chartered accountant.”
I said: “OKAY! I'm no
On 1 Nov 2005 09:57:53 -0800, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (McKown, John) wrote:
Reminds me of an actual request from an auditor many years ago:
List all possible exits in every piece of software
installed on your MVS
system. Further detail ever
Mark Yuhas wrote:
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark against us in the audit report.
I wonder what C
Thanks for the suggestions.
However, like today, I was questioned about IEECB92S. I finally found
an APAR that describes what the module does.
I do not have the luxury of saying 'Because, IBM did it that way'. I
have to explain or we get another mark against us in the audit report.
I thought i
On Wed, 2 Nov 2005 14:06:40 -0500, Walt Farrell <[EMAIL PROTECTED]>
wrote:
>...
>I'm not sure I understand how you would expect an auditor to be able to
>verify that a vendor hadn't shipped a trojan horse. You really want all
>the auditors visiting all the vendors and personally inspecting all th
On Wed, 2 Nov 2005 11:08:26 -0500, Shmuel Metz (Seymour J.) wrote:
>>...
>>I suppose an auditor might be trained to ask "Does the vendor say
>>these modules have to be in an authorized library?" and pass the
>>question to the vendor only if the answer is "Yes".
>
>That's reasonable if the auditor
On 11/2/2005 11:16 AM, Shmuel Metz , Seymour J. wrote:
In <[EMAIL PROTECTED]>, on 11/01/2005
at 02:29 PM, "Patrick O'Keefe" <[EMAIL PROTECTED]> said:
I suppose an auditor might be trained to ask "Does the vendor say
these modules have to be in an authorized library?" and pass the
question to
>Doesn't VM/SP have (or was it earlier releases?) a file with similar
>function? I've heard my sysprog speak of editing "The Directory"
>to add a user.
...
There is a directory structure and it is maintained by a
utility/command/service machine called DIRMAINT.
Invoking DIRMAINT is called EDITING.
>IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
>text.
...
The version I used in 1976 at the University of Waterloo, did not.
As a matter of fact, we cracked it by running the encryption algorithm against
the online dictionary used for a spell check application.
(I
>No. They are, alas, rare. It is a joy to be audited by someone who
>actually knows enough to be useful; if there are problems, I want to
>know about them.
...
I know of two SYSPROGs that moved to audit.
They both immediately shut down holes they were using when they supported the
systems.
And, th
In a recent note, Staller, Allan said:
> Date: Wed, 2 Nov 2005 10:25:47 -0600
>
>
>
> IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
> text.
> The act of giving the auditor a copy (hardcopy or other) would be an audit
> violation.
>
No. Encrypted. Oth
On 2 Nov 2005 08:26:35 -0800, [EMAIL PROTECTED] (Staller,
Allan) wrote:
>
>IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
>text.
>The act of giving the auditor a copy (hardcopy or other) would be an audit
>violation.
I could see someone asking for this - and if g
That response is not PC.
No, it's mainframe
--
Bruce A. Black
Senior Software Developer for FDR
Innovation Data Processing 973-890-7300
personal: [EMAIL PROTECTED]
sales info: [EMAIL PROTECTED]
tech support: [EMAIL PROTECTED]
web: www.innovationdp.fdr.com
IIRC on a traditional *NIX system, /etc/passwd contains the password in clear
text.
The act of giving the auditor a copy (hardcopy or other) would be an audit
violation.
Of course the fact that this is a VM system (which does not have /etc/passwd)
is laughable.
Obviously this auditor did (i
In a recent note, Thomas Kern said:
> Date: Tue, 1 Nov 2005 16:41:50 -0800
>
> My favorite auditor request was when an auditor asked for a printout from my
> VM/SP system. I had to leave the meeting before my boss could finish laughing.
>
> The auditor wanted /etc/passwd.
>
What's in a
In <[EMAIL PROTECTED]>, on
11/01/2005
at 04:41 PM, Thomas Kern <[EMAIL PROTECTED]> said:
>My favorite auditor request was when an auditor asked for a printout
>from my VM/SP system. I had to leave the meeting before my boss could
>finish laughing.
>The auditor wanted /etc/passwd.
Well that
In
<[EMAIL PROTECTED]>,
on 11/01/2005
at 12:54 PM, "Farley, Peter x23353" <[EMAIL PROTECTED]> said:
>Shouldn't any competent auditor who is asking about a vendor's
>programs know that they have to ask the vendor, not the user?
Yes.
>Shouldn't your only response have to be "Ask IBM"?
That res
In <[EMAIL PROTECTED]>, on 11/01/2005
at 02:29 PM, "Patrick O'Keefe" <[EMAIL PROTECTED]> said:
>I suppose an auditor might be trained to ask "Does the vendor say
>these modules have to be in an authorized library?" and pass the
>question to the vendor only if the answer is "Yes".
That's reason
In a recent note, Robert A. Rosenberg said:
> Date: Wed, 2 Nov 2005 00:38:45 -0500
>
> At 09:02 -0800 on 11/01/2005, Mark Yuhas wrote about Module description:
>
> >We are going through a security audit and Sarbanes-Oxley compliance. I
> >keep getting ques
At 09:02 -0800 on 11/01/2005, Mark Yuhas wrote about Module description:
We are going through a security audit and Sarbanes-Oxley compliance. I
keep getting questions about obscure [IBM] modules and their functions.
In my opinion, the Auditor has NO valid reason to be asking this
question
My favorite auditor request was when an auditor asked for a printout from my
VM/SP system. I had to leave the meeting before my boss could finish laughing.
The auditor wanted /etc/passwd.
/Tom Kern
--- "McKown, John" <[EMAIL PROTECTED]> wrote:
> > Shouldn't any competent auditor who is asking
On Tue, 1 Nov 2005 12:54:03 -0500, Farley, Peter x23353
<[EMAIL PROTECTED]> wrote:
>Shouldn't any competent auditor who is asking about a vendor's programs
>know that they have to ask the vendor, not the user? Shouldn't your only
>response have to be "Ask IBM"?
>...
I suppose an auditor might be
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Farley, Peter x23353
> Sent: Tuesday, November 01, 2005 11:54 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Module description
>
>
> Shouldn't any compete
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 01, 2005 12:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Module description
I don't know how many releases ago, but, IBM published a manual called
Module Descriptions. The manual contained concise information about m
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark Yuhas
> Sent: Tuesday, November 01, 2005 11:02 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Module description
>
>
> I don't know how many releases
I don't know how many releases ago, but, IBM published a manual called
Module Descriptions. The manual contained concise information about
modules and some of the attributes.
Does IBM have anything similar now?
We are going through a security audit and Sarbanes-Oxley compliance. I
keep getti