Walt, May the wind be at your back...god bless enjoy your much earned retirement
Sent from my iPad Scott Ford Senior Systems Engineer www.identityforge.com On Mar 28, 2012, at 8:28 AM, Walt Farrell <[email protected]> wrote: > On Tue, 27 Mar 2012 11:09:23 -0700, Skip Robinson <[email protected]> > wrote: > >> The reason I brought up this 'vulnerability' is that we hired a consultant >> a while back to look for weaknesses. Of course they were able to logon >> with a vanilla userid that had no special authority. And this is what they >> did. >> >> We all spend a lot of time and mental energy focused on how to protect >> ourselves from sophisticated attack. We look at APF. We look at SVC >> screening. We look at access to sensitive libraries. But this particular >> 'denial of service' can be accomplished by anyone with a valid userid and >> password. And *only* because we lock up users for invalid password >> attempts. I'm just sayin'... > > It's just another form of disaster you have to plan for, Skip. > > It's easy, for example, to setup an STC that runs with an ID that has > SPECIAL, or that is the OWNER of some IDs that have SPECIAL, and have that > STC run IKJEFT01 and issue ALTUSER ... RESUME for one or more other IDs that > have SPECIAL. > > If they all get locked out, you just run the STC and that set of IDs is > RESUMED. > > The STC itself will be able to run, even if its ID has been revoked, and so > it provides protection against the issue you're suggesting. > > But yes, you need to be prepared for this, just as for anything that can > compromise your system. > > (Other alternatives exist, by the way, including emergency copies of the RACF > database that you can make available in such an emergency situation, but the > STC approach is the simplest, in my opinion. Nonetheless, I would also > recommend having an emergency RACF DB available, too, but that also goes > along with having emergency system residence volumes available.) > > -- > Walt Farrell > IBM STSM, z/OS Security Design (for another half-hour or so) > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
