ADSM-L

Re: security

2000-05-08 21:00:17
Subject: Re: security
From: Bill Colwell <bcolwell AT DRAPER DOT COM>
Date: Mon, 8 May 2000 21:00:17 -0400
If you are on the 3.7 tsm server, an auditor could notice.  There is a
summary table which records data about most activities (maybe all, I
haven't seen a list of all the events it will record).  The table can be
selected from and is purged according to a value set by the set statement.
So if auditing TSM activity is important to a company, your export could
be found out.

If there is anything for development to do, I think they should close any
loopholes in the audit trail.  One thing that I don't know if it is
tracked is the client's use of the 'grant access' feature.  I don't know
any way to disable this.

Another thing IBM/Tivoli should do is to write 'An Auditor's Guide to TSM',
and maybe offer a course on it.


--
--------------------------
Bill Colwell
C. S. Draper Lab
Cambridge, Ma.
bcolwell AT draper DOT com
--------------------------
In <14614.26572.252739.139753 AT MERSCHWS.UNI-MUENSTER DOT DE>, on 05/08/00
   at 09:00 PM, Reinhard Mersch <mersch AT UNI-MUENSTER DOT DE> said:

>Bill Colwell writes:
> > If 'passwordaccess generate' is used and the node is defined with
> > 'forcepw=yes', when the first connection is made and the initial password
> > is entered, a new password is generated.  This password is unknown to
> > everyone including the user and all administrators.  I know the dsmcutil
> > program can display it, but if physical security to the user machine is
> > maintained these parameters provide decent security for the adsm backups.
> >
> > An administrator would need to reset the password to give others access
> > and this leaves an audit trail plus the user may notice that his client
> > doesn't work anymore.

>An administrator could export the data, import it to a separate *SM
>server and access the data from there. Nobody would notice.

>--
>Reinhard Mersch
>Westfaelische Wilhelms-Universitaet
>Zentrum fuer Informationsverarbeitung - ehemals Universitaetsrechenzentrum
>Roentgenstrasse 9-13, D-48149 Muenster, Germany
>Tel: +49(251)83-31583  Fax: +49(251)83-31653
>E-Mail: mersch AT uni-muenster DOT de