ADSM-L

Re: Client login with admin id and password

2003-03-18 12:48:55
Subject: Re: Client login with admin id and password
From: Andrew Raibeck <storman AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 18 Mar 2003 10:48:14 -0700
Hi Wanda,

True, but isn't the node name different in both messages? If XNBOSS is
normally used (for example) from IP address 128.244.81.53 but now it is
accessed from 128.244.81.137, then there is your "trail". Agreed it isn't
ideal, but if you suspected that someone was covertly accessing XNBOSS's
data, the different IP address would be a clue.

Don't get me wrong, like I said, there is other work that we can do. I am
not an expert on security issues in general, and have only heard vaguely
about hPPA (or whatever it is)... but I would encourage customers who
would like to see more security/audit trails in TSM to let their marketing
reps know (and maybe this is something that can be taken up via a SHARE
requirement). Please provide as much detail as possible in describing the
requirement (i.e. how *exactly* do you want TSM to behave?) so that we can
better understand the need.

In the meantime, users concerned with this should consider using the
INCLUDE.ENCRYPT option to encrypt sensitive data. This will prevent anyone
else from restoring it (provided that the originating node owner doesn't
give out the encryption key). Just don't forget the key, or else you won't
be able to get the data back!

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.eyebm DOT com (change eye to i to reply)

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.
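The clue Andy describes above, a node name showing up from an IP address it does not normally use, can be checked mechanically against the ANR0406I lines quoted in this thread. This is an added example, not code from the thread or from IBM; the activity-log excerpts are constructed, and the field layout in the regex and the join_wrapped helper are assumptions based on the quoted lines.

```python
import re
from collections import defaultdict

# ANR0406I record as quoted in the thread, matched after wrapped lines are joined (assumed layout).
ANR0406_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+ANR0406I Session (?P<sess>\d+) started for node (?P<node>\S+)\s+"
    r"\((?P<ctype>[^)]*)\)\s+\(Tcp/Ip (?P<ip>[\d.]+)\((?P<port>\d+)\)\)\.?$")
STAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}")

def join_wrapped(text):
    """Glue continuation lines (no leading timestamp) onto the record above them."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if STAMP_RE.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def parse_anr0406(record):
    """Fields of an ANR0406I record as a dict, or None for any other message."""
    m = ANR0406_RE.match(record)
    return m.groupdict() if m else None

def baseline_ips(text):
    """Map each node name to the set of source IPs it has connected from."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_anr0406, join_wrapped(text))):
        seen[rec["node"]].add(rec["ip"])
    return seen

def flag_new_sources(text, baseline):
    """(session, node, ip) for node sessions from an IP outside that node's baseline."""
    return [(r["sess"], r["node"], r["ip"])
            for r in filter(None, map(parse_anr0406, join_wrapped(text)))
            if r["ip"] not in baseline.get(r["node"], set())]

# Constructed activity-log excerpts (sample data, not taken from the thread).
HISTORY = """03/10/2003 02:00:11  ANR0406I Session 69001 started for node XNBOSS (WinNT)
                      (Tcp/Ip 128.244.81.53(1201)).
03/11/2003 02:05:30  ANR0406I Session 69141 started for node PRATHW1 (WinNT)
                      (Tcp/Ip 128.244.81.137(1160))."""
TODAY = """03/18/2003 11:51:39  ANR0406I Session 70211 started for node PRATHW1 (WinNT)
                      (Tcp/Ip 128.244.81.137(1160)).
03/18/2003 11:53:02  ANR0406I Session 70212 started for node XNBOSS (WinNT)
                      (Tcp/Ip 128.244.81.137(1161))."""

ALERTS = flag_new_sources(TODAY, baseline_ips(HISTORY))  # the "trail": XNBOSS from a new address
```

The baseline is only as good as the history it is built from, so a node that legitimately roams will show up here too; the point is to make the address change visible rather than leaving it buried in the session log.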
"Prather, Wanda" <Wanda.Prather AT JHUAPL DOT EDU>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
03/18/2003 10:04
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Re: Client login with admin id and password
Andy,

ANR0406 just shows the nodename for the client:
03/18/2003 11:51:39  ANR0406I Session 70211 started for node PRATHW1
(WinNT)
                      (Tcp/Ip 128.244.81.137(1160)).

When I access data from another machine (not my own) using dsm
-virtualnodename and override the clients password with my admin id, the
text for ANR0406 STILL just shows the nodename:

03/18/2003 11:51:39  ANR0406I Session 70211 started for node XNBOSS
(WinNT)
                      (Tcp/Ip 128.244.81.137(1160)).

You can't see that I (as administrator) accessed the data from that node and
restored it to my own machine, thereby gaining access to data I normally
don't have the rights to see.

I think that's why people who have to comply with the new hPPA (? I don't
remember the exact acronym) privacy laws are concerned about auditing for
this access.

But then I'm still at 4.2.1.15. Is it different in 5.1?
-----Original Message-----
From: Andrew Raibeck [mailto:storman AT US.IBM DOT COM]
Sent: Tuesday, March 18, 2003 10:38 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: Client login with admin id and password


TSM does leave some footprints. Refer to messages ANR0406I and ANR1639I.

With that said, I suppose that TSM could be made even more secure (at the
cost of flexibility), but I would say that this falls into the area of
"requirement", not "defect".

Regards,

Andy


Gerhard Rentschler <g.rentschler AT RUS.UNI-STUTTGART DOT DE>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU>
03/18/2003 08:11
Please respond to "ADSM: Dist Stor Manager"


        To:     ADSM-L AT VM.MARIST DOT EDU
        cc:
        Subject:        Re: Client login with admin id and password
Hello,
> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul>
That's what I would like to have. In Germany we have a law which requires
that access to data which is related to individuals must be restricted and
logged. That means that on request it should be possible to tell who
accessed the data. With TSM this is not possible. Is it possible to open a
PMR on this ground?
Best regards
Gerhard
---
Gerhard Rentschler            email:g.rentschler AT rus.uni-stuttgart DOT de
Regional Computing Center     tel.   ++49/711/685 5806
University of Stuttgart       fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany