I just noticed this information message in TSM server 5.1.6.1: ANR1639I.
This seems to be an indication that a nodes IP address has changed. Look at
the last three fields in a q node xxxx f=d. This message could then be sent
to your monitoring software or you could run a daily script against the
actlog table to search for it, then you have a list of any client
connections that could be possible security breaches. I haven't tested this,
just noticed it this second, but it looks like a nice feature.


Date: Mar 17, 11:56 
From: Paul Zarnowski <vkm AT CORNELLC.CIT.CORNELL DOT EDU
<mailto:vkm AT CORNELLC.CIT.CORNELL DOT EDU>> 
Dwight,  What you say is true, but....  If an admin changes the node's
password, they have left tracks.  They cannot change the password back to
what it was, unless they knew what it was to start with.  The next time the
client goes to use TSM, they will be aware that their password was changed.
I was amazed to find out that admins could do this without leaving tracks.
This is somewhat disconcerting.  ..Paul  At 09:03 AM 3/12/2003 -0800, Cook,
Dwight E wrote: >Well, since a "system privileged admin id" could change the
node's password >and then connect without using their admin id & password
(use the one they >just set it to) I can see why the straight use of their
id & password would >be allowed. > >Just another reason why management
should pay their TSM admin's well ;-) > >Dwight > > > >-----Original
Message----- >From: Gerhard Rentschler
[mailto:g.rentschler AT RUS.UNI-STUTTGART DOT DE
<mailto:g.rentschler AT RUS.UNI-STUTTGART DOT DE>] >Sent: Wednesday, March 12, 
2003
10:01 AM >To: ADSM-L AT VM.MARIST DOT EDU <mailto:ADSM-L AT VM.MARIST DOT EDU> 
>Subject:
Client login with admin id and password > > >Hello, >I always thought that a
tsm admin does not have access to client data. I >think I learned something
new. >Calling dsmc or dsm with -node=tarzan and specifying a valid admin id
and >password (system privilege) gives access to node tarzan's data. At
least it >is possible to list the files. I haven't tried to restore data.
This is >indeed documented. However, I would prefer if there were a message
in the >activity log saying that admin id was used. >Am I wrong? Could
someone explain this feature in more detail? > >Best regards >Gerhard >---
>Gerhard Rentschler            email:g.rentschler AT rus.uni-stuttgart DOT de
<mailto:g.rentschler AT rus.uni-stuttgart DOT de> >Regional Computing Center
tel.   ++49/711/685 5806 >University of Stuttgart       fax:
++49/711/682357 >Allmandring 30a >D 70550 >Stuttgart >Germany   -- Paul
Zarnowski                         Ph: 607-255-4757 719 Rhodes Hall, Cornell
University    Fx: 607-255-8521 Ithaca, NY 14853-3801                  Em:
psz1 AT cornell DOT edu <mailto:psz1 AT cornell DOT edu>        





Any e-mail message from the European Central Bank (ECB) is sent in good faith 
but shall neither be binding nor construed as constituting a commitment by the 
ECB except where provided for in a written agreement.
This e-mail is intended only for the use of the recipient(s) named above. Any 
unauthorised disclosure, use or dissemination, either in whole or in part, is 
prohibited.
If you have received this e-mail in error, please notify the sender immediately 
via e-mail and delete this e-mail from your system.