

AUTOLOG or XAUTOLOG Implementation

Three steps are required to implement VM AUTOLOG support:

  1. Establish AUTOLOG and XAUTOLOG command limiting controls, if necessary. Decide whether to implement AUTOLOG and XAUTOLOG command limiting to restrict unauthorized attempts to execute these commands. XAUTOLOG is a CP privilege class A, B, and G command. With CA ACF2 for VM, the command syntax for XAUTOLOG is identical for class A, B, and G users. For complete information on how to use command limiting, see the Command and Diagnose Limiting Guide.
  2. Assign the appropriate logonid privileges for AUTOLOG and XAUTOLOG execution. Determine when you can execute the AUTOLOG or XAUTOLOG commands without a password. Assign the AUTONOPW privilege to the appropriate target machines and the AUTOALL privilege to the appropriate initiator machines. Also, decide which target virtual machines should have the AUTOONLY privilege so that nobody can log onto them (they can only be autologged). Assign this attribute appropriately.

    If you are installing CA ACF2 for VM for the first time, assign the AUTOALL privilege to the AUTOLOG1 virtual machine. This lets it autolog subsequent machines after coming up, generating SMF logging records in the process. You can write AUTOLOG resource rules to control the precise nature of how you want to autolog this machine.

    You can also assign the AUTOALL privilege to the IBM VMBATCH machine and the System Center VMSCHEDULE machine.

    To turn on the AUTONOPW, AUTOALL, or AUTOONLY privilege bits for a virtual machine, a user with the appropriate privilege must enter the ACF CHANGE subcommand.

  3. Establish AUTOLOG resource rule sets. Every time someone tries to autolog a virtual machine, CA ACF2 for VM automatically validates an AUTOLOG resource rule. The CA ACF2 for VM access mode setting and CA ACF2 for VM SECURITY privilege have no bearing on the AUTOLOG resource rule validation process.

    You need a separate rule for each machine that is autologged. In each rule, you must specify the logonid of the target machine as the $KEY value. The UID portion of the rule entry is the initiator machine.

    To create AUTOLOG resource rules, you can run the ACFCVALG utility, which converts your AUTOLOG CP directory statements into resource rules. For complete details on this utility, see the Reports and Utilities Guide. You can also issue the COMPILE subcommand of the RESOURCE setting to store individual resource rules or many rules from a file.
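The rule layout described in step 3, shown as an added example that is not taken from the CA ACF2 for VM documentation. Assumptions: the target logonid SVCMACH1 is constructed, the resource type code ALG is assumed (use the type code your site has defined for AUTOLOG rules), the site's UID string is assumed to begin with the initiator's logonid, and `*` comment lines follow the usual ACF2 rule-source convention.

```text
* Constructed example: one rule set per autologged (target) machine.
* $KEY names the TARGET logonid. SVCMACH1 is a made-up service machine.
* TYPE(ALG) is an assumed type code for AUTOLOG resource rules.
$KEY(SVCMACH1) TYPE(ALG)
* UID names the INITIATOR. Here only AUTOLOG1 may autolog SVCMACH1.
* Assumes the UID string starts with the initiator's logonid.
 UID(AUTOLOG1) ALLOW
* Every other initiator is refused. Stating it explicitly documents intent
* and keeps a later, broader entry from silently widening access.
 UID(-) PREVENT
```

A rule entry such as `UID(-) ALLOW` under the same `$KEY` would let any initiator autolog the target, so review converted rules for overly broad UID masks before storing them, especially when the target also carries the AUTONOPW privilege.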