X-no-Archive:yes
This is the difference between the ability, being able to access without
authorization, and the act, actually accessing without authorization, right?
As you pointed out, by definition, an operator can create a file in their
own area, back it up, and restore it, anywhere else, so proving that only
authorized personnel changed something is different from making it
impossible to do so.

Tracking every keystroke does seem onerous, unless the modem lines are
rarely used (wouldn't you love to read a log from an HPRC upload to TELESUP?
Can a keystroke tracker distinguish between keystrokes and uploads?). The
person who can access the keystroke tracker can also cover their own
tracks... I would think that logging file writes would do the trick. So
would source management that can audit code (including job streams and
command files) for consistency with what is 'official', which again assumes
the integrity of its manager. In addition to VeSoft's SECURITY / 3000, I
understand SAFE / 3000 is similar to RACF on mainframe, so might evidence
the integrity of your system, but have no experience with SAFE / 3000 or
RACF.

Greg Stigers
http://www.cgiusa.com