1.4k likes | 1.42k Views
z/OS & zSeries Security. Security Home Page http://www.ibm.com/servers/eserver/zseries/zos/security RACF Home Page http://www.ibm.com/servers/eserver/zseries/zos/racf/. Trademarks. The following are trademarks of International Business Machines Corporation. ACF/VTAM AD/Cycle ADSM
E N D
z/OS & zSeries Security Security Home Page http://www.ibm.com/servers/eserver/zseries/zos/security RACF Home Page http://www.ibm.com/servers/eserver/zseries/zos/racf/
Trademarks • The following are trademarks of International Business Machines Corporation. • ACF/VTAM • AD/Cycle • ADSM • Advanced Function Printing • AFP • AIX* • AIX/ESA • AOEXPERT/MVS • Automated Operations Expert/MVS • CICS/ESA • DataHub • DATABASE 2 • DataTrade • DB2* • DFDSM • DFSMS • DFSMS/MVS • DFSMdfp • DFSMSdss • DFSMShsm • DFSMSrmm • Distributed Relational Database • Architecture • DRDA • Enterprise Systems Architecture/370 • Enterprise Systems Architecture/390 • Enterprise System/3090 Enterprise System/4381 Enterprise System/9000 Enterprise Systems Connection Architecture ES/3090 ES/4381 ES/9000 ESA/370 ESA/390 ESCON FASTService* FlowMark Hardware Configuration Definition Hiperbatch Hipersorting* Hiperspace IBM* IBM S/390 Parallel Enterprise Server IBM S/390 Parallel Enterprise Server - Generation 3 IMS/ESA LANRES Micro Channel* MQ Series MVS/DFP MVS/ESA NetView* NQS/MVS OPC Open Blueprint OpenEdition* OSA OSA 1 OSA 2 OS/2* OS/390 OS/400* Parallel Sysplex Power Prestige PR/SM PS/2* Processor Resource/Systems Manager RISC System/6000 S/360 S/370 S/390 SAA SAP R3 Sysplex Timer System/370 System/390 Systems Application Architecture* SystemView VM/ESA VSE/ESA VTAM 3090 Note: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. Actual performance and environmental costs will vary depending on individual customer configurations and conditions. Note: IBM hardware products are manufactured from new parts, or new and used parts. Regardless, our warranty terms apply. zCPO zClass Introduction to z/OS
Objectives • In this chapter you will learn to: • Explain security and integrity concepts • Explain RACF and its interface with the operating system • Authorize a program • Discuss integrity concepts • Explain the importance of change control • Explain the concept of risk assessment zCPO zClass Introduction to z/OS
Alphabet Soup Definitions: RACF: Resource Access Control Facility LDAP : Lightweight Directory Access Protocol DCE : Distributed Computing Environment OCEP: Open Cryptographic Enhanced Plug-ins =>Extensions to Open Cryptographic Services Facility of z/OS Base CDSA : Common Data Security Architecture => Standard API definition for crypto functions, certificate management and storage. Cross-industry. Cross platform. Intel and many vendors. Industry Standard Names zCPO zClass Introduction to z/OS
z/OS security architecture • Authenticate users and other accessors • UserID and Password • Digital Certificate • PassTicket • Kerberos Token • Protect resources from unauthorized usage • Access checking and Authorization points imbedded within z/OS • All accesses to all resources checked for user's authority • Link Pack Area (LPA) is write protected even from privileged programs • Address spaces are isolated from each other • Resources • Business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX… zCPO zClass Introduction to z/OS
Introduction • An installation’s data and programs are among its most valuable assets and must be protected • At one time data was secure because no one knew how to access it • As more people become computer literate and able to use simple tools, unprotected data is becoming more accessible • Data security is now more important than ever and includes the prevention of inadvertent destruction zCPO zClass Introduction to z/OS
Why security • Any system security must allow authorized users the access they need and prevent unauthorized access. • Many companies’ critical data is now on computer and is easily stolen if not protected • SecureWay security server provides a framework of services to protect data zCPO zClass Introduction to z/OS
RACF • RACF (part of Security Server) and the other available packages are add-on products which provide the basic security framework on a z/OS mainframe. They: • Identify and authenticate users • Authorize users to access protected resources • Log and report attempted unauthorized access • Control means of access to resources zCPO zClass Introduction to z/OS
RACF functions overview zCPO zClass Introduction to z/OS
Identification and verification of users • RACF uses a user ID and system encrypted password to perform its user identification and verification • The user ID identifies the person to the system • The password verifies the user’s identity • Passwords should not be trivial and exits can be used to enforce policies. zCPO zClass Introduction to z/OS
Protection Levels • RACF works on a hierarchical structure • ALLOC allows data set creation and destruction • CONTROL allows VSAM repro • WRITE allows update of data • READ allows read of data • NONE no access • A higher permission implies all those below zCPO zClass Introduction to z/OS
Protecting a dataset • A data set profile is built and stored in the database • It will give users or groups an access level • A universal access level will also be set • The profile can be specific or generic, with or without wild cards zCPO zClass Introduction to z/OS
RACF typical display INFORMATION FOR DATASET SYS1.*.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- --------- ------- -------- ------ 00 SYS1 READ NO NO AUDITING -------- FAILURES(READ) NOTIFY -------- NO USER TO BE NOTIFIED YOUR ACCESS CREATION GROUP DATASET TYPE -------------------- --------------------- ------------- ALTER SYS1 NON-VSAM zCPO zClass Introduction to z/OS
RACF access list for SYS1.*.** ID ACCESS -------- ------- SYS1 ALTER KARRAS ALTER WANDRER ALTER SCHUBER ALTER KURTKR UPDATE KURTKR2 UPDATE KURTKR3 NONE CICSRS1 ALTER CICSRS2 ALTER HEISIG UPDATE JUSTO UPDATE GERALD READ zCPO zClass Introduction to z/OS
Protecting general resources • Many system resources can be protected • DASD volumes • Tapes • CICS or IMS transactions • JES spool datasets • System commands • Application resources and many more • RACF is flexible and more can be added zCPO zClass Introduction to z/OS
System Authorization Facility • SAF is part of z/OS • Uses RACF if it is present • Can also use an optional exit routine • SAF is a system service and is a common focal point for all products providing resource control. • SAF is invoked at control points within the code of the resource manager zCPO zClass Introduction to z/OS
RACF Structure • Userid • Group • Every userid belongs to at least one group • Group structures are often used for access to resources • Resource • Resource classes • Class descriptor table – used to customize zCPO zClass Introduction to z/OS
RACF Functions zCPO zClass Introduction to z/OS
User Identification • RACF identifies you when you logon • Userid and password are required • Each RACF userid has a unique password • Password is one way encrypted so no one else can get your password not even the administrator • Userid is revoked after a preset number of invalid password attempts zCPO zClass Introduction to z/OS
Logging and reporting • RACF maintains statistical information • RACF writes a security log when it detects: • Unauthorized attempts to enter the system • Access to resources • This depends on the settings for the resource • For example AUDIT(ALL(UPDATE) will record all updates to a resource • Issuing of commands zCPO zClass Introduction to z/OS
Security Administration • Interpret the security policy to: • Determine which RACF functions to use • Identify the level of RACF protection • Identify which data to protect • Identify administrative structures and users zCPO zClass Introduction to z/OS
RACF sysplex data sharing and RRSF • If many systems share a RACF database there can be contention problems • RACF will propagate commands throughout a sysplex • RACF can use a coupling facility in a parallel sysplex to improve performance • RRSF can be used to keep distributed RACF databases in line zCPO zClass Introduction to z/OS
Authorized programs • Authorized tasks running authorized programs are allowed to access sensitive system functions • Unauthorized programs may only use standard functions to avoid integrity problems zCPO zClass Introduction to z/OS
Authorized Program Facility zCPO zClass Introduction to z/OS
Authorized Libraries • A task is authorized when the executing program has the following characteristics: • It runs in supervisor state • It runs in PSW key 0 to 7 • All previous programs in the same task were APF programs • The module was loaded from an APF library zCPO zClass Introduction to z/OS
Problem Programs • Normal programs are known as problem programs as they run in problem state (as opposed to supervisor state) • They run in the problem key – 8 • They may or may not be in an APF library zCPO zClass Introduction to z/OS
APF Libraries • Authorized libraries are defined by the APF list in SYS1.PARMLIB • SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are automatically authorized • Installation libraries are defined in PROGxx • By default all libraries in the linklist are authorized but many installations set LNKAUTH=APFTAB, often prompted by auditors, so that this is no longer the case and only those in the list are authorized zCPO zClass Introduction to z/OS
Authorizing a program • The first, and only the first, load module of the program must be linked with the authorization code AC=1 • It and all subsequent modules must be loaded from an authorized library • APF libraries must be protected so that only authorized users can store programs there zCPO zClass Introduction to z/OS
Authorizing libraries zCPO zClass Introduction to z/OS
Operator Console Security • Consoles are assigned authority levels in CONSOLxx parmlib member • Commands are grouped: • INFO informational commands • SYS system control commands • IO I/O commands • CONS console control commands • MASTER master console commands • Each console may have one or more levels zCPO zClass Introduction to z/OS
Consoles • At least one console must have master authority • In a sysplex consoles are shared • It is possible to require logon to consoles using RACF • All extended MCS consoles should require a logon zCPO zClass Introduction to z/OS
Security Roles • Systems programmer sets up RACF • Systems administrator implements the policies • Security Manager sets the policies • Separation of duties is required to prevent uncontrolled access zCPO zClass Introduction to z/OS
Alphabet Soup Definitions: RACF: Resource Access Control Facility LDAP : Lightweight Directory Access Protocol DCE : Distributed Computing Environment OCEP: Open Cryptographic Enhanced Plug-ins =>Extensions to Open Cryptographic Services Facility of z/OS Base CDSA : Common Data Security Architecture => Standard API definition for crypto functions, certificate management and storage. Cross-industry. Cross platform. Intel and many vendors. Industry Standard Names zCPO zClass Introduction to z/OS
z/OS security architecture • Authenticate users and other accessors • UserID and Password • Digital Certificate • PassTicket • Kerberos Token • Protect resources from unauthorized usage • Access checking and Authorization points imbedded within z/OS • All accesses to all resources checked for user's authority • Link Pack Area (LPA) is write protected even from privileged programs • Address spaces are isolated from each other • Resources • Business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX, Consoles zCPO zClass Introduction to z/OS
zSeries “Security” Architecture • Hardware storage isolation: helps protect programs from each other • Storage protect keys • Address spaces • Data Spaces • Program execution states: helps protect operating system from unauthorized program actions • Hardware Logical Partitions (LPAR): allows multiple operating system images within one processor box • A complete, isolated, operating system image space zCPO zClass Introduction to z/OS
Basics of z/OS Security zCPO zClass Introduction to z/OS
z/OS Security • z/OS provides more security features than most people realize. • You can run a firewall on z/OS (if you wanted to) • PKI services are fully supported (you can create a digital certificate if you wanted to) • Kerberos can be used as an authentication server. • LDAP server and client are supported. • There is a security server called RACF (Resource Access Control Facility) • There is thread level access support and more… zCPO zClass Introduction to z/OS
z/OS …and more • SSL is supported… • IBM has a communication server a.k.a TCP/IP that is honestly probably the best overall TCP implementation in the industry. • From a security standpoint • Dynamic VPN, IPSec, and VIPA are supported. • Supports cross platform identity mapping • Called EIM – Enterprise Identity Mapping • MLS – Multi-Level Security • RACF Controls Unix Super User functions zCPO zClass Introduction to z/OS
RACF the Security Server • RACF is used for the basic identification, authentication, access and audit control functions. • It is more than that, but hold on for a bit… • With RACF you can do at least the following: • Local or remote security administration • User identification and authentication • Resource authorization checking and system access control • Audit reports and integrity reports • Violation reporting zCPO zClass Introduction to z/OS
RACF has changed brand names • It confuses me what is what… • It started out as RACF • Went to OS/390 Security Server • Then morphed to SecureWay Security Server for OS/390 • Now it might SecureWay Security Server for z/OS (RACF) • To me it is RACF… zCPO zClass Introduction to z/OS
RACF User Identification & Authentication for USS • z/OS UNIX user identification • RACF user profile with OMVS segment • RACF group profile with OMVS segment • no /etc/passwd file • User authentication • RACF password • RACF PassTicket • z/OS UNIX logon • TSO • r_login, telnet zCPO zClass Introduction to z/OS
From Resource Managers to RACF and back for USS zCPO zClass Introduction to z/OS
RACF Control of Superuser Functions • Better security through RACF control instead of superuser authority • BPX.FILEATTR.* • Less need for superuser authority through RACF control • Class UNIXPRIV • Improved accountability by switching into superuser mode only when needed • BPX.SUPERUSER • also used by SMP/E zCPO zClass Introduction to z/OS
RACF Control of User Identity Changes • BPX.DAEMON • Ability to validate and assume RACF identities • Dæmon programs can only change identity if authorized • BPX.SERVER • Surrogate assignment for POSIX threads • Daemons can create threads with surrogate Userids if authorized: • UPDATE: client needs access authority to MVS resources • READ: client and server both need access authority zCPO zClass Introduction to z/OS
Protection of Daemons Against Modification and Misuse • Dæmon programs typically run with UID 0 (Superuser) • Switch Userids (UIDs) or authenticate user identities • Open TCP/IP ports below 1024 • Invoke system commands of functions • If code can be modified or modules can be replaced, daemons can be misused • Modules are loaded from MVS search order (STEPLIB, LPA, LNKLSTxx, ...) if sticky bit is set in HFS executable • Critical functions can only be performed if program environment is controlled: • Modules loaded from library defined with RACF Program Control • Modules loaded from HFS files with PROGCTL attribute set zCPO zClass Introduction to z/OS
More Secure than UNIX - USS • BPX.DAEMON - restricts the use of sensitive services • BPX.DEBUG - allows debugging of authorized programs • BPX.FILEATTR.APF - controls marking files authorized • BPX.FILEATTR.PROGCTL - controls marking files program controlled • BPX.SERVER - restricts the use of sensitive services • BPX.SMF - allows the writing of SMF records • BPX.STOR.SWAP - controls making address spaces non-swappable • BPX.WLMSERVER - controls access to WLM interface • BPX.SAFFASTPATH - improves performance but prevents auditing of successful events zCPO zClass Introduction to z/OS
UNIXPRIV Resource Names zCPO zClass Introduction to z/OS
UNIXPRIV for Mount and Quiesce • Mount and Quiesce File Systems • SUPERUSER.FILESYS.MOUNT • READ : Mount or unmount file system with nosetuid attribute • UPDATE : Mount or unmount file system with setuid attribute • SUPERUSER.FILESYS.QUIESCE • READ : Quiesce or unquiesce a file system mounted with nosetuid • UPDATE : Quiesce or unquiesce a file system mounted with setuid zCPO zClass Introduction to z/OS
UNIXPRIV for other file actions • SUPERUSER.FILESYS.CHOWN • READ : Use chown to change owner of any file • SUPERUSER.FILESYS.PFSCTL • READ : Allows use of the pfsctl() service • SUPERUSER.FILESYS.VREGISTER • READ : Allows use of vreg() service to register as a VFS file server zCPO zClass Introduction to z/OS
Program Controlled Environment zCPO zClass Introduction to z/OS