RACF - Auditing UNIX on z/OS
Vanguard Enterprise Security Expo 2007
Session AUD1
Mark S Hahn - Mark.S.Hahn@us.ibm.com
Bruce Wells - brwells@us.ibm.com
Disclaimer
The information contained in this document is distributed on an "as is" basis, without any warranty either express or implied. The customer is responsible for use of this information and/or implementation of any techniques mentioned. IBM has reviewed the information for accuracy, but there is no guarantee that a customer using the information or techniques will obtain the same or similar results in its own operational environment.
In this document, any references made to an IBM licensed program are not intended to state or imply that only IBM's licensed program may be used. Functionally equivalent programs that do not infringe IBM's intellectual property rights may be used instead. Any performance data contained in this document was determined in a controlled environment and therefore, the results which may be obtained in other operating environments may vary significantly. Users of this document should verify the applicable data for their specific environment.
It is possible that this material may contain references to, or information about, IBM products (machines and programs), programming, or services that are not announced in your country. Such references or information must not be construed to mean that IBM intends to announce such IBM products, programming or services in your country.
IBM retains the title to the copyright in this paper as well as title to the copyright in all underlying works. IBM retains the right to make derivative works and to republish and distribute this paper to whomever it chooses.
Trademarks
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: z/OS*, RACF*
* Registered trademarks of IBM Corporation
The following are trademarks or registered trademarks of other companies.
* All other products may be trademarks or registered trademarks of their respective companies.
Java and all Java-related trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group in the United States and other countries.
SET and Secure Electronic Transaction are trademarks owned by SET Secure Electronic Transaction LLC.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
Agenda
RACF
Userids
Classes
Profiles
Datasets
Where to find more information
Gain System Access
Request a TSO userid
Request the RACF AUDITOR attribute (RLIST/SEARCH output is incomplete without it)
OMVS segment: does the userid get its own uid, or the BPX.DEFAULT.USER default?
Build a data set (PDS) to hold the working papers
Ensure the spool viewer (SDSF, IOF, etc.) can save output to that PDS
Prepare a batch TMP (PGM=IKJEFT01) jobstream for the RACF commands
Which SYSOUT class is held, so the command output stays on the spool to be captured?
Broad Brush Overview
Prepare a batch TMP job with the following SEARCH (SR) commands:
SR CLASS(USER) UID(0)
SR CLASS(UNIXMAP) MASK(U0)   (UNIXMAP profiles exist only while the database is below IRRIRA00 stage 2; see the SHARED.IDS slide)
SR CLASS(FACILITY) MASK(BPX)
SR CLASS(UNIXPRIV) NOMASK
SR CLASS(SURROGAT) MASK(BPX.SRV)
SR CLASS(PROGRAM) NOMASK
Collect the RLIST commands from the following slides into the same batch TMP job
Alternate: browse the IRRDBU00 (RACF Database Unload) output
Alternate: RACFICE reports
Alternate: zAudit reports
Alternate: 3rd party General Resource reports
User Review
Objective: document how many humans have uid(0), who they are, and why
Review STARTED profiles, looking for TRUSTED and PRIVILEGED in the STDATA segment
Review the default started task userid: STARTED profile * or ** - is its userid uid(0)?
(RLIST STARTED ** STDATA NORACF
LU userid NORACF OMVS)
z/OS UNIX Classes
7 basic classes added for z/OS UNIX
Use SETROPTS LIST and review the LOGOPTIONS and AUDIT class lists
These classes hold no profiles
They appear in ICH408I messages, but only to identify the action requested, not a profile
Set the audit flags for them with SETROPTS LOGOPTIONS and SETROPTS AUDIT
FSSEC (File System Security) must be ACTIVE for ACLs to be checked; while it is INACTIVE, ACLs are ignored
z/OS UNIX Classes
DIRACC (Directory Access)
DIRSRCH (Directory Search)
FSOBJ (File System Objects)
FSSEC (File System Security)
IPCOBJ (InterProcess Communication)
PROCACT (Process Actions)
PROCESS
UNIX File-Level Audit Settings
Same concept as RACF profile audit settings
Separate sets of flags for the owner and for the AUDITOR
Failures are logged by default
They interact with SETROPTS LOGOPTIONS the same way data set profile settings do
Set with the chaudit shell command (-a sets the auditor flags and requires AUDITOR)
View settings with
ls -W
find with -audit (owner flags) or -aaudit (auditor flags)
HFS Unload utility (RACF downloads page)
FACILITY Class: BPX.DAEMON
Serves two purposes
Defining the profile raises the system from UNIX-level to z/OS UNIX-level security
At that level, PROGRAM profiles are required for all programs loaded into daemon (authorized) address spaces
Grants daemon privileges to users with READ access
IBM recommendation: the only person to have BPX.DAEMON access should be the systems programmer responsible for restarting daemons
Daemon privileges include changing uid to any person's uid without a password
(RLIST FACILITY BPX.DAEMON ALL)
FACILITY Class: BPX.SERVER
Serves two purposes
Switches the system to z/OS UNIX-level security if present (it should be)
The server's access level selects the authorization path taken: READ checks both the server's and the client's authority, UPDATE checks the client's only
(RLIST FACILITY BPX.SERVER ALL)
FACILITY Class: BPX.SUPERUSER
First alternative to a permanent uid(0)
"Superuser status on demand": READ access lets the user switch to uid(0) with su
Some processes (e.g. SMP/E) will accept it in lieu of uid(0)
(RLIST FACILITY BPX.SUPERUSER ALL)
FACILITY Class: BPX.DEFAULT.USER
Supplies a default user/group (and so a uid/gid) for users without an OMVS segment
The access list is ignored; the default userid and group are named in the APPLDATA
Only used when an OMVS segment is needed and none exists; a partial or broken OMVS segment blocks its use
Intended for users needing an OMVS segment only for "general" services: ftp, etc.
Not a good idea if your users use the shell and own files (they all share one uid)
(RLIST FACILITY BPX.DEFAULT.USER ALL) and inspect the APPLDATA
(Support for BPX.DEFAULT.USER was removed in z/OS V2R1; BPX.UNIQUE.USER with AUTOUID/AUTOGID replaces it)
FACILITY Class: BPX.SAFFASTPATH
Trigger profile: its existence, not its access list, matters
If present, successful UNIX file accesses are not logged to SMF (only failures are)
A performance option; valuable during system maintenance, but the auditor should know when it is active
The profile is noticed only at OMVS initialization or on SET OMVS=xx, so activation requires SET OMVS=xx; a null member is okay
(RLIST FACILITY BPX.SAFFASTPATH ALL)
FACILITY Class: BPX.FILEATTR.*
Authorization to issue the z/OS UNIX specific command extattr
The command sets extended attributes on program files, including program control (+p), APF authorization (+a) and shared library (+l)
Review who is authorized to use the command
(RLIST FACILITY BPX.FILEATTR.APF ALL)
(RLIST FACILITY BPX.FILEATTR.PROGCTL ALL)
(RLIST FACILITY BPX.FILEATTR.SHARELIB ALL)
UNIXPRIV Class: SUPERUSER.*
Preferred means of granting superuser privileges (preferred over BPX.SUPERUSER, which is preferred over uid(0))
Designed to allow granular superuser privileges, one resource per privilege
SUPERUSER.FILESYS (read or write any file, by access level)
SUPERUSER.FILESYS.** subresources: CHOWN, MOUNT, ACLOVERRIDE, CHANGEPERMS
SUPERUSER.PROCESS.** subresources: GETPSENT, KILL, PTRACE
(RLIST UNIXPRIV * ALL)
UNIXPRIV Class: SHARED.IDS
Special profile
Its existence triggers rejection of duplicate uid/gid assignments, provided the RACF database has been restructured to IRRIRA00 stage 2 or 3
READ access authorizes use of the SHARED keyword on the AU/ALU/AG/ALG commands
Most common shared uid? 0
The profile is included in the RLIST UNIXPRIV output from the previous slide
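The User Review and SHARED.IDS checks above can be run against the IRRDBU00 unload instead of interactive commands. The following is an added example, not code from the slides or from IBM: it scans an unload for uid(0) holders, for uids shared by more than one user, and for STARTED profiles that are TRUSTED/PRIVILEGED or whose default (* or **) entry maps to a uid(0) user. The column positions for the 0270 (user OMVS data) and 0540 (STARTED STDATA) records are assumptions recalled from the IRRDBU00 record layouts; verify them against RACF Macros and Interfaces for your release. The sample records are constructed.

```python
"""Added example: scan an IRRDBU00 (RACF Database Unload) flat file for the
items on the User Review and SHARED.IDS slides. Not IBM code. Run it on a
workstation against the unload transferred as text, one record per line."""
from collections import defaultdict

# ASSUMPTION: 1-based, inclusive column positions, as recalled from the
# IRRDBU00 record layouts. Verify before trusting the output.
#   0270 User OMVS Data Record:  USOMVS_NAME 6-13, USOMVS_UID 15-24
#   0540 General Resource STARTED Data Record: GRST_NAME 6-251,
#        GRST_USER_ID 262-269, GRST_GROUP_ID 271-278,
#        GRST_TRUSTED 280-283, GRST_PRIVILEGED 285-288
def field(rec, start, end):
    """Blank-stripped text at 1-based, inclusive columns start..end."""
    return rec[start - 1:end].strip()

def parse_unload(lines):
    """Return ({userid: uid}, [(profile, userid, group, trusted, privileged)])."""
    omvs, started = {}, []
    for rec in lines:
        rtype = rec[0:4]
        if rtype == "0270":
            uid_txt = field(rec, 15, 24)
            if uid_txt:                  # an OMVS segment with no UID leaves the field blank
                omvs[field(rec, 6, 13)] = int(uid_txt)
        elif rtype == "0540":
            started.append((field(rec, 6, 251), field(rec, 262, 269), field(rec, 271, 278),
                            field(rec, 280, 283) == "YES", field(rec, 285, 288) == "YES"))
    return omvs, started

def review(lines):
    """The four review items, keyed by name."""
    omvs, started = parse_unload(lines)
    by_uid = defaultdict(list)
    for user, uid in omvs.items():
        by_uid[uid].append(user)
    return {
        "uid0": sorted(by_uid.get(0, [])),
        "shared": {uid: sorted(users) for uid, users in by_uid.items() if len(users) > 1},
        "trusted_priv": [p for p in started if p[3] or p[4]],
        # STDATA userid =MEMBER means "same as the started task name"; it has no
        # OMVS segment of its own, so omvs.get() simply misses it here.
        "default_uid0": [p for p in started if p[0] in ("*", "**") and omvs.get(p[1]) == 0],
    }

def make_rec(rtype, *fields):
    """Build a fixed-column record from (start, end, value) tuples (constructed test data)."""
    buf = [" "] * 300
    buf[0:4] = rtype
    for start, end, value in fields:
        v = value[: end - start + 1]
        buf[start - 1:start - 1 + len(v)] = v
    return "".join(buf)

# Constructed sample unload: userids, uids and profile names are invented.
SAMPLE_UNLOAD = [
    make_rec("0270", (6, 13, "OMVSKERN"), (15, 24, "0000000000")),
    make_rec("0270", (6, 13, "SYSPROG1"), (15, 24, "0000000000")),
    make_rec("0270", (6, 13, "JSMITH"), (15, 24, "0000001234")),
    make_rec("0270", (6, 13, "JDOE"), (15, 24, "0000001234")),
    make_rec("0270", (6, 13, "WEBSRV"), (15, 24, "0000000500")),
    make_rec("0540", (6, 251, "**"), (253, 260, "STARTED"), (262, 269, "SYSPROG1"),
             (271, 278, "SYS1"), (280, 283, "NO"), (285, 288, "NO")),
    make_rec("0540", (6, 251, "OMVS.*"), (253, 260, "STARTED"), (262, 269, "OMVSKERN"),
             (271, 278, "OMVSGRP"), (280, 283, "YES"), (285, 288, "NO")),
    make_rec("0540", (6, 251, "HTTPD.*"), (253, 260, "STARTED"), (262, 269, "WEBSRV"),
             (271, 278, "WEBGRP"), (280, 283, "NO"), (285, 288, "NO")),
]

if __name__ == "__main__":
    for item, result in review(SAMPLE_UNLOAD).items():
        print(f"{item}: {result}")
```

On the constructed sample the script reports OMVSKERN and SYSPROG1 as uid(0), uid 0 and uid 1234 as shared, OMVS.* as TRUSTED, and the ** default started task mapped to a uid(0) user; each of those is a finding to explain in the working papers.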
SURROGAT Class: BPX.SRV.userid
Allows the su command to switch to userid without supplying that userid's password, if the issuer has READ access; normally the issuer must supply the new userid's password
Carefully review the users authorized to switch without a password
Usage can be audited (APAR OA18016)
(RLIST SURROGAT BPX.SRV.* ALL)
PROGRAM Class: **
PROGRAM profiles define controlled programs - needed by daemons, servers and APF users
Individual programs can be listed in their own profiles
Access to IRRDPI00, ICHDSM00 and IEHINITT should be restricted using separate discrete profiles
PROGRAM ** is acceptable
It is preferred over PROGRAM * (which is okay if present)
Daemons may fail if the profiles are not defined
Review the libraries listed: they must be current, so remove obsolete data set names
They should not be user libraries, except for authorized exceptions
(RLIST PROGRAM * ALL)
DATASETS: parmlib
Generally SYS1.PARMLIB, but could be another data set in the parmlib concatenation
Issue the D PARMLIB operator command for the list of data set names
The sequence matters, as does the protection of the data set in which the BPXPRMxx members are found
BPXPRMxx members
Specified by the OMVS= keyword (IEASYSxx) at IPL
SET OMVS=xx operator command activates a member later
The SETOMVS command does NOT reference parmlib, so a running system may differ from the members
Using ISPF 3.1, list all BPXPRMxx members and add the list to the working papers (on exit, choose Keep and allocate a new list file; add the old list file to the working papers PDS)
parmlib(BPXPRMxx)
Pairs of parameter members are recommended:
One for system limits and parameters
One for file system definitions
An empty member is advantageous
Some options require SET OMVS=xx to activate; a null member works for that (e.g. BPX.SAFFASTPATH activation)
parmlib(BPXPRMxx)
Review the ROOT and MOUNT statements (the FILESYSTEM keyword names the data set)
HFS/zFS data sets should be system owned, not user owned
The OMVS kernel need not be TRUSTED if it is authorized to the HFS/zFS data sets
SMS restriction lifted
Consider multiple system file systems (HFS or zFS): protection from runaway logging or another process filling the root
ROOT (mountpoint '/')
ETC (mountpoint '/etc')
TMP (mountpoint '/tmp'), or better a TFS
Temporary file system (TFS): storage resident, non-persistent data, no data set behind it
Consider automount for user file systems (still system owned) - not an audit requirement
(LD DA(xxx.yyy) ALL)
for all data sets named in all BPXPRMxx members, and for the parmlib data sets housing the BPXPRMxx members
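Generating the LISTDSD list from the BPXPRMxx members by hand is error prone once several members and mounts are involved. The following is an added example, not code from the slides or from IBM: a parser that pulls the FILESYSTEM data set names out of ROOT and MOUNT statements, skips TFS mounts (which have no data set), emits the LISTDSD commands, and also flags any file system mounted NOSECURITY, since access checks are bypassed there. The sample member, its data set names and mount points are constructed.

```python
"""Added example: extract data set names from BPXPRMxx ROOT/MOUNT statements,
emit LISTDSD DATASET('...') ALL for each, and flag NOSECURITY mounts."""
import re

# Constructed sample member; data set names and mount points are invented.
SAMPLE_BPXPRM = """\
/* BPXPRMFS: file system definitions only (constructed sample) */
FILESYSTYPE TYPE(ZFS) ENTRYPOINT(IOEFSCM) ASNAME(ZFS)
ROOT     FILESYSTEM('OMVS.SYSPLEX.ROOT')
         TYPE(ZFS)  MODE(RDWR)
MOUNT    FILESYSTEM('OMVS.ETC')
         MOUNTPOINT('/etc') TYPE(ZFS) MODE(RDWR)
MOUNT    FILESYSTEM('/TMP')          /* TFS: storage resident, no data set */
         MOUNTPOINT('/tmp') TYPE(TFS) MODE(RDWR)
MOUNT    FILESYSTEM('USER1.HOME.HFS')
         MOUNTPOINT('/u/user1') TYPE(HFS) MODE(RDWR) NOSECURITY
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Either KEYWORD(value), with the value quoted or bare, or a bare keyword.
TOKEN = re.compile(r"([A-Za-z]+)\s*\(\s*(?:'([^']*)'|([^)]*?))\s*\)|([A-Za-z]+)")
# Bare MOUNT options that must not be mistaken for the start of a new statement.
FLAG_OPTIONS = {"SECURITY", "NOSECURITY", "SETUID", "NOSETUID", "WAIT", "NOWAIT",
                "AUTOMOVE", "NOAUTOMOVE", "UNMOUNT"}

def parse_bpxprm(text):
    """One dict per statement: {'STATEMENT': name, KEYWORD: value, ..., 'FLAGS': [...]}.
    Quoted values are consumed whole, so a data set name containing ROOT or
    MOUNT cannot be mistaken for a statement."""
    stmts = []
    for m in TOKEN.finditer(COMMENT.sub(" ", text)):
        bare = m.group(4)
        if bare:
            word = bare.upper()
            if word in FLAG_OPTIONS and stmts:
                stmts[-1].setdefault("FLAGS", []).append(word)
            else:
                stmts.append({"STATEMENT": word})
            continue
        value = m.group(2) if m.group(2) is not None else m.group(3).strip()
        if stmts:
            stmts[-1][m.group(1).upper()] = value
    return stmts

def listdsd_commands(stmts):
    """LISTDSD for every ROOT/MOUNT data set. A TFS is storage resident: its
    FILESYSTEM name is only a label, so there is no data set to list."""
    return [f"LISTDSD DATASET('{s['FILESYSTEM']}') ALL"
            for s in stmts
            if s["STATEMENT"] in ("ROOT", "MOUNT")
            and "FILESYSTEM" in s and s.get("TYPE", "").upper() != "TFS"]

def nosecurity_mounts(stmts):
    """Mount points mounted NOSECURITY: file access checks are not enforced there."""
    return [s.get("MOUNTPOINT", "/") for s in stmts
            if s["STATEMENT"] in ("ROOT", "MOUNT") and "NOSECURITY" in s.get("FLAGS", [])]

if __name__ == "__main__":
    stmts = parse_bpxprm(SAMPLE_BPXPRM)
    print("\n".join(listdsd_commands(stmts)))
    print("NOSECURITY mounts:", nosecurity_mounts(stmts))
```

Feed it the concatenated text of every BPXPRMxx member found on the parmlib slide; the LISTDSD lines go straight into the batch TMP job, and any NOSECURITY mount point or user-owned high-level qualifier in the output is a finding in its own right.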
Publications - ITSO Redbooks
z/OS UNIX Security Fundamentals
http://www.redbooks.ibm.com/abstracts/redp4193.html?Open
UNIX System Services z/OS Version 1 Release 7 Implementation
http://www.redbooks.ibm.com/abstracts/sg247035.html?Open
ABCs of z/OS System Programming Volume 9
http://www.redbooks.ibm.com/abstracts/sg246989.html?Open
Publications - z/OS UNIX
Overall library (R8):
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/BPXZSH70
z/OS UNIX System Services Planning
Chapter 4 has a complete security overview
z/OS UNIX System Services Command Reference
Syntax and required authority for commands
z/OS UNIX System Services Programming: Assembler Callable Services Reference
See the authority required for various services like setuid()
Publications - RACF
Overall library (R8):
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ICHZBK70
Security Administrator's Guide
Chapter 20 - UNIX Security. Some overlap with UNIX System Services Planning
Auditor's Guide
Chapter 2 contains sections relating to UNIX audit controls
Callable Services
More technical and low-level, but contains the authority required for various UNIX functions
Publications - C/C++
Overall library (R8):
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/CBCBS170
Run-time Library Reference
Again, technical and low-level, but can be used to cross-check against the USS Assembler Callable Services and RACF Callable Services, and maybe even glean some subtly different (and hopefully correct!) information.
Internet Resources
RACF web page
http://www-03.ibm.com/servers/eserver/zseries/zos/racf/
Click on the Presentations link
racf-l list server
See the "Other sources of information" section in the front matter of any RACF book for instructions on joining
mvs-oe list server
See the "Where to find more information" section in the front matter of any USS book for instructions on joining
Summary
Tools exist to collect working papers online or via batch TMP
Alternative data sources include the RACF Database Unload (IRRDBU00) or other products
Much of the z/OS UNIX security resides in RACF, via profiles
Collect and review the RACF protections to ensure access to sensitive features is controlled (using RACF SEARCH, RACF RLIST, zAdmin, zAudit, or 3rd party tools)