SECURITY & COMPLIANCE CONFERENCE 2016
z/OS UNIX Security
Dustin Hayes
Professional Services Consultant
BTB03-BTB04
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Legal Notice
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.
Course Topics
• z/OS® UNIX® Overview
• Defining UNIX Users and Groups to RACF®
• UNIX Superusers
• Ensuring Unique UNIX Identities
• UNIX Default User and Group
• Protecting UNIX Files
• Security for Daemons and Servers
• Extended Attributes
• Auditing UNIX Security Events
• Working in the z/OS UNIX Environment
z/OS UNIX Overview
What is z/OS UNIX Used For?
(Diagram: web browsers on the World Wide Web connect to the HTTP Server or WebSphere Application Server, which runs on z/OS UNIX (kernel, shell and utilities, HFS) and calls CICS®, IMS™ and DB2® applications.)
Components of z/OS UNIX
• KERNEL - Low-level system code
• SHELL - A command processor
• FILE SYSTEM - Hierarchical File System (HFS)
– Directories
– Files
• DAEMONS - Processes that run in the background, i.e. started tasks
• COMMUNICATION SERVICES - Methods of access
– TSO/E
– VTAM™
– TCP/IP
What is z/OS UNIX?
• APIs: programs can run in almost any environment:
– Batch
– Submitted by a TSO user
– As started tasks
• Programs can request:
– Only MVS™ services
– Only z/OS UNIX services
– Both MVS and z/OS UNIX services
• The SHELL interface is an execution environment for:
– Programs run by shell users
– Shell commands and scripts run by shell users
– Shell commands and scripts run as batch jobs
Hierarchical File System (HFS)
(Diagram: a tree of directories and files rooted at / (root).)
UNIX Security
• UID identifies user
• GID identifies group to which user belongs
• Access rights determined by
– UID - if user is owner of file
– GID - if user is in group that owns file
– Other - if neither UID nor GID match
z/OS UNIX Security Functions
• User validation – UID, GID
• File access checking – File Security Packet (FSP) containing the file permission bits and ACLs
• Auditing – FSP file audit bits
– RACF systemwide options
– UNIXPRIV and FACILITY classes
• Security administration – RACF and UNIX commands
z/OS UNIX File Security Packet
(Diagram of the File Security Packet, which is stored with the file:
– File owner UID
– File owner group GID
– File mode: the set-UID, set-GID and sticky bits plus the permission bits r w x for owner, group and other
– Auditing options: one set maintained by the file owner, one by the RACF AUDITOR
– Extended attributes: p (program controlled), a (APF authorized), s (shared address space))
Defining UNIX Users and Groups to RACF
Identifying the User
• UNIX represents each user by a single number
– UID - user identifier
• Assign each user a unique UID
• Operating system identifies user by UID number
– usernames are convenience
• The UID is assigned in the OMVS segment of the RACF user profile
• If two users are assigned the same UID, UNIX views them as the same user: every UNIX access check treats them as one identity
z/OS UNIX Groups
• A user must belong to at least one group
– can be connected to additional groups
• All groups that a UNIX user belongs to should be assigned an OMVS GID
• The user's default group, or current connect group, must have a GID assigned, otherwise the user cannot use z/OS UNIX services at all
RACF Profiles
RACF Group Profile, OMVS segment: GID
RACF User Profile, OMVS segment: UID, HOME, PROGRAM, plus the resource limits FILEPROCMAX, CPUTIMEMAX, ASSIZEMAX, THREADSMAX, PROCUSERMAX, MMAPAREAMAX, MEMLIMIT and SHMEMMAX
USP – User Security Packet
The USP holds the identity of a process:
– Real UID, effective UID, saved UID
– Real GID, effective GID, saved GID
– Supplemental groups
Where does the USP come from?
– The user's OMVS segment
– The OMVS segment of the user's default group
– The OMVS segments of the user's list-of-groups
z/OS UNIX System ID Requirements
• UNIX system user (OMVSKERN with UID=0)
• UNIX system group (OMVSGRP)
• UNIX system default superuser ID BPXROOT with UID=0
– Specified on the SUPERUSER keyword in BPXPRM00
– Used for processes that invoke setuid() to UID 0
– Used for the su command
z/OS UNIX Users/Groups RACF Profiles
ADDGROUP OMVSGRP OW(SECADM) SUPGROUP(SECADM) OMVS(GID(1000))
ADDUSER OMVSKERN DFLTGRP(OMVSGRP) NOPASSWORD OW(OMVSGRP) NAME('OMVS KERNEL ID') OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
ADDUSER BPXROOT DFLTGRP(OMVSGRP) NOPASSWORD OW(OMVSGRP) NAME('OMVS DEFAULT SUPERUSER') OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
Note: the values in the OMVS segment (HOME, PROGRAM) are case sensitive.
STARTED Class Profiles
• Define as started tasks:
– OMVS – the z/OS UNIX kernel
– BPXOINIT – the UNIX initialization process
RDEF STARTED OMVS.* OW(SECADM)
STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(YES))
RDEF STARTED BPXOINIT.* OW(SECADM)
STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH
z/OS UNIX Regular User Requirements
• User must be defined to RACF
• User profile can have an OMVS segment:
– UID: 1 - 2147483647, e.g. 100
– HOME: current working directory, e.g. /u/userid
– PROGRAM: initial program to execute, e.g. /bin/sh
• Current connect group can have an OMVS segment:
– GID: 0 - 2147483647, e.g. 1001
• UID should be unique
• GID recommended unique
z/OS UNIX Users/Groups RACF Profiles
AG GROUPA SUPGROUP(SECADM) OWNER(SECADM) OMVS(GID(1001))
AU BILLYB DFLTGRP(GROUPA) OWNER(GROUPA) NAME('BILLY BOB') PASS(xxxxxxxx) TSO(…) OMVS(UID(100) HOME('/u/billyb') PROGRAM('/bin/sh'))
Defining Home Directories
• Define the user's home directory:
– UNIX command – mkdir /u/billyb
• MKDIR can be executed within the TSO environment:
– TSO command – MKDIR '/u/billyb'
• Change ownership of the directory to the user:
– UNIX command – chown billyb /u/billyb
– TSO command – OSHELL chown billyb /u/billyb
(Diagram: / (root directory) contains /u, which contains /u/billyb.)
Defining Home Directories Using AUTOMOUNT
• An automount policy specifies the file systems that are to be mounted
• The user's home directory is managed by the automount facility
• Automount performs a mkdir followed by a mount whenever a file is accessed in a controlled directory
(Diagram: the file system data set OMVS.BILLYB.HFS is mounted at /u/billyb under /u in the root file system.)
UNIX Superusers
z/OS UNIX Superuser Requirements
• What Makes a User ID a Superuser?
– UID 0
– READ access to BPX.SUPERUSER profile in the
FACILITY Class
– TRUSTED or PRIVILEGED Started Task
– Access to UNIXPRIV Class profiles
• What Can a Superuser Do?
– Perform any z/OS UNIX function
– Passes all z/OS UNIX security checks
– Change identity to another UID
• Ordinary User when accessing MVS resources
z/OS UNIX Superuser Requirements
• User must be defined to RACF
• User profile must have an OMVS segment:
– UID: 0
– HOME: current working directory, e.g. /u/userid
– PROGRAM: initial program to execute, e.g. /bin/sh
• Default or current connect group has an OMVS segment:
– GID: 0 - 2147483647, e.g. 1000
• The UID must be 0, or a non-zero UID for a user who is instead given the ability to switch to UID 0 with the su command (READ access to BPX.SUPERUSER, next slide)
• GID recommended unique
Switching to Superuser
• Recommendation: don't give human beings UID(0)
• Switching to superuser (the su command) is controlled through RACF resource permissions:
– FACILITY class profile BPX.SUPERUSER, READ access required
RDEF FACILITY BPX.SUPERUSER UACC(NONE)
PE BPX.SUPERUSER CL(FACILITY) ID(SUPERGRP) AC(READ)
Controlling Superuser Authorities
Using UNIXPRIV Class Profiles
• Use to authorize individual Superuser authorities
– granular approach
– users no longer need UID(0) or BPX.SUPERUSER
The UNIXPRIV Class Profiles
Resource Name – Access Given
SUPERUSER.FILESYS (READ access) – Allows a user to read any HFS file and read or search any HFS directory.
SUPERUSER.FILESYS (UPDATE access) – Allows a user to write to any existing HFS file.
SUPERUSER.FILESYS (CONTROL access) – Allows a user to write to any HFS directory.
SUPERUSER.FILESYS.ACLOVERRIDE – Specifies that ACL entries override SUPERUSER.FILESYS.
SUPERUSER.FILESYS.CHANGEPERMS – Allows a user to change the permission bits of any file.
SUPERUSER.FILESYS.CHOWN – Allows a user to change ownership of any file.
SUPERUSER.FILESYS.MOUNT – Allows a user to issue mount and unmount requests.
SUPERUSER.FILESYS.QUIESCE – Allows a user to issue quiesce and unquiesce commands for a file system.
SUPERUSER.FILESYS.PFSCTL – Allows a user to call pfsctl().
SUPERUSER.FILESYS.VREGISTER – Allows a user to issue vregister() to register as a VFS file server.
SUPERUSER.IPC.RMID – Allows a user to issue ipcrm calls to clean up leftover IPC mechanisms.
SUPERUSER.PROCESS.GETPSENT – Allows a user to see all processes.
SUPERUSER.PROCESS.KILL – Allows a user to send signals to any process.
SUPERUSER.PROCESS.PTRACE – Allows a user to use dbx to trace any process.
SUPERUSER.SETPRIORITY – Allows a user to increase his own priority.
Note: RACF access levels are cumulative, so UPDATE on SUPERUSER.FILESYS includes READ and CONTROL includes UPDATE. These profiles are consulted only after the file's own permission bits (and ACL) have denied the request.
UNIXPRIV Examples
RDEF UNIXPRIV SUPERUSER.FILESYS UACC(NONE)
PE SUPERUSER.FILESYS CL(UNIXPRIV) ID(SYSPROG) AC(CONTROL)
RDEF UNIXPRIV SUPERUSER.FILESYS.CHANGEPERMS UACC(NONE)
PE SUPERUSER.FILESYS.CHANGEPERMS CL(UNIXPRIV) ID(SECADMIN) AC(READ)
(Diagram: user CHARLIE, UID 1010, connected to group SYSPROG.)
RACF Profiles for Superuser
AU CHARLIE DFLT(OMVSADMG) OW(OMVSADMG) OMVS(UID(0))
or
CONNECT CHARLIE GROUP(SUPERGRP)
(gives CHARLIE access to BPX.SUPERUSER through SUPERGRP, so he can issue su)
or
RDEF UNIXPRIV SUPERUSER.*.** UA(NONE)
PE SUPERUSER.*.** CL(UNIXPRIV) ID(SUPERGRP) AC(CONTROL)
(gives SUPERGRP access to the UNIXPRIV SUPERUSER profiles; the three options run from least to most granular)
Unique UNIX Identities
Unique UNIX Identity
UNIX Security Management Usability Enhancement
• Optional enhancement for managing and listing UID and GID assignments
• Provides for automatic assignment of a unique UID and/or unique GID value
• Provides a method to list all users with a specific UID
• Provides a method to list all groups with a specific GID
Unique UNIX Identity
• The UNIXPRIV profile SHARED.IDS acts as a system-wide switch to prevent assignment of a UID or GID that is already in use
• Available on z/OS 1.4, or on OS/390 2.10, z/OS 1.2 and z/OS 1.3 via APAR OW52135
• Must be using Application Identity Mapping (AIM) stage 2 or 3
• The FACILITY class discrete profile BPX.NEXT.USER is defined with APPLDATA to indicate the next available UID or GID value to be automatically assigned
Prevention of Shared IDs
RDEF UNIXPRIV SHARED.IDS UA(NONE)
SETROPTS RACLIST(UNIXPRIV) REFRESH
AU CAROL . . . OMVS(UID(1515))
IRR52174I Incorrect UID 1515. This value is already in use by TOM.
AG GROUPA . . . OMVS(GID(3250))
IRR52174I Incorrect GID 3250. This value is already in use by USRGRP.
Exception to Unique IDs
• Why assign a non-unique UID/GID?
– Assigning UID(0) to started task IDs (daemons)
• Requires the use of the SHARED keyword in the OMVS segment on:
– ADDUSER, ALTUSER
– ADDGROUP, ALTGROUP
• Use of the SHARED keyword requires the SPECIAL attribute or READ access to the SHARED.IDS profile
Using the SHARED Keyword
PE SHARED.IDS CL(UNIXPRIV) ID(UNIXGRP) AC(READ)
SETR RACLIST(UNIXPRIV) REFRESH
AU KNGKONG . . . OMVS(UID(0) SHARED)
AG GROUPA . . . OMVS(GID(3250) SHARED)
(Diagram: JULIE, connected to UNIXGRP, and JIMM, who has the SPECIAL attribute, may both code the SHARED keyword.)
Enhancements to SEARCH Command
• Using the SEARCH (SR) command:
– Identify user IDs associated with a specific UID
– Identify groups associated with a specific GID
– The UID/GID parameter must be a discrete value
Example 1 – Identify all users with UID of 0
SR CLASS(USER) UID(0)
Example 2 – Identify all groups with GID of 222
SR CLASS(GROUP) GID(222)
Automatic UID/GID Assignment
• New AUTOUID keyword in the OMVS segment
– ADDUSER and ALTUSER commands
• New AUTOGID keyword in the OMVS segment
– ADDGROUP and ALTGROUP commands
AG USSGRP . . . OMVS(AUTOGID)
IRR52177I Group USSGRP was assigned an OMVS GID value of 5001
AU CAROL . . . DFLT(USSGRP) OMVS(AUTOUID)
IRR52177I User CAROL was assigned an OMVS UID of 3001
Defining Automatic Values
• BPX.NEXT.USER in the FACILITY class
– APPLDATA information is used to determine the UID/GID values
– Establishes the initial UID and/or GID values
– Can specify a range of UID and/or GID values
– UACC and the access list are not used
– The first value in APPLDATA represents the UID, the second the GID, separated by a slash
– Values are automatically updated by RACF as IDs are assigned
– Can negate automatic assignment of UID or GID (NOAUTO)
RDEF FACILITY BPX.NEXT.USER APPLDATA('5000/500')
SETR RACLIST(FACILITY) REFRESH
Defining Automatic Values - Examples
Example 1 – Start UID at 1 and GID at 0 (no previous UIDs/GIDs)
RDEF FACILITY BPX.NEXT.USER APPLDATA('1/0')
SETR RACLIST(FACILITY) REFRESH
(RACLIST is optional for the FACILITY class)
Example 2 – Start UID at 100 and GID at 100 (existing UIDs/GIDs < 100)
RDEF FACILITY BPX.NEXT.USER APPLDATA('100/100')
SETR RACLIST(FACILITY) REFRESH
Defining Automatic Values - Examples
Example 3 – Specify ranges for both UIDs and GIDs
RDEF FACILITY BPX.NEXT.USER APPLDATA('500-9999/1000-3999')
SETR RACLIST(FACILITY) REFRESH
Example 4 – Specify a range for UIDs but don't assign GIDs automatically
RDEF FACILITY BPX.NEXT.USER APPLDATA('300-500/NOAUTO')
SETR RACLIST(FACILITY) REFRESH
Example 5 – Set a range for GIDs but leave the UID value as is
RALT FACILITY BPX.NEXT.USER APPLDATA('/500-1000')
SETR RACLIST(FACILITY) REFRESH
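The allocation rules of the last three slides (first APPLDATA value for the UID, second for the GID, single values and ranges, NOAUTO, an empty side leaving the existing value alone) together with the SHARED.IDS rejection shown earlier, as an added Python model. This is not RACF or Vanguard code: the RacfDb class and its method names are this example's own, as are two rules RACF's documentation is not quoted for here, that a value already in use is skipped during automatic assignment and that a single APPLDATA value behaves like a range ending at 2147483647. The IRR52174I text is the one shown on the Prevention of Shared IDs slide.

```python
"""Model of RACF automatic UID/GID assignment from BPX.NEXT.USER APPLDATA.

Added illustration, not IBM or Vanguard code. The in-use values and the
skip-in-use rule below are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MAX_ID = 2147483647   # largest UID/GID value RACF accepts (from the slides)
KEEP = object()       # an empty APPLDATA side, as in '/500-1000', leaves that cursor as is


def parse_side(text):
    """Parse one side of APPLDATA: '' (keep), 'NOAUTO', '500' or '500-9999'.

    Returns KEEP, None (automatic assignment switched off) or (next, upper).
    A single value is treated as a range that ends at MAX_ID (assumption).
    """
    text = text.strip()
    if text == "":
        return KEEP
    if text.upper() == "NOAUTO":
        return None
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", text)
    if not m:
        raise ValueError(f"bad APPLDATA value: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else MAX_ID
    if low > high or high > MAX_ID:
        raise ValueError(f"bad APPLDATA range: {text!r}")
    return (low, high)


@dataclass
class RacfDb:
    """Constructed stand-in for the RACF database and the BPX.NEXT.USER cursors."""
    uid_holders: dict = field(default_factory=dict)   # UID -> [user IDs holding it]
    gid_holders: dict = field(default_factory=dict)   # GID -> [groups holding it]
    next_uid: tuple | None = None                      # None: no automatic UIDs
    next_gid: tuple | None = None                      # None: no automatic GIDs

    def set_next_user(self, appldata):
        """RDEF/RALT FACILITY BPX.NEXT.USER APPLDATA('uid-spec/gid-spec')."""
        uid_part, _, gid_part = appldata.partition("/")
        uid_spec, gid_spec = parse_side(uid_part), parse_side(gid_part)
        if uid_spec is not KEEP:
            self.next_uid = uid_spec
        if gid_spec is not KEEP:
            self.next_gid = gid_spec

    def _add(self, holders, cursor_attr, kind, what, name, value, auto, shared, can_share):
        """Shared logic of ADDUSER/ADDGROUP with SHARED.IDS defined; returns (id, message)."""
        if auto:                                   # AUTOUID / AUTOGID
            cursor = getattr(self, cursor_attr)
            if cursor is None:
                return None, f"automatic {kind} assignment is not enabled in BPX.NEXT.USER"
            value, high = cursor
            while value in holders:                # assumption: in-use values are skipped
                value += 1
            if value > high:
                return None, f"no unused {kind} left in the BPX.NEXT.USER range"
            setattr(self, cursor_attr, (value + 1, high))
            message = f"IRR52177I {what} {name} was assigned an OMVS {kind} value of {value}"
        elif value is None:
            return None, f"{what} {name} defined without an OMVS {kind}"
        elif value in holders and not (shared and can_share):
            # SHARED.IDS rejects a value already in use unless SHARED is coded by
            # someone with SPECIAL or READ access to SHARED.IDS (can_share).
            return None, (f"IRR52174I Incorrect {kind} {value}. "
                          f"This value is already in use by {holders[value][0]}.")
        else:
            message = f"{what} {name} given OMVS {kind} {value}"
        holders.setdefault(value, []).append(name)
        return value, message

    def add_user(self, user, uid=None, autouid=False, shared=False, can_share=False):
        """ADDUSER user ... OMVS(UID(n) [SHARED]) or OMVS(AUTOUID)."""
        return self._add(self.uid_holders, "next_uid", "UID", "User",
                         user, uid, autouid, shared, can_share)

    def add_group(self, group, gid=None, autogid=False, shared=False, can_share=False):
        """ADDGROUP group ... OMVS(GID(n) [SHARED]) or OMVS(AUTOGID)."""
        return self._add(self.gid_holders, "next_gid", "GID", "Group",
                         group, gid, autogid, shared, can_share)


if __name__ == "__main__":
    db = RacfDb()
    db.add_user("TOM", uid=1515)
    db.set_next_user("500-9999/1000-3999")                 # slide example 3
    print(db.add_group("USSGRP", autogid=True)[1])
    print(db.add_user("CAROL", autouid=True)[1])
    print(db.add_user("CAROL2", uid=1515)[1])              # in use by TOM
    print(db.add_user("KNGKONG", uid=0, shared=True, can_share=True)[1])
    db.set_next_user("/500-1000")                          # slide example 5
    print(db.next_uid, db.next_gid)
```

Run it to see the cursor move after each automatic assignment and the explicit UID(1515) being refused; the RRSF advice on a later slide (non-overlapping ranges per node) follows directly from the fact that each node advances its own cursor.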
SHARED.IDS Considerations
• Auditing options on the UNIXPRIV class SHARED.IDS profile
– AUDIT(FAILURES(READ)) logs an attempt by a non-SPECIAL administrator to explicitly assign a UID/GID that is already in use
• CLISTs and REXX execs
– Creating a new UID/GID will require modifications to add the SHARED parameter where a shared value is intended
– Modifying an existing UID/GID may or may not require modifications
Other Considerations
• Common command exit (IRREVX01)
– The post-processing exit will see the generated UID/GID
• RRSF environments
– Use non-overlapping ranges on each node in the APPLDATA of the BPX.NEXT.USER profile in the FACILITY class
– Use ONLYAT when defining the ranges
– All nodes must have the UNIXPRIV class SHARED.IDS profile defined
– Automatically generated UID/GID values are propagated explicitly, as created
– The AUTOUID keyword is not included in the propagated command
Automatic Assignment of UIDs and GIDs
• Problem: It is not practical to assign a unique UID or
unique GID for a large number of users defined
without OMVS segments who need access to z/OS
UNIX services, such as FTP.
• Solution: With z/OS V1R11, you can assign a unique
UID for each user and a unique GID for each group
that needs access to z/OS UNIX functions and
resources.
Note: This option replaces BPX.DEFAULT.USER, support for which was removed in z/OS V2R1.
Requirements for Automatic Unique IDs
1. The RACF database is enabled for application identity mapping (AIM) stage 3
2. The UNIXPRIV class profile SHARED.IDS is defined, and the UNIXPRIV class is active and RACLISTed
3. The FACILITY class profile BPX.NEXT.USER is defined and its APPLDATA field has valid ID values or ranges
4. The FACILITY class profile BPX.UNIQUE.USER is defined
5. No OMVS segment is defined in the user or group profile
Automatic Assignment of UIDs and GIDs
• The UID is assigned from the BPX.NEXT.USER profile for any user who does not have an OMVS segment, the first time that user needs z/OS UNIX services; RACF adds the OMVS segment to the user profile
• The GID is assigned from the BPX.NEXT.USER profile for any user whose default group does not have an OMVS segment; RACF adds the OMVS segment to the group profile
Defining the Model Profile
• Define the model profile (optional)
ADDUSER UNXMODEL NAME('UNIX Model User Profile') OMVS(HOME('/tmp') PROGRAM('/bin/sh')) NOPASSWORD RESTRICTED
• Define the BPX.UNIQUE.USER profile
RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('UNXMODEL')
• Refresh the FACILITY class
SETROPTS RACLIST(FACILITY) REFRESH
&RACUID in BPX.UNIQUE.USER
• Define the model profile
ADDUSER UNXMODEL NAME('UNIX Model User') OMVS(HOME('/u/&racuid') PROGRAM('/bin/sh')) NOPASSWORD RESTRICTED
• Define the BPX.UNIQUE.USER profile
RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('UNXMODEL')
• Refresh the FACILITY class
SETROPTS RACLIST(FACILITY) REFRESH
Enhanced in z/OS 2.1: &racuid in the model's HOME value is replaced with the user ID of the user receiving the automatic OMVS segment, so each user gets a home directory of /u/userid instead of all of them sharing /tmp.
Protecting UNIX Directories and Files
DATASET Class Profiles
• The OMVS started task needs:
– UPDATE access to the data sets that contain UNIX file systems
or
– the OMVS task is defined as TRUSTED (as in the STARTED class profile shown earlier)
ADDSD 'OMVS.**' UA(NONE) OW(DATASETS)
PE 'OMVS.**' ID(OMVSKERN) AC(UPDATE)
(Diagram: zFS data sets OMVS.ROOT.HFS, OMVS.CAROL.HFS and OMVS.BILLYB.HFS holding the root and user file systems.)
UNIX File Systems
• UNIX file systems are mounted:
– HFS - Hierarchical file system
– zFS - zSeries file system
– TFS - temporary (or toy) file system
– DFS - distributed file system
– NFS - network file system
(Diagram: an HFS data set holds the root file system, a tree of directories D1 to D4 and files F.)
UNIX File System
(Diagram: the mounted file system as one tree of directories and files rooted at /.)
Protecting z/OS UNIX Files
• RACF profiles are not used for file protection
• RACF interfaces with UNIX for the access checks
• File Security Packets (FSPs) are stored with the file
• Access is controlled by permission bits for:
– OWNER - owning UID
– GROUP - owning GID
– OTHER - all other UIDs/GIDs
• 3 levels of authority - READ, WRITE and EXECUTE
File Security Packet (FSP)
(Diagram of the FSP showing which command changes each field and who may use it:
– File owner UID and owner group GID: chown/chgrp; a superuser, or the owner if UNIXPRIV CHOWN.UNRESTRICTED is defined
– Set-UID, set-GID, sticky and permission bits (file mode): chmod; owner or superuser
– Owner auditing options: chaudit; owner or superuser
– RACF AUDITOR auditing options: chaudit; auditor
– Extended attributes p, a, s: extattr; superuser. In addition, setting a requires READ access to BPX.FILEATTR.APF and setting p requires READ access to BPX.FILEATTR.PROGCTL in the FACILITY class, so UID 0 alone is not enough.)
Using Groups to Access Files
• RACF list-of-groups checking is honored
• Groups other than a user's current connect group are referred to as supplemental groups
• Supplemental groups should have an OMVS segment with a GID; a group without a GID is not part of the USP and cannot match a file's group
• A user's supplemental groups are the first 300 groups the user is connected to
Levels of Access
ACCESS       READ                        WRITE                                 EXECUTE or SEARCH
Symbol       r                           w                                     x
Octal        4                           2                                     1
Files        Read or print the contents  Change, add to, or delete from the    Permission to run the file
             of the file                 contents of the file                  (applies to executable files)
Directories  Read but not search the     Change, add to, or delete directory   Search the directory
             directory                   entries
Reading File Permissions
Symbolic notation     r w x   r w x   r w x
Octal weights         4 2 1   4 2 1   4 2 1
Octal notation          7       7       7
                      owner   group   other
Each triple is summed: rwx = 4+2+1 = 7, r-x = 5, rw- = 6, r-- = 4.
File Permission Examples
-rwxrwxrwx = 777
A file anyone can read, write and execute
-rw-r--r-- = 644
A file the owner can read and write, and anyone else can read
-rwx--x--- = 710
A file the owner can read, write and execute, and the group can execute (but not read)
-rwxrw-rw- = 766
A file the owner can read, write and execute, and anyone else can read and write (change the contents; deleting the file needs write access to the directory, not the file)
-rwxr-xr-x = 755
A file the owner can read, write and execute, and anyone can read and execute
File Authorization Checking
(Flowchart: file authorization checking.)
Setting Permission Bits
• Setting permission bits is done through UNIX functions
• Three methods:
– Through the ISPF shell (ISHELL)
– The chmod shell command
– The chmod() function in a program
• Who can set the permission bits?
– The file owner
– A superuser with UID(0)
– A user with READ access to the UNIXPRIV class profile SUPERUSER.FILESYS.CHANGEPERMS
Chmod command
The chmod command sets file protection attributes
• Using octal notation:
chmod 755 /u/billyb/file/myfile
– Owner - read, write, execute permissions
– Group - read, execute permissions
– Others - read, execute permissions
• Using symbolic notation:
chmod -R g+x /u/billyb
– adds group execute permission to the directory /u/billyb and to everything below it (on a directory, x means search); g+X instead adds it only to directories and to files that already have an execute bit
chmod Command Examples
-rwxr-xr-x = 755
A file the owner can read, write and execute, and anyone can read and execute
chmod 755 /u/joe/filea
-rw-r--r-- = 644
A file the owner can read and write, and anyone can read
chmod 644 /u/joe/fileb
-rwxr-x--- = 750
A file the owner can read, write and execute, and the group can read and execute; others get nothing
chmod 750 /u/joe/filec
Displaying File Permissions
Output of the ls command
(Diagram: in ls -l output the first character is the file type, the next nine characters are the permissions, followed by the owning user, the owning group and the file name.)
When a New File is Created . . .
(Diagram: JSMITH creates filea in dirx.
USP for JSMITH: UID 307, effective UID 307, GID 1078, effective GID 1078, supplemental groups 1234, 4567, 9876.
FSP for dirx: owner UID 55, owner GID 4567, permissions rwx r-x r-x.
FSP for filea: owner UID 307, the creator's effective UID; owner GID 4567, the parent directory's group, by default, or the creator's effective GID 1078 if UNIXPRIV FILE.GROUPOWNER.SETGID is defined and dirx does not have the set-GID bit on; permissions are the creating program's defaults masked by umask, as the next two slides show.)
Default File Permissions
Process           Default Permissions
mkdir             rwx rwx rwx
MKDIR (TSO)       rwx r-x r-x
OEDIT             rwx rwx rwx
vi editor         rw- rw- rw-
ed editor         rw- rw- rw-
Redirection (>)   rw- rw- rw-
cp                output = input
OCOPY             --- --- ---
OPUT/OPUTX        rw- --- ---
OPUT/OPUTX        rwx --- ---
(These are the permissions the program proposes; the umask on the next slide is then applied.)
UMASK
• Used to modify a file's initial access permissions: bits set in the umask are removed from the permissions the creating process would otherwise assign
• A default umask can be specified
• For a user or process, set the umask manually or as part of the login script (if nothing sets it, the umask is 000, so nothing is removed and rwx stays rwx)
• Examples:
– umask a=rx (allow only read and execute for all; the same as umask 222)
– umask 027 (disallow write for group and all access for other)
– umask (display the current setting)
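The permission arithmetic of the Reading File Permissions, File Permission Examples, chmod and umask slides, as one added Python example that is not code from the slides. The DEFAULT_PERMS table is transcribed from the Default File Permissions slide; the function names are this example's own. It converts between symbolic and octal modes (including the s and t bits), parses both the octal and the symbolic umask forms shown above, and applies a umask to each program's proposed permissions.

```python
"""Permission bits and umask arithmetic as used on the preceding slides.

Added illustration, not code from the slides. DEFAULT_PERMS is copied from
the "Default File Permissions" slide; the rest is the POSIX arithmetic that
z/OS UNIX applies.
"""
import re

PERM_WEIGHT = {"r": 4, "w": 2, "x": 1}
CLASS_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}

# Permissions a program proposes before the umask is applied (from the slide).
DEFAULT_PERMS = {
    "mkdir": 0o777,
    "MKDIR (TSO)": 0o755,
    "OEDIT": 0o777,
    "vi editor": 0o666,
    "ed editor": 0o666,
    "redirection (>)": 0o666,
    "OCOPY": 0o000,
    "OPUT/OPUTX": 0o600,
}


def mode_to_octal(text):
    """'-rwxr-x---' or 'rwxr-x---' -> 0o750; s/S and t/T set the 4000/2000/1000 bits."""
    bits = text[-9:]
    if len(bits) != 9:
        raise ValueError(f"need nine permission characters: {text!r}")
    mode = 0
    for i, ch in enumerate(bits):
        weight = 1 << (8 - i)            # 0o400 for owner r down to 0o001 for other x
        if ch in "rwx":
            mode |= weight
        elif ch in "sStT":
            if ch.islower():             # lower case: the x bit is on as well
                mode |= weight
            mode |= {3: 0o4000, 6: 0o2000, 9: 0o1000}[i + 1]
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r}")
    return mode


def octal_to_mode(mode):
    """0o640 -> 'rw-r-----' (the nine permission bits only)."""
    return "".join(letter if mode & (1 << (8 - i)) else "-"
                   for i, letter in enumerate("rwxrwxrwx"))


def parse_umask(text, current=0):
    """'027' -> 0o027; symbolic 'a=rx' -> 0o222.

    The symbolic form names the permissions to ALLOW (the complement of the
    mask): '=' replaces the allowed set for the named classes, '+' adds to it
    and '-' removes from it, starting from the current mask.
    """
    text = text.strip()
    if re.fullmatch(r"[0-7]{1,4}", text):
        return int(text, 8) & 0o777
    allowed = 0o777 & ~current
    for clause in text.split(","):
        m = re.fullmatch(r"([ugoa]*)([=+-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"bad umask clause: {clause!r}")
        scope = 0
        for who in (m.group(1) or "a"):
            scope |= CLASS_MASK[who]
        perm = 0
        for p in m.group(3):
            perm |= PERM_WEIGHT[p]
        bits = (perm * 0o111) & scope     # replicate the rwx triple into u, g, o; keep scope
        if m.group(2) == "=":
            allowed = (allowed & ~scope) | bits
        elif m.group(2) == "+":
            allowed |= bits
        else:
            allowed &= ~bits
    return 0o777 & ~allowed


def apply_umask(proposed, umask):
    """Bits set in the umask are removed from what the program proposed."""
    return proposed & ~umask & 0o777


def effective_defaults(umask):
    """The default-permission table after a given umask, in symbolic form."""
    return {prog: octal_to_mode(apply_umask(mode, umask))
            for prog, mode in DEFAULT_PERMS.items()}


if __name__ == "__main__":
    mask = parse_umask("027")
    for prog, perms in effective_defaults(mask).items():
        print(f"{prog:16} {perms}")
```

With umask 027 the table on the previous slide becomes rwxr-x--- for mkdir and OEDIT and rw-r----- for vi, ed and redirection, which is why a login-script umask is the simplest way to stop editors from creating world-writable files.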
Changing the File Owner
• Changing the file owner (UID) or group (GID):
– chown is used to change the file owner UID
– chown or chgrp is used to change the file owner GID
chown bobysue /u/billyb/file/myfile
chown bobysue:groupa /u/billyb/file/myfile
• Who can change the file ownership and group?
– The file owner, if CHOWN.UNRESTRICTED is defined in the UNIXPRIV class
– A superuser, either through UID(0) or READ access to SUPERUSER.FILESYS.CHOWN in the UNIXPRIV class
Relevant UNIXPRIV Class Profiles
Resource Name – Access Given
CHOWN.UNRESTRICTED – Allows users to use the chown command to transfer ownership of their own files
FILE.GROUPOWNER.SETGID – Controls the default group owner of a new HFS file: when defined, a new file takes the parent directory's group only if the directory's set-GID bit is on, otherwise the creator's effective GID
RESTRICTED.FILESYS.ACCESS – RESTRICTED users cannot use the 'other' bits
SHARED.IDS – Allows users to assign UID and GID values that are not unique
Access Control Lists (ACLs)
And then it all changed: ACLs were first available in z/OS 1.3
Access Control Lists (ACLs)
What is an ACL?
• Base ACLs
• Extended ACLs
• Access ACLs
• File default ACLs
• Directory default ACLs
Access Control Lists (ACLs)
• Access control lists are enabled with
SETROPTS CLASSACT(FSSEC)
• ACLs are created, modified, and deleted with the setfacl UNIX command
– Must be UID(0), the file owner, or have READ access to SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV resource class
• ACLs are displayed with the getfacl UNIX command
• ACLs are checked by RACF and not by the file system or kernel
Types of ACL Entries
• Base ACL entries – aka permission bits
– These are the permission bits (owner, group, other)
– Can be changed using chmod or setfacl
– Not part of the ACL, although they can be managed and displayed using setfacl and getfacl
• Extended ACL entries – entries for individual users or groups
– Stored with the file, like the FSP
– Each extended ACL can contain up to 1024 entries
– Standard access levels can be granted: read, write and execute
– setfacl can specify the access using names or numeric UIDs/GIDs
ACL Entries
• An entry consists of a type (user or group), an identifier (UID or GID) and permissions (read, write and execute)
(Diagram: the base ACL is the FSP itself: owner UID, owner group GID, file mode with the set-UID, set-GID, sticky and r w x bits for owner, group and other, auditing options and extended attributes. The extended ACL stored with it holds entries UID1 rwx through UIDn rwx and GID1 rwx through GIDn rwx.)
Activating ACLs
• The FSSEC class must be active to allow access authorizations via ACLs
• ACLs can be defined before the FSSEC is activated
• Standard access checking is done if the FSSEC class is inactive and ACLs are defined
• You can still display ACL information if the FSSEC class is inactive
Working With ACLs
• Example: permit user TSGMW and group #TECH read and write access to the file /etc/inetd.conf
• The -m option modifies ACL entries, or adds them if they don't exist
• Each ACL entry is coded as three qualifiers separated by colons:
– type: user or group
– user ID or group ID
– permission bits
setfacl -m user:tsgmw:rw-,group:#tech:rw- /etc/inetd.conf
Displaying ACLs
• Example: display the ACL for the file /etc/inetd.conf
getfacl /etc/inetd.conf
#file: /etc/inetd.conf
#owner: BPXROOT
#group: OMVSGRP
user::rwx
group::r--
other::r--
user:TSGMW:rw-
group:#TECH:rw-
Changing the Base ACLs
• Grant the same access as before, but set the base permission bits so that nobody other than the file owner gets access through them
• The -s option replaces the contents of the ACL with what is specified on the command; the base permissions (user::, group::, other::) must be specified
setfacl -s user::rwx,group::---,other::---,user:tsgmw:rw-,group:#tech:rw- /etc/inetd.conf
Deleting ACLs
• Delete a previously defined extended ACL
• The base permission bits remain in place
• The -x option deletes a specific ACL entry
setfacl -x user:tsgmw /etc/inetd.conf
• The -D option deletes an entire section of an ACL:
– a = access ACL
– d = directory default ACL
– f = file default ACL
setfacl -D a /etc/inetd.conf
• Remember: deleting an object deletes its security; the FSP and ACL are stored with the object and go away with it
Limiting Superuser Access to ACLs
• Access granted through the UNIXPRIV profile SUPERUSER.FILESYS would otherwise override an ACL entry that denies access
• Defining SUPERUSER.FILESYS.ACLOVERRIDE in the UNIXPRIV resource class limits SUPERUSER.FILESYS: when an ACL entry denies access, RACF checks the user's access to SUPERUSER.FILESYS.ACLOVERRIDE instead of SUPERUSER.FILESYS
• The override profile is only checked if an ACL entry (user or group) denies file access; a denial by the permission bits alone still falls through to SUPERUSER.FILESYS
File Access Flow With ACLs
(Flowchart: file access checking with ACLs.)
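An added Python model of the file access flow the slides describe: UID 0 passes, then the owner bits, then an ACL user entry (when FSSEC is active), then the union of the owning-group bits and every matching ACL group entry, then the other bits, and finally the UNIXPRIV fall-back, with SUPERUSER.FILESYS.ACLOVERRIDE consulted instead of SUPERUSER.FILESYS when the denial came from an ACL entry. This is not RACF code. The step order, the RESTRICTED.FILESYS.ACCESS handling and the rule that SUPERUSER.FILESYS never grants execute are this example's reading of the RACF documentation, and all users, files and permits in it are constructed.

```python
"""Model of the z/OS UNIX file access check with permission bits, ACLs and the
UNIXPRIV fall-back, following the order the preceding slides describe.

Added illustration, not RACF code: the users, files and permits are constructed.
"""
from dataclasses import dataclass, field

READ, WRITE, EXEC = 4, 2, 1
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Usp:
    """User Security Packet: the identity a request is made with."""
    name: str
    uid: int
    gid: int
    supplemental: frozenset = frozenset()
    restricted: bool = False


@dataclass
class Fsp:
    """File Security Packet plus the access ACL stored with the object."""
    owner_uid: int
    owner_gid: int
    mode: int                                         # nine permission bits, e.g. 0o744
    is_dir: bool = False
    acl_users: dict = field(default_factory=dict)     # UID -> rwx bits
    acl_groups: dict = field(default_factory=dict)    # GID -> rwx bits


@dataclass
class Racf:
    """The RACF settings that take part in the decision."""
    fssec_active: bool = True
    unixpriv: dict = field(default_factory=dict)      # profile -> {user: access level}
    restricted_filesys_access: bool = False           # RESTRICTED.FILESYS.ACCESS defined

    def defined(self, profile):
        return profile in self.unixpriv

    def has(self, profile, user, level):
        """True when the profile exists and the user holds at least that access level."""
        if profile not in self.unixpriv:
            return False
        return LEVELS[self.unixpriv[profile].get(user, "NONE")] >= LEVELS[level]


def check_access(usp, fsp, want, racf):
    """Decide one requested permission bit (READ, WRITE or EXEC) on one object."""
    if usp.uid == 0:
        return True, "superuser (UID 0) passes all z/OS UNIX file checks"

    denied_by_acl = False
    if usp.uid == fsp.owner_uid:
        # The owner is judged by the owner bits alone; ACL user entries are not consulted.
        bits, source = (fsp.mode >> 6) & 7, "owner bits"
    elif racf.fssec_active and usp.uid in fsp.acl_users:
        bits, source = fsp.acl_users[usp.uid], "ACL user entry"
        denied_by_acl = True
    else:
        groups = {usp.gid} | set(usp.supplemental)
        bits, matched, source = 0, False, "group bits"
        if fsp.owner_gid in groups:
            bits |= (fsp.mode >> 3) & 7
            matched = True
        if racf.fssec_active:
            for gid in groups & set(fsp.acl_groups):
                bits |= fsp.acl_groups[gid]          # matching group permissions are ORed
                matched, denied_by_acl = True, True
                source = "group bits and ACL group entries"
        if not matched:
            if (usp.restricted and racf.restricted_filesys_access
                    and not racf.has("RESTRICTED.FILESYS.ACCESS", usp.name, "READ")):
                bits, source = 0, "other bits (not used for a RESTRICTED user)"
            else:
                bits, source = fsp.mode & 7, "other bits"
    if bits & want:
        return True, f"allowed by {source}"

    # Denied by the object's own security: try the UNIXPRIV superuser authorities.
    if want == EXEC:
        return False, f"denied by {source}; SUPERUSER.FILESYS does not grant execute"
    level = "READ" if want == READ else ("CONTROL" if fsp.is_dir else "UPDATE")
    profile = "SUPERUSER.FILESYS"
    if denied_by_acl and racf.defined("SUPERUSER.FILESYS.ACLOVERRIDE"):
        profile = "SUPERUSER.FILESYS.ACLOVERRIDE"   # ACL denials are governed by this profile
    if racf.has(profile, usp.name, level):
        return True, f"denied by {source}, allowed by {level} access to {profile}"
    return False, f"denied by {source}; no {level} access to {profile}"


if __name__ == "__main__":
    # /etc/inetd.conf after the setfacl -m example: base rwx r-- r--, TSGMW and #TECH rw-
    inetd = Fsp(owner_uid=0, owner_gid=1, mode=0o744,
                acl_users={500: READ | WRITE}, acl_groups={900: READ | WRITE})
    for who in (Usp("TSGMW", 500, 200), Usp("ALICE", 501, 200, frozenset({900})),
                Usp("BOB", 502, 200)):
        print(who.name, check_access(who, inetd, WRITE, Racf()))
```

The reason string tells you which step decided the request, which is the question an auditor asks when a user has access nobody permitted explicitly: it is often a SUPERUSER.FILESYS permit, not the file's ACL.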
Default or Model ACLs
• Access ACLs – used to provide resource protection for a file system object
– Explained in the previous visuals
• File default ACLs – used as a model when a file is created within a parent directory. The term used is inheritance
• Directory default ACLs – used as a model when a directory is created under a parent directory. The term used is inheritance
What, more ACLs?
Working with Default ACLs
• Sometimes referred to as Model ACLs
• File default ACLs are copied when a new file is
created
• Directory default ACLs are copied when a new
directory is created
• Acts like umask for ACL’s
• Can be modified after creation of new object
• Example: define a default ACL for the directory named /usr/etc
setfacl -m default:group:admins:r-x,default:group:dirgrp:rwx /usr/etc
Working with Default ACLs
• Display the default ACL for /usr/etc
• The -d option displays only the extended ACL entries in the directory default ACL
getfacl -d /usr/etc
#file: /usr/etc
#owner: TSGMW
#group: SYS1
Default:group:admins:r-x
Default:group:dirgrp:rwx
Some Useful TSO/E Commands
Some Useful UNIX Commands
Security for Daemons and Servers
UNIX Level Security for Daemons
(Flow diagram, UNIX level: the cron daemon OMVSCRON runs as UID 0. To run pgm1 for Mary (UID 39) it forks a clone of itself, which issues setuid(39). The only check is "is the caller a superuser?": if not, the call fails; if so, the process becomes Mary (UID 39), execs pgm1 and can read, write and print Mary's data.)
z/OS UNIX Level Security for Daemons
(Flow diagram, z/OS UNIX level: the same setuid(39) by the clone of OMVSCRON (UID 0) must pass three checks: is the caller a superuser; is its address space a clean environment, meaning only program-controlled modules have been loaded; and is its user ID authorized to BPX.DAEMON in the FACILITY class. If any check fails the call fails; otherwise the process becomes Mary (UID 39), execs pgm1 and works with Mary's data.)
BPX.DAEMON Profile
RDEF FACILITY BPX.DAEMON OW(SECADM) UA(NONE)
PE BPX.DAEMON CL(FACILITY) ID(OMVSCRON) AC(READ)
Allows the daemon user ID OMVSCRON to issue the setuid() and seteuid() functions to change its identity and perform an action on behalf of another user. All programs loaded in the daemon's address space must be RACF program controlled; loading one that is not marks the address space dirty and the identity change fails.
Enable a program to change its security identity
Server Overview
92
PGMA
Main
UID=0 Data
Server Address Space
pthread_create( )
pthread_create( )
pthread_create( )
PGMA Thread1
PGMA Thread2
PGMA Thread3
Tom UID=17
Fred UID=34
Dave UID=46
User = ANYSERV
UID = 0
UNIX Level Security for Servers
Figure (flowchart): the server calls pthread_security_np() so that PGMA Thread1 runs with Tom's identity (UID 17) instead of the server's UID 0 while Thread2 and Thread3 serve Fred (UID 34) and Dave (UID 46). At the UNIX level the only check is "Superuser?": a server that is not UID 0 fails the call.
z/OS UNIX Level Security for Servers
Figure (flowchart): with the BPX.SERVER FACILITY profile defined, the server no longer needs to be a superuser (ANYSERV runs with UID 99 here). Before pthread_security_np() assigns Tom (UID 17) to PGMA Thread1, two checks must pass: Clean environment? (only program-controlled modules loaded) and Authorized to BPX.SERVER? A "No" on either fails the request.
BPX.SERVER Profile
RDEF FACILITY BPX.SERVER OW(SECADM) UA(NONE)
PE BPX.SERVER CL(FACILITY) ID(ANYSERV) AC(UPD)
Allows a "server" task running as userid ANYSERV to change the security environment of a thread (program) executing under the server. With READ access the server must present the client's password or PassTicket when it switches a thread's identity; with UPDATE access it acts as a surrogate for the client and needs no credential at all, so UPDATE should be granted only to servers that authenticate clients themselves. All programs in the address space must be RACF program controlled.
Enable Server to change a thread's security identity
BPX.SRV.client-id Profile
RDEF SURROGAT BPX.SRV.CLIENT OW(SECADM) UA(NONE)
PE BPX.SRV.CLIENT CL(SURROGAT) ID(ANYSERV) AC(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
Allows server ANYSERV, holding only READ access to BPX.SERVER, to change a thread's security identity to user CLIENT without providing a password or PassTicket for CLIENT. One BPX.SRV.userid profile is needed for each client identity the server may assume this way, which keeps the surrogate authority narrower than UPDATE on BPX.SERVER.
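The two flowcharts and the three profiles above combine into a small decision matrix that is easy to get wrong when reviewing a daemon or server setup. The following is an added example, not code from the Vanguard deck or from IBM: it encodes the checks as described on the slides for a daemon calling setuid()/seteuid() and for a server calling pthread_security_np(), including the READ-plus-SURROGAT path. The SafPolicy record, the function names and the sample policies are the example's own; the access levels are the RACF values shown on the slides (NONE, READ, UPDATE).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}


@dataclass
class SafPolicy:
    """What is defined in RACF for this model. None for bpx_daemon or
    bpx_server means the FACILITY profile is not defined at all, which
    leaves only the UNIX-level (superuser) check in force."""
    bpx_daemon: Optional[Dict[str, str]] = None   # userid -> access level
    bpx_server: Optional[Dict[str, str]] = None   # userid -> access level
    # (server userid, client userid) pairs holding READ on BPX.SRV.client
    bpx_srv: Set[Tuple[str, str]] = field(default_factory=set)


def level(profile, userid):
    return LEVELS[profile.get(userid, "NONE")]


def daemon_may_setuid(policy, userid, uid, clean):
    """Can a process (userid, uid) change identity with setuid()/seteuid()?
    clean: no uncontrolled program has been loaded into the address space.
    Returns (allowed, reason)."""
    if uid != 0:
        return False, "not superuser"
    if policy.bpx_daemon is None:
        return True, "UNIX level: superuser is enough"
    if not clean:
        return False, "address space not clean (uncontrolled program loaded)"
    if level(policy.bpx_daemon, userid) < LEVELS["READ"]:
        return False, "no READ access to BPX.DAEMON"
    return True, "superuser, clean environment, BPX.DAEMON READ"


def server_may_switch_thread(policy, server, uid, client, clean, has_credential):
    """Can `server` give a thread the identity `client` via pthread_security_np()?
    has_credential: the server presents the client's password or PassTicket."""
    if policy.bpx_server is None:
        ok = uid == 0
        return ok, ("UNIX level: superuser is enough" if ok else "not superuser")
    if not clean:
        return False, "address space not clean (uncontrolled program loaded)"
    lvl = level(policy.bpx_server, server)
    if lvl >= LEVELS["UPDATE"]:
        return True, "BPX.SERVER UPDATE: acts as surrogate, no client credential needed"
    if lvl == LEVELS["READ"]:
        if has_credential:
            return True, "BPX.SERVER READ with client password/PassTicket"
        if (server, client) in policy.bpx_srv:
            return True, "BPX.SERVER READ with SURROGAT BPX.SRV." + client
        return False, "BPX.SERVER READ but no credential and no BPX.SRV." + client
    return False, "no access to BPX.SERVER"


# Constructed policies. SLIDE_POLICY mirrors the RDEF/PE commands on the slides;
# READ_ONLY_SERVER lowers ANYSERV to READ so the surrogate profile matters.
SLIDE_POLICY = SafPolicy(bpx_daemon={"OMVSCRON": "READ"},
                         bpx_server={"ANYSERV": "UPDATE"},
                         bpx_srv={("ANYSERV", "CLIENT")})
READ_ONLY_SERVER = SafPolicy(bpx_daemon={"OMVSCRON": "READ"},
                             bpx_server={"ANYSERV": "READ"},
                             bpx_srv={("ANYSERV", "CLIENT")})
UNIX_LEVEL = SafPolicy()   # neither BPX.DAEMON nor BPX.SERVER defined
```

The asymmetry worth noticing is that defining BPX.DAEMON adds conditions on top of UID 0, whereas defining BPX.SERVER replaces the UID 0 requirement with an access check; a dirty address space fails both, which is why the program-control material that follows matters for any identity-switching code.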
Extended Attributes
Extended Attribute Bits
• Extended attribute bits in the File Security Packet
p - The program is considered program controlled
a - The program runs APF-authorized if linked AC=1
s - The program is enabled to run in a shared address space
l - The program is loaded from the shared library region (set with extattr +l)
• Display the extended attribute bits: ls -E
Figure: File Security Packet layout: file owner UID, file owner group GID, set-UID and set-GID bits, the owner/group/other rwx permission bits, the RACF auditor and file owner audit options, the sticky bit, and the extended attribute bits (p, s, a).
Is Program Control Needed for USS?
• Yes, some environments need it
– Daemons and servers
• Ensure only "trusted" programs are loaded
– Prevent any rogue programs from being executed
– PADS (program access to data sets) is not needed for this
• Two methods
– Sticky bit
– Extended attribute bit (OS/390 V2R4 and later)
• What programs should be trusted (program controlled)?
– CEE.SCEERUN - Language Environment (C) run-time library
– SYS1.LINKLIB - Some system daemons
– SYS1.SEZALINK - Daemons for TCP/IP
– tcpip.SEZALOAD - Daemons for TCP/IP
Program Control via the Sticky Bit
• Program control using the sticky bit
– Improves performance for frequently used programs
– The program is link-edited into an MVS load library; the HFS file is only a stub, and the sticky bit tells z/OS UNIX to locate the module by name through the normal MVS search order (STEPLIB, LPA, linklist) instead of loading the file's contents
– PROGRAM class profiles control who can execute it and make it program controlled
– Issue the chmod command to set the sticky bit in the File Security Packet
Program Control via the Sticky Bit
Figure: Frank (as file owner or superuser) link-edits PGMB into the load library ANY.LOADLIB and sets the sticky bit on the HFS file /u/frank/pgmb.
chmod o+t /u/frank/pgmb
Sets the sticky bit in the FSP to force use of the z/OS search sequence for PGMB
ADDSD 'ANY.LOADLIB' UACC(READ)
RDEF PROGRAM PGMB ADDMEM('ANY.LOADLIB'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
PROGRAM Class Profiles
• Activate program control and ensure that the daemon programs and the Language Environment run-time library are in libraries that are controlled by z/OS
SETROPTS WHEN(PROGRAM)
RDEF PROGRAM ** OW(SECADM) UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK, 'CEE.SCEERUN'//NOPADCHK, 'SYS1.SEZALINK'//NOPADCHK)
Makes all programs in those libraries "program controlled" for daemon authority (refresh with SETROPTS WHEN(PROGRAM) REFRESH after changing PROGRAM profiles). Because every module in a listed library becomes trusted, the data set profiles of those libraries must restrict UPDATE access: anyone who can write to them can plant a program-controlled module.
Program Class Profiles
• Activate program control for individual programs
RDEF PROGRAM PROGB OW(SECADM) UA(READ) ADDMEM('ANY.LOADLIB'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
Makes individual programs "program controlled" for daemon authority
Program Control via Extended Attributes
• The program control extended attribute bit
– Available beginning with OS/390 V2R4
– The program is loaded from the HFS file itself
– Issue the extattr command to set bit "p" in the File Security Packet
Program Control via Extended Attributes
Figure: the program is built either with the c89 compiler (the -Wl option passes options to the link-edit step) or with the batch C compiler and a link-edit, into the HFS file /u/frank/pgmb, whose FSP carries the p, a and s extended attribute bits. Frank, as superuser or with READ access to BPX.FILEATTR.PROGCTL, then sets the bit:
extattr +p /u/frank/pgmb
Using BPX.FILEATTR.PROGCTL Profile
• Allow user FRANK to use the extended attributes in the FSP to identify a program as being program controlled. The extattr command identifies the program by pathname:
extattr +p pathname
RDEF FACILITY BPX.FILEATTR.PROGCTL OW(SECADM) UACC(NONE)
PE BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(FRANK) ACCESS(READ)
APF Authorization for UNIX Programs
• The APF authorized extended attribute bit
– Available beginning with OS/390 V2R4
– The program is loaded from the HFS file itself
– Issue the extattr command to set bit "a" in the File Security Packet
APF Authorization via Extended Attributes
Figure: the program is built with the c89 compiler using -Wl,AC=1, or with the batch C compiler and a link-edit with AC=1, into the HFS file /u/frank/pgma, whose FSP carries the p, a and s bits. Frank, as superuser or with READ access to BPX.FILEATTR.APF, then sets the bit:
extattr +a /u/frank/pgma
Note that AC=1 is only required if the program will be executed as an authorized job step program
Allow an HFS program to run APF authorized
Using the BPX.FILEATTR.APF Profile
• Allow user FRANK to use the extended attributes in the FSP to make a program APF authorized. The extattr command identifies the program by pathname:
extattr +a pathname
RDEF FACILITY BPX.FILEATTR.APF OW(SECADM) UACC(NONE)
PE BPX.FILEATTR.APF CLASS(FACILITY) ID(FRANK) ACCESS(READ)
• A user who can set +a can run code of their own choosing APF-authorized, which is equivalent to full control of the system, so treat READ on this profile like system programmer authority and audit its use.
Shared Library Programs
• The shared library extended attribute bit
– Available beginning with OS/390 V2R4
– Used for sharing large executables across many address spaces
– Use the +l option of the extattr command to set bit "l" (shared library) in the File Security Packet; this is a different bit from "s" (shared address space), which is set with extattr +s
Setting the Shared Library Attribute
Figure: the HFS file /u/frank/pgmb and its FSP with the p, a and s bits; Frank, as superuser or with READ access to BPX.FILEATTR.SHARELIB, sets the attribute:
extattr +l /u/frank/pgmb
The BPX.FILEATTR.SHARELIB Profile
• Allow user FRANK to use the extended attributes in the FSP to mark a program as being shared when loaded. The extattr command identifies the program by pathname:
extattr +l pathname
RDEF FACILITY BPX.FILEATTR.SHARELIB OW(SECADM) UACC(NONE)
PE BPX.FILEATTR.SHARELIB CLASS(FACILITY) ID(FRANK) ACCESS(READ)
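The extended attribute material above says which bits matter (p, a, s, l) and that ls -E displays them; what a reviewer actually needs is a way to sweep a file system for the combinations that undermine program control. The following is an added example, not code from the Vanguard deck: it parses ls -E style output and flags APF-authorized files, trusted (p or a) files that group or other can write, and setuid/setgid programs that are not program controlled. The assumed layout is that z/OS ls -E prints a four-character a p s l attribute field after the mode string and leaves it blank for non-regular files; the sample lines are constructed, and the severity labels are the example's own.

```python
import re

# Constructed sample in ls -E layout (assumed: mode, then a four-character
# "apsl" attribute field with '-' for unset bits, blank for directories).
SAMPLE_LS_E = """\
-rwxr-xr-x  ap--  1 FRANK    SYS1      40960 Nov 17 23:07 pgma
-rwxrwxrwx  -p--  1 FRANK    SYS1      12288 Nov 17 23:07 pgmb
-rwsr-xr-x  ----  1 OMVSKERN SYS1       8192 Nov 17 23:07 helper
-rwxr-xr-x  --sl  1 FRANK    SYS1     204800 Nov 17 23:07 libbig.so
-rw-r--r--  ----  1 FRANK    SYS1       1605 Dec  3 16:38 namesfile
drwxr-xr-x        2 FRANK    SYS1          0 Dec  3 04:25 files
"""

LINE = re.compile(
    r"^(?P<mode>[-dlpcbs][rwxsStT-]{9})\s+"
    r"(?:(?P<ext>[a-][p-][s-][l-])\s+)?"          # absent for non-regular files
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3}\s+\d+\s+[\d:]+)\s+(?P<name>.+)$")


def parse_ls_e(text):
    """One dict per listing line; ext is normalised to four characters."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ext"] = row["ext"] or "----"
        rows.append(row)
    return rows


def findings(rows):
    """Return (name, severity, reason) triples for risky attribute/mode mixes."""
    out = []
    for r in rows:
        mode, ext, name = r["mode"], r["ext"], r["name"]
        if mode[0] != "-":
            continue                                  # only regular files carry these bits
        apf, progctl = ext[0] == "a", ext[1] == "p"
        setid = mode[3] in "sS" or mode[6] in "sS"    # set-UID / set-GID
        writable_by_others = mode[5] == "w" or mode[8] == "w"
        if apf:
            out.append((name, "info",
                        "APF-authorized HFS program: inventory it and review who holds BPX.FILEATTR.APF"))
        if (apf or progctl) and writable_by_others:
            out.append((name, "high",
                        "trusted (a/p) program writable by group or other: its contents can be replaced"))
        if setid and not progctl:
            out.append((name, "medium",
                        "setuid/setgid program without p: loading it dirties a BPX.DAEMON/BPX.SERVER address space"))
    return out
```

Feed it the output of ls -E over the directories your daemons and servers load from; the "high" entries are the ones to fix first, since a writable trusted binary lets anyone in that group (or everyone, for other) substitute code that the daemon will then load as program controlled.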
FACILITY Class Profiles
Catch All BPX.** Profile
• This is a general catch-all profile and ensures that whenever IBM® creates more BPX profiles they will be covered.
• Set up this profile with UACC(NONE) and no entries in the access list.
RDEF FACILITY BPX.** OWNER(SECADM) UACC(NONE)
• Do this after setting up the more specific BPX profiles, so that each feature is controlled explicitly by its own profile and the generic only catches what has not been addressed. Generic profile checking must be active for the FACILITY class for the ** profile to be honored, and the class must be refreshed if it is RACLISTed.
• Check first which BPX profiles z/OS UNIX treats as switches by their existence rather than by access level; BPX.SAFFASTPATH is the best-known one, and a profile that covers it turns on SAF fastpath, which bypasses the security product for successful file accesses and so suppresses their audit records.
Covers any new BPX profile created by IBM
Auditing z/OS UNIX Security Events
What is Always Audited
• Failed mounts and unmounts are always audited (BPXF031I messages)
• When a user not defined as a z/OS UNIX user tries to dub a process
What Can Optionally Be Audited
• HFS files and directories protected with permission bits (access failures produce ICH408I messages)
• HFS files and directories have audit options for the file owner and for the auditor; they are set with chaudit, not with RALTER or ALTDSD
• Superuser activity, through UNIXPRIV class profiles
• All changes to the File Security Packet and to Access Control Lists (ACLs)
• All activities of a user, via the UAUDIT attribute
File Security Packet
Figure: File Security Packet layout for auditing: file owner UID, file owner group GID, set-UID and set-GID bits, the file mode (owner/group/other rwx permission bits) and sticky bit, the extended attribute bits (p, a, s), and two sets of auditing options, one set by the file owner or a superuser and one set by a RACF auditor, both changed with chaudit.
UNIX Commands to Implement Auditing
Audit flags are kept per access type (r w x). Legend: f = failures, s = successes, a = all (failures and successes), _ = none. Defaults: owner options f f f, auditor options _ _ _.

File owner sets auditing (owner options, applied cumulatively):
                                 owner r w x    auditor r w x
  default                        f f f          _ _ _
  chaudit w+s file1              f a f          _ _ _
  chaudit rwx=sf file1           a a a          _ _ _
  chaudit r-s,x-f file1          f a s          _ _ _

RACF AUDITOR sets auditing (-a, auditor options, applied cumulatively; owner options left at their default):
                                 owner r w x    auditor r w x
  default                        f f f          _ _ _
  chaudit -a r+f,w+sf,x+f file1  f f f          f a f
  chaudit -a r-f,x-f file1       f f f          _ a _
  chaudit -a rwx=f file1         f f f          f f f
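The table above is easiest to trust once the +, - and = operators are written down as set operations on the two option sets. The following is an added example, not code from the Vanguard deck: it replays chaudit-style mode strings against an in-memory copy of a file's audit options and renders the owner and auditor columns exactly as the table does. The mode syntax it accepts (r, w, x with +, - or = and the letters f, s and a, where a stands for both) and the function names are the example's own; the state is a dict, not a real file.

```python
import re

FLAG_SETS = {"f": {"f"}, "s": {"s"}, "a": {"f", "s"}}


def default_audit_state():
    """z/OS defaults: the file owner options audit failures of r, w and x;
    the RACF auditor options audit nothing until an auditor sets them."""
    return {"owner": {"r": {"f"}, "w": {"f"}, "x": {"f"}},
            "auditor": {"r": set(), "w": set(), "x": set()}}


def apply_chaudit(state, mode, auditor=False):
    """Apply a mode string such as 'w+s', 'rwx=sf' or 'r-s,x-f'.
    auditor=True corresponds to the -a option (RACF AUDITOR options)."""
    target = "auditor" if auditor else "owner"
    flags = {k: set(v) for k, v in state[target].items()}
    for clause in mode.split(","):
        m = re.fullmatch(r"([rwx]+)([+=-])([fsa]*)", clause)
        if not m:
            raise ValueError("bad chaudit clause: %r" % clause)
        who, op, what = m.groups()
        wanted = set()
        for letter in what:
            wanted |= FLAG_SETS[letter]
        for access in who:
            if op == "+":
                flags[access] |= wanted
            elif op == "-":
                flags[access] -= wanted
            else:                                   # '=' replaces the setting
                flags[access] = set(wanted)
    new_state = dict(state)
    new_state[target] = flags
    return new_state


def render(flags):
    """Render one option set the way the table does: 'f a s' or '_ _ _'."""
    out = []
    for access in "rwx":
        f = flags[access]
        out.append("a" if f == {"f", "s"} else "f" if f == {"f"} else "s" if f == {"s"} else "_")
    return " ".join(out)


def walk(commands):
    """Replay (mode, is_auditor) pairs from the defaults; return one row per
    step as (label, owner column, auditor column)."""
    state = default_audit_state()
    rows = [("default", render(state["owner"]), render(state["auditor"]))]
    for mode, is_auditor in commands:
        state = apply_chaudit(state, mode, auditor=is_auditor)
        label = ("chaudit -a " if is_auditor else "chaudit ") + mode + " file1"
        rows.append((label, render(state["owner"]), render(state["auditor"])))
    return rows
```

Two things the replay makes visible that the table only implies: a minus that names a flag which is not set is a no-op rather than an error, and = with no letters clears the setting entirely, which is the quiet way to switch auditing off on a file.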
Auditing the Superuser
• Only through RACF UNIXPRIV class profiles
– Audit SUCCESSes, except for SHARED.IDS
RALT UNIXPRIV ** AUDIT(SUCCESS(READ))
• SHARED.IDS creates audit records for FAILURES
– Use the default of FAILURES(READ)
• The RACF UAUDIT attribute can be used
Caution: auditing successful superuser activity could cause excessive SMF records
Classes for z/OS UNIX Auditing
• Classes for UNIX auditing: DIRSRCH, DIRACC, FSOBJ, FSSEC, PROCESS, PROCACT, IPCOBJ
• CLASSACT and NOCLASSACT have no effect on the classes above, except that FSSEC must be active for ACLs to be used
• No profiles can be defined in these classes; they exist only to carry the LOGOPTIONS and AUDIT settings
RACF Classes for Auditing USS
Directory events
  DIRSRCH   directory searches
  DIRACC    read/write accesses to directories
File system events
  FSOBJ     access checks for files and directories
  FSSEC     changes to security data - FSP and ACL
Processes
  IPCOBJ    auditing of InterProcess Communication (IPC) access
  PROCESS   changes to process UIDs and GIDs
  PROCACT   functions that look at data from other processes or affect other processes
RACF Commands to Implement Auditing
• Create SMF records based on attempts to perform the specific request
– DIRSRCH: Directory searches
– DIRACC: Access checks for read/write accesses to directories
SETROPTS LOGOPTIONS(FAILURES(DIRSRCH, DIRACC))
RACF Commands to Implement Auditing
• Create SMF records based on file system objects and on file permission and ACL changes
– FSOBJ: Successful creation and deletion of file system objects
– FSSEC: Successful changes to the FSP and ACL file permissions
SETROPTS AUDIT(FSOBJ FSSEC)
• Create SMF records for dubbing, undubbing and server registration of processes, for the PROCESS class
– PROCESS: Successful dubbing and undubbing of z/OS UNIX processes
SETROPTS AUDIT(PROCESS)
Caution: auditing PROCESS successes could cause excessive SMF records
SMF Records as a Result of Auditing
• Type 80 SMF records
• RACF Report Writer output is limited
• Need IRRADU00 to gather all auditing data for reporting
• SYS1.SAMPLIB contains examples of how to use DB2 with IRRADU00 output
• ICETOOL
• User-written programs
• Vendor-supplied products - Vanguard Advisor™
Interpreting USS Related Messages
Interpreting ICH408I Messages
User Attempted to Open a File
ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/tom/myfile
CL(FSOBJ ) FID(01D6E2F3F9C8F7000204000028060000)
INSUFFICIENT AUTHORITY TO OPEN
ACCESS INTENT(RW-) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)
• Attempt to open the file for READ and WRITE (ACCESS INTENT(RW-))
• The userid does not "own" the file /u/tom/myfile
• The user's group does not "own" the file /u/tom/myfile
• So the "other" permission bits apply, and "other" public access is none (ACCESS ALLOWED(OTHER ---))
Interpreting ICH408I Messages
User Attempted to Open a File
ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/bill/files/data
CL(DIRSRCH ) FID(01E9C4E2E8E2F2000213000004F50000)
INSUFFICIENT AUTHORITY TO STAT
ACCESS INTENT(--X) ACCESS ALLOWED(GROUP ---)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)
• Attempt to open the file /u/bill/files/data
• The failing check is CL(DIRSRCH): the user's group does not have search (x) authority to a directory in the file path, so the path lookup (STAT) fails before the file's own permission bits are ever examined
Interpreting ICH408I Messages
User Attempted to Create a Directory
ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/frank
CL(FSOBJ ) FID(01C8C6E2E4E2F1000204000000000003)
INSUFFICIENT AUTHORITY TO MKDIR
ACCESS INTENT(-W-) ACCESS ALLOWED(OTHER --X)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)
• Attempt to create a directory, which requires WRITE access to the parent directory '/u'
• The userid does not "own" the /u directory
• The user's group does not "own" the /u directory
• "Other" public access is search only (ACCESS ALLOWED(OTHER --X)), so the write permission that MKDIR needs is missing
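Reading ICH408I messages by hand works for three examples; a triage script is what you want when a daemon starts producing hundreds of them. The following is an added example, not code from the Vanguard deck: it splits a SYSLOG-style extract into ICH408I messages, pulls out the user, resource, class, failed operation, access intent versus access allowed and the effective IDs, derives which permission bits were missing, and produces the same one-line reading the bullets above give. The sample input reuses the three messages shown on the slides in a constructed multi-line layout; the field names and the explain() wording are the example's own.

```python
import re

# Constructed sample: the three slide messages as a SYSLOG extract, with the
# continuation lines indented under the ICH408I line.
SAMPLE_SYSLOG = """\
ICH408I USER(CAROL   ) GROUP(GROUPA  ) NAME(CAROL JONES         )
  /u/tom/myfile
  CL(FSOBJ   ) FID(01D6E2F3F9C8F7000204000028060000)
  INSUFFICIENT AUTHORITY TO OPEN
  ACCESS INTENT(RW-)  ACCESS ALLOWED(OTHER   ---)
  EFFECTIVE UID(0000001010)  EFFECTIVE GID(0000005050)
ICH408I USER(CAROL   ) GROUP(GROUPA  ) NAME(CAROL JONES         )
  /u/bill/files/data
  CL(DIRSRCH ) FID(01E9C4E2E8E2F2000213000004F50000)
  INSUFFICIENT AUTHORITY TO STAT
  ACCESS INTENT(--X)  ACCESS ALLOWED(GROUP   ---)
  EFFECTIVE UID(0000001010)  EFFECTIVE GID(0000005050)
ICH408I USER(CAROL   ) GROUP(GROUPA  ) NAME(CAROL JONES         )
  /u/frank
  CL(FSOBJ   ) FID(01C8C6E2E4E2F1000204000000000003)
  INSUFFICIENT AUTHORITY TO MKDIR
  ACCESS INTENT(-W-)  ACCESS ALLOWED(OTHER   --X)
  EFFECTIVE UID(0000001010)  EFFECTIVE GID(0000005050)
"""

HEAD = re.compile(r"ICH408I\s+USER\((\S+)\s*\)\s+GROUP\((\S+)\s*\)\s+NAME\((.*?)\s*\)")
CLASS = re.compile(r"CL\((\w+)\s*\)\s+FID\(([0-9A-F]+)\)")
OP = re.compile(r"INSUFFICIENT AUTHORITY TO (\w+)")
ACC = re.compile(r"ACCESS INTENT\(([RWX-]{3})\)\s+ACCESS ALLOWED\((OWNER|GROUP|OTHER)\s+([RWX-]{3})\)", re.I)
IDS = re.compile(r"EFFECTIVE UID\((\d+)\)\s+EFFECTIVE GID\((\d+)\)")


def split_messages(text):
    """Group a line-oriented extract into one list of lines per ICH408I."""
    msgs, cur = [], []
    for line in text.splitlines():
        if line.startswith("ICH408I"):
            if cur:
                msgs.append(cur)
            cur = [line]
        elif cur:
            cur.append(line.strip())
    if cur:
        msgs.append(cur)
    return msgs


def parse_ich408i(text):
    events = []
    for lines in split_messages(text):
        blob = " ".join(lines)
        h, c, o, a, i = (HEAD.search(blob), CLASS.search(blob), OP.search(blob),
                         ACC.search(blob), IDS.search(blob))
        if not (h and c and o and a and i):
            continue                       # not a z/OS UNIX file-system ICH408I
        intent, allowed_as, allowed = (a.group(1).upper(), a.group(2).upper(), a.group(3).upper())
        # A bit the caller asked for that the applicable r/w/x triple does not grant.
        missing = "".join(p for p, q in zip(intent, allowed) if p != "-" and q == "-")
        path = lines[1] if len(lines) > 1 and not lines[1].startswith("CL(") else ""
        events.append({"user": h.group(1), "group": h.group(2), "name": h.group(3),
                       "path": path, "class": c.group(1), "fid": c.group(2),
                       "op": o.group(1), "intent": intent, "allowed_as": allowed_as,
                       "allowed": allowed, "missing": missing,
                       "uid": int(i.group(1)), "gid": int(i.group(2))})
    return events


def explain(ev):
    """The one-line reading the slides give for each message."""
    where = {"OWNER": "is the file owner",
             "GROUP": "is in the owning group but is not the owner",
             "OTHER": "is neither the owner nor in the owning group"}[ev["allowed_as"]]
    if ev["class"] == "DIRSRCH":
        need = "search (x) permission on a directory in the path to " + ev["path"]
    elif ev["op"] == "MKDIR":
        need = "write permission on the parent directory of " + ev["path"]
    else:
        need = "%s permission on %s" % (ev["missing"], ev["path"])
    return "UID %d (%s) %s; needs %s" % (ev["uid"], ev["user"], where, need)
```

The "allowed_as" field is the one to group on when triaging: a burst of OTHER failures against one path usually means a shared directory's permission bits or ACL are wrong, while GROUP failures point at group membership or a missing extended ACL entry.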
Working in the UNIX System Services Environment
UNIX Shell & Utilities
Figure: the HFS, the shell, shell commands and utilities, and C programs.
Interoperability
Figure: TSO/E and z/OS UNIX side by side. TSO/E reaches MVS data sets through an MVS-like interface and z/OS UNIX reaches HFS files through a UNIX-like interface, and each side can reach the other's data.
TSO / UNIX Command Interaction
TSO/E side: logon to TSO/E; issue any TSO/E command; issue the OMVS command to enter the shell. While in the shell, escape to TSO mode and issue any TSO command, then return to the shell. After leaving the shell, issue any TSO/E command and logoff.
Shell side: become a logged-on shell user; run any shell command; escape to TSO mode; return and continue shell commands; exit the shell.
The figure labels the transitions OMVS (enter the shell), PF6 (escape to TSO mode), PA1 (return to the shell) and EXIT (leave the shell).
Entering z/OS UNIX
The OMVS Shell
$
The $ prompt indicates a regular user
The pwd Command
$ pwd
/u/johnh
$
The ls Command
$ ls -l
total 8
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 04:25 files
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 19 15:16 doc
-rw-rwxrwx 2 JOHNH VANGUARD 250 Nov 17 23:07 stuff
-rw-r--r-- 2 JOHNH VANGUARD 17 Nov 17 23:07 mydata
-rw-r--r-- 5 JOHNH VANGUARD 1605 Dec 3 16:38 namesfile
-rw-r--r-- 2 JOHNH VANGUARD 472 Nov 17 23:15 myscript
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 17 23:07 unixdata
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 20:37 projecta
$
Switching to Superuser
$ su
#
The # prompt indicates a superuser. su with no operand switches the shell to UID 0; it requires either an OMVS UID of 0 already or READ access to BPX.SUPERUSER in the FACILITY class, so that profile's access list is the list of who can become superuser this way.
Exiting the Superuser Authority
# exit
$
Back to a regular user
Exiting the OMVS Shell
$ exit
Invoking ISHELL
142
VANGUARD SECURITY & COMPLIANCE 2016
Using the ISHELL
143
VANGUARD SECURITY & COMPLIANCE 2016
Using the Action Bar - File
144
VANGUARD SECURITY & COMPLIANCE 2016
Setting the Options
145
VANGUARD SECURITY & COMPLIANCE 2016
Directory List Options
146
VANGUARD SECURITY & COMPLIANCE 2016
Using the Action Bar - Directory
147
VANGUARD SECURITY & COMPLIANCE 2016
The Directory List
148
VANGUARD SECURITY & COMPLIANCE 2016
Switching to Superuser
149
VANGUARD SECURITY & COMPLIANCE 2016
Superuser Obtained
150
Indicates a superuser
VANGUARD SECURITY & COMPLIANCE 2016
Using ISPF Split Screen
151
TSO
USS
VANGUARD SECURITY & COMPLIANCE 2016
References
• z/OS Security Server (RACF) Security Administrator’s Guide
SA22-7683
• z/OS Security Server (RACF) Security Auditors Guide
SA22-7684
• z/OS UNIX System Services Planning - GA22-7800
• z/OS UNIX System Services User’s Guide - SA22-7801
• z/OS UNIX System Services Command Reference
SA22-7802
• z/OS UNIX System Services Home Page
http://www-1.ibm.com/servers/eserver/zseries/zos/unix/
• HFS Unload Utililty – irrhfsu (Download from RACF home page)
• mvs-oe listserv - http://www2.marist.edu/htbin/wlvindex?mvs-oe
• z/OS SYS1.SAMPLIB member BPXISEC1
152
top related