SECURITY & COMPLIANCE CONFERENCE 2016

z/OS UNIX Security

Dustin Hayes

Professional Services Consultant

BTB03-BTB04


VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization's internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


Legal Notice

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.


Course Topics

• z/OS® UNIX® Overview

• Defining UNIX Users and Groups to RACF®

• UNIX Superusers

• Ensuring Unique UNIX Identities

• UNIX Default User and Group

• Protecting UNIX Files

• Security for Daemons and Servers

• Extended Attributes

• Auditing UNIX Security Events

• Working in the z/OS UNIX Environment


z/OS UNIX Overview


What is z/OS UNIX Used For?

(Diagram: web browsers on the World Wide Web reach an HTTP Server or WebSphere AS running on z/OS UNIX, whose kernel, shell and utilities and HFS sit in front of CICS®, IMS™ and DB2® applications.)


Components of z/OS UNIX

• KERNEL - Low-level system code

• SHELL - A command processor

• FILE SYSTEM - Hierarchical File System (HFS)

– Directories

– Files

• DAEMONS - Processes that run in the background, i.e. Started Tasks

• COMMUNICATION SERVICES - Methods of access

– TSO/E

– VTAM™

– TCP/IP


What is z/OS UNIX?

• APIs – Programs can run in almost any environment:

– Batch

– Submitted by a TSO user

– As Started Tasks

• Programs can request:

– Only MVS™ services

– Only z/OS UNIX

– Both MVS and z/OS UNIX

• SHELL Interface – an execution environment for:

– Programs run by shell users

– Shell commands and scripts run by shell users

– Shell commands and scripts run as batch jobs


Hierarchical File System (HFS)

(Diagram: a tree of directories and files descending from /, the root directory.)


UNIX Security

• UID identifies user

• GID identifies group to which user belongs

• Access rights determined by

– UID - if user is owner of file

– GID - if user is in group that owns file

– Other - if neither UID nor GID match

(Figure: two example identities, UID 0 and UID 80 with GID 3600.)


z/OS UNIX Security Functions

• User Validation – UID, GID

• File Access Checking – File Security Packet (FSP) containing File Permission Bits and ACLs

• Auditing

– FSP, File Audit Bits

– RACF Systemwide Options

– UNIXPRIV and FACILITY Classes

• Security Administration – RACF and UNIX Commands


z/OS UNIX File Security Packet

(Diagram of the File Security Packet: the file owner UID, the file owner group GID, the Set UID, Set GID and Sticky bits, the File Permission Bits (r w x for Owner, Group and Other) that form the File Mode, the Auditing Options kept for the File Owner and for the RACF AUDITOR, and the Extended Attributes (p, a, s).)


Defining UNIX Users and Groups to RACF


Identifying the User

• UNIX represents each user by a single number

– UID - user identifier

• Assign each user a unique UID

• Operating system identifies the user by UID number

– usernames are a convenience

• The UID is assigned in the OMVS segment of the RACF user profile

If two users are assigned the same UID, UNIX views them as the same user.


z/OS UNIX Groups

• User must belong to at least one group

– can be connected to additional groups

• All groups that a UNIX user belongs to should be assigned an OMVS GID

• User's default group, or current connect group, must have a GID assigned


RACF Profiles

(Diagram of the two RACF profiles involved:)

RACF Group Profile (GROUPA) – OMVS Segment: GID

RACF User Profile (USERA) – OMVS Segment: UID, HOME, PROGRAM, FILEPROCMAX, CPUTIMEMAX, ASSIZEMAX, THREADSMAX, PROCUSERMAX, MMAPAREAMAX, MEMLIMIT, SHMEMMAX


USP – User Security Packet

USP fields: Real UID, Effective UID, Saved UID, Real GID, Effective GID, Saved GID, Supplemental Groups

Where does the USP come from?

– User's OMVS Segment

– OMVS segment of the User's default group

– OMVS segments of the User's list-of-groups


z/OS UNIX System ID Requirements

• UNIX System User (OMVSKERN with UID=0)

• UNIX System Group (OMVSGRP)

• UNIX System Default Superuser ID BPXROOT with UID=0

– Specified in the BPXPRM00 SUPERUSER keyword

– For processes to invoke setuid()

– For the "su" command


z/OS UNIX Users/Groups RACF Profiles

ADDGROUP OMVSGRP OW(SECADM) SUPGROUP(SECADM) OMVS(GID(1000))

ADDUSER OMVSKERN DFLTGRP(OMVSGRP) NOPASSWORD OW(OMVSGRP) NAME('OMVS KERNEL ID')
        OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

ADDUSER BPXROOT DFLTGRP(OMVSGRP) NOPASSWORD OW(OMVSGRP) NAME('OMVS DEFAULT SUPERUSER')
        OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

Note: the OMVS segment is case sensitive.


STARTED Class Profiles

• Define as started tasks:

– OMVS – the z/OS UNIX kernel

– BPXOINIT – the UNIX initialization process

RDEF STARTED OMVS.* OW(SECADM) STDATA(USER(OMVSKERN) GROUP(OMVSGRP) TRUSTED(YES))

RDEF STARTED BPXOINIT.* OW(SECADM) STDATA(USER(OMVSKERN) GROUP(OMVSGRP) TRUSTED(NO))

SETROPTS RACLIST(STARTED) REFRESH


z/OS UNIX Regular User Requirements

• User must be defined to RACF

• User profiles can have an OMVS segment:

– UID – 1 to 2147483647 (Ex. 100)

– HOME – Current working directory (Ex. /u/userid)

– PROGRAM – Initial program to execute (Ex. /bin/sh)

• Current connect group can have an OMVS segment:

– GID – 0 to 2147483647 (Ex. 1001)

• UID should be unique

• GID recommended unique


z/OS UNIX Users/Groups RACF Profiles

AG GROUPA SUPGROUP(SECADM) OWNER(SECADM) OMVS(GID(1001))

AU BILLYB DFLTGRP(GROUPA) OWNER(GROUPA) NAME('BILLY BOB') PASS(xxxxxxxx) TSO(…)
        OMVS(UID(100) HOME('/u/billyb') PROGRAM('/bin/sh'))

Note: the OMVS segment is case sensitive.


Defining Home Directories

• Define the user's home directory:

– UNIX command – mkdir /u/billyb

• MKDIR can also be executed within the TSO environment:

– TSO command – MKDIR '/u/billyb'

• Change ownership of the directory:

– UNIX command – chown billyb /u/billyb

– TSO command – OSHELL chown billyb /u/billyb

(Figure: the directory path from / (the root directory) to /u to /u/billyb.)


Defining Home Directories Using AUTOMOUNT

• An automount policy specifies the file systems that are to be mounted

• The user's home directory is managed by the automount facility

• Automount performs a mkdir followed by a mount whenever a file is accessed in a controlled directory

(Figure: the HFS data set OMVS.BILLYB.HFS mounted at /u/billyb, under /u below / (the root directory).)


UNIX Superusers


z/OS UNIX Superuser Requirements

• What Makes a User ID a Superuser?

– UID 0

– READ access to the BPX.SUPERUSER profile in the FACILITY Class

– TRUSTED or PRIVILEGED Started Task

– Access to UNIXPRIV Class profiles

• What Can a Superuser Do?

– Perform any z/OS UNIX function

– Passes all z/OS UNIX security checks

– Change identity to another UID

• Ordinary User when accessing MVS resources


z/OS UNIX Superuser Requirements

• User must be defined to RACF

• User profile must have an OMVS segment:

– UID – 0 (Ex. 0)

– HOME – Current working directory (Ex. /u/userid)

– PROGRAM – Initial program to execute (Ex. /bin/sh)

• Default or current connect group has an OMVS segment:

– GID – 0 to 2147483647 (Ex. 1000)

• UID must be 0, or may be non-zero if the user is given the ability to switch to root (su command)

• GID recommended unique


Switching to Superuser

• Recommendation: Don't give human beings UID(0)

• Switching to Superuser (su command) is controlled through RACF resource permissions.

– FACILITY Class Profile BPX.SUPERUSER

RDEF FACILITY BPX.SUPERUSER UACC(NONE)

PE BPX.SUPERUSER CL(FACILITY) ID(SUPERGRP) AC(READ)


Controlling Superuser Authorities Using UNIXPRIV Class Profiles

• Use to authorize individual Superuser authorities

– granular approach

– users no longer need UID(0) or BPX.SUPERUSER


The UNIXPRIV Class Profiles

Resource Name – Access Given

SUPERUSER.FILESYS (READ access) – Allows a user to read any HFS file and read or search any HFS directory.

SUPERUSER.FILESYS (UPDATE access) – Allows a user to write to any existing HFS file.

SUPERUSER.FILESYS (CONTROL access) – Allows a user to write to any HFS directory.

SUPERUSER.FILESYS.ACLOVERRIDE – Specifies that ACL entries override SUPERUSER.FILESYS.

SUPERUSER.FILESYS.CHANGEPERMS – Allows users to change the permission bits of any file.

SUPERUSER.FILESYS.CHOWN – Allows a user to change the ownership of any file.

SUPERUSER.FILESYS.MOUNT – Allows a user to issue mount and unmount requests.

SUPERUSER.FILESYS.QUIESCE – Allows a user to issue quiesce and unquiesce commands for a file system.

SUPERUSER.FILESYS.PFSCTL – Allows a user to call pfsctl().

SUPERUSER.FILESYS.VREGISTER – Allows a user to issue vregister() to register as a VFS file server.

SUPERUSER.IPC.RMID – Allows a user to do ipcrm calls to clean up leftover IPC mechanisms.

SUPERUSER.PROCESS.GETPSENT – Allows a user to see all processes.

SUPERUSER.PROCESS.KILL – Allows a user to send signals to any process.

SUPERUSER.PROCESS.PTRACE – Allows a user to use dbx to trace any process.

SUPERUSER.SETPRIORITY – Allows a user to increase his priority.


UNIXPRIV Examples

RDEF UNIXPRIV SUPERUSER.FILESYS UACC(NONE)

PE SUPERUSER.FILESYS CL(UNIXPRIV) ID(SYSPROG) AC(CONTROL)

RDEF UNIXPRIV SUPERUSER.FILESYS.CHANGEPERMS UACC(NONE)

PE SUPERUSER.FILESYS.CHANGEPERMS CL(UNIXPRIV) ID(SECADMIN) AC(READ)

(Figure: user CHARLIE, UID 1010, connected to group SYSPROG.)


RACF Profiles for Superuser

AU CHARLIE DFLT(OMVSADMG) OW(OMVSADMG) OMVS(UID(0))

or

CONNECT CHARLIE GROUP(SUPERGRP)
(give SUPERGRP access to BPX.SUPERUSER so that it can issue SU)

or

RDEF UNIXPRIV SUPERUSER.*.** UA(NONE)
PE SUPERUSER.*.** CL(UNIXPRIV) ID(SUPERGRP) AC(CONTROL)
(give SUPERGRP access to the UNIXPRIV profiles)


Unique UNIX Identities


Unique UNIX Identity

UNIX Security Management Usability Enhancement

• Optional enhancement for managing and listing UID and GID assignments

• Provides for automatic assignment of a unique UID and/or unique GID value

• Provides a method to list all users with a specific UID

• Provides a method to list all groups with a specific GID


Unique UNIX Identity

• UNIXPRIV SHARED.IDS acts as a system-wide switch to prevent assignment of a UID or GID that is already in use.

• Available on z/OS 1.4, or on OS/390 2.10, z/OS 1.2 and z/OS 1.3 via APAR OW52135

• Must be using Application Identity Mapping (AIM) stage 2 or 3

• FACILITY Class discrete profile BPX.NEXT.USER defined with APPLDATA to indicate next available UID or GID value to be automatically assigned


Prevention of Shared IDs

RDEF UNIXPRIV SHARED.IDS UA(NONE)

SETROPTS RACLIST(UNIXPRIV) REFRESH

AU CAROL . . . OMVS(UID(1515))
IRR52174I Incorrect UID 1515. This value is already in use by TOM.

AG GROUPA . . . OMVS(GID(3250))
IRR52174I Incorrect GID 3250. This value is already in use by USRGRP.


Exception to Unique IDs

• Why assign a non-unique UID/GID?

– Assigning UID(0) to started task IDs (daemons)

• Requires the use of the SHARED keyword in the OMVS segment

– ADDUSER, ALTUSER

– ADDGROUP, ALTGROUP

• Use of the SHARED keyword requires SPECIAL or READ access to the SHARED.IDS profile.


Using the SHARED Keyword

PE SHARED.IDS CL(UNIXPRIV) ID(UNIXGRP) AC(READ)

SETR RACLIST(UNIXPRIV) REFRESH

AU KNGKONG . . . OMVS(UID(0) SHARED)

AG GROUPA . . . OMVS(GID(3250) SHARED)

(Figure: JULIE, connected to UNIXGRP, and JIMM, who has SPECIAL.)


Enhancements to SEARCH Command

• Using the SEARCH (SR) Command

– Identify Userids associated with a specific UID

– Identify Groups associated with a specific GID

– UID/GID parameter must be discrete

Example 1 – Identify all users with UID of 0

SR CLASS(USER) UID(0)

Example 2 – Identify all groups with GID of 222

SR CLASS(GROUP) GID(222)


Automatic UID/GID Assignment

• New AUTOUID keyword in the OMVS segment

– ADDUSER & ALTUSER commands

• New AUTOGID keyword in the OMVS segment

– ADDGROUP & ALTGROUP commands

AG USSGRP . . . OMVS(AUTOGID)
IRR52177I Group USSGRP was assigned an OMVS GID value of 5001

AU CAROL . . . DFLT(USSGRP) OMVS(AUTOUID)
IRR52177I User CAROL was assigned an OMVS UID of 3001


Defining Automatic Values

• BPX.NEXT.USER in the FACILITY class

– APPLDATA info used to determine UID/GID values

– Establishes initial UID and/or GID values

– Can specify a range of UID and/or GID values

– UACC and Access List are not used

– First value in APPLDATA represents the UID

– Second value in APPLDATA represents the GID

– Values are automatically updated by RACF

– Can negate automatic assignment of UID or GID

RDEF FACILITY BPX.NEXT.USER APPLDATA('5000/500')

SETR RACLIST(FACILITY) REFRESH


Defining Automatic Values - Examples

Example 1 – Start UID at 1 and GID at 0 (No previous UIDs/GIDs)

RDEF FACILITY BPX.NEXT.USER APPLDATA('1/0')

SETR RACLIST(FACILITY) REFRESH

(RACLIST Optional for FACILITY Class)

Example 2 – Start UID at 100 and GID at 100 (Existing UIDs/GIDs < 100)

RDEF FACILITY BPX.NEXT.USER APPLDATA('100/100')

SETR RACLIST(FACILITY) REFRESH


Defining Automatic Values - Examples

Example 3 – Specify ranges for both UIDs and GIDs

RDEF FACILITY BPX.NEXT.USER APPLDATA('500-9999/1000-3999')

SETR RACLIST(FACILITY) REFRESH

Example 4 – Specify a range for UIDs but don't assign GIDs automatically

RDEF FACILITY BPX.NEXT.USER APPLDATA('300-500/NOAUTO')

SETR RACLIST(FACILITY) REFRESH

Example 5 – Set a range for GIDs but leave UIDs as is

RALT FACILITY BPX.NEXT.USER APPLDATA('/500-1000')

SETR RACLIST(FACILITY) REFRESH
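The BPX.NEXT.USER APPLDATA forms in Examples 1 to 5 above and the SHARED.IDS rejections shown earlier (IRR52174I, the SHARED keyword, AUTOUID/AUTOGID) replayed in one added Python simulation that is not part of the presentation or of RACF. IdRange, RacfDb, parse_side and demo are my names; that automatic assignment skips a value already in use, and that a lone start value runs up to 2147483647, are my assumptions rather than documented RACF behaviour.

```python
"""Simulation of RACF automatic UID/GID assignment with SHARED.IDS in force.

Added example, not code from the presentation or from RACF. It models the
BPX.NEXT.USER APPLDATA format on the slides ('uid/gid'; each side is a start
value, a 'lo-hi' range, NOAUTO, or empty to leave that side as is) and the
SHARED.IDS rule: an explicit UID or GID already in use is rejected with
IRR52174I unless SHARED is specified by an administrator with SPECIAL or READ
access to SHARED.IDS. Assumptions of mine: automatic assignment skips a value
that is already in use, and a lone start value runs up to 2147483647.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ID = 2_147_483_647


@dataclass
class IdRange:
    lo: int
    hi: int
    nxt: int                          # the value RACF would hand out next


def parse_side(text: str, current: Optional[IdRange]) -> Optional[IdRange]:
    """One side of APPLDATA: '' (keep current), 'NOAUTO', '100' or '500-9999'."""
    text = text.strip().upper()
    if text == "":
        return current                # RALT '/500-1000' leaves the UID side as is
    if text == "NOAUTO":
        return None
    parts = text.split("-", 1) if "-" in text else [text, str(MAX_ID)]
    lo, hi = int(parts[0]), int(parts[1])
    if not 0 <= lo <= hi <= MAX_ID:
        raise ValueError(f"invalid APPLDATA range {text!r}")
    return IdRange(lo, hi, lo)


@dataclass
class RacfDb:
    """Just enough of the RACF database to show the rules above (names are mine)."""
    uids: Dict[int, List[str]] = field(default_factory=dict)   # UID -> user names
    gids: Dict[int, List[str]] = field(default_factory=dict)   # GID -> group names
    next_uid: Optional[IdRange] = None
    next_gid: Optional[IdRange] = None
    shared_ids_defined: bool = False  # UNIXPRIV SHARED.IDS defined and RACLISTed

    def define_next_user(self, appldata: str) -> None:
        """RDEF or RALT FACILITY BPX.NEXT.USER APPLDATA('uid/gid')."""
        uid_part, gid_part = appldata.split("/", 1)
        self.next_uid = parse_side(uid_part, self.next_uid)
        self.next_gid = parse_side(gid_part, self.next_gid)

    def _auto(self, rng, in_use, kind):
        if rng is None:
            raise ValueError(f"automatic {kind} assignment is NOAUTO or undefined")
        value = rng.nxt
        while value in in_use:        # assumption: skip values already taken
            value += 1
        if value > rng.hi:
            raise ValueError(f"{kind} range {rng.lo}-{rng.hi} is exhausted")
        rng.nxt = value + 1           # RACF updates APPLDATA after each use
        return value

    def _explicit(self, value, in_use, kind, shared, admin_ok):
        if self.shared_ids_defined and value in in_use and not (shared and admin_ok):
            raise ValueError(f"IRR52174I Incorrect {kind} {value}. "
                             f"This value is already in use by {in_use[value][0]}.")
        return value

    def add_user(self, name, uid=None, auto=False, shared=False, admin_ok=False):
        """AU name OMVS(UID(n) [SHARED])  or  AU name OMVS(AUTOUID)."""
        uid = (self._auto(self.next_uid, self.uids, "UID") if auto
               else self._explicit(uid, self.uids, "UID", shared, admin_ok))
        self.uids.setdefault(uid, []).append(name)
        return uid

    def add_group(self, name, gid=None, auto=False, shared=False, admin_ok=False):
        """AG name OMVS(GID(n) [SHARED])  or  AG name OMVS(AUTOGID)."""
        gid = (self._auto(self.next_gid, self.gids, "GID") if auto
               else self._explicit(gid, self.gids, "GID", shared, admin_ok))
        self.gids.setdefault(gid, []).append(name)
        return gid

    def search_uid(self, uid):
        """SR CLASS(USER) UID(n): every user that holds the UID."""
        return list(self.uids.get(uid, []))


def demo() -> dict:
    """Replay the slides' scenario on a constructed database."""
    db = RacfDb(shared_ids_defined=True)
    db.add_user("OMVSKERN", uid=0)
    db.add_user("TOM", uid=1515)
    out = {}
    try:
        db.add_user("CAROL", uid=1515)          # TOM already holds 1515
    except ValueError as err:
        out["carol"] = str(err)
    out["kngkong"] = db.add_user("KNGKONG", uid=0, shared=True, admin_ok=True)
    db.define_next_user("1515/500")            # AU CAROL OMVS(AUTOUID) skips 1515
    out["carol_auto"] = db.add_user("CAROL", auto=True)
    out["ussgrp"] = db.add_group("USSGRP", auto=True)
    out["uid0_users"] = db.search_uid(0)
    return out
```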


SHARED.IDS Considerations

• Auditing UNIXPRIV Class SHARED.IDS profile options

– FAILURES(READ) will show an attempt to assign a UID/GID explicitly by a non-SPECIAL administrator

• CLISTs and REXX Execs

– Creating a new UID/GID will require modifications for the SHARED parameter

– Modifying an existing UID/GID may or may not require modifications


Other Considerations

• Common Command Exit (IRREVX01)

– Postprocessing Exit will see the generated UID/GID

• RRSF Environments

– Use non-overlapping ranges on each node in the APPLDATA of the BPX.NEXT.USER profile in the FACILITY Class

– Use ONLYAT when defining ranges

– All nodes have UNIXPRIV Class SHARED.IDS defined

– Automatically generated UID/GID values will be propagated explicitly as created

– AUTOUID keyword will not be included in the propagated command


Automatic Assignment of UIDs and GIDs

• Problem: It is not practical to assign a unique UID or unique GID for a large number of users defined without OMVS segments who need access to z/OS UNIX services, such as FTP.

• Solution: With z/OS V1R11, you can assign a unique UID for each user and a unique GID for each group that needs access to z/OS UNIX functions and resources.

Note: This option replaces BPX.DEFAULT.USER


Requirements for Automatic Unique IDs

1. The RACF database is enabled for application identity mapping (AIM) stage 3

2. The UNIXPRIV class profile SHARED.IDS is defined, and the UNIXPRIV class is active and RACLISTed

3. The FACILITY class profile BPX.NEXT.USER is defined and its APPLDATA field has valid ID values or ranges

4. The FACILITY class profile BPX.UNIQUE.USER is defined

5. No OMVS segment is defined in the user or group profile


Automatic Assignment of UIDs and GIDs

• The UID is assigned from the BPX.NEXT.USER profile for any user that does not have an OMVS Segment.

• The GID is assigned from the BPX.NEXT.USER profile for any user whose default group does not have an OMVS Segment.


Defining the Model Profile

• Define the model profile (optional)

ADDUSER UNXMODEL NAME('UNIX Model User Profile') OMVS(HOME('/tmp') PROGRAM('/bin/sh')) NOPASSWORD RESTRICTED

• Define the BPX.UNIQUE.USER profile

RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('UNXMODEL')

• Refresh the FACILITY class

SETROPTS RACLIST(FACILITY) REFRESH


&RACUID in BPX.UNIQUE.USER

• Define the model profile

ADDUSER UNXMODEL NAME('UNIX Model User') OMVS(HOME('/u/&racuid') PROGRAM('/bin/sh')) NOPASSWORD RESTRICTED

• Define the BPX.UNIQUE.USER profile

RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('UNXMODEL')

• Refresh the FACILITY class

SETROPTS RACLIST(FACILITY) REFRESH

Enhanced in z/OS 2.1


Protecting UNIX Directories and Files


DATASET Class Profiles

• OMVS started task needs:

– UPDATE access to the data sets that contain UNIX files

or

– OMVS task is defined as Trusted

ADDSD 'OMVS.**' UA(NONE) OW(DATASETS)

PE 'OMVS.**' ID(OMVSKERN) AC(UPDATE)

(Figure: the zFS data sets OMVS.ROOT.HFS, OMVS.CAROL.HFS and OMVS.BILLYB.HFS.)


UNIX File Systems

• UNIX File Systems are mounted

– HFS - Hierarchical file system

– zFS - zSeries file system

– TFS - temporary (or toy) file system

– DFS - distributed file system

– NFS - network file system

(Figure: the Root File System and further HFS data sets, each holding a subtree of directories (D1 to D4) and files (F), mounted into one tree.)


UNIX File System

(Diagram: a tree of directories and files descending from /, the root directory.)


Protecting z/OS UNIX Files

• RACF profiles are not used for file protection

• RACF interfaces with UNIX

• File Security Packets (FSPs) are stored with the file

• Access is controlled by permission bits

– OWNER - Owning UID

– GROUP - Owning GID

– OTHER - All other UIDs/GIDs

• 3 levels of authority - READ, WRITE and EXECUTE

File Security Packet (FSP)

Figure: layout of the FSP and who may change each field. File owner UID and file owner group GID: changed with chown/chgrp by the superuser (and by the owner, if UNIXPRIV CHOWN.UNRESTRICTED is defined). Set UID, Set GID and Sticky bits plus the file permission bits (file mode: owner, group, other, each r w x): changed with chmod by the owner or superuser. Auditing options: the file owner's options are set with chaudit by the owner or superuser, the RACF AUDITOR's options with chaudit by the auditor. Extended attributes (p, a, s): set with extattr.

Using Groups to Access Files

• RACF List-of-Groups Checking is honored

• Groups other than a user's current connect group are referred to as supplemental groups

• Supplemental groups should have an OMVS segment with a GID

• A user's supplemental groups are the first 300 groups the user is connected to

Levels of Access

ACCESS   r (READ)   w (WRITE)   x (EXECUTE or SEARCH)
OCTAL    4          2           1

Files:

  READ    - read or print the contents of the file

  WRITE   - change, add to, or delete from the contents of the file

  EXECUTE - applies to executable files; permission to run the file

Directories:

  READ    - read but not search the directory

  WRITE   - change, add to, or delete directory entries

  SEARCH  - search the directory

Reading File Permissions

                 Owner   Group   Other
Symbolic         r w x   r w x   r w x
Notation

Octal            4 2 1   4 2 1   4 2 1
Notation           7       7       7

(Owner permissions, group permissions and other permissions each form one octal digit: r = 4, w = 2, x = 1.)

File Permission Examples

-rwxrwxrwx = 777

A file anyone can read, write and execute

-rw-r--r-- = 644

A file the owner can read and write, and anyone else can read

-rwx--x--- = 710

A file the owner can read, write and execute, and the group can execute

-rwxrw-rw- = 766

A file the owner can read, write and execute, and anyone else can read and write (update and delete)

-rwxr-xr-x = 755

A file the owner can read, write and execute, and anyone can read and execute

File Authorization Checking

Setting Permission Bits

• Setting permission bits is done through UNIX functions

• Three methods:

  – Through the ISPF Shell (ISHELL)

  – The chmod shell command

  – The chmod() function in a program

• Who can set the permission bits?

  – File owner

  – Superuser with UID(0)

  – User with READ access to the UNIXPRIV class profile SUPERUSER.FILESYS.CHANGEPERMS

chmod Command

The chmod command sets file protection attributes.

• Using octal notation:

chmod 755 /u/billyb/file/myfile

  – Owner - read, write, execute permissions

  – Group - read, execute permissions

  – Others - read, execute permissions

• Using symbolic notation:

chmod -R g+x /u/billyb

  – adds group execute permission to the directory /u/billyb and to all files below the directory /u/billyb

chmod Command Examples

-rwxr-xr-x = 755

A file the owner can read, write and execute, and anyone can read and execute

chmod 755 /u/joe/filea

-rw-r--r-- = 644

A file the owner can read and write, and anyone can read

chmod 644 /u/joe/fileb

-rwxr-x--- = 750

A file the owner can read, write and execute, and the group can read and execute

chmod 750 /u/joe/filec

Displaying File Permissions

Output of the ls command

Figure: an ls -l listing annotated with its columns: file type, permissions, owning user, owning group and file name.

When a New File is Created . . .

Figure: JSMITH creates filea in dirx. USP for JSMITH: UID 307, EUID 307, GID 1078, EGID 1078, supplemental groups 1234, 4567 and 9876. FSP for dirx: UID 55, GID 4567, permissions rwx r-x r-x. FSP for filea: UID, GID and permissions (left blank on the slide as the question to answer).

Default File Permissions

Process            Default Permissions

mkdir              rwx rwx rwx

MKDIR              rwx r-x r-x

OEDIT              rwx rwx rwx

vi editor          rw- rw- rw-

ed editor          rw- rw- rw-

Redirection (>)    rw- rw- rw-

cp                 output = input

OCOPY              --- --- ---

OPUT/OPUTX         rw- --- ---

OPUT/OPUTX         rwx --- ---

UMASK

• Used to modify the initial access permissions of a file

• A default umask can be specified

• For a user or process, set the umask manually or as part of the login script (default is 000/rwx)

• Examples:

  – umask a=rx (allow only read, execute for all)

  – umask 027 (disallow write for group and any access for other)

  – umask (display current settings)
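The notation and umask arithmetic from the preceding slides (symbolic and octal permissions, the process defaults table, umask in octal and symbolic form), as an added Python model that is not part of the deck. The PROCESS_DEFAULTS values are copied from the Default File Permissions slide; the `current` argument of parse_umask and the world-writable review are assumptions of this example.

```python
"""Added model of z/OS UNIX permission notation and umask arithmetic (not deck code)."""

PERM_CHARS = "rwx"                    # one triple each for owner, group, other
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}  # bit offset of each triple


def symbolic_to_octal(symbolic: str) -> int:
    """'-rwxr-x---' or 'rwxr-x---' -> 0o750 (the nine permission bits only)."""
    bits = symbolic[-9:]
    if len(bits) != 9:
        raise ValueError(f"need nine permission characters: {symbolic!r}")
    mode = 0
    for i, ch in enumerate(bits):
        if ch == PERM_CHARS[i % 3]:
            mode |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {symbolic!r}")
    return mode


def octal_to_symbolic(mode: int) -> str:
    """0o644 -> 'rw-r--r--'."""
    return "".join(PERM_CHARS[i % 3] if mode & (1 << (8 - i)) else "-"
                   for i in range(9))


def parse_umask(text: str, current: int = 0) -> int:
    """Accept the octal form ('027') or the symbolic form the deck shows ('a=rx').

    In symbolic form the listed permissions are the ones to ALLOW, so 'a=rx'
    disallows write for everyone and yields 0o222. '+' permits, '-' denies and
    '=' replaces a triple; `current` is the mask being modified (an assumption
    of this model, defaulting to the deck's 000).
    """
    if text.isdigit():
        return int(text, 8) & 0o777
    mask = current & 0o777
    for clause in text.split(","):
        who, op, perms = "", "", ""
        for ch in clause:
            if ch in "ugoa" and not op:
                who += ch
            elif ch in "=+-" and not op:
                op = ch
            elif ch in PERM_CHARS and op:
                perms += ch
            else:
                raise ValueError(f"bad umask clause {clause!r}")
        if not op:
            raise ValueError(f"bad umask clause {clause!r}")
        targets = "ugo" if (not who or "a" in who) else who
        allowed = sum(1 << (2 - PERM_CHARS.index(p)) for p in perms)
        for w in targets:
            shift = WHO_SHIFT[w]
            if op == "=":      # only the listed permissions stay allowed
                mask = (mask & ~(7 << shift)) | ((7 & ~allowed) << shift)
            elif op == "+":    # permit: clear the mask bits
                mask &= ~(allowed << shift)
            else:              # '-' deny: set the mask bits
                mask |= allowed << shift
    return mask & 0o777


def creation_mode(process_default: int, umask: int) -> int:
    """Bits a new object actually gets: the process default with the umask bits removed."""
    return process_default & ~umask & 0o777


# Process defaults copied from the deck's "Default File Permissions" slide.
PROCESS_DEFAULTS = {
    "mkdir": 0o777, "MKDIR": 0o755, "OEDIT": 0o777,
    "vi editor": 0o666, "ed editor": 0o666, "redirection (>)": 0o666,
}


def world_writable(mode: int) -> bool:
    """True when the 'other' triple grants write, e.g. 766 (rwxrw-rw-)."""
    return bool(mode & 0o002)


def review_defaults(umask: int) -> dict:
    """For each command, the symbolic mode it would create under `umask` and
    whether that result is still world-writable (the deck's 'update & delete' case)."""
    result = {}
    for cmd, default in PROCESS_DEFAULTS.items():
        mode = creation_mode(default, umask)
        result[cmd] = (octal_to_symbolic(mode), world_writable(mode))
    return result


if __name__ == "__main__":
    for setting in ("000", "027", "a=rx"):
        umask = parse_umask(setting)
        print(f"umask {setting} -> {umask:03o}")
        for cmd, (sym, ww) in review_defaults(umask).items():
            print(f"  {cmd:16} {sym}{'  WORLD-WRITABLE' if ww else ''}")
```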

Changing the File Owner

• Changing the file owner (UID) or group name (GID):

  – chown is used to change the file owner UID

  – chown or chgrp is used to change the file owner GID

chown bobysue /u/billyb/file/myfile

chown bobysue:groupa /u/billyb/file/myfile

• Who can change the file ownership and group name?

  – File owner, if CHOWN.UNRESTRICTED is defined in the UNIXPRIV class

  – Superuser, either through UID(0) or READ access to SUPERUSER.FILESYS.CHOWN in the UNIXPRIV class

Relevant UNIXPRIV Class Profiles

Resource Name               Access Given

CHOWN.UNRESTRICTED          Allows users to use the chown command to transfer ownership of their own files

FILE.GROUPOWNER.SETGID      Controls the default group owner of a new HFS file

RESTRICTED.FILESYS.ACCESS   RESTRICTED users cannot use the 'other' bits

SHARED.IDS                  Allows users to assign UID and GID values that are not unique

Access Control Lists (ACLs)

And then it all changed: ACLs were first available in z/OS 1.3

Access Control Lists (ACLs)

• What is an ACL?

• Base ACLs

• Extended ACLs

• Access ACLs

• File Default ACLs

• Directory Default ACLs

Access Control Lists (ACLs)

• Access Control Lists are enabled with SETROPTS CLASSACT(FSSEC)

• ACLs are created, modified, and deleted with the setfacl UNIX command

  – Must be UID(0), the file owner, or have READ access to SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV resource class

• ACLs are displayed with the getfacl UNIX command

• ACLs are checked by RACF and not by the file system or kernel

Types of ACL Entries

• Base ACL Entries - aka Permission Bits

  – These are the permission bits (Owner, Group, Other)

  – Can be changed using chmod or setfacl

  – Not part of the ACL, although they can be managed and displayed using setfacl and getfacl

• Extended ACL Entries

  – Entries for individual users or groups

  – Stored with the file like the FSP

  – Each extended ACL can contain 1024 entries

  – Standard access levels can be granted: Read, Write and Execute

  – setfacl can specify the access using names or numerics

ACL Entries

• An entry consists of a type (user or group), an identifier (UID or GID) and permissions (read, write, and execute)

Figure: the base ACL is the FSP itself (file owner UID, file owner group GID, Set UID, Set GID, Sticky, the owner/group/other r w x permission bits, auditing and extended attributes p a s). The extended ACL is a list of ACL entries stored alongside it: UID1 rwx, UID2 rwx ... UIDn rwx, GID1 rwx, GID2 rwx ... GIDn rwx.

Activating ACLs

• The FSSEC class must be active to allow access authorizations via ACLs

• ACLs can be defined before the FSSEC class is activated

• Standard access checking is done if the FSSEC class is inactive and ACLs are defined

• You can still display ACL information if the FSSEC class is inactive

Working With ACLs

• Example: permit user TSGMW and group #TECH Read and Write access to the file /etc/inetd.conf

• The -m option modifies ACL entries, or adds them if they don't exist

• Each ACL entry is coded as three qualifiers:

  – type: user or group

  – userid or groupid

  – permission bits

setfacl -m user:tsgmw:rw-,group:#tech:rw- /etc/inetd.conf

Displaying ACLs

• Example: display the ACL for the file /etc/inetd.conf

getfacl /etc/inetd.conf

#file: /etc/inetd.conf
#owner: BPXROOT
#group: OMVSGRP
user::rwx
group::r--
other::r--
user:TSGMW:rw-
group:#TECH:rw-

Changing the Base ACLs

• Grant the same access as previously performed, but set the base permission bits to prevent access by anyone other than the file owner

• The -s option replaces the contents of the ACL with what is specified in the command. Note that the base permissions must be specified.

setfacl -s user::rwx,group::---,other::---,user:tsgmw:rw-,group:#tech:rw- /etc/inetd.conf

Deleting ACLs

• Delete a previously defined extended ACL

• The base permission bits remain in place

• The -x option deletes a specific ACL entry

setfacl -x user:tsgmw /etc/inetd.conf

• The -D option deletes an entire section of an ACL:

  – a = Access ACL

  – d = Directory Default ACL

  – f = File Default ACL

setfacl -D a /etc/inetd.conf

• Remember: deleting an object deletes its security

Limiting Superuser Access to ACLs

• The UNIXPRIV profile SUPERUSER.FILESYS can override an ACL entry

• SUPERUSER.FILESYS.ACLOVERRIDE in the UNIXPRIV resource class is used to limit SUPERUSER.FILESYS

• The override profile is only checked if an ACL entry (user or group) denies file access

File Access Flow With ACLs
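The access-check flow the surrounding slides describe (owner bits, user and group ACL entries across the current and supplemental groups, the 'other' bits, FSSEC, RESTRICTED.FILESYS.ACCESS and the SUPERUSER.FILESYS / SUPERUSER.FILESYS.ACLOVERRIDE override), as an added Python model that is not from the deck or from IBM. The exact ordering of the steps, the UNIXPRIV authority flags on the user and all UID/GID values are assumptions constructed for illustration; the /etc/inetd.conf entries mirror the deck's setfacl -s example.

```python
"""Added teaching model of the z/OS UNIX file access check with ACLs (not kernel/RACF code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

READ, WRITE, EXEC = 4, 2, 1


@dataclass
class Fsp:
    """File Security Packet fields the check needs, plus the extended ACL."""
    owner_uid: int
    owner_gid: int
    mode: int                                   # nine permission bits, e.g. 0o744
    acl: List[Tuple[str, int, int]] = field(default_factory=list)  # ("user"|"group", id, bits)


@dataclass
class Usp:
    """User Security Packet: effective UID, GID and supplemental groups."""
    uid: int
    gid: int
    supplemental: List[int] = field(default_factory=list)
    restricted: bool = False                    # RACF RESTRICTED attribute
    # UNIXPRIV authority this user holds (constructed flags, not RACF lookups)
    superuser_filesys: bool = False             # sufficient access to SUPERUSER.FILESYS
    aclovverride: bool = False                  # sufficient access to SUPERUSER.FILESYS.ACLOVERRIDE


@dataclass
class Options:
    fssec_active: bool = True                   # SETROPTS CLASSACT(FSSEC)
    restricted_filesys_access_defined: bool = False
    aclovverride_defined: bool = False


def _fits(bits: int, want: int) -> bool:
    return bits & want == want


def _base_decision(usp: Usp, fsp: Fsp, want: int, opts: Options) -> Tuple[bool, bool]:
    """Decide from permission bits and ACL entries only.

    Returns (granted, denied_by_acl_entry); the second flag is what the deck says
    decides whether the ACLOVERRIDE profile is consulted.
    """
    acl = fsp.acl if opts.fssec_active else []   # inactive FSSEC: standard checking only
    owner_bits, group_bits, other_bits = (fsp.mode >> 6) & 7, (fsp.mode >> 3) & 7, fsp.mode & 7

    # 1. Owner: the owner permission bits decide, nothing else is consulted.
    if usp.uid == fsp.owner_uid:
        return _fits(owner_bits, want), False

    # 2. A user ACL entry for this UID decides.
    for kind, ident, bits in acl:
        if kind == "user" and ident == usp.uid:
            return _fits(bits, want), True

    # 3. Groups: owning-group bits plus every matching group ACL entry; any grant wins.
    groups = [usp.gid] + usp.supplemental[:300]  # deck: first 300 connected groups
    candidates, acl_matched = [], False
    if fsp.owner_gid in groups:
        candidates.append(group_bits)
    for kind, ident, bits in acl:
        if kind == "group" and ident in groups:
            candidates.append(bits)
            acl_matched = True
    if candidates:
        return any(_fits(b, want) for b in candidates), acl_matched

    # 4. 'Other' bits, unless RESTRICTED users are barred from them.
    if usp.restricted and opts.restricted_filesys_access_defined:
        return False, False
    return _fits(other_bits, want), False


def check_access(usp: Usp, fsp: Fsp, want: int, opts: Optional[Options] = None) -> bool:
    """True if the user may perform `want` (a READ|WRITE|EXEC mask) on the object."""
    opts = opts or Options()
    if usp.uid == 0:                            # superuser
        return True
    granted, by_acl = _base_decision(usp, fsp, want, opts)
    if granted:
        return True
    # Denied. SUPERUSER.FILESYS may override, but when an ACL entry did the denying
    # and SUPERUSER.FILESYS.ACLOVERRIDE is defined, that profile decides instead.
    if by_acl and opts.aclovverride_defined:
        return usp.aclovverride
    return usp.superuser_filesys


# Constructed sample: /etc/inetd.conf after the deck's
# setfacl -s user::rwx,group::---,other::---,user:tsgmw:rw-,group:#tech:rw-
BPXROOT, OMVSGRP, TSGMW, TECH = 1, 2, 200, 300   # constructed UIDs/GIDs
INETD_CONF = Fsp(owner_uid=BPXROOT, owner_gid=OMVSGRP, mode=0o700,
                 acl=[("user", TSGMW, READ | WRITE), ("group", TECH, READ | WRITE)])

if __name__ == "__main__":
    print("TSGMW write:", check_access(Usp(TSGMW, 50), INETD_CONF, WRITE))
    print("TSGMW write, FSSEC inactive:",
          check_access(Usp(TSGMW, 50), INETD_CONF, WRITE, Options(fssec_active=False)))
    print("#TECH member write:", check_access(Usp(400, 50, [TECH]), INETD_CONF, WRITE))
    print("outsider read:", check_access(Usp(400, 50), INETD_CONF, READ))
```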

Default or Model ACLs

What, more ACLs?

• Access ACLs - used to provide resource protection for a file system object

  – Explained in the previous visuals

• File Default ACLs - used as a model when a file is created within a parent directory. The term used is inheritance.

• Directory Default ACLs - used as a model when a directory is created under a parent directory. The term used is inheritance.

Working with Default ACLs

• Sometimes referred to as Model ACLs

• File default ACLs are copied when a new file is created

• Directory default ACLs are copied when a new directory is created

• Acts like umask for ACLs

• Can be modified after creation of the new object

• Example: define a default ACL for the directory named /usr/etc

setfacl -m default:group:admins:r-x,default:group:dirgrp:rwx /usr/etc

Working with Default ACLs

• Display the default ACL for /usr/etc

• The -d option displays only the extended ACL entries in the directory default ACL

getfacl -d /usr/etc

#file: /usr/etc
#owner: TSGMW
#group: SYS1
default:group:admins:r-x
default:group:dirgrp:rwx

Some Useful TSO/E Commands

Some Useful UNIX Commands

Security for Daemons and Servers

UNIX Level Security for Daemons

Figure: the cron daemon OMVSCRON (UID = 0) is asked to run pgm1 for Mary. A clone of cron issues setuid(39); the only check is "Superuser?" (No: fail, Yes: continue). The clone then changes identity to Mary (Set User = Mary, UID = 39) and execs pgm1, which reads, writes and prints Mary's data.

z/OS UNIX Level Security for Daemons

Figure: the same flow with z/OS UNIX level security. Before setuid(39) in the clone of cron (OMVSCRON, UID = 0) succeeds, three checks must all answer Yes: Clean environment? Authorized to BPX.DAEMON? Superuser? A No on any of them fails the request. Only then does the clone change identity to Mary (Set User = Mary, UID = 39) and exec pgm1, which reads, writes and prints Mary's data.

BPX.DAEMON Profile

Enable a program to change its security identity

RDEF FACILITY BPX.DAEMON OW(SECADM) UA(NONE)

PE BPX.DAEMON CL(FACILITY) ID(OMVSCRON) AC(READ)

Allows daemon userid OMVSCRON to issue "setuid" and "seteuid" to change its identity in order to perform an action on behalf of another user. All programs in the daemon address space must be RACF program controlled.

Server Overview

Figure: a server address space running as user ANYSERV (UID = 0). The main program PGMA calls pthread_create() three times, giving PGMA Thread1, Thread2 and Thread3, which serve Tom (UID=17), Fred (UID=34) and Dave (UID=46) respectively against the server's data.

UNIX Level Security for Servers

Figure: the same server (ANYSERV, UID = 0). Thread1 calls pthread_security_np to take on Tom's identity (UID=17); the only check is "Superuser?" (No: fail, Yes: the thread runs as UID=17). Thread2 and Thread3 serve Fred (UID=34) and Dave (UID=46) the same way.

z/OS UNIX Level Security for Servers

Figure: with z/OS UNIX level security the server ANYSERV no longer needs UID 0 (here UID = 99). When PGMA Thread1 calls pthread_security_np to run as User=Tom (UID=17), two checks must answer Yes: Clean environment? and Authorized to BPX.SERVER? A No on either fails the request. Thread2 and Thread3 (Fred UID=34, Dave UID=46) are handled the same way.

BPX.SERVER Profile

Enable a server to change a thread's security identity

RDEF FACILITY BPX.SERVER OW(SECADM) UA(NONE)

PE BPX.SERVER CL(FACILITY) ID(ANYSERV) AC(UPD)

Allows a "server" task with userid ANYSERV to change the security profile of a thread (program) executing under the server. READ access requires presentation of the thread's password or passticket, while UPDATE access allows the server to act as a surrogate for the thread program. All programs in the address space must be RACF program controlled.

BPX.SRV.client-id Profile

RDEF SURROGAT BPX.SRV.CLIENT OW(SECADM) UA(NONE)

PE BPX.SRV.CLIENT CL(SURROGAT) ID(ANYSERV) AC(READ)

SETROPTS RACLIST(SURROGAT) REFRESH

Allows server ANYSERV to change the security identity of a thread to user CLIENT without providing a password or passticket for user CLIENT.

Extended Attributes

Extended Attribute Bits

• Extended attribute bits:

  – p - The program is considered program controlled

  – a - The program runs APF-authorized if linked AC=1

  – s - The program is enabled to run in a shared address space

• Display the extended attribute bits: ls -E

Figure: FSP layout (file owner UID, file owner group GID, Set UID, Set GID, Sticky, owner/group/other r w x, RACF AUDITOR and file owner auditing options) with the extended attribute bits p, s, a highlighted.

Is Program Control Needed for USS?

• Yes, some environments need it - daemons and servers

• Ensure only "trusted" programs are loaded

  – Prevent any rogue programs from being executed

  – PADS not needed

• Two methods:

  – Sticky bit

  – Extended attribute bit (OS/390 V2R4 and later)

• What programs should be trusted (program controlled)?

  – CEE.SCEERUN - C run-time library

  – SYS1.LINKLIB - some system daemons

  – SYS1.SEZALINK - daemons for TCP/IP

  – tcpip.SEZALOAD - daemons for TCP/IP

Program Control via the Sticky Bit

• Program control using the sticky bit:

  – Improves performance for frequently used programs

  – Program is copied to an external load module

  – PROGRAM profiles control access to execute

  – Issue the chmod command to set the "sticky bit" in the File Security Packet

Figure: FSP layout with the Sticky bit highlighted.

Program Control via the Sticky Bit

Figure: Frank (owner or superuser) sets the sticky bit on /u/frank/pgmb in the HFS; PGMB itself is link-edited into the load library ANY.LOADLIB, which a PROGRAM profile protects.

chmod o+t /u/frank/pgmb

Sets the sticky bit in the FSP to force use of the z/OS search sequence for PGMB

ADDSD 'ANY.LOADLIB' UACC(READ)

RDEF PROGRAM PGMB ADDMEM('ANY.LOADLIB'//NOPADCHK)

SETROPTS WHEN(PROGRAM) REFRESH

PROGRAM Class Profiles

• Activate program control and ensure that the daemon programs and the Language Environment run-time library are in a library that is controlled by z/OS.

SETROPTS WHEN(PROGRAM)

RDEF PROGRAM ** OW(SECADM) UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK,
  'CEE.SCEERUN'//NOPADCHK,
  'SYS1.SEZALINK'//NOPADCHK)

Makes all programs "program controlled" for daemon authority

Program Class Profiles

• Activate program control for individual programs

RDEF PROGRAM PROGB OW(SECADM) UA(READ) ADDMEM('ANY.LOADLIB'//NOPADCHK)

SETROPTS WHEN(PROGRAM) REFRESH

Makes individual programs "program controlled" for daemon authority

Program Control via Extended Attributes

• The program control extended attribute bit:

  – Available beginning with OS/390® V2R4

  – Program is loaded from the HFS

  – Issue the extattr command to set bit "p" in the File Security Packet

Figure: FSP layout with the extended attribute bit p highlighted.

Program Control via Extended Attributes

Figure: PGMB is built with the c89 compiler (option -WI) or the batch C compiler and stored in the HFS as /u/frank/pgmb. Frank, as superuser or with access to BPX.FILEATTR.PROGCTL, sets the p bit in its FSP (p a s):

extattr +p /u/frank/pgmb

Using BPX.FILEATTR.PROGCTL Profile

• Allow user FRANK to use the extended attributes in the FSP to identify a program as being program controlled. The "extattr" command is used to identify the program via its pathname.

extattr +p pathname

RDEF FACILITY BPX.FILEATTR.PROGCTL OW(SECADM) UACC(NONE)

PE BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(FRANK) ACCESS(READ)

APF Authorization for UNIX Programs

• The APF authorized extended attribute bit:

  – Available beginning with OS/390 V2R4

  – Program is loaded from the HFS

  – Issue the extattr command to set bit "a" in the File Security Packet

Figure: FSP layout with the extended attribute bit a highlighted.

APF Authorization via Extended Attributes

Allow an HFS program to run APF authorized

Figure: PGMA is built with the c89 compiler (option -WI,AC=1) or the batch C compiler with link-edit AC=1, and stored in the HFS as /u/frank/pgma. Frank, as superuser or with access to BPX.FILEATTR.APF, sets the a bit in its FSP (p a s):

extattr +a /u/frank/pgma

Note that AC=1 is only required if the program will be executed as an authorized job step program.

Using the BPX.FILEATTR.APF Profile

• Allow user FRANK to use the extended attributes in the FSP to make a program APF authorized. The "extattr" command is used to identify the program via its pathname.

extattr +a pathname

RDEF FACILITY BPX.FILEATTR.APF OW(SECADM) UACC(NONE)

PE BPX.FILEATTR.APF CLASS(FACILITY) ID(FRANK) ACCESS(READ)

Shared Library Programs

• The shared library extended attribute bit:

  – Available beginning with OS/390 V2R4

  – Sharing large executables across many address spaces

  – Use the +l option of the extattr command to set bit "s" in the File Security Packet

Figure: FSP layout with the extended attribute bit s highlighted.

Setting the Shared Library Attribute

Figure: Frank, as superuser or with access to BPX.FILEATTR.SHARELIB, sets the shared library bit in the FSP (p a s) of /u/frank/pgmb in the HFS:

extattr +l /u/frank/pgmb

The BPX.FILEATTR.SHARELIB Profile

• Allow user FRANK to use the extended attributes in the FSP to mark a program as being shared when loaded. The "extattr" command is used to identify the program via its pathname.

extattr +l pathname

RDEF FACILITY BPX.FILEATTR.SHARELIB OW(SECADM) UACC(NONE)

PE BPX.FILEATTR.SHARELIB CLASS(FACILITY) ID(FRANK) ACCESS(READ)

FACILITY Class Profiles

Catch All BPX.** Profile

Covers any new BPX profile created by IBM

• This is a general catch-all profile and ensures that whenever IBM® creates more BPX profiles they will be covered.

• Set up this profile with UACC(NONE) and no entries in the access list.

RDEF FACILITY BPX.** OWNER(SECADM) UACC(NONE)

• Do this after setting up the more specific BPX profiles, which provide explicit control over the features the other BPX profiles govern.

Auditing z/OS UNIX Security Events

Page 116

What is Always Audited

• Failed Mounts and Unmounts are always audited – BPXF031I messages

• When a user not defined as a z/OS UNIX user tries to dub a process

Page 117

What Can Optionally Be Audited

• HFS Files and Directories protected with Permission Bits – ICH408I messages

• HFS Files and Directories have Audit Options for File Owner and Auditor – Set with chaudit, not with RALTER or ALTDSD

• Superuser activity – through UNIXPRIV Class

• All changes to File Security Packet and Access Control Lists (ACLs)

• All activities of a user via the UAUDIT attribute

Page 118

File Security Packet

[Figure: layout of the File Security Packet (FSP) and who may change each part]

• File Owner UID

• File Owner Group GID

• File Mode: Set UID, Set GID, Sticky bit, and the File Permission Bits (r w x for Owner, Group and Other)

• Auditing Options: File Owner options, set with chaudit by the owner or a superuser; RACF AUDITOR options, set with chaudit by a RACF Auditor

• Extended Attributes (p a s)

Page 119

UNIX Commands to Implement Auditing

File Owner Sets Auditing:

chaudit w+s file1
chaudit rwx=sf file1
chaudit r-s,x-f file1

RACF AUDITOR Sets Auditing:

chaudit -a r+f,w+sf,x+f file1
chaudit -a r-f,x-f file1
chaudit -a rwx=f file1

Legend: f = failures, s = successes, a = all, _ = no auditing

Resulting audit flags (user r w x | auditor r w x), file owner sequence:

default           f f f | _ _ _
w+s               f a f | _ _ _
rwx=sf            a a a | _ _ _
r-s,x-f           f a s | _ _ _

RACF AUDITOR sequence:

default           f f f | _ _ _
-a r+f,w+sf,x+f   f f f | f a f
-a r-f,x-f        f f f | _ a _
-a rwx=f          f f f | f f f
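A model of the chaudit mode-string rules used on this slide, added here as an example and not part of the original deck: it applies the file owner and RACF AUDITOR command sequences to a file's default audit flags (user fff, auditor none) and returns the flags after each command, rendered in the six-character order ls -W uses, with '-' for no auditing. The function names and the in-memory state are my own.

```python
# Audit flag for one permission bit is a set drawn from {'f', 's'}; 'a' means both.
# Rendered in ls -W order (user r w x, then auditor r w x) with '-' for "no
# auditing"; the slide draws an unset flag as '_'.
EXPAND = {"f": {"f"}, "s": {"s"}, "a": {"f", "s"}}
RENDER = {frozenset(): "-", frozenset("f"): "f",
          frozenset("s"): "s", frozenset("fs"): "a"}

def default_flags():
    """Flags of a newly created file: user fff, auditor --- (ls -W shows fff---)."""
    return {"user": {b: {"f"} for b in "rwx"},
            "auditor": {b: set() for b in "rwx"}}

def apply_clause(flags, clause):
    """Apply one 'who op perm' clause such as 'w+s', 'rwx=sf' or 'r-s' in place."""
    ops = [i for i, ch in enumerate(clause) if ch in "+-="]
    if len(ops) != 1:
        raise ValueError(f"expected exactly one operator in {clause!r}")
    who, op, perm = clause[:ops[0]], clause[ops[0]], clause[ops[0] + 1:]
    if not who or not perm or any(b not in "rwx" for b in who):
        raise ValueError(f"bad clause {clause!r}")
    wanted = set().union(*(EXPAND[p] for p in perm))   # KeyError on a bad perm letter
    for bit in who:
        if op == "+":
            flags[bit] |= wanted
        elif op == "-":
            flags[bit] -= wanted
        else:                       # '=' replaces whatever was set before
            flags[bit] = set(wanted)

def chaudit(state, mode, auditor=False):
    """Simulate 'chaudit [-a] mode file'; returns a new state, input untouched."""
    new = {grp: {b: set(v) for b, v in bits.items()} for grp, bits in state.items()}
    target = new["auditor" if auditor else "user"]   # -a edits the auditor set
    for clause in mode.split(","):
        apply_clause(target, clause)
    return new

def render(state):
    """Six-character audit field as ls -W prints it, e.g. 'fff---'."""
    return "".join(RENDER[frozenset(state[g][b])]
                   for g in ("user", "auditor") for b in "rwx")

def run_sequence(modes, auditor=False):
    """Flags after each command, starting from the defaults (first element)."""
    state = default_flags()
    trail = [render(state)]
    for mode in modes:
        state = chaudit(state, mode, auditor=auditor)
        trail.append(render(state))
    return trail

# The two command sequences shown on the slide, in order.
OWNER_MODES = ("w+s", "rwx=sf", "r-s,x-f")            # file owner, no -a
AUDITOR_MODES = ("r+f,w+sf,x+f", "r-f,x-f", "rwx=f")  # RACF AUDITOR, chaudit -a
```

Note that an owner's chaudit never touches the auditor flags and vice versa, which is why the auditor's sequence leaves the user bits at fff throughout.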

Page 120

Auditing the Superuser

• Only through RACF UNIXPRIV Class Profiles

– Only SUCCESSes, except for SHARED.IDS

RALT UNIXPRIV ** AUDIT(SUCCESS(READ))

• SHARED.IDS creates audit records for FAILURES

– Use the default of FAILURES(READ)

• The RACF UAUDIT attribute can be used (could cause excessive SMF records)

Page 121

Classes for z/OS UNIX Auditing

• Classes for UNIX Auditing – DIRSRCH, DIRACC, FSOBJ, FSSEC, PROCESS, PROCACT, IPCOBJ

• CLASSACT and NOCLASSACT have no effect on the above classes, except FSSEC for ACLs

• No profiles can be defined in these Classes

Page 122

RACF Classes for Auditing USS

Directory Events

• DIRSRCH – directory searches

• DIRACC – read/write accesses to directories

File System Events

• FSOBJ – access checks for files and directories

• FSSEC – changes to security data (FSP and ACL)

Processes

• IPCOBJ – auditing of InterProcess Communication (IPC) access

• PROCESS – changes to process UIDs & GIDs

• PROCACT – functions that look at data from other processes or affect other processes

Page 123

RACF Commands to Implement Auditing

• Create SMF Records based on attempts to perform the specific request

– DIRSRCH: Directory searches

– DIRACC: Access checks for read/write accesses to directories

SETROPTS LOGOPTIONS(FAILURES(DIRSRCH, DIRACC))

Page 124

RACF Commands to Implement Auditing

• Create SMF records based on File System Objects and File Permissions and ACL changes

– FSOBJ: Successful creation and deletion of file system objects

– FSSEC: Successful changes to the FSP and ACL file permissions

SETROPTS AUDIT(FSOBJ FSSEC)

• Create SMF records based on PROCESS Dubbing, Undubbing, and Server Registration of Processes for PROCESS Class

– PROCESS: Successful dubbing and undubbing of z/OS UNIX processes

SETROPTS AUDIT(PROCESS)

Could Cause Excessive SMF Records

Page 125

SMF Records as a Result of Auditing

• Type 80 SMF records

• RACF Report Writer output is limited

• Need IRRADU00 to gather all auditing data for reporting

• SYS1.SAMPLIB contains examples of how to use DB2 with IRRADU00 output

• ICETOOL

• User-written programs

• Vendor-supplied products – Vanguard Advisor™

Page 126

Interpreting USS Related Messages

Page 127

Interpreting ICH408I Messages

User Attempted to Open a File

ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/tom/myfile
CL(FSOBJ ) FID(01D6E2F3F9C8F7000204000028060000)
INSUFFICIENT AUTHORITY TO OPEN
ACCESS INTENT(RW-) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)

• Attempt to open the file for READ and WRITE

• userid does not “own” the file /u/tom/myfile

• group does not “own” the file /u/tom/myfile

• other public access is “none”

Page 128

Interpreting ICH408I Messages

User Attempted to Open a File

ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/bill/files/data
CL(DIRSRCH ) FID(01E9C4E2E8E2F2000213000004F50000)
INSUFFICIENT AUTHORITY TO STAT
ACCESS INTENT(--X) ACCESS ALLOWED(GROUP ---)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)

• Attempt to open the file /u/bill/files/data

• User’s group does not have search authority to a directory in the file path

Page 129

Interpreting ICH408I Messages

User Attempted to Create a Directory

ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/frank
CL(FSOBJ ) FID(01C8C6E2E4E2F1000204000000000003)
INSUFFICIENT AUTHORITY TO MKDIR
ACCESS INTENT(-W-) ACCESS ALLOWED(OTHER --X)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)

• Attempt to create a directory, which requires WRITE access to the ‘/u’ directory

• userid does not “own” the /u directory

• group does not “own” the /u directory

• other public access is “SEARCH”
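A parser for the ICH408I message layout shown on these three slides, added as an example and not part of the deck: it pulls out the user, class, operation, access intent, the permission class RACF actually compared against (OWNER, GROUP or OTHER) and the bits that were missing, and turns them into the same kind of reading the bullets give. The sample message is the one from the first of the three slides; the function names are mine.

```python
import re

# Sample input: the message from the 'User Attempted to Open a File' slide.
SAMPLE = """\
ICH408I USER(CAROL ) GROUP(GROUPA) NAME(CAROL JONES)
/u/tom/myfile
CL(FSOBJ ) FID(01D6E2F3F9C8F7000204000028060000)
INSUFFICIENT AUTHORITY TO OPEN
ACCESS INTENT(RW-) ACCESS ALLOWED(OTHER ---)
EFFECTIVE UID(0000001010) EFFECTIVE GID(0000005050)
"""

FIELDS = {   # one regex per field; RACF pads some values with blanks, e.g. USER(CAROL )
    "user":   r"USER\((\S+)\s*\)",
    "group":  r"GROUP\((\S+)\s*\)",
    "cls":    r"CL\((\S+)\s*\)",
    "op":     r"INSUFFICIENT AUTHORITY TO (\w+)",
    "intent": r"ACCESS INTENT\(([-RWX]{3})\)",
    "who":    r"ACCESS ALLOWED\((OWNER|GROUP|OTHER) ([-RWX]{3})\)",
    "uid":    r"EFFECTIVE UID\((\d+)\)",
    "gid":    r"EFFECTIVE GID\((\d+)\)",
}

def parse_ich408i(text):
    """Return the fields of one multi-line ICH408I message as a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("ICH408I"):
        raise ValueError("not an ICH408I message")
    rec = {"path": lines[1]}          # the path name is always the second line
    for key, pat in FIELDS.items():
        m = re.search(pat, text)
        if not m:
            raise ValueError(f"ICH408I message is missing {key}")
        if key == "who":              # which permission class RACF compared against
            rec["who"], rec["allowed"] = m.group(1), m.group(2)
        else:
            rec[key] = m.group(1)
    rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
    return rec

def missing_bits(rec):
    """Bits requested in ACCESS INTENT but absent from ACCESS ALLOWED, e.g. ['r', 'w']."""
    return [want.lower() for want, have in zip(rec["intent"], rec["allowed"])
            if want != "-" and have == "-"]

def explain(rec):
    """One-line reading of the message in the style of the slides' bullets."""
    why = {"OWNER": "the user owns the object",
           "GROUP": "the user's group owns the object but the user does not",
           "OTHER": "neither the user nor the group owns the object"}[rec["who"]]
    what = (f"search a directory in the path to {rec['path']}"   # DIRSRCH: the failure
            if rec["cls"] == "DIRSRCH" else f"{rec['op']} {rec['path']}")  # is on the path
    return (f"{rec['user']} (UID {rec['uid']}, GID {rec['gid']}) could not {what}: "
            f"{why}, so the {rec['who']} bits '{rec['allowed']}' applied and "
            f"lack {', '.join(missing_bits(rec))}")
```

For a DIRSRCH message the path line names the object the user was after, not the directory that failed the search, so the explanation points at the path rather than the file itself.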

Page 130

Working in the UNIX System Services Environment

Page 131

UNIX Shell & Utilities

[Figure: the HFS, the shell commands & utilities, and C programs]

Page 132

Interoperability

[Figure: interoperability between TSO/E and z/OS UNIX: MVS data sets, HFS files, the shell, an MVS-like interface and a UNIX-like interface]

Page 133

TSO / UNIX Command Interaction

TSO/E side:

• Logon to TSO/E

• Issue any TSO/E Command

• Issue the OMVS Command

• Issue any TSO Command

• Return to the shell

• Issue any TSO/E Command

• Logoff

Shell side:

• Become a logged-on shell user

• Run any shell command

• Escape to TSO mode

• Continue shell commands

• Exit shell

Transitions between the two sides (arrow labels in the figure): OMVS, PF6, PA1, EXIT

Page 134

Entering z/OS UNIX

Page 135

The OMVS Shell

$

The $ prompt indicates a regular user

Page 136

The pwd Command

$ pwd
/u/johnh
$

Page 137

The ls Command

$ ls -l
total 8
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 04:25 files
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 19 15:16 doc
-rw-rwxrwx 2 JOHNH VANGUARD 250 Nov 17 23:07 stuff
-rw-r--r-- 2 JOHNH VANGUARD 17 Nov 17 23:07 mydata
-rw-r--r-- 5 JOHNH VANGUARD 1605 Dec 3 16:38 namesfile
-rw-r--r-- 2 JOHNH VANGUARD 472 Nov 17 23:15 myscript
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 17 23:07 unixdata
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 20:37 projecta
$

Page 138

Switching to Superuser

$ ls -l
total 8
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 04:25 files
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 19 15:16 doc
-rw-rwxrwx 2 JOHNH VANGUARD 250 Nov 17 23:07 stuff
-rw-r--r-- 2 JOHNH VANGUARD 17 Nov 17 23:07 mydata
-rw-r--r-- 5 JOHNH VANGUARD 1605 Dec 3 16:38 namesfile
-rw-r--r-- 2 JOHNH VANGUARD 472 Nov 17 23:15 myscript
drwxr-xr-x 2 JOHNH VANGUARD 0 Nov 17 23:07 unixdata
drwxr-xr-x 2 JOHNH VANGUARD 0 Dec 3 20:37 projecta
$ su
#

The # prompt indicates a superuser

Page 139

Exiting the Superuser Authority

#

Page 140

Exiting the OMVS Shell

# exit
$

Back to a regular user

Page 141

Exiting the OMVS Shell

$ exit

Page 142

Invoking ISHELL

Page 143

Using the ISHELL

Page 144

Using the Action Bar - File

Page 145

Setting the Options

Page 146

Directory List Options

Page 147

Using the Action Bar - Directory

Page 148

The Directory List

Page 149

Switching to Superuser

Page 150

Superuser Obtained

The # prompt indicates a superuser

Page 151

Using ISPF Split Screen

[Figure: ISPF split screen with a TSO session in one half and a USS session in the other]

Page 152

References

• z/OS Security Server (RACF) Security Administrator’s Guide – SA22-7683

• z/OS Security Server (RACF) Security Auditor’s Guide – SA22-7684

• z/OS UNIX System Services Planning – GA22-7800

• z/OS UNIX System Services User’s Guide – SA22-7801

• z/OS UNIX System Services Command Reference – SA22-7802

• z/OS UNIX System Services Home Page – http://www-1.ibm.com/servers/eserver/zseries/zos/unix/

• HFS Unload Utility – irrhfsu (Download from RACF home page)

• mvs-oe listserv – http://www2.marist.edu/htbin/wlvindex?mvs-oe

• z/OS SYS1.SAMPLIB member BPXISEC1