VANGUARD SECURITY & COMPLIANCE 2016
John Hickman, Vanguard Integrity Professionals
DTS-04
SECURITY & COMPLIANCE CONFERENCE 2016
Defending the Server: Proper Configuration and Setup of Parmlib Settings
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
IBM’s Statement of Integrity
First issued in 1973, IBM®’s MVS™ System Integrity Statement, and subsequent
statements for OS/390® and z/OS®, has stood for over three decades as a
symbol of IBM’s confidence in and commitment to the z/OS operating system. IBM
reaffirms its commitment to z/OS System Integrity.
IBM’s commitment includes design and development practices intended to prevent
unauthorized application programs, subsystems, and users from bypassing z/OS
security – that is, to prevent them from gaining access, circumventing, disabling,
altering, or obtaining control of key z/OS system processes and resources unless
allowed by the installation. Specifically, z/OS “System Integrity” is defined as the
inability of any program not authorized by a mechanism under the installation’s
control to circumvent or disable store or fetch protection, access a resource
protected by the z/OS Security Server (RACF®), or obtain control in an authorized
state; that is, in supervisor state, with a protection key less than eight (8), or
Authorized Program Facility (APF) authorized. In the event that an IBM System
Integrity problem is reported, IBM will always take action to resolve it.
IBM’s long-term commitment to System Integrity is unique in the industry, and
forms the basis of z/OS’ industry leadership in system security. z/OS is designed
to help you protect your system, data, transactions, and applications from
accidental or malicious modification. This is one of the many reasons IBM System
z™ remains the industry’s premier data server for mission-critical workloads.
IBM's Statement of Integrity
• IBM assures us that they have delivered a system with all components required to run securely.
• What you choose to do with it after installation is up to you.
• System Authorization Facility (SAF) is an IBM-provided system interface which directs control to your External Security Manager (ESM):
  • RACF
  • ACF2
  • Top-Secret
Objectives
• We will have a look at:
  • System IPL process
  • Parameter library locations
  • The system parameter libraries
  • Select members of PARMLIB as they relate to:
    • System security and integrity
    • Dynamic change commands
    • RACF protection
The System IPL Process
System IPL begins at the Hardware Management Console (HMC) and/or the z/VM console.
Ensure access to the HMC is secure:
• Physical security
  – Who has physical access to the actual console
• Default user definitions and passwords
  – Should be removed and replaced by installation-defined IDs
  • User definitions
    » Operator OPERATOR
    » Advanced Operator ADVANCED
    » System Programmer SYSPROG
    » Access Administrator ACSADMIN
    » Service Representative SERVICE
• Remote access permissions
  – Define and control what functions may be done from a remote session
The System IPL Process
• System IPL parameters
  • LOAD 1A80
    • Unit address of your SYSRES
  • LOADPARM 1A82nnxx (1A82 nn x x)
    • Characters 1-4: 1A82, unit address of your IODF volume
    • Characters 5-6: nn, suffix of the LOADxx member
    • Character 7: IMSI, Initialization Message Suppression Indicator
    • Character 8: alternate nucleus
System IPL Process
• One of the first things the system does at IPL time is look at the IODF volume specified in the LOADPARM.
• It will look for LOADxx in the following order:
  • SYS0.IPLPARM through SYS9.IPLPARM on the IODF volume
  • SYS1.PARMLIB on the IODF volume
  • SYS1.PARMLIB on the SYSRES volume
• The system will then use the IODF VSAM data set on the IODF volume.
  • This is the hardware I/O configuration for the z/OS system.
• The system will enter a disabled wait state if these components are not found.
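The LOADPARM field layout and the LOADxx search order described above, as an added example that is not code from the deck or from IBM: the LOADPARM value is constructed, and a blank field is reported as "system default" rather than resolved.

```python
"""Decode a LOADPARM and list where z/OS looks for the LOADxx member.

Added example for this deck, not IBM or Vanguard code. It follows the field
layout on the slide (IODF unit address, LOADxx suffix, IMSI, alternate
nucleus) and the SYSn.IPLPARM / SYS1.PARMLIB search order; a blank field
means "system default", which this example does not resolve.
"""
from __future__ import annotations
from dataclasses import dataclass

HEX = set("0123456789ABCDEF")


@dataclass(frozen=True)
class LoadParm:
    iodf_unit: str    # chars 1-4: unit address of the IODF volume
    load_suffix: str  # chars 5-6: suffix of the LOADxx member
    imsi: str         # char 7: Initialization Message Suppression Indicator
    alt_nucleus: str  # char 8: alternate nucleus id

    @property
    def loadxx_member(self) -> str:
        return "LOAD" + self.load_suffix


def parse_loadparm(loadparm: str) -> LoadParm:
    """Split a LOADPARM (1-8 characters, blank-padded to 8) into its fields."""
    lp = loadparm.upper().rstrip()
    if not 1 <= len(lp) <= 8:
        raise ValueError(f"LOADPARM must be 1-8 characters: {loadparm!r}")
    lp = lp.ljust(8)
    unit = lp[:4]
    if " " in unit or not set(unit) <= HEX:
        raise ValueError(f"IODF unit address is not a 4-digit hex address: {unit!r}")
    return LoadParm(unit, lp[4:6].strip(), lp[6].strip(), lp[7].strip())


def loadxx_search_order(lp: LoadParm) -> list[str]:
    """Data sets searched for LOADxx, in the order the slides give:
    SYS0..SYS9.IPLPARM on the IODF volume, then SYS1.PARMLIB on the IODF
    volume, then SYS1.PARMLIB on the SYSRES volume."""
    member = lp.loadxx_member
    order = [f"SYS{n}.IPLPARM({member}) on IODF volume {lp.iodf_unit}"
             for n in range(10)]
    order.append(f"SYS1.PARMLIB({member}) on IODF volume {lp.iodf_unit}")
    order.append(f"SYS1.PARMLIB({member}) on the SYSRES volume")
    return order


if __name__ == "__main__":
    # Constructed LOADPARM: IODF at 1A82, LOAD00, IMSI 'M', nucleus 1
    lp = parse_loadparm("1A8200M1")
    print(lp, "->", lp.loadxx_member)
    for entry in loadxx_search_order(lp):
        print(" ", entry)
```

Every data set in that list is a place an attacker-controlled LOADxx could be picked up from, which is why the deck asks for SYSn.IPLPARM and both SYS1.PARMLIB copies to be protected and audited.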
IPLINFO
• How can you, as an administrator or auditor, tell which parameters were used for an IPL?
  • MVS display command
    • D IPLINFO
System Parameter Libraries
• SYSn.IPLPARM
  • Resides on the IODF volume
  • Contains one or more LOADxx members
  • Ensure proper protection of this data set
• LOADxx contains:
  • IODFxx
  • Master catalog and parms
  • System parms
  • System PARMLIB concatenation
  • Nucleus information
  • Sysplex name
  • Etc.
Sample LOAD00 member
• IODF 99 SYS1
  • Your I/O configuration for the system
  • Translates to SYS1.IODF99
• SYSCAT Z1SYS1113CCATALOG.Z21Z.MASTER
  • Your system master catalog volume, misc. parms, and name
• SYSPARM 00 or (xx,yy,zz...)
  • System parms: the suffix of the IEASYS member(s) to be used for this IPL
• IEASYM 00 or (xx,yy,zz...)
  • Symbol table: the suffix of the IEASYM member(s) to be used for this IPL
• NUCLST 00
  • Nucleus member of SYS1.IPLPARM
Sample LOAD00 member
• PARMLIB USER.PARMLIB Z1SYS1
• PARMLIB ADCD.Z21Z.PARMLIB ******
• PARMLIB SYS1.PARMLIB *MCAT*
• NUCLEUS 1
  • Translates to IEANUC01
• SYSPLEX ADCDPL
  • Sysplex name
• This is a VERY basic LOAD00 member. LOADxx can become extremely complex.
• A single LOADxx member may be used with filtering keywords: HWNAME, LPARNAME, and VMUSERID.
Parmlib SETLOAD
• The SETLOAD command may be used to modify the system symbols and/or the PARMLIB list after system IPL.
• This can change the order or the contents of the PARMLIB list used for system functions.
• Care should be taken to secure the PARMLIB list.
• Dynamically Modified by:
  • MVS command SETLOAD
• Protected by:
  • OPERCMDS class MVS.SETLOAD.IEASYM
  • OPERCMDS class MVS.SETLOAD.LOAD
Sample IEASYSxx
PARMLIST
• IEASYSxx
  • List of system parameters
  • Can be a single member or multiple IEASYSxx members located in any or all of the PARMLIB libraries
  • Mostly a list of suffixes pointing to PARMLIB members
  • Paging data sets
  • Storage parameters
  • etc.
• We will focus on several security-related PARMLIB members.
Parmlib members we will look at
• AUTORxx – Auto-reply specifications
• BPXPRMxx – Unix System Services
• COMMNDxx – System commands
• IEAAPFxx – Authorized Program Facility
• IEACMDxx – System Commands (IBM Supplied)
• IEAFIXxx – Fixed LPA List
• IEALPAxx – Modified LPA List
• IEASVCxx – Installation-defined SVC
• IEASYMxx – Symbol Definitions
• IEASYSxx – System Parameter List
Parmlib Members
• IEFSSNxx – Subsystem Definitions
• IKJTSOxx – TSO/E Commands and Programs
• LNKLSTxx – LNKLST Concatenation
• LPALSTxx – LPA Library List
• MSTJCLxx – Master Scheduler JCL
• NUCLSTxx – Customized Nucleus region
• PROGxx – APF, LNKLST, LPA, exits
• SCHEDxx – Program Properties Table
• SMFPRMxx – System Management Facilities
PARMLIB Members
• AUTORxx – Auto-reply specifications
  • IBM-supplied policy; IBM suggests not modifying it
  • Create your own member for installation-defined replies
  • Could allow undesired automatic replies, bypassing operator intervention
  • Dynamically Modified by:
    • MVS command SET AUTOR=xx
  • Protected by:
    • OPERCMDS class MVS.SET.AUTOR
PARMLIB Members
• BPXPRMxx – Unix System Services
  • One or multiple members may be specified: OMVS=xx or OMVS=(xx,yy,zz...)
  • Contains multiple parameters relative to USS setup, security, performance, and TCP/IP parms
  • Security-related parameters:
    • SUPERUSER(BPXROOT)
    • STEPLIBLIST '/etc/steplib'
    • MAXUIDS
    • MAXTHREADS
    • USERIDALIASTABLE
    • ROOT – SETUID
    • MOUNT – NOSETUID / SECURITY
    • STARTUP_PROC(OMVS)
PARMLIB Members
• BPXPRMxx also contains multiple filesystem mount parameters:
  • Filesystem names
  • Mount points
  • Mount attributes:
    • SETUID
    • SECURITY
    • r/o vs. r/w
  • Dynamically Modified by:
    • MVS command SETOMVS
  • Protected by:
    • OPERCMDS class MVS.SETOMVS.OMVS
OMVS
• Let's not forget inside USS:
  • The /etc directory is the USS "PARM" file – ensure proper protections.
  • /etc/auto.master
    • Automount specifications for user filesystems
  • /etc/rc
    • Executes at USS start time; like an automatic commands file
  • /etc/*.conf files
    • There are numerous configuration files in the /etc directory
    • hosts
    • services
    • profile
      • umask 077
      • readonly LOGNAME
PARMLIB Members
• COMMNDxx – System commands
  • Defines user commands to be executed at IPL time
  • ANY command can be placed here, so this member should be reviewed regularly
PARMLIB Members
• IEAAPFxx – Authorized Program Facility
  • Defines a "static" APF list
  • Only modified at IPL
  • Maximum 255 entries
  • PROGxx is provided for a dynamic APF list
• IEACMDxx – System Commands (IBM Supplied)
  • IBM suggests not changing this list
  • Use COMMNDxx for user-supplied commands
PARMLIB Members
• IEAFIXxx – Fixed LPA List (FLPA)
  • Modules to be fixed in storage for the duration of an IPL
  • Ensure modules in IEAFIXxx are in libraries properly secured by RACF
• IEALPAxx – Modified LPA List (MLPA)
  • Modules to be temporarily added to PLPA
  • Like FLPA, only for the duration of the IPL
  • Modules in MLPA will be treated as though they are APF-authorized
  • Ensure these libraries are properly protected
PARMLIB Members
• IEASVCxx – Installation-defined SVCs
  • Numbered 200-255
  • Loaded at IPL time
  • CICS, IMS, ISV-provided, etc.
PARMLIB Members
• IEASYMxx – Symbol Definitions
  • These entries can completely change the characteristics of your operating system
  • System name, volumes, and many other references
  • These can be VERY difficult to interpret when HWNAME, LPARNAME, and VMUSERID filter logic is used
  • This member should be reviewed regularly
PARMLIB Members
• IEFSSNxx – Subsystem Definitions
  • Defines subsystems to your installation: SMS, JES, DB2, MQ, RACF, etc.
  • Dynamically Modified by:
    • MVS command SETSSI ACTIVATE
    • MVS command SETSSI ADD
    • MVS command SETSSI DEACTIVATE
  • Protected by:
    • OPERCMDS class MVS.SETSSI.ACTIVATE
    • OPERCMDS class MVS.SETSSI.ADD
    • OPERCMDS class MVS.SETSSI.DEACTIVATE
Sample IEFSSNxx
PARMLIB Members
• IKJTSOxx – TSO/E Commands and Programs
  • AUTHCMDS: specifies the authorized TSO/E commands
  • AUTHPGM: specifies authorized programs
  • AUTHTSF: specifies the APF-authorized programs that may be called through the TSO service facility
  • PASSPHRASE
  • LOGON LOGONHERE
IKJTSOxx
• VERIFYAPPL: specifies whether TSO passes the APPLID to RACF for verification at logon time
• Send/Receive parameters
• Dynamically Modified by:
  • TSO command PARMLIB UPDATE
  • MVS command SET IKJTSO=xx
• Protected by:
  • TSOAUTH class PARMLIB
  • OPERCMDS class MVS.SET.IKJTSO
TSO
• Be sure to protect your TSO environment
  • TSOPROC class: permit only the proper logon procedures to avoid "renegade" PROCs
  • TSOAUTH class: grant only the required TSO authorizations
• These next two can be exploited very quickly if left unprotected:
  • PROCLIB library protection
    • Review the JES startup PROC to understand which libraries are included in the concatenation
    • Or $D PROCLIB for dynamic JES procs
  • CLIST library protection
    • Where TSO LOGON CLISTs are executed
PARMLIB Members
• LNKLSTxx – LNKLST Concatenation
  • Defines a "static" LNKLST for the duration of the IPL
  • PROGxx is provided for dynamic LNKLST updates
  • PROGxx with LNKLST ACTIVATE overrides LNKLSTxx
• LPALSTxx – LPA Library List
  • Concatenation of installation read-only reentrant programs to be shared among all system users
  • LPA libraries need not be APF-authorized
    • Modules will be treated as APF-authorized anyway
  • Ensure the libraries in LPALSTxx are properly protected
LPALSTxx Sample
PARMLIB Members
• MSTJCLxx – Master Scheduler JCL
  • Controls system initialization and processing
  • Any task started with SUB=MSTR
  • The JES2 or JES3 subsystem's JCL will be in the IEFPDSI DD concatenation
  • Note the optional SYSRACF DD
    • Yes, I can start this system with any RACF data base I want.
PARMLIB Members
• NUCLSTxx – Customized Nucleus region
• Add your installation's modules to the nucleus region.
• Delete nucleus-resident modules and replace them with alternate versions of the modules.
• Modules must reside as members of SYS1.NUCLEUS
• Ensure proper protection of SYS1.NUCLEUS
PARMLIB Members
• PROGxx – APF, LNKLST, LPA, exits
  • PROGxx is one of the reasons systems can go without an IPL for months and even years.
  • APF
    • SYS1.LINKLIB and SYS1.SVCLIB are automatically authorized at IPL.
    • Any module linked AC=1 in the link pack area (PLPA, MLPA, FLPA, or dynamic LPA) will be treated by the system as an APF-authorized module.
    • Ensure that you have proper protection for ANY library that contributes modules to the LPA, to avoid system integrity exposures.
    • The system does not care whether a library in the APF list exists. Be careful not to define libraries that do not exist: the moment they do exist, all modules within them are APF-authorized.
    • SMS-managed libraries in the APF list should be defined as such.
      • Libraries defined as SMS will retain their authorization should the library move to another volume.
PROGxx APF sample
PARMLIB Members
• APF
  • Library concatenations such as //STEPLIB that contain unauthorized libraries will cause the entire concatenation to be unauthorized. Caution should be used when adding additional APF libraries to "remedy" this case. Ensure all APF libraries are properly protected.
  • Dynamically Modified by:
    • SETPROG APF
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SET.PROG
    • OPERCMDS class MVS.SETPROG
    • FACILITY class CSVAPF.*
PROGxx LINKLIST sample
PARMLIB Members
• LNKLST
  • LNKLST libraries are an ordered list (concatenation) of data sets for processing.
  • Users need not know the libraries where these programs reside to use them.
  • LNKLST is searched when modules are not found in:
    • STEPLIB
    • JOBLIB
    • LPA
PARMLIB Members
• IEASYSxx parm LNKAUTH
  • This parameter specifies whether all libraries in the LNKLST are to be treated as APF-authorized when accessed as part of the concatenation.
  • LNKLST (default)
    • Indicates all libraries are treated as APF-authorized
  • APFTAB
    • Indicates only libraries in the APF list are APF-authorized
  • Dynamically Modified by:
    • SETPROG LNKLST
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYNL.*
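The APF rules from the PROGxx APF slides and the LNKAUTH choice above, as one added example that is not code from the deck or from IBM: it parses constructed PROGxx APF entries (assumed DSNAME/VOLUME/SMS keyword layout), evaluates whether a library or a STEPLIB concatenation is effectively authorized under LNKAUTH=LNKLST versus APFTAB, and reports the review findings the slides warn about (non-SMS entries, entries for data sets that do not exist, and LNKLST libraries authorized without an APF entry).

```python
"""Model how z/OS decides whether a load library is APF-authorized.

Added example for this deck, not IBM or Vanguard code. Rules from the slides:
SYS1.LINKLIB/SYS1.SVCLIB are authorized automatically; other libraries if
they are in the APF list; LNKAUTH=LNKLST treats every LNKLST library as
authorized while APFTAB does not; a STEPLIB/JOBLIB concatenation is
authorized only if every library in it is.
"""
from __future__ import annotations
import re

AUTO_APF = {"SYS1.LINKLIB", "SYS1.SVCLIB"}   # automatic at IPL
# Constructed PROGxx APF entries (assumed DSNAME/VOLUME/SMS keyword layout).
PROGXX_APF = """\
APF ADD DSNAME(SYS1.SIEALNKE) SMS
APF ADD DSNAME(ISV.AUTHLIB)   VOLUME(ISV001)
APF ADD DSNAME(TEST.APFLIB)   VOLUME(TST001)
"""
APF_RE = re.compile(r"APF\s+ADD\s+DSNAME\((?P<dsn>[\w.$#@]+)\)\s+"
                    r"(?P<where>SMS|VOLUME\((?P<vol>\w+)\))", re.I)

def parse_apf(member: str) -> dict[str, str]:
    """Map each APF ADD data set name to 'SMS' or its volser."""
    apf: dict[str, str] = {}
    for line in member.splitlines():
        m = APF_RE.search(line)
        if m:
            apf[m["dsn"].upper()] = "SMS" if m["vol"] is None else m["vol"].upper()
    return apf

def is_apf(dsn: str, apf: dict[str, str], lnklst: set[str],
           lnkauth: str = "LNKLST") -> bool:
    """Is one library treated as APF-authorized under these settings?"""
    dsn = dsn.upper()
    if dsn in AUTO_APF or dsn in apf:
        return True
    return lnkauth.upper() == "LNKLST" and dsn in lnklst

def concatenation_authorized(libs, apf, lnklst, lnkauth="LNKLST") -> bool:
    """One unauthorized library makes the whole STEPLIB/JOBLIB unauthorized."""
    return all(is_apf(d, apf, lnklst, lnkauth) for d in libs)

def audit_apf(apf, lnklst, lnkauth="LNKLST", existing=None) -> list[str]:
    """Reviewer findings per the slides. `existing` is the constructed set of
    cataloged names: an APF entry for a data set that does not exist becomes
    live the moment someone creates it, so it is reported."""
    findings = []
    for dsn, where in sorted(apf.items()):
        if existing is not None and dsn not in existing:
            findings.append(f"{dsn}: not cataloged, remove the APF entry")
        if where != "SMS":
            findings.append(f"{dsn}: on volume {where}; if SMS-managed, define it "
                            "as SMS so authorization survives a volume move")
    if lnkauth.upper() == "LNKLST":
        extra = sorted(d for d in lnklst if d not in apf and d not in AUTO_APF)
        if extra:
            findings.append("LNKAUTH=LNKLST treats these LNKLST libraries as "
                            "authorized with no APF entry: " + ", ".join(extra))
    return findings
```

Feed it the output of D PROG,APF and D PROG,LNKLST from your own system (parsed into the same dict and set) to see which libraries are effectively authorized only because of LNKAUTH=LNKLST.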
PARMLIB Members
• LPA
  • For modules to be added to LPA after an IPL
    • Generally for modules residing in a PDSE
  • Or modules to be deleted from LPA following an IPL
  • Dynamically Modified by:
    • SETPROG LPA
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYLPA.*
PARMLIB Members
• EXITS
  • Add or remove an exit on the system
  • Replace exit routines
  • Modify exit routines
  • Change the attributes of an exit
  • Dynamically Modified by:
    • SETPROG EXIT
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYNEX.*
PARMLIB Members
• SCHEDxx – Program Properties Table
  • IBM supplies a PPT.
  • You cannot remove the supplied entries, but you can remove attributes by adding entries in your SCHEDxx:
    • CANCEL | NOCANCEL
    • KEY(n)
    • SWAP | NOSWAP
    • PASS | NOPASS
  • All programs listed in the PPT must be in APF-authorized libraries.
  • Dynamically Modified by:
    • SET SCH=xx
  • Protected by:
    • OPERCMDS class MVS.SET.SCH
SCHEDxx Sample
PARMLIB Members
• SMFPRMxx – System Management Facilities
  • SMFPRMxx defines a large number of variables:
    • SID – system identifier
    • SMF record types and subtypes to be recorded
    • Data sets or log streams to be used for SMF recording
    • Installation-defined MEMLIMIT
    • JWT, SWT, TWT wait times allowed
    • Exits that are to receive control at various points in SMF processing
  • Dynamically Modified by:
    • SET SMF=xx
  • Protected by:
    • OPERCMDS class MVS.SET.SMF
PARMLIB Baseline
• It is recommended that installations perform a regular baseline of the system parameters.
• Turn on auditing for all of the PARMLIB data sets:
  • ALD 'YOUR.PARMLIB' AUDIT(SUCC(UPDATE) FAIL(READ))
• Include:
  • SYSn.IPLPARM
  • All libraries in the PARMLIB list
    • D PARMLIB
MVS Display Commands
• How do you see what has been dynamically changed or added?
  • D IPLINFO
  • D PROG,APF (and likewise D PROG,LNKLST, D PROG,EXIT, D PROG,LPA)
  • D SMF,OPTIONS
  • Etc.
• Refer to MVS System Commands for a complete list of display commands.
• It is recommended to protect the system DISPLAY commands. Do not allow unauthorized users to perform discovery against your system parameters, APF libraries, etc. Display commands are not as innocent as they may sound.
• Refer to Table 10 of MVS System Commands for a complete list of MVS SET commands, including the RACF protection requirements.
References
• MVS System Commands: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieag100/toc.htm
• MVS Planning Operations: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieag300/abstract.htm
• MVS Initialization and Tuning Reference: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/toc.htm
Questions?
Thank you!