VANGUARD SECURITY & COMPLIANCE 2016

Page 1

John Hickman, Vanguard Integrity Professionals

DTS-04

SECURITY & COMPLIANCE CONFERENCE 2016

Defending the Server: Proper Configuration and Setup of Parmlib Settings

Page 2

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University

Page 3

Trademarks

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Page 4

IBM’s Statement of Integrity

First issued in 1973, IBM®’s MVS™ System Integrity Statement, and subsequent statements for OS/390® and z/OS®, has stood for over three decades as a symbol of IBM’s confidence in and commitment to the z/OS operating system. IBM reaffirms its commitment to z/OS System Integrity.

IBM’s commitment includes design and development practices intended to prevent unauthorized application programs, subsystems, and users from bypassing z/OS security – that is, to prevent them from gaining access, circumventing, disabling, altering, or obtaining control of key z/OS system processes and resources unless allowed by the installation. Specifically, z/OS “System Integrity” is defined as the inability of any program not authorized by a mechanism under the installation’s control to circumvent or disable store or fetch protection, access a resource protected by the z/OS Security Server (RACF®), or obtain control in an authorized state; that is, in supervisor state, with a protection key less than eight (8), or Authorized Program Facility (APF) authorized. In the event that an IBM System Integrity problem is reported, IBM will always take action to resolve it.

IBM’s long-term commitment to System Integrity is unique in the industry, and forms the basis of z/OS’ industry leadership in system security. z/OS is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons IBM System z™ remains the industry’s premier data server for mission-critical workloads.

Page 5

IBM’s Statement of Integrity

• IBM assures us that they have delivered a system with all components required to run secured.

• What you choose to do with it after installation is up to you.

• The System Authorization Facility (SAF) is an IBM-provided system interface which directs control to your External Security Manager (ESM):
  • RACF
  • ACF2
  • Top Secret

Page 6

Objectives

• We will have a look at:
  • The system IPL process
  • Parameter library locations
  • The system parameter libraries
  • Select members of PARMLIB as they relate to:
    • System security and integrity
    • Dynamic change commands
    • RACF protection

Page 7

The System IPL Process

System IPL begins at the Hardware Management Console (HMC) and/or the z/VM console.

Ensure access to the HMC is secure:

• Physical security
  – Who has physical access to the actual console
• Default user definitions and passwords
  – Should be removed and replaced by installation-defined IDs
  • Default user definitions
    » Operator: OPERATOR
    » Advanced Operator: ADVANCED
    » System Programmer: SYSPROG
    » Access Administrator: ACSADMIN
    » Service Representative: SERVICE
• Remote access permissions
  – Define and control what functions may be done from a remote session

Page 8

The System IPL Process

• System IPL parameters
  • LOAD 1A80
    • Unit address of your SYSRES
  • LOADPARM 1A82nnxx (1A82 nn x x)
    • Characters 1-4: 1A82, the unit address of your IODF volume
    • Characters 5-6: nn, the suffix of the LOADxx member
    • Character 7: IMSI (Initialization Message Suppression Indicator)
    • Character 8: alternate nucleus

Page 9

System IPL Process

• One of the first things the system does at IPL time is look at the IODF volume specified in the LOADPARM.
• It will look for LOADxx in the following order:
  • SYS0.IPLPARM through SYS9.IPLPARM on the IODF volume
  • SYS1.PARMLIB on the IODF volume
  • SYS1.PARMLIB on the SYSRES volume
• The system will then use the IODF VSAM data set on the IODF volume.
  • This is the hardware I/O configuration for the z/OS system.
• The system will enter a disabled wait state if these components are not found.

Page 10

IPLINFO

• How can you, as an administrator or auditor, tell which parameters were used for an IPL?
  • MVS display command:
    • D IPLINFO

Page 11

System Parameter Libraries

• SYSn.IPLPARM
  • Resides on the IODF volume
  • Contains one or more LOADxx members
    • Ensure proper protection of this data set
  • LOADxx contains:
    • IODFxx
    • Master catalog and parms
    • System parms
    • System PARMLIB concatenation
    • Nucleus information
    • Sysplex name
    • Etc.

Page 12

Sample LOAD00 member

Page 13

Sample LOAD00 member

• IODF 99 SYS1
  • Your I/O configuration for the system
  • Translates to SYS1.IODF99
• SYSCAT Z1SYS1113CCATALOG.Z21Z.MASTER
  • Your system master catalog volume, misc. parms, and name
• SYSPARM 00 or (xx,yy,zz…): system parms
  • The suffix of the IEASYS member(s) to be used for this IPL
• IEASYM 00 or (xx,yy,zz…): symbol table
  • The suffix of the IEASYM member(s) to be used for this IPL
• NUCLST 00
  • Nucleus member of SYS1.IPLPARM

Page 14

Sample LOAD00 member

• PARMLIB USER.PARMLIB Z1SYS1
• PARMLIB ADCD.Z21Z.PARMLIB ******
• PARMLIB SYS1.PARMLIB *MCAT*
• NUCLEUS 1
  • Translates to IEANUC01
• SYSPLEX ADCDPL
  • SYSPLEX name
• This is a VERY basic LOAD00 member. LOADxx can become extremely complex.
• A single LOADxx member may be used for several systems with the filtering keywords HWNAME, LPARNAME, and VMUSERID.

Page 15

Parmlib SETLOAD

• The SETLOAD command may be used to modify the system symbols and/or the PARMLIB list after system IPL.
• This can change the order or the contents of the PARMLIB list used for system functions.
• Care should be taken to secure the PARMLIB list.
• Dynamically modified by:
  • MVS command SETLOAD
• Protected by:
  • OPERCMDS class MVS.SETLOAD.IEASYM
  • OPERCMDS class MVS.SETLOAD.LOAD

Page 16

Sample IEASYSxx


Page 17

Sample IEASYSxx continued

Page 18

PARMLIST

• IEASYSxx
  • List of system parameters
  • Can be a single IEASYSxx member or multiple members, located in any or all of the PARMLIB libraries
  • Mostly a list of suffixes pointing to PARMLIB members
  • Paging data sets
  • Storage parameters
  • etc.
• We will focus on several security-related PARMLIB members.

Page 19

Parmlib members we will look at

• AUTORxx – Auto-reply specifications

• BPXPRMxx – Unix System Services

• COMMNDxx – System commands

• IEAAPFxx – Authorized Program Facility

• IEACMDxx – System Commands (IBM Supplied)

• IEAFIXxx – Fixed LPA List

• IEALPAxx – Modified LPA List

• IEASVCxx – Installation-defined SVC

• IEASYMxx – Symbol Definitions

• IEASYSxx – System Parameter List

Page 20

Parmlib Members

• IEFSSNxx – Subsystem Definitions

• IKJTSOxx – TSO/E Commands and Programs

• LNKLSTxx – LNKLST Concatenation

• LPALSTxx – LPA Library List

• MSTJCLxx – Master Scheduler JCL

• NUCLSTxx – Customized Nucleus region

• PROGxx – APF, LNKLST, LPA, exits

• SCHEDxx – Program Properties Table

• SMFPRMxx – System Management Facilities

Page 21

PARMLIB Members

• AUTORxx – Auto-reply specifications
  • IBM-supplied policy; IBM suggests not modifying it
  • Create your own member for installation-defined replies
  • Could allow undesired automatic replies, bypassing operator intervention
  • Dynamically modified by:
    • MVS command SET AUTOR=xx
  • Protected by:
    • OPERCMDS class MVS.SET.AUTOR

Page 22

PARMLIB Members

• BPXPRMxx – Unix System Services
  • One or multiple members may be specified
    • OMVS=xx or OMVS=(xx,yy,zz…)
  • Contains multiple parameters relating to USS setup, security, performance, and TCP/IP parms
  • Security-related parameters:
    • SUPERUSER(BPXROOT)
    • STEPLIBLIST('/etc/steplib')
    • MAXUIDS
    • MAXTHREADS
    • USERIDALIASTABLE
    • ROOT – SETUID
    • MOUNT – NOSETUID / SECURITY
    • STARTUP_PROC(OMVS)

Page 23

PARMLIB Members

• Contains multiple filesystem mount parameters:
  • Filesystem names
  • Mount points
  • Mount attributes
    • SETUID
    • SECURITY
    • r/o vs. r/w
• Dynamically modified by:
  • MVS command SETOMVS
• Protected by:
  • OPERCMDS class MVS.SETOMVS.OMVS

Page 24

OMVS

• Let’s not forget inside USS:
  • The /etc directory is the USS “PARM” file; ensure proper protections.
  • /etc/auto.master
    • Automount specifications for user filesystems
  • /etc/rc
    • Executes at USS start time; it is like an automatic commands file
  • /etc/*.conf files
    • There are numerous configuration files in the /etc directory
    • hosts
    • services
    • profile
      • umask 077
      • readonly LOGNAME

Page 25

PARMLIB Members

• COMMNDxx – System commands
  • Defines user commands to be executed at IPL time
  • It may contain ANY commands, so this member should be reviewed regularly

Page 26

PARMLIB Members

• IEAAPFxx – Authorized Program Facility
  • Defines a “static” APF list
  • Only modified at IPL
  • Maximum 255 entries
  • PROGxx is provided for a dynamic APF list
• IEACMDxx – System Commands (IBM Supplied)
  • IBM suggests not changing this list
    • Use COMMNDxx for user-supplied commands

Page 27

PARMLIB Members

• IEAFIXxx – Fixed LPA List (FLPA)
  • Modules to be fixed in storage for the duration of an IPL
  • Ensure modules in IEAFIXxx are in libraries properly secured by RACF
• IEALPAxx – Modified LPA List (MLPA)
  • Modules to be temporarily added to PLPA
  • Like FLPA, only for the duration of the IPL
  • Modules in MLPA will be treated as though they are APF-authorized
  • Ensure these libraries are properly protected

Page 28

PARMLIB Members

• IEASVCxx – Installation-defined SVC
  • Numbered 200-255
  • Loaded at IPL time
  • CICS, IMS, ISV-provided, etc.

Page 29

PARMLIB Members

• IEASYMxx – Symbol Definitions
  • These entries can completely change the characteristics of your operating system
  • System name, volumes, and many other references
  • These can be VERY difficult to interpret when they use HWNAME, LPARNAME, and VMUSERID filter logic
  • This member should be reviewed regularly

Page 30

PARMLIB Members

• IEFSSNxx – Subsystem Definitions
  • Defines subsystems to your installation
    • SMS, JES, DB2, MQ, RACF, etc.
  • Dynamically modified by:
    • MVS command SETSSI ACTIVATE
    • MVS command SETSSI ADD
    • MVS command SETSSI DEACTIVATE
  • Protected by:
    • OPERCMDS class MVS.SETSSI.ACTIVATE
    • OPERCMDS class MVS.SETSSI.ADD
    • OPERCMDS class MVS.SETSSI.DEACTIVATE

Page 31

Sample IEFSSNxx

Page 32

PARMLIB Members

• IKJTSOxx – TSO/E Commands and Programs
  • AUTHCMDS
    • Specifies the authorized TSO/E commands
  • AUTHPGM
    • Specifies authorized programs
  • AUTHTSF
    • Specifies the APF-authorized programs that may be called through the TSO service facility
  • PASSPHRASE
  • LOGON LOGONHERE

Page 33

IKJTSOxx

• VERIFYAPPL
  • Specifies whether TSO passes the APPLID to RACF for verification at logon time
• Send/Receive parameters
• Dynamically modified by:
  • TSO command PARMLIB UPDATE
  • MVS command SET IKJTSO=xx
• Protected by:
  • TSOAUTH class PARMLIB
  • OPERCMDS class MVS.SET.IKJTSO

Page 34

TSO

• Be sure to protect your TSO environment
  • TSOPROC class
    • Permit only the proper logon procedures, to avoid “renegade” PROCs
  • TSOAUTH class
    • Grant only the required TSO authorizations
  • These next two can be exploited very quickly:
    • PROCLIB library protection
      • Review the JES startup PROC to understand which libraries are included in the concatenation
      • Or $D PROCLIB for dynamic JES procs
    • CLIST library protection
      • Where TSO LOGON CLISTs are executed

Page 35

PARMLIB Members

• LNKLSTxx – LNKLST Concatenation
  • Defines a “static” LNKLST for the duration of the IPL
  • PROGxx is provided for dynamic LNKLST updates
  • PROGxx with LNKLST ACTIVATE overrides LNKLSTxx
• LPALSTxx – LPA Library List
  • Concatenation of installation read-only reenterable programs to be shared among all system users
  • LPA libraries need not be APF-authorized
  • Modules will be treated as APF-authorized
  • Ensure the libraries in LPALSTxx are properly protected

Page 36

LPALSTxx Sample

Page 37

PARMLIB Members

• MSTJCLxx – Master Scheduler JCL
  • Controls system initialization and processing
  • Any task started with SUB=MSTR
  • The JES2 or JES3 subsystem’s JCL will be in the IEFPDSI DD concatenation
  • Note the optional SYSRACF DD
    • Yes, I can start this system with any RACF database I want.

Page 38

PARMLIB Members

• NUCLSTxx – Customized Nucleus region
  • Add your installation's modules to the nucleus region
  • Delete nucleus-resident modules and replace them with alternate versions of the modules
  • Modules must reside as members of SYS1.NUCLEUS
  • Ensure proper protection of SYS1.NUCLEUS

Page 39

PARMLIB Members

• PROGxx – APF, LNKLST, LPA, exits
  • PROGxx is one of the reasons systems can go without an IPL for months and even years.
  • APF
    • SYS1.LINKLIB and SYS1.SVCLIB are in the APF list automatically at IPL.
    • Any module linked AC=1 in the link pack area (PLPA, MLPA, FLPA, or dynamic LPA) will be treated by the system as an APF-authorized module.
    • Ensure that you have proper protection for ANY library that contributes modules to the LPA, to avoid system integrity exposures.
    • The system does not care whether a library in the APF list exists. Be careful not to define libraries that do not exist: the moment they do exist, all modules within are APF-authorized.
    • SMS-managed libraries in the APF list should be defined as such
      • Libraries defined as SMS will retain their authorization should the library move to another volume

Page 40

PROGxx APF sample

Page 41

PARMLIB Members

• APF
  • Library concatenations such as //STEPLIB that contain unauthorized libraries will cause the entire concatenation to be unauthorized. Caution should be used when adding additional APF libraries to “remedy” this case. Ensure all APF libraries are properly protected.
  • Dynamically modified by:
    • SETPROG APF
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SET.PROG
    • OPERCMDS class MVS.SETPROG
    • FACILITY class CSVAPF.*

Page 42

PROGxx LINKLIST sample

Page 43

PARMLIB Members

• LNKLST
  • LNKLST libraries are an ordered list (concatenation) of data sets for processing.
  • Users need not know the libraries where these programs reside to use them.
  • LNKLST is searched when modules are not found in:
    • STEPLIB
    • JOBLIB
    • LPA

Page 44

PARMLIB Members

• IEASYSxx parm LNKAUTH
  • This parameter specifies whether all libraries in the LNKLST are to be treated as APF-authorized when accessed as part of the concatenation.
  • LNKLST (default)
    • Indicates all libraries are treated as APF-authorized
  • APFTAB
    • Indicates only libraries in the APF list are APF-authorized
  • Dynamically modified by:
    • SETPROG LNKLST
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYNL.*
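As an added example (not code from the talk), the Python below applies pages 39, 41 and 44 to a constructed PROGxx member: it parses the APF ADD and LNKLST statements, derives which libraries the system will treat as APF-authorized under LNKAUTH=LNKLST versus APFTAB, shows why one unauthorized library de-authorizes a whole STEPLIB, and flags APF entries for data sets that are not cataloged or are SMS-managed but defined by volume. The PROGxx text, the catalog contents and every data set name other than SYS1.LINKLIB and SYS1.SVCLIB are constructed for the example.

```python
"""Derive which libraries an IPL treats as APF-authorized from a PROGxx member and
the IEASYSxx LNKAUTH setting, and flag the APF exposures the talk describes."""
import re

# Constructed PROGxx using the APF and LNKLST statement keywords.  Only single-line
# statements are handled; PROGxx continuation lines are not.
SAMPLE_PROGXX = """\
/* SYS1.LINKLIB and SYS1.SVCLIB need no APF ADD: they are authorized at IPL */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(USER.APFLIB)    SMS
APF ADD DSNAME(VENDOR.LOADLIB) VOLUME(VNDR01)
APF ADD DSNAME(OLD.APFLIB)     VOLUME(OLDVOL)   /* no longer cataloged */
LNKLST DEFINE NAME(LNKLST00)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.LINKLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.MIGLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(USER.LINKLIB)
LNKLST ACTIVATE NAME(LNKLST00)
"""

# Constructed catalog: data set -> volser, or "SMS" for an SMS-managed data set.
CATALOG = {
    "SYS1.LINKLIB": "ZARES1", "SYS1.SVCLIB": "ZARES1", "SYS1.MIGLIB": "ZARES1",
    "USER.APFLIB": "SMS", "VENDOR.LOADLIB": "SMS", "USER.LINKLIB": "USRVOL",
}
AUTO_APF = {"SYS1.LINKLIB": "*IPL*", "SYS1.SVCLIB": "*IPL*"}  # page 39: automatic at IPL


def parse_progxx(text):
    """Return (apf, lnklst): apf maps dsname -> volser or "SMS"; lnklst is the ordered
    data set list of the set named by LNKLST ACTIVATE ([] if nothing was activated)."""
    apf, lnklst_sets, active = dict(AUTO_APF), {}, None
    for raw in text.splitlines():
        stmt = re.sub(r"/\*.*?\*/", " ", raw).strip()          # drop /* comments */
        tokens = re.findall(r"(\w+)(?:\(([^)]*)\))?", stmt)    # KEYWORD or KEYWORD(value)
        if not tokens:
            continue
        verb, kws = tokens[0][0], dict(tokens)
        if verb == "APF" and "ADD" in kws:
            apf[kws["DSNAME"]] = "SMS" if "SMS" in kws else kws.get("VOLUME", "")
        elif verb == "APF" and "DELETE" in kws:
            apf.pop(kws["DSNAME"], None)
        elif verb == "LNKLST" and "DEFINE" in kws:
            lnklst_sets[kws["NAME"]] = []
        elif verb == "LNKLST" and "ADD" in kws:
            lnklst_sets.setdefault(kws["NAME"], []).append(kws["DSNAME"])
        elif verb == "LNKLST" and "ACTIVATE" in kws:
            active = kws["NAME"]
    return apf, lnklst_sets.get(active, [])


def authorized_libraries(apf, lnklst, lnkauth="LNKLST"):
    """Page 44: the APF list is always authorized; with LNKAUTH=LNKLST (the default)
    every LNKLST library is as well; with APFTAB only APF-listed libraries are."""
    if lnkauth not in ("LNKLST", "APFTAB"):
        raise ValueError(f"LNKAUTH={lnkauth} must be LNKLST or APFTAB")
    authorized = set(apf)
    if lnkauth == "LNKLST":
        authorized.update(lnklst)
    return authorized


def concatenation_authorized(libraries, apf):
    """Page 41: a //STEPLIB or //JOBLIB concatenation runs authorized only when every
    library in it is in the APF list; one unauthorized library spoils the whole set."""
    return all(dsn in apf for dsn in libraries)


def apf_findings(apf, catalog):
    """Page 39: flag APF entries for data sets that do not exist (the entry would
    authorize whatever is later created under that name) and SMS-managed libraries
    defined by VOLUME (authorization is lost when the data set moves volumes)."""
    findings = []
    for dsn, vol in apf.items():
        if dsn not in catalog:
            findings.append((dsn, "not cataloged; remove the APF entry"))
        elif catalog[dsn] == "SMS" and vol != "SMS":
            findings.append((dsn, f"SMS-managed but defined with VOLUME({vol})"))
    return findings


if __name__ == "__main__":
    apf, lnklst = parse_progxx(SAMPLE_PROGXX)
    for setting in ("LNKLST", "APFTAB"):
        print(f"LNKAUTH={setting}: {sorted(authorized_libraries(apf, lnklst, setting))}")
    print("STEPLIB authorized:", concatenation_authorized(["USER.APFLIB", "USER.LINKLIB"], apf))
    for dsn, why in apf_findings(apf, CATALOG):
        print(f"FINDING {dsn}: {why}")
```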

Page 45

PARMLIB Members

• LPA
  • For modules to be added to LPA at the end of an IPL
  • Generally for modules residing in a PDSE
  • Or modules to be deleted from LPA following an IPL
  • Dynamically modified by:
    • SETPROG LPA
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYLPA.*

Page 46

PARMLIB Members

• EXITS
  • Add or remove an exit on the system
  • Replace exit routines
  • Modify exit routines
  • Change the attributes of an exit
  • Dynamically modified by:
    • SETPROG EXIT
    • SET PROG=xx
  • Protected by:
    • OPERCMDS class MVS.SETPROG
    • OPERCMDS class MVS.SET.PROG
    • FACILITY class CSVDYNEX.*

Page 47

PARMLIB Members

• SCHEDxx – Program Properties Table
  • IBM supplies a PPT.
  • You cannot remove the supplied entries, but you can remove attributes by adding entries to your SCHEDxx:
    • CANCEL | NOCANCEL
    • KEY(n)
    • SWAP | NOSWAP
    • PASS | NOPASS
  • All programs listed in the PPT must be in APF-authorized libraries
  • Dynamically modified by:
    • SET SCH=xx
  • Protected by:
    • OPERCMDS class MVS.SET.SCH

Page 48

SCHEDxx Sample

Page 49

PARMLIB Members

• SMFPRMxx – System Management Facilities
  • SMFPRMxx defines a large number of variables:
    • SID – system identifier
    • SMF record types and subtypes to be recorded
    • Data sets or log streams to be used for SMF recording
    • Installation-defined MEMLIMIT
    • JWT, SWT, TWT wait times allowed
    • Exits that are to receive control at various points in SMF processing
  • Dynamically modified by:
    • SET SMF=xx
  • Protected by:
    • OPERCMDS class MVS.SET.SMF

Page 50

PARMLIB Baseline

• It is recommended that installations perform a regular baseline of the system parameters.
• Turn on auditing for all of the PARMLIB data sets:
  • ALD 'YOUR.PARMLIB' AUDIT(SUCC(UPDATE) FAIL(READ))
• Include:
  • SYSn.IPLPARM
  • All libraries in the PARMLIB list
    • D PARMLIB
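Added example (not the talk's code) tying the LOAD00 slides on pages 13 and 14 to this baseline: it resolves the PARMLIB concatenation a LOADxx member yields for one LPAR, applying the HWNAME/LPARNAME/VMUSERID filters in a simplified form, and then checks SYSn.IPLPARM plus every PARMLIB data set against the UACC and AUDIT(SUCC(UPDATE) FAIL(READ)) baseline. The LOADxx text and the RACF profile settings are constructed, SYS0.IPLPARM is assumed to be the library holding LOADxx, and the SYSCAT option bytes are skipped rather than decoded.

```python
"""Resolve the PARMLIB concatenation a LOADxx member yields for one LPAR, then check
each data set against the page-50 baseline: UACC <= READ, AUDIT(SUCC(UPDATE) FAIL(READ))."""
from dataclasses import dataclass, field

# Constructed LOADxx modelled on the slide's LOAD00: keyword in columns 1-8, value
# from column 10 as in the real member; LPAR2 gets one extra PARMLIB via a filter.
SAMPLE_LOADXX = """\
IODF     99 SYS1
SYSCAT   Z1SYS1113CCATALOG.Z21Z.MASTER
SYSPARM  00
NUCLEUS  1
SYSPLEX  ADCDPL
PARMLIB  USER.PARMLIB        Z1SYS1
PARMLIB  ADCD.Z21Z.PARMLIB   ******
PARMLIB  SYS1.PARMLIB        *MCAT*
LPARNAME LPAR2
PARMLIB  TEST.PARMLIB        TSTRES
LPARNAME *
"""
FILTERS = ("HWNAME", "LPARNAME", "VMUSERID")


@dataclass
class LoadxxConfig:
    iodf: str = ""
    master_catalog: str = ""
    sysparm: str = ""
    nucleus_member: str = ""
    parmlib: list = field(default_factory=list)  # (dsname, volser) in concatenation order


def resolve_loadxx(text, hwname="*", lparname="*", vmuserid="*"):
    """Simplified filter model: a HWNAME/LPARNAME/VMUSERID statement governs the
    statements after it until the next one of the same kind; '*' matches anything
    and a statement is taken only when all three filters match."""
    actual = {"HWNAME": hwname, "LPARNAME": lparname, "VMUSERID": vmuserid}
    active = dict.fromkeys(FILTERS, "*")
    cfg = LoadxxConfig()
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("*"):  # blank or comment line
            continue
        keyword, value = raw[:8].strip(), raw[9:]
        if keyword in FILTERS:
            active[keyword] = value.strip().upper() or "*"
            continue
        if any(active[k] not in ("*", actual[k].upper()) for k in FILTERS):
            continue                                 # filtered out for this IPL
        if keyword == "IODF":        # cols 10-11 suffix, cols 13-20 HLQ (default SYS1)
            cfg.iodf = f"{value[3:11].strip() or 'SYS1'}.IODF{value[0:2]}"
        elif keyword == "SYSCAT":    # cols 10-15 volser, 16-19 option bytes, 20+ catalog name
            cfg.master_catalog = value[10:].strip()
        elif keyword == "NUCLEUS":   # single digit n selects IEANUC0n
            cfg.nucleus_member = f"IEANUC0{value[0]}"
        elif keyword == "PARMLIB":   # dsname then volser; names contain no blanks, so split()
            parts = value.split()    # is safe; "*MCAT*" means locate via the master catalog
            cfg.parmlib.append((parts[0], parts[1] if len(parts) > 1 else "*MCAT*"))
        elif keyword == "SYSPARM":   # IEASYSxx suffix or (xx,yy,...) list
            cfg.sysparm = value.split()[0]
    return cfg


ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
# Constructed RACF posture (what LISTDSD would show); TEST.PARMLIB deliberately has none.
RACF_PROFILES = {
    "SYS0.IPLPARM":      {"uacc": "UPDATE", "succ": "UPDATE", "fail": "READ"},
    "USER.PARMLIB":      {"uacc": "NONE",   "succ": "UPDATE", "fail": "READ"},
    "ADCD.Z21Z.PARMLIB": {"uacc": "READ",   "succ": "NONE",   "fail": "READ"},
    "SYS1.PARMLIB":      {"uacc": "READ",   "succ": "UPDATE", "fail": "READ"},
}


def logs_at(setting, level):
    """AUDIT logs from the configured level upward, so `level` is covered only if
    the setting is not NONE and not above `level`."""
    return setting != "NONE" and ACCESS_RANK[setting] <= ACCESS_RANK[level]


def baseline_findings(datasets, profiles):
    """(dsname, finding) pairs for every data set that misses the baseline."""
    findings = []
    for dsn in datasets:
        prof = profiles.get(dsn)
        if prof is None:
            findings.append((dsn, "no RACF profile in the baseline"))
            continue
        if ACCESS_RANK[prof["uacc"]] > ACCESS_RANK["READ"]:
            findings.append((dsn, f"UACC({prof['uacc']}) allows update without a PERMIT"))
        if not logs_at(prof["succ"], "UPDATE"):
            findings.append((dsn, f"SUCC({prof['succ']}) does not log successful updates"))
        if not logs_at(prof["fail"], "READ"):
            findings.append((dsn, f"FAIL({prof['fail']}) does not log failed reads"))
    return findings


def parmlib_baseline(loadxx_text, iplparm="SYS0.IPLPARM", **filters):
    """Audit SYSn.IPLPARM (where LOADxx lives) plus every PARMLIB data set, in order."""
    cfg = resolve_loadxx(loadxx_text, **filters)
    return cfg, baseline_findings([iplparm] + [dsn for dsn, _ in cfg.parmlib], RACF_PROFILES)


if __name__ == "__main__":
    cfg, findings = parmlib_baseline(SAMPLE_LOADXX, lparname="LPAR2")
    print(f"IODF={cfg.iodf} MCAT={cfg.master_catalog} NUCLEUS={cfg.nucleus_member}")
    print(*cfg.parmlib, *findings, sep="\n")
```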

Page 51

MVS Display Commands

• How do you see what has been dynamically changed or added?
  • D IPLINFO
  • D PROG,APF (likewise for LINKLIST, EXITS, or LPA)
  • D SMF,OPTIONS
  • Etc.
• Refer to MVS System Commands for a complete list of display commands.
• It is recommended to protect the system DISPLAY commands. Do not allow unauthorized users to perform discovery against your system parameters, APF libraries, etc. Display commands are not as innocent as they may sound.
• Refer to Table 10 of MVS System Commands for a complete list of MVS SET commands, including the RACF protection requirements.

Page 52

References

• MVS System Commands: http://www-01.ibm.com/support/knowledgec­enter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieag100/toc.htm
• MVS Planning: Operations: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieag300/abstract.htm
• MVS Initialization and Tuning Reference: http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ieae200/toc.htm

Page 53

Questions?

Page 54

Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016