Performing a z/OS® Vulnerability Assessment
Part 3 - Remediation
Presented by
Vanguard Integrity Professionals
Legal Notice
Copyright
©2014 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have
a limited license to view these materials for your organization’s internal
purposes. Any unauthorized reproduction, distribution, exhibition or use of these
copyrighted materials is expressly prohibited.
Trademarks
IBM, RACF, System z, and z/OS are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. UNIX is a registered trademark of The Open Group in the United States
and other countries. Vanguard Administrator, Vanguard Analyzer, Vanguard
Advisor, Vanguard Offline, Vanguard QuickGen, Vanguard zSecurity University,
and Vanguard Security & Compliance are trademarks of Vanguard Integrity
Professionals – Nevada.
©2014 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to
view these materials for your organization’s internal purposes. Any unauthorized reproduction,
distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Agenda
1. Introduction: re-introduces this vulnerability assessment webinar series and the relationship between its three episodes.
2. Exposure Remediation: discusses the remedial activity required to reduce the security exposures identified in the environment.
3. Wrap Up: wraps up the webinar series.
INTRODUCTION
Performing a z/OS Vulnerability Assessment – Remediation
Webinar Series Overview - Reminder
Session 1: Data Collection. Review this session anytime from the go2vanguard.com website.
Session 2: Data Analysis. Review this session anytime from the go2vanguard.com website.
Session 3: Remediation. Live sessions: April 10th 8am Pacific / 11am Eastern; April 16th 11am Pacific / 2pm Eastern; April 22nd Noon Pacific / 3pm Eastern.
Vulnerability Assessment Approach
1. Data Collection: the data collection phase, which gathers what is needed to assess the environment.
2. Data Analysis: the data analysis phase, where the collected data is analyzed for potential vulnerabilities.
3. Report: the report phase, where the consultant creates a findings report and discusses the findings and recommendations with the customer.
4. Remediation (today's webinar): the remediation phase, where the Vanguard consultant explains the results of the data analysis and provides remediation advice.
EXPOSURE REMEDIATION
Performing a z/OS Vulnerability Assessment – Remediation
Vulnerability Assessment Scope
Scope: Vanguard Top 10 z/OS Risks Identified in Customer Security Assessment
Note: Data collected from hundreds of security assessments performed by Vanguard Integrity Professionals.
1. Excessive Number of User IDs with No Password Interval
2. Inappropriate Usage of z/OS UNIX® Superuser Privilege UID(0)
3. Started Task IDs are not Defined as PROTECTED IDs
4. Dataset Profiles with UACC Greater than READ
5. Improper Use or Lack of UNIXPRIV Profiles
6. Dataset Profiles with UACC of READ
7. Excessive Access to the SMF Data Sets
8. RACF® Database is not Adequately Protected
9. Excessive Access to APF Libraries
10. Inappropriate Access to FACILITY BPX.DAEMON Profile
Vanguard Tools for Remediation
Vanguard provides Identity & Access Management solutions and Governance, Risk & Compliance solutions for z/OS and other enterprise platforms.
Vanguard Offline™: tests and analyzes how changes to the RACF database will impact users and processes before the commands are executed in a production environment.
Vanguard Administrator™: simplifies and enhances security management functions on systems running IBM® Security Server™ (RACF).
Vanguard Advisor™: offers the most comprehensive event detection, analysis and reporting package for the z/OS environment.
Vanguard Analyzer™: delivers expert-level vulnerability assessments and audit results for System z® in minutes.
Finding #1 – Remediation
Finding: Excessive Number of User IDs with No Password Interval
Risk: Severe
Recommended Best Practice and Remediation:
User IDs with no password interval (NOINTERVAL) are never required to change their passwords. Because the password never changes, anyone who once knew the password for such an ID can still use it, even after they are no longer an authorized user.
Review each of the personal user profiles to determine why it requires NOINTERVAL; their passwords should follow the company policy on password changes. If the user ID is used for a started task or as a surrogate ID, review it and change it to PROTECTED. If the user ID is used by an off-platform process, review the controls over where the password is stored and consider converting to digital certificates or another alternative before expiring the password.
Vanguard Administrator™
Finding: Excessive Number of User IDs with No Password Interval
Report Generation, Vanguard Administrator™: User Profile Summary (Fastpath 3;1;1)
Mask: Protected: N; PWD Interval: 0; Revoked: N
Remediate the Finding
Finding: Excessive Number of User IDs with No Password Interval
Vanguard QuickGen™: use QuickGen to change the password interval.
Remediate the Finding
Finding: Excessive Number of User IDs with No Password Interval
Vanguard QuickGen™: use QuickGen to make the started task and surrogate user IDs PROTECTED.
Finding #2 – Remediation
Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)
Risk: High
Recommended Best Practice and Remediation:
User IDs with z/OS UNIX superuser authority, UID(0), have full access to all z/OS UNIX directories and files and full authority to administer z/OS UNIX.
The assignment of UID(0) should be minimized by managing superuser privileges through profiles in the UNIXPRIV class. For user IDs that do not require unrestricted superuser authority but do require some privileged UNIX function, change UID(0) to a non-zero UID and grant access to one or more of the BPX.qualifier profiles in the FACILITY class and/or to one or more profiles in the UNIXPRIV class. For user IDs associated with started tasks, other than those for which UID(0) is appropriate, review the product documentation to determine what specific UNIX authority is required, grant only that authority, and then replace UID(0) in the OMVS segment with a non-zero value. Users who occasionally need full superuser authority can be given READ access to BPX.SUPERUSER and switch with the su command when needed, instead of holding UID(0) permanently.
FACILITY Class Profiles
Resource Name: Authority Granted
BPX.CF: Controls the use of the Coupling Facility sizer tool (_cpl())
BPX.CONSOLE: Controls access to authorized features of the _console() service
BPX.DAEMON: Controls the change of MVS identities without knowing the target user ID's password
BPX.DAEMON.HFSCTL: Controls the loading of uncontrolled programs from MVS libraries into a daemon's address space
BPX.DEBUG: Controls the use of ptrace (via dbx) to debug programs
BPX.FILEATTR.APF: Controls the setting of the APF-authorized attribute on an HFS file
BPX.FILEATTR.PROGCTL: Controls the setting of the program-control attribute on an HFS file
BPX.FILEATTR.SHARELIB: Controls the setting of the shared-library extended attribute on an HFS file
BPX.JOBNAME: Controls which users are allowed to set their own job names
BPX.POE: Controls the use of Port-of-Entry for MLS security checks (_poe())
BPX.SERVER: Restricts the use of the pthread_security_np() service
BPX.SHUTDOWN: Controls special treatment at shutdown
BPX.STOR.SWAP: Controls which users can make address spaces nonswappable
BPX.SUPERUSER: Allows users to switch to superuser authority
BPX.UNLIMITED.OUTPUT: Allows users to override the default spooled output limits for processes
BPX.WLMSERVER: Controls access to the WLM server functions
Creating the Report
Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)
Report Generation, Vanguard Administrator™: User OMVS Segment (Fastpath 3;5;9;1)
Mask: UID: 0
Using EXCLUDE / REBUILD
Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)
Using Exclude/Rebuild: Exclude is used to select the fields you do NOT want in the Rebuild. Exclude all fields except UID, then rebuild all of the profiles.
Remediate the Finding
Change the UIDs: use AUTOUID for the assignment of unique UIDs.
Finding #3 – Remediation
Finding: Started Task IDs are not Defined as PROTECTED IDs
Risk: High
Recommended Best Practice and Remediation:
User IDs associated with started tasks should be defined as PROTECTED (NOPASSWORD NOPHRASE). A protected ID is exempt from revocation due to inactivity or excessive invalid password attempts, and it cannot be used to sign on to an application with a password.
Review all started task user IDs that are not protected. Determine whether each user ID is used for any other function that requires a password. Define as PROTECTED the started task user IDs for tasks that do not require a password.
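The selection and classification described for Findings #1 and #3, as an added example that is not part of the webinar or any Vanguard product: the script applies the User Profile Summary mask (Protected: N, PWD Interval: 0, Revoked: N) to a constructed set of user records and writes the ALTUSER command each case calls for. The record layout, the STC owner group name, the 90-day interval and the sample user IDs are assumptions made for the example.

```python
"""Build ALTUSER commands for the "no password interval" report (Findings #1 and #3).

Added example, not the webinar's or Vanguard's code. The record layout, the
STC owner group name, the interval and the sample IDs are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STC_OWNER_GROUPS = {"STCGRP"}    # assumption: owner group of started-task IDs
PASSWORD_INTERVAL_DAYS = 90      # assumption: policy value; may not exceed SETROPTS PASSWORD(INTERVAL)


@dataclass(frozen=True)
class UserRecord:
    userid: str
    owner: str
    protected: bool
    pwd_interval: int        # 0 means NOINTERVAL
    revoked: bool
    used_by_stc: bool        # found in the STARTED class / ICHRIN03 or as a SURROGAT target
    off_platform: bool       # password is stored by an off-platform process


def matches_finding(u: UserRecord) -> bool:
    """Same selection as the report mask: not protected, no interval, not revoked."""
    return (not u.protected) and u.pwd_interval == 0 and (not u.revoked)


def remediation(u: UserRecord) -> Tuple[str, Optional[str]]:
    """Classify one user ID; returns (disposition, RACF command or None)."""
    if u.used_by_stc or u.owner in STC_OWNER_GROUPS:
        # Started-task / surrogate IDs become PROTECTED (NOPASSWORD NOPHRASE):
        # no sign-on with a password, no revocation through bad password attempts.
        return "PROTECT", f"ALTUSER {u.userid} NOPASSWORD NOPHRASE"
    if u.off_platform:
        # Expiring this password would break whatever stores it: a person must
        # decide (certificates or another alternative), as the finding recommends.
        return "REVIEW", None
    # Ordinary personal ID: put it back under the company password policy.
    return "INTERVAL", f"ALTUSER {u.userid} PASSWORD(INTERVAL({PASSWORD_INTERVAL_DAYS}))"


def build_command_file(users: List[UserRecord]) -> Tuple[List[str], List[str]]:
    """Return (commands to run, user IDs that need a human decision)."""
    commands, needs_review = [], []
    for u in users:
        if not matches_finding(u):
            continue
        _disposition, cmd = remediation(u)
        if cmd is None:
            needs_review.append(u.userid)
        else:
            commands.append(cmd)
    return commands, needs_review


# Constructed sample records (assumed values, not taken from any real RACF database).
SAMPLE_USERS = [
    UserRecord("JSMITH",   "PAYROLL", False, 0,  False, False, False),  # personal ID, no interval
    UserRecord("MJONES",   "PAYROLL", False, 60, False, False, False),  # already has an interval
    UserRecord("CICSSTC",  "STCGRP",  False, 0,  False, True,  False),  # started task, not PROTECTED
    UserRecord("FTPBATCH", "BATCH",   False, 0,  False, False, True),   # off-platform process
    UserRecord("OLDUSER",  "PAYROLL", False, 0,  True,  False, False),  # revoked: excluded by the mask
]

if __name__ == "__main__":
    cmds, review = build_command_file(SAMPLE_USERS)
    print("\n".join(cmds))
    print("Needs review:", ", ".join(review))
```

The generated commands are the equivalent of a QuickGen command file and should be run through an impact check (for example Vanguard Offline™) before they reach production; the IDs in the review list are deliberately left untouched rather than guessed at.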
Creating the Report
Finding: Started Task IDs are not Defined as PROTECTED IDs
Report Generation, Vanguard Administrator™: User Profile Summary (Fastpath 3;1;1)
Mask: Protected: N; Owner: STC group name
Remediate the Finding
Finding: Started Task IDs are not Defined as PROTECTED IDs
Vanguard QuickGen™: use QuickGen to define the started task IDs as PROTECTED.
Finding #4 – Remediation
Finding: Dataset Profiles with UACC Greater than READ
Risk: Severe
Recommended Best Practice and Remediation:
Data sets protected by a RACF profile with a UACC greater than READ allow most users with system access to read and modify them; where the UACC is ALTER, users may also delete any data set covered by the profile.
Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, determine who really needs the access before changing the UACC. To find out who is using these data sets, review SMF data to determine who accesses them with greater than READ access, build PERMIT commands from that review, then lower the UACC and refresh the generic profiles. Because RACF records successful accesses only when auditing asks for them, confirm that the profiles log successful UPDATE and higher access (or set AUDIT(SUCCESS(UPDATE)) for the review period) before relying on SMF as the evidence.
Creating the Report
Finding: Dataset Profiles with UACC Greater than READ
Report Generation, Vanguard Administrator™: Data Set Profile Summary (Fastpath 3;3;1)
Mask: UACC: R GT (UACC greater than READ)
Create a Command File
Finding: Dataset Profiles with UACC Greater than READ
Vanguard QuickGen™: use QuickGen to create a command file.
Check Access with Vanguard Offline™
Finding: Dataset Profiles with UACC Greater than READ
Use Offline to check access:
1. Specify the input file (the command file created with QuickGen).
2. Enter the input file and submit.
3. Run an Impact Analysis report.
4. Run the Previously Granted Access report.
5. Review the report for previous access.
Finding #5 – Remediation
Finding: Improper Use or Lack of UNIXPRIV Profiles
Risk: High
Recommended Best Practice and Remediation:
The UNIXPRIV class resources are designed to grant a limited subset of the superuser UID(0) capability. When implemented properly, UNIXPRIV profiles significantly reduce unnecessary requests for UID(0). The UNIXPRIV class must be active and RACLISTed (SETROPTS RACLIST(UNIXPRIV)) for its profiles to take effect.
Review the activity of the users currently defined as superusers to determine whether more granular profiles in the UNIXPRIV class would authorize what they actually do. Refine the access lists and define more granular profiles based on the specific superuser functions that the users with UID(0) need.
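The replacement of UID(0) by narrower UNIXPRIV permissions described under Findings #2 and #5, as an added example that is not the webinar's or Vanguard's code: for each UID(0) user the function maps the superuser functions the product documentation says it needs to the UNIXPRIV profile and access level from the table above, emits the PERMIT commands, and only then switches the user to a non-zero UID with AUTOUID (which needs the BPX.NEXT.USER profile in the FACILITY class to be set up). The user IDs, their declared needs, the set of IDs that legitimately keep UID(0) and the list of already-defined profiles are assumptions made for the example.

```python
"""Replace UID(0) with UNIXPRIV permissions (Findings #2 and #5).

Added example, not the webinar's or Vanguard's code. The sample IDs, their
needs, KEEP_UID0 and the defined-profile list are assumptions.
"""
from typing import Dict, List, Tuple

# Which UNIXPRIV profile (and access level) grants each narrow function,
# taken from the UNIXPRIV table in the webinar.
UNIXPRIV_FOR = {
    "read-any-file":   ("SUPERUSER.FILESYS", "READ"),
    "write-any-file":  ("SUPERUSER.FILESYS", "UPDATE"),
    "write-any-dir":   ("SUPERUSER.FILESYS", "CONTROL"),
    "chown":           ("SUPERUSER.FILESYS.CHOWN", "READ"),
    "mount-nosetuid":  ("SUPERUSER.FILESYS.MOUNT", "READ"),
    "mount-setuid":    ("SUPERUSER.FILESYS.MOUNT", "UPDATE"),
    "see-all-procs":   ("SUPERUSER.PROCESS.GETPSENT", "READ"),
    "kill-any":        ("SUPERUSER.PROCESS.KILL", "READ"),
    "ptrace-any":      ("SUPERUSER.PROCESS.PTRACE", "READ"),
}
ACCESS_ORDER = ["READ", "UPDATE", "CONTROL"]

# Assumption: IDs for which unrestricted UID(0) is appropriate and must stay.
KEEP_UID0 = {"OMVSKERN"}


def permits_for(needs: List[str]) -> Dict[str, str]:
    """Collapse a user's needs into one PERMIT per profile at the highest access."""
    wanted: Dict[str, str] = {}
    for need in needs:
        profile, access = UNIXPRIV_FOR[need]
        if profile not in wanted or ACCESS_ORDER.index(access) > ACCESS_ORDER.index(wanted[profile]):
            wanted[profile] = access
    return wanted


def remediate_uid0(users: Dict[str, List[str]], defined_profiles: List[str]) -> Tuple[List[str], List[str]]:
    """users: {userid: [needs]} for every UID(0) user on the OMVS-segment report.
    defined_profiles: UNIXPRIV profiles that already exist. Returns (commands, ids to review)."""
    commands, review = [], []
    defined = set(defined_profiles)
    for userid, needs in users.items():
        if userid in KEEP_UID0:
            continue
        if not set(needs).issubset(UNIXPRIV_FOR):
            review.append(userid)          # no UNIXPRIV equivalent: keep UID(0) until reviewed
            continue
        for profile, access in sorted(permits_for(needs).items()):
            if profile not in defined:
                commands.append(f"RDEFINE UNIXPRIV {profile} UACC(NONE)")
                defined.add(profile)
            commands.append(f"PERMIT {profile} CLASS(UNIXPRIV) ID({userid}) ACCESS({access})")
        # Only after the narrow permissions exist: take UID(0) away.
        commands.append(f"ALTUSER {userid} OMVS(AUTOUID)")
    if commands:
        commands.append("SETROPTS RACLIST(UNIXPRIV) REFRESH")
    return commands, review


# Constructed sample: UID(0) users from the OMVS-segment report, with needs taken
# from a hypothetical product-documentation review.
SAMPLE_UID0_USERS = {
    "OMVSKERN": [],
    "BACKUPID": ["read-any-file", "mount-nosetuid"],
    "OPSADMIN": ["see-all-procs", "kill-any"],
    "LEGACYID": ["load-apf-module"],       # nothing in UNIXPRIV grants this: review
}
SAMPLE_DEFINED = ["SUPERUSER.FILESYS"]

if __name__ == "__main__":
    cmds, review = remediate_uid0(SAMPLE_UID0_USERS, SAMPLE_DEFINED)
    print("\n".join(cmds))
    print("Review:", ", ".join(review))
```

SUPERUSER.FILESYS deserves the closest look: CONTROL access to it is, for the file system, almost UID(0) again, so the mapping only grants the lowest level that covers every declared need.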
The UNIXPRIV Class Profiles
Resource Name: Access Given
SUPERUSER.FILESYS (READ access): Allows a user to read any HFS file and read or search any HFS directory.
SUPERUSER.FILESYS (UPDATE access): Allows a user to write to any existing HFS file.
SUPERUSER.FILESYS (CONTROL access): Allows a user to write to any HFS directory.
SUPERUSER.FILESYS.ACLOVERRIDE: Specifies that ACL entries override SUPERUSER.FILESYS.
SUPERUSER.FILESYS.CHANGEPERMS: Allows a user to change the permission bits of any file.
SUPERUSER.FILESYS.CHOWN: Allows a user to change the ownership of any file.
SUPERUSER.FILESYS.MOUNT: Allows a user to issue mount and unmount requests (READ for nosetuid mounts, UPDATE for setuid mounts).
SUPERUSER.FILESYS.QUIESCE: Allows a user to issue quiesce and unquiesce commands for a file system.
SUPERUSER.FILESYS.PFSCTL: Allows a user to call pfsctl().
SUPERUSER.FILESYS.USERMOUNT: Allows nonprivileged users to mount and unmount file systems with the nosetuid option.
SUPERUSER.FILESYS.VREGISTER: Allows a user to issue vregister() to register as a VFS file server.
SUPERUSER.IPC.RMID: Allows a user to issue ipcrm calls to clean up leftover IPC mechanisms.
SUPERUSER.PROCESS.GETPSENT: Allows a user to see all processes.
SUPERUSER.PROCESS.KILL: Allows a user to send signals to any process.
SUPERUSER.PROCESS.PTRACE: Allows a user to use dbx to trace any process.
SUPERUSER.SETPRIORITY: Allows a user to increase their own priority.
Creating the Report
Finding: Improper Use or Lack of UNIXPRIV Profiles
Report Generation, Vanguard Administrator™: General Resource Access List (Fastpath 3;4;4)
Mask: Class: UNIXPRIV
Finding #6 – Remediation
Finding: Dataset Profiles with UACC of READ
Risk: High
Recommended Best Practice and Remediation:
Data sets protected by a RACF profile with a UACC of READ allow most users with system access to read or copy the sensitive and critical data residing in them.
Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, determine who really needs the access before changing the UACC. To find out who is using these data sets, review SMF data to determine who accesses them with READ access, build PERMIT commands from that review, then lower the UACC to NONE. Successful READ accesses are not logged by default, so for the review period set AUDIT(SUCCESS(READ)) on the profiles in question (and expect a high record volume); without that, the SMF data will show only failures and UPDATE-or-higher successes and the PERMIT list will be incomplete.
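The "review SMF, build PERMITs, then lower the UACC" procedure shared by Findings #4 and #6, as an added example that is not the webinar's or Vanguard's code: it takes a constructed list of access events (the user, data set and access level a reviewer would extract from SMF type 80 records), works out which profile protects each data set with a simplified version of RACF's enhanced generic naming and most-specific-profile rules, and emits the PERMIT commands for the users who actually used the access the UACC was giving away, followed by the ALTDSD that lowers the UACC. Profile names, user IDs and events are assumptions made for the example; the matcher implements the common cases of RACF's rules and is not a replacement for RACF's own evaluation.

```python
"""Build PERMITs from SMF evidence before lowering a data set UACC (Findings #4 and #6).

Added example, not the webinar's or Vanguard's code. Profiles, IDs and events
below are constructed; the generic matching is a simplified model of RACF's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
rank = ACCESS_LEVELS.index


def _qualifier_regex(q: str) -> str:
    """Within one qualifier: % matches one character, * matches the rest."""
    return "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c) for c in q)


def profile_covers(profile: str, dsn: str) -> bool:
    """Does an EGN dataset profile match a data set name? ** spans zero or more qualifiers."""
    def walk(pq: List[str], dq: List[str]) -> bool:
        if not pq:
            return not dq
        if pq[0] == "**":
            return any(walk(pq[1:], dq[i:]) for i in range(len(dq) + 1))
        if not dq or not re.fullmatch(_qualifier_regex(pq[0]), dq[0]):
            return False
        return walk(pq[1:], dq[1:])
    return walk(profile.split("."), dsn.split("."))


def _specificity(profile: str) -> Tuple[int, ...]:
    """Lower sorts first: literal < % < * < ** at the first position where two profiles differ."""
    key: List[int] = []
    for q in profile.split("."):
        key += [3, 3] if q == "**" else [2 if c == "*" else 1 if c == "%" else 0 for c in q]
        key.append(0)                       # the dot itself is literal
    return tuple(key)


def best_profile(dsn: str, profiles: Dict[str, str]) -> Optional[str]:
    """Most specific covering profile, or None if the data set is unprotected."""
    hits = [p for p in profiles if profile_covers(p, dsn)]
    return min(hits, key=_specificity) if hits else None


def build_commands(events: List[Tuple[str, str, str]], profiles: Dict[str, str], target_uacc: str) -> List[str]:
    """events: (user, dsn, access used); profiles: {name: current UACC}.
    For every profile whose UACC exceeds target_uacc, PERMIT each user seen using
    more than target_uacc at the highest level observed, then lower the UACC."""
    needed: Dict[str, Dict[str, str]] = defaultdict(dict)   # profile -> user -> access
    for user, dsn, access in events:
        prof = best_profile(dsn, profiles)
        if prof is None or rank(profiles[prof]) <= rank(target_uacc):
            continue
        if rank(access) > rank(target_uacc) and rank(access) > rank(needed[prof].get(user, "NONE")):
            needed[prof][user] = access
    cmds: List[str] = []
    for prof, uacc in profiles.items():
        if rank(uacc) <= rank(target_uacc):
            continue
        for user, access in sorted(needed[prof].items()):
            cmds.append(f"PERMIT '{prof}' ID({user}) ACCESS({access})")
        cmds.append(f"ALTDSD '{prof}' UACC({target_uacc})")
    if cmds:
        cmds.append("SETROPTS GENERIC(DATASET) REFRESH")
    return cmds


# Constructed sample: profiles from the Data Set Profile Summary and events from an SMF review.
SAMPLE_PROFILES = {
    "PROD.PAYROLL.**": "UPDATE",
    "PROD.PAYROLL.MASTER": "READ",
    "SYS1.PARMLIB": "READ",
    "TEST.**": "ALTER",
}
SAMPLE_EVENTS = [
    ("BATCH01", "PROD.PAYROLL.TRANS.G0001V00", "UPDATE"),
    ("JSMITH",  "PROD.PAYROLL.TRANS.G0001V00", "READ"),
    ("JSMITH",  "PROD.PAYROLL.MASTER",         "UPDATE"),   # discrete profile wins over the generic
    ("DEV01",   "TEST.DEV01.SOURCE",           "ALTER"),
    ("DEV02",   "TEST.SHARED.LOAD",            "UPDATE"),
]

if __name__ == "__main__":
    print("\n".join(build_commands(SAMPLE_EVENTS, SAMPLE_PROFILES, "READ")))   # Finding #4
    print("\n".join(build_commands(SAMPLE_EVENTS, SAMPLE_PROFILES, "NONE")))   # Finding #6
```

A profile that had no observed users over the review window still gets its UACC lowered, which is the intended outcome only if the window was long enough and success auditing was on; that is the check to make before running the output.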
Creating the Report
Finding: Dataset Profiles with UACC of READ
Report Generation, Vanguard Administrator™: Data Set Profile Summary (Fastpath 3;3;1)
Mask: UACC: R EQ (UACC equal to READ)
Verify Previous Access
1. Use Vanguard QuickGen™ to create the command file.
2. Use the command file as input to Vanguard Offline™.
3. Run the Impact Report from Vanguard Offline™.
4. Review the report for previous access granted.
Finding #7 – Remediation
Finding: Excessive Access to the SMF Data Sets
Risk: High
Recommended Best Practice and Remediation:
SMF data collection is the system activity journaling facility of z/OS. With the proper parameter settings, it is the basis for individual user accountability. The ability to READ SMF data lets someone identify potential opportunities to breach your security; UPDATE or higher access creates a risk of audit log corruption. Access control over the unloaded (dumped) data is just as critical, to preserve a valid chain of custody.
Ensure that access to the SMF collection data sets is limited to the systems programming staff and/or the batch jobs that perform SMF dump processing, and ensure that UPDATE and higher accesses are logged. Where SMF writes to log streams instead of the SYS1.MANx data sets, the same restriction applies to the log stream resources and to the data sets the dump job produces.
Creating the Report
Finding: Excessive Access to the SMF Data Sets
Report Generation, Vanguard Analyzer™: SMF Environment Analysis (option 3;H). Enter the DSN command to display the SMF data set information, then option R for the profile information.
Review the Report
Finding: Excessive Access to the SMF Data Sets
Review Report: ensure that access to the SMF data sets is limited to appropriate users.
Finding #8 – Remediation
Finding: RACF Database is not Adequately Protected
Risk: Severe
Recommended Best Practice and Remediation:
The RACF database contains extremely sensitive security information. No access to the RACF database data set is required for normal administration using either RACF commands or the RACF-provided ISPF panels, since RACF performs that I/O on the user's behalf. A user with READ access to the RACF database could copy it and run a password cracker against the copy to recover passwords, and could also obtain the complete list of user IDs and protected resources.
Review the protection of the RACF database (primary and backup) and remove any access-list entries granting access higher than NONE, other than for the senior RACF administrators and the system staff who run the RACF database utilities. Copies of the database (IRRUT200 output, backups, DFSMSdss dumps) need the same protection, because a copy is exactly what a cracker program works on.
Creating the Report
Finding: RACF Database is not Adequately Protected
Report Generation, Vanguard Analyzer™: Database Analysis (option 3;3). Enter option R for the profile information.
Review the Report
Finding: RACF Database is not Adequately Protected
Review Report: verify that only senior RACF administrators and system staff running RACF database utilities have access to the RACF database.
Finding #9 – Remediation
Finding: Excessive Access to APF Libraries
Risk: Severe
Recommended Best Practice and Remediation:
UPDATE or higher access to an APF-authorized library allows an individual to introduce an authorized program, which can bypass security controls and execute privileged instructions.
UPDATE or higher access should be limited to senior systems support staff. Review all access to APF libraries and remove or change inappropriate access entries, and ensure that UPDATE and higher accesses are logged. Because the APF list can be changed dynamically (PROGxx and IEAAPFxx members in PARMLIB, and the SETPROG APF operator command), the PARMLIB data sets and the OPERCMDS resource protecting SETPROG need the same level of control, and the review should cover every library in the current in-storage APF list, not only those named in PARMLIB.
Creating the Report
Finding: Excessive Access to APF Libraries
Report Generation, Vanguard Analyzer™: Sensitive/Critical Data Sets Analysis Batch (option 4;B). Enter option R next to the Authorized Program Facility (APF) Table and enter YES for RACF detail.
Review the Report
Finding: Excessive Access to APF Libraries
Review Report: verify that UPDATE or higher access to the APF libraries is limited to senior systems support staff.
Finding #10 – Remediation
Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile
Risk: High
Recommended Best Practice and Remediation:
Daemons are processes that perform services for other users. To do this, a daemon must be able to change its identity temporarily to that of the user it is working for. The RACF FACILITY class profile BPX.DAEMON controls the use of these daemon functions.
Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel user ID, the z/OS UNIX daemons (e.g., inetd, syslogd, ftpd) and other system software daemons (e.g., web servers). Review the access list of the BPX.DAEMON profile and remove any access for users that are not actual z/OS UNIX daemons. Note that an entry in the BPX.DAEMON access list is not sufficient on its own: the daemon ID also needs UID(0), and every program loaded into its address space must come from a program-controlled library, otherwise z/OS UNIX treats the address space as dirty and refuses the daemon functions.
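Findings #7 to #10 all come down to the same remediation: reduce a critical profile's access list to a known set of IDs and make sure the accesses that matter are logged. The following is an added example, not the webinar's or Vanguard's code: given a profile's current access list and the IDs that may keep access (the SMF dump job and systems programmers for the SMF data sets, the senior RACF administrators and utility jobs for the RACF database, senior systems support for APF libraries, the kernel ID and daemons for BPX.DAEMON), it emits the PERMIT ... DELETE, PERMIT, UACC and AUDIT commands that bring the profile in line, with the right command verb and refresh for a DATASET profile versus a general resource profile. Profile names, IDs and access levels are assumptions made for the example.

```python
"""Enforce an access allowlist and audit settings on a critical resource (Findings #7 to #10).

Added example, not the webinar's or Vanguard's code. The profiles, IDs and
access levels below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
rank = ACCESS_LEVELS.index


@dataclass
class Profile:
    name: str
    klass: str                                        # "DATASET" or a general resource class
    uacc: str
    access_list: Dict[str, str] = field(default_factory=dict)   # id -> access
    generic: bool = False


def _target(p: Profile) -> str:
    """Name the profile the way PERMIT / ALTDSD / RALTER expect it."""
    return f"'{p.name}'" if p.klass == "DATASET" else f"{p.name} CLASS({p.klass})"


def remediate(p: Profile, allowed: Dict[str, str], log_success_from: str = "UPDATE") -> List[str]:
    """allowed: id -> highest access that ID may keep. Returns the RACF commands, in order."""
    alter = "ALTDSD" if p.klass == "DATASET" else "RALTER"
    cmds: List[str] = []
    if p.uacc != "NONE":
        cmds.append(f"{alter} {_target(p)} UACC(NONE)")
    for id_, access in sorted(p.access_list.items()):
        keep = allowed.get(id_)
        if keep is None:
            cmds.append(f"PERMIT {_target(p)} ID({id_}) DELETE")        # not on the allowlist
        elif rank(access) > rank(keep):
            cmds.append(f"PERMIT {_target(p)} ID({id_}) ACCESS({keep})")  # allowed, but too much
    for id_, keep in sorted(allowed.items()):
        if id_ not in p.access_list:
            cmds.append(f"PERMIT {_target(p)} ID({id_}) ACCESS({keep})")  # allowed, missing
    # Log every successful access at log_success_from or above and every failure,
    # so tampering with the resource shows up in SMF.
    cmds.append(f"{alter} {_target(p)} AUDIT(SUCCESS({log_success_from}) FAILURES(READ))")
    if p.klass == "DATASET":
        if p.generic:
            cmds.append("SETROPTS GENERIC(DATASET) REFRESH")
    else:
        cmds.append(f"SETROPTS RACLIST({p.klass}) REFRESH")
    return cmds


# Constructed samples: the SMF collection data sets (Finding #7) and BPX.DAEMON (Finding #10).
SMF_PROFILE = Profile("SYS1.MAN*", "DATASET", "READ",
                      {"SYSPROG": "ALTER", "DEVTEAM": "UPDATE", "REPORTS": "READ"}, generic=True)
SMF_ALLOWED = {"SYSPROG": "ALTER", "SMFDUMP": "UPDATE"}     # systems programmers and the dump job

DAEMON_PROFILE = Profile("BPX.DAEMON", "FACILITY", "NONE",
                         {"OMVSKERN": "READ", "SYSLOGD": "READ", "JSMITH": "READ"})
DAEMON_ALLOWED = {"OMVSKERN": "READ", "SYSLOGD": "READ", "INETD": "READ"}

if __name__ == "__main__":
    for profile, allowed in ((SMF_PROFILE, SMF_ALLOWED), (DAEMON_PROFILE, DAEMON_ALLOWED)):
        print("\n".join(remediate(profile, allowed)))
```

The RACF database data set and the APF libraries go through the same function with their own allowlists; for the RACF database the allowlist is the senior RACF administrators and the utility job IDs, and everything else is deleted, which is exactly the "higher than NONE" rule in Finding #8.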
Creating the Report
Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile
Report Generation, Vanguard Administrator™: General Resource Access List (Fastpath 3;4;4)
Mask: Class: FACILITY; Profile: BPX.DAEMON
Review the Report
Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile
Review Report: verify that access to the profile is restricted to the z/OS UNIX kernel user ID and the z/OS UNIX daemons.
WRAP-UP
Performing a z/OS Vulnerability Assessment – Remediation
Vulnerability Assessment - Wrap-up
• Vulnerability Assessments are a required part of
your security program, including z/OS
• Tools can help automate these assessments, but
you still need knowledge and skills to interpret the
data presented to you
• Vanguard can help you through our security
assessment services for z/OS
Vanguard zSecurity University™
To register for a webinar or training course: go2vanguard.com Place mouse on Training
Customer Savings: Special Discounts for software customers and Vanguard Security & Compliance™ 2013 attendees
Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits and all course materials are provided on a tablet
computing device that the attendee keeps at the end of the class.
Assessment Data Sheet
To learn more about Vanguard
Assessment Services,
download the Assessment Data
Sheet
Questions