Performing a z/OS ® Vulnerability Assessment Part 3 - Remediation Presented by Vanguard Integrity Professionals

Page 1: Performing a z/OS Vulnerability Assessment Part 3 ... · Performing a z/OS Vulnerability Assessment – Remediation 4 ... administer z/OS UNIX. The assignment of UID(0) authority

Performing a z/OS® Vulnerability Assessment

Part 3 - Remediation

Presented by

Vanguard Integrity Professionals

Page 2

Legal Notice

Copyright

©2014 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

IBM, RACF, System z, and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Vanguard Administrator, Vanguard Analyzer, Vanguard Advisor, Vanguard Offline, Vanguard QuickGen, Vanguard zSecurity University, and Vanguard Security & Compliance are trademarks of Vanguard Integrity Professionals – Nevada.

©2014 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Page 3

Agenda

1. Introduction: This section re-introduces this vulnerability assessment webinar series and the relationship between the three (3) episodes.

2. Exposure Remediation: This section discusses the remedial activity required to reduce the security exposures identified in the environment.

3. Wrap Up: This section wraps up the webinar series.


Page 4

INTRODUCTION

Performing a z/OS Vulnerability Assessment – Remediation


Page 5

Webinar Series Overview - Reminder


Session 1: Data Collection

• Review this session anytime from the go2vanguard.com website

Session 2: Data Analysis

• Review this session anytime from the go2vanguard.com website

Session 3: Remediation

• April 10th 8am Pacific / 11am Eastern

• April 16th 11am Pacific / 2pm Eastern

• April 22nd Noon Pacific / 3pm Eastern

Page 6

Vulnerability Assessment Approach


1. Data Collection: This is the data collection phase, in which the data needed to assess the environment is gathered.

2. Data Analysis: This is the data analysis phase, in which the collected data is analyzed for any potential vulnerabilities.

3. Report: This is the report phase, in which the consultant creates a findings report and discusses the findings and recommendations with the customer.

4. Remediation (Today’s Webinar): This is the remediation phase, in which the Vanguard consultant explains the results of the data analysis and provides remediation advice.

Page 7

EXPOSURE REMEDIATION

Performing a z/OS Vulnerability Assessment – Remediation


Page 8

Vulnerability Assessment Scope


Scope: Vanguard Top 10 z/OS Risks Identified in Customer Security Assessment

Note: Data collected from hundreds of security assessments performed by Vanguard Integrity Professionals.

1. Excessive Number of User IDs with No Password Interval

2. Inappropriate Usage of z/OS UNIX® Superuser Privilege UID(0)

3. Started Task IDs are not Defined as PROTECTED IDs

4. Dataset Profiles with UACC Greater than READ

5. Improper Use or Lack of UNIXPRIV Profiles

6. Dataset Profiles with UACC of READ

7. Excessive Access to the SMF Data Sets

8. RACF® Database is not Adequately Protected

9. Excessive Access to APF Libraries

10. Inappropriate Access to FACILITY BPX.DAEMON Profile

Page 9

Vanguard Tools for Remediation


Vanguard provides Identity & Access Management solutions and Governance, Risk & Compliance solutions for z/OS and other enterprise platforms.

Vanguard Offline™: Tests and analyzes how changes to the RACF database will impact users and processes before commands are executed in a production environment.

Vanguard Administrator™: Simplifies and enhances security management functions on systems running IBM® Security Server™ (RACF).

Vanguard Advisor™: Offers the most comprehensive event detection, analysis and reporting package for the z/OS environment.

Vanguard Analyzer™: Delivers expert-level vulnerability assessments and audit results for System z® in minutes.

Page 10

Finding #1 – Remediation

Finding: Excessive Number of User IDs with No Password Interval

Risk: Severe

User IDs with no password interval are not required to change their passwords. Because the passwords never have to be changed, anyone who once knew the password for such an ID can still access it, even after they are no longer an authorized user.

Recommended Best Practice and Remediation: Review each of the personal user profiles to determine why they require NOINTERVAL. Their passwords should adhere to the company policy regarding password changes. If the user ID is used for started tasks or as a surrogate, it should be reviewed and changed to PROTECTED. If the user ID is used by an off-platform process, review the controls over where the passwords are stored and consider converting to digital certificates or other alternatives.


Page 11

Vanguard Administrator™


Finding: Excessive Number of User IDs with No Password Interval

Report Generation, Vanguard Administrator™: User Profile Summary (Fastpath 3;1;1)

Mask:

• Protected: N

• PWD Interval: 0

• Revoked: N

Page 12

Remediate the Finding


Finding: Excessive Number of User IDs with No Password Interval

Vanguard QuickGen™: Use QuickGen to change the password interval.

Page 13

Remediate the Finding


Finding: Excessive Number of User IDs with No Password Interval

Vanguard QuickGen™: Use QuickGen to make the user IDs PROTECTED.

Page 14

Finding #2 – Remediation

Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Risk: High

User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX.

Recommended Best Practice and Remediation: The assignment of UID(0) authority should be minimized by managing superuser privileges through profiles in the UNIXPRIV class. For those user IDs that do not require unrestricted superuser authority but do require some privileged UNIX authority, UID(0) should be changed to a non-zero UID, and access should be granted to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and/or to one or more profiles in the UNIXPRIV class. For user IDs associated with started tasks, other than those for which UID(0) is appropriate, product documentation should be reviewed to determine what specific UNIX authority is required; grant only that authority, and then replace UID(0) in their respective OMVS segments with a non-zero value.


Page 15

FACILITY Class Profiles


Resource Name Authority Granted

BPX.CF Controls the use of the Coupling Facility sizer tool (_cpl())

BPX.CONSOLE Controls access to authorized features of the _console() service

BPX.DAEMON Controls the change of MVS identities without knowing the target user ID’s password

BPX.DAEMON.HFSCTL Controls the loading of uncontrolled programs from MVS libraries into their address space

BPX.DEBUG Controls the use of ptrace (via dbx) to debug programs

BPX.FILEATTR.APF Controls the setting of the APF-authorized attribute in an HFS file

BPX.FILEATTR.PROGCTL Controls the setting of the program control attribute in an HFS file

BPX.FILEATTR.SHARELIB Controls setting the shared library extended attribute in an HFS file

BPX.JOBNAME Controls which users are allowed to set their own job names

BPX.POE Controls the use of Port-of-Entry for MLS security checks (_poe)

BPX.SERVER Restricts the use of the pthread_security_np() service

BPX.SHUTDOWN Controls special treatment at shutdown

BPX.STOR.SWAP Controls which users can make address spaces nonswappable

BPX.SUPERUSER Allows users to switch to superuser authority

BPX.UNLIMITED.OUTPUT Allows users to override the default spooled output limits for processes

BPX.WLMSERVER Controls access to the WLM server functions

Page 16

Creating the Report


Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Report Generation, Vanguard Administrator™: User OMVS Segment (Fastpath 3;5;9;1)

Mask:

• UID: 0

Page 17

Using EXCLUDE / REBUILD


Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Using Exclude/Rebuild: Exclude is used to select the fields you do NOT want in the Rebuild.

Page 18

Using EXCLUDE / REBUILD


Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Using Exclude/Rebuild: Exclude all fields except UID.

Page 19

Using EXCLUDE / REBUILD


Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Using Exclude/Rebuild: Rebuild all of the profiles.

Page 20

Remediate the Finding


Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege UID(0)

Change the UIDs: Use AUTOUID for the assignment of unique UIDs.

Page 21

Finding #3 – Remediation

Finding: Started Task IDs are not Defined as PROTECTED IDs

Risk: High

User IDs associated with started tasks should be defined as PROTECTED, which exempts them from revocation due to inactivity or excessive invalid password attempts and prevents them from being used to sign on to an application.

Recommended Best Practice and Remediation: Review all started task user IDs that are not protected. Determine whether the user IDs are used for any other function that might require a password. Define the started task user IDs as PROTECTED for those tasks that do not require a password.


Page 22

Creating the Report


Finding: Started Task IDs are not Defined as PROTECTED IDs

Report Generation, Vanguard Administrator™: User Profile Summary (Fastpath 3;1;1)

Mask:

• Protected: N

• Owner: STC Group Name

Page 23

Remediate the Finding


Finding: Started Task IDs are not Defined as PROTECTED IDs

Vanguard QuickGen™: Use QuickGen to define the started tasks as PROTECTED.
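As an added illustration of the QuickGen steps for Findings #1 and #3 (this is not Vanguard's code or output), the script below takes a constructed listing with the User Profile Summary fields the deck masks on (Protected, PWD Interval, Revoked, Owner) and generates the RACF ALTUSER commands the remediation text describes: started-task IDs become PROTECTED, personal IDs get a policy password interval, and IDs used by off-platform processes are flagged for manual review instead of being changed. The STC owner group, the off-platform ID list and the 30-day interval are assumptions.

```python
"""Triage a User Profile Summary style listing and emit RACF remediation commands."""
from dataclasses import dataclass

# Constructed sample modelled on the report fields the deck masks on.
# A PWD interval of 0 stands for NOINTERVAL.  These are not real user IDs.
SAMPLE_REPORT = """\
USERID   OWNER    PROTECTED PWDINT REVOKED
ALICE    DEPT01   N         0      N
BOB      DEPT01   N         30     N
CICSPRD  STCGRP   N         0      N
DB2STC   STCGRP   Y         0      N
FTPXFER  DEPT02   N         0      N
OLDUSER  DEPT03   N         0      Y
"""

STC_OWNER_GROUPS = {"STCGRP"}    # assumption: groups that own started-task IDs
OFF_PLATFORM_IDS = {"FTPXFER"}   # assumption: IDs used by off-platform processes
POLICY_INTERVAL_DAYS = 30        # assumption: site password change policy


@dataclass
class UserRow:
    userid: str
    owner: str
    protected: bool
    pwd_interval: int   # 0 means NOINTERVAL
    revoked: bool


def parse_report(text):
    """Parse the whitespace-separated listing, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        userid, owner, prot, interval, rev = line.split()
        rows.append(UserRow(userid, owner, prot == "Y", int(interval), rev == "Y"))
    return rows


def classify(row):
    """Return (action, command) following the deck's remediation advice.

    PROTECTED in RACF terms is NOPASSWORD plus NOPHRASE; a change interval is
    set with PASSWORD(INTERVAL(days)).  command is None when nothing is issued.
    """
    if row.protected or row.revoked:
        return ("OK", None)                      # outside the report mask
    if row.owner in STC_OWNER_GROUPS:
        # Finding #3, and STC IDs that surfaced under Finding #1: make PROTECTED.
        return ("PROTECT", f"ALTUSER {row.userid} NOPASSWORD NOPHRASE")
    if row.pwd_interval == 0:
        if row.userid in OFF_PLATFORM_IDS:
            # Password is stored off platform: review the controls first.
            return ("REVIEW", None)
        return ("SET_INTERVAL",
                f"ALTUSER {row.userid} PASSWORD(INTERVAL({POLICY_INTERVAL_DAYS}))")
    return ("OK", None)


def build_plan(text):
    """Map each user ID in the listing to its (action, command) pair."""
    return {row.userid: classify(row) for row in parse_report(text)}


def command_file(plan):
    """The commands to hand to the change process, in listing order."""
    return [cmd for _, cmd in plan.values() if cmd]


if __name__ == "__main__":
    plan = build_plan(SAMPLE_REPORT)
    for userid, (action, cmd) in plan.items():
        print(f"{userid:<8} {action:<12} {cmd or ''}")
```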

Page 24

Finding #4 – Remediation

Finding: Dataset Profiles with UACC Greater than READ

Risk: Severe

Data sets that are protected by a RACF profile with a UACC greater than READ allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by a dataset profile that has a UACC of ALTER.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who accesses them with greater than READ access. You can then build PERMIT commands based on the review of the SMF data.


Page 25

Creating the Report


Finding: Dataset Profiles with UACC Greater than READ

Report Generation, Vanguard Administrator™: Data Set Profile Summary (Fastpath 3;3;1)

Mask:

• UACC: R GT (greater than READ)

Page 26

Create a Command File


Finding: Dataset Profiles with UACC Greater than READ

Vanguard QuickGen™: Use QuickGen to create a command file.

Page 27

Check Access


Finding: Dataset Profiles with UACC Greater than READ

Vanguard Offline™: Use Offline to check access.

Page 28

Specify Input File


Page 29

Enter Input File and Submit


Page 30

Run an Impact Analysis Report


Page 31

Previously Granted Access Report


Page 32

Review the Report for Previous Access


Page 33

Finding #5 – Remediation

Finding: Improper Use or Lack of UNIXPRIV Profiles

Risk: High

The UNIXPRIV class resource rules are designed to grant a limited subset of the superuser UID(0) capability. When implemented properly, UNIXPRIV profiles can significantly reduce unnecessary requests for the assignment of UID(0) to user IDs.

Recommended Best Practice and Remediation: Review the activity of the users that are currently defined as superusers to determine whether more granular profiles can be defined in the UNIXPRIV class to authorize their activity. Refine the access lists and define more granular profiles based upon the superuser functions that the users with UID(0) need.


Page 34

The UNIXPRIV Class Profiles


Resource Name Access Given

SUPERUSER.FILESYS (READ access) Allows a user to read any HFS file and read or search any HFS directory.

SUPERUSER.FILESYS (UPDATE access) Allows a user to write to any existing HFS file.

SUPERUSER.FILESYS (CONTROL access) Allows a user to write to any HFS directory.

SUPERUSER.FILESYS.ACLOVERRIDE Specifies that ACL entries override SUPERUSER.FILESYS

SUPERUSER.FILESYS.CHANGEPERMS Allows users to change permission bits for any file.

SUPERUSER.FILESYS.CHOWN Allows a user to change ownership of any file.

SUPERUSER.FILESYS.MOUNT Allows a user to issue mount and unmount requests.

SUPERUSER.FILESYS.QUIESCE Allows user to issue quiesce and unquiesce commands for a file system

SUPERUSER.FILESYS.PFSCTL Allows a user to call pfsctl().

SUPERUSER.FILESYS.USERMOUNT Allows nonprivileged users to mount and unmount file systems with the nosetuid option.

SUPERUSER.FILESYS.VREGISTER Allows a user to issue vregister() to register as a vfs file server.

SUPERUSER.IPC.RMID Allows a user to do ipcrm calls to clean up leftover IPC mechanisms.

SUPERUSER.PROCESS.GETPSENT Allows user to see all processes.

SUPERUSER.PROCESS.KILL Allows user to send signals to any process.

SUPERUSER.PROCESS.PTRACE Allows user to use dbx to trace any process.

SUPERUSER.SETPRIORITY Allows a user to increase his priority.
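Added example, not part of the deck and not Vanguard's code, for the Finding #2 and Finding #5 remediation: starting from the product-documentation review the text calls for (which UNIX functions each UID(0) ID actually needs), it generates the RDEFINE and PERMIT commands for the UNIXPRIV and FACILITY profiles listed in the two tables above, refreshes the RACLISTed classes, and only then replaces UID(0) through OMVS(AUTOUID) as on the "Change the UIDs" slide. The function names, the UID(0) user list and the documented exception are assumptions; AUTOUID additionally needs the FACILITY BPX.NEXT.USER profile to be set up, which is not shown.

```python
"""Replace UID(0) with a non-zero UID plus granular UNIXPRIV / FACILITY permits."""

# Function needed -> (class, profile, access).  Profiles and access levels are
# the ones listed on the deck's UNIXPRIV and FACILITY slides.
CAPABILITIES = {
    "read_any_file":  ("UNIXPRIV", "SUPERUSER.FILESYS", "READ"),
    "write_any_file": ("UNIXPRIV", "SUPERUSER.FILESYS", "UPDATE"),
    "write_any_dir":  ("UNIXPRIV", "SUPERUSER.FILESYS", "CONTROL"),
    "mount":          ("UNIXPRIV", "SUPERUSER.FILESYS.MOUNT", "READ"),
    "chown":          ("UNIXPRIV", "SUPERUSER.FILESYS.CHOWN", "READ"),
    "list_processes": ("UNIXPRIV", "SUPERUSER.PROCESS.GETPSENT", "READ"),
    "kill":           ("UNIXPRIV", "SUPERUSER.PROCESS.KILL", "READ"),
    "daemon":         ("FACILITY", "BPX.DAEMON", "READ"),
    "switch_to_su":   ("FACILITY", "BPX.SUPERUSER", "READ"),
}
ACCESS_RANK = {"READ": 1, "UPDATE": 2, "CONTROL": 3}

# Constructed input: UID(0) IDs from the User OMVS Segment report and, per the
# product-documentation review, the UNIX functions each one actually needs.
# None marks a documented exception that legitimately keeps UID(0).
UID0_REVIEW = {
    "OMVSKERN": None,
    "WEBSRV":   ["read_any_file", "daemon"],
    "OPER1":    ["list_processes", "kill"],
    "BUILD1":   ["read_any_file", "write_any_file", "mount"],
}


def required_permits(functions):
    """Collapse a function list into {(class, profile): highest access needed}.

    SUPERUSER.FILESYS is one profile with three access levels, so two requests
    against it are merged into the higher level rather than two PERMITs.
    """
    needed = {}
    for fn in functions:
        if fn not in CAPABILITIES:
            raise ValueError(f"no UNIXPRIV/FACILITY mapping for function '{fn}'")
        cls, profile, access = CAPABILITIES[fn]
        key = (cls, profile)
        if key not in needed or ACCESS_RANK[access] > ACCESS_RANK[needed[key]]:
            needed[key] = access
    return needed


def build_commands(review):
    """Commands in a safe order: define profiles, permit, refresh, then drop UID(0).

    The UID change comes last so that each ID keeps working until its granular
    authority is in place and active (the RACLIST refresh makes it effective).
    RDEFINE of an already existing profile fails harmlessly; drop those lines
    after checking with RLIST if the profile is already defined.
    """
    defines, permits, uid_changes = [], [], []
    defined = set()
    for userid, functions in review.items():
        if functions is None:
            continue                      # documented exception, keeps UID(0)
        for (cls, profile), access in required_permits(functions).items():
            if (cls, profile) not in defined:
                defines.append(f"RDEFINE {cls} {profile} UACC(NONE)")
                defined.add((cls, profile))
            permits.append(
                f"PERMIT {profile} CLASS({cls}) ID({userid}) ACCESS({access})")
        # AUTOUID asks RACF to assign the next free non-zero UID (needs BPX.NEXT.USER).
        uid_changes.append(f"ALTUSER {userid} OMVS(AUTOUID)")
    refresh = ["SETROPTS RACLIST(UNIXPRIV) REFRESH",
               "SETROPTS RACLIST(FACILITY) REFRESH"]
    return defines + permits + refresh + uid_changes


if __name__ == "__main__":
    print("\n".join(build_commands(UID0_REVIEW)))
```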

Page 35

Creating the Report


Finding: Improper Use or Lack of UNIXPRIV Profiles

Report Generation, Vanguard Administrator™: General Resource Access List (Fastpath 3;4;4)

Mask:

• Class: UNIXPRIV

Page 36

Finding #6 – Remediation

Finding: Dataset Profiles with UACC of READ

Risk: High

Data sets that are protected by a RACF profile with a UACC of READ allow most users with system access to read or copy sensitive and critical data residing in these data sets.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. To find out who is accessing these data sets, review SMF data to determine who accesses them with READ access. You can then build PERMIT commands based on the review of the SMF data.


Page 37

Creating the Report


Finding: Dataset Profiles with UACC of READ

Report Generation, Vanguard Administrator™: Data Set Profile Summary (Fastpath 3;3;1)

Mask:

• UACC: R EQ (equal to READ)

Page 38

Verify Previous Access


• Use Vanguard QuickGen™ to create a command file
• Use the command file as input to Vanguard Offline™
• Run the Impact Report from Vanguard Offline™
• Review the report for previous access granted

Finding #7 – Remediation

Finding: Excessive Access to the SMF Data Sets

Risk: High

Recommended Best Practice and Remediation:

SMF data collection is the system activity journaling facility of the z/OS system. With the proper parameter designations, it serves as the basis to ensure individual user accountability. The ability to READ SMF data enables someone to identify potential opportunities to breach your security. If UPDATE or higher access is granted, a risk of audit log corruption exists. Access control for the unloaded data is critical to ensure a valid chain of custody.

Ensure that access authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing, and ensure that UPDATE and higher accesses are being logged.


Creating the Report


Finding: Excessive Access to the SMF Data Sets

Report Generation: Vanguard Analyzer™ SMF Environment Analysis – option 3;H
• Enter the DSN command to display SMF data set information
• Enter option R for profile information

Review the Report


Finding: Excessive Access to the SMF Data Sets

Review Report: Ensure the access to the SMF data sets is limited to appropriate users

Finding #8 – Remediation

Finding: RACF Database is not Adequately Protected

Risk: Severe

Recommended Best Practice and Remediation:

The RACF database contains extremely sensitive security information. No access to the RACF database is required for normal administration activities using either RACF commands or the RACF-provided ISPF panels. A user who has read access to the RACF database could make a copy and then use a cracker program to find the passwords for user IDs, and could obtain a list of user IDs and resources.

Review the protection for the RACF database and remove any entries granting access higher than NONE, other than the senior RACF administrators and system staff running RACF database utilities.


Creating the Report


Finding: RACF Database is not Adequately Protected

Report Generation: Vanguard Analyzer™ Database Analysis – option 3;3
• Enter option R for profile information

Review the Report


Finding: RACF Database is not Adequately Protected

Review Report: Verify that only senior RACF administrators and system staff running RACF database utilities have access to the RACF database

Finding #9 – Remediation

Finding: Excessive Access to APF Libraries

Risk: Severe

Recommended Best Practice and Remediation:

UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions.

UPDATE or higher access should be limited to senior systems support staff. Review all accesses to APF libraries and remove or change inappropriate access entries. Ensure that UPDATE and higher accesses are being logged.


Creating the Report


Finding: Excessive Access to APF Libraries

Report Generation: Vanguard Analyzer™ Sensitive/Critical Data Sets Analysis Batch – option 4;B
• Enter option R next to Authorized Program Facility (APF) Table
• Enter YES for RACF detail

Review the Report


Finding: Excessive Access to APF Libraries

Review Report: Verify that UPDATE or higher access to the APF libraries is limited to senior systems support staff

Finding #10 – Remediation

Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile

Risk: High

Recommended Best Practice and Remediation:

Daemons are processes that perform services for other users. In order to do this, a daemon must be able to change its identity temporarily to the identity of the user it will perform work for. The RACF FACILITY class profile called BPX.DAEMON can be used to control the use of the daemon functions.

Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel user ID, z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). Review the access list of the BPX.DAEMON profile to remove any access for users that are not actual z/OS UNIX daemons.
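The access-list reviews behind Findings #7 through #10 share one shape: a threshold access level that counts as excessive, a short list of IDs allowed to hold it, and (for the SMF and APF data sets) a requirement that successful UPDATE and higher accesses be logged. The checker below is an added example, not code from the deck or from Vanguard Analyzer; the profiles are a constructed, simplified LISTDSD/RLIST-like shape, and the profile names, user IDs and audit settings are made up.

```python
ACCESS_ORDER = ['NONE', 'EXECUTE', 'READ', 'UPDATE', 'CONTROL', 'ALTER']

def rank(level):
    """Position of a RACF access level in the NONE..ALTER hierarchy."""
    return ACCESS_ORDER.index(level)

# Constructed sample profiles (names, IDs and audit settings are made up).
# 'audit_success' is the lowest access level whose successes are logged, or None.
PROFILES = [
    {'class': 'DATASET', 'name': 'SYS1.RACFDB', 'uacc': 'NONE', 'audit_success': 'UPDATE',
     'acl': [('RACFADM', 'ALTER'), ('SYSPROG1', 'READ'), ('HELPDSK', 'READ')]},
    {'class': 'DATASET', 'name': 'SYS1.LINKLIB', 'uacc': 'READ', 'audit_success': None,
     'acl': [('SYSPROG1', 'UPDATE'), ('DEVTEAM', 'UPDATE'), ('APPUSR', 'READ')]},
    {'class': 'FACILITY', 'name': 'BPX.DAEMON', 'uacc': 'NONE', 'audit_success': None,
     'acl': [('OMVSKERN', 'READ'), ('INETD', 'READ'), ('JSMITH', 'READ')]},
]

# Policy per finding: lowest access that is excessive, who may hold it, and
# whether successful UPDATE-and-higher accesses must be logged (Findings #7/#9).
POLICY = {
    'SYS1.RACFDB':  {'threshold': 'READ',   'allowed': {'RACFADM', 'SYSPROG1'}, 'log_update': False},
    'SYS1.LINKLIB': {'threshold': 'UPDATE', 'allowed': {'SYSPROG1'},            'log_update': True},
    'BPX.DAEMON':   {'threshold': 'READ',   'allowed': {'OMVSKERN', 'INETD'},   'log_update': False},
}

def review_profile(profile, policy):
    """Return (finding, remediation command) pairs for one profile."""
    out = []
    name, cls = profile['name'], profile['class']
    # DATASET profiles and general-resource profiles take different RACF commands.
    alt = f"ALTDSD '{name}'" if cls == 'DATASET' else f"RALTER {cls} {name}"
    permit = f"PERMIT '{name}'" if cls == 'DATASET' else f"PERMIT {name} CLASS({cls})"
    thr = rank(policy['threshold'])
    if rank(profile['uacc']) >= thr:
        out.append((f"{name}: UACC({profile['uacc']}) is excessive", f"{alt} UACC(NONE)"))
    for ident, level in profile['acl']:
        if rank(level) >= thr and ident not in policy['allowed']:
            out.append((f"{name}: {ident} holds {level}", f"{permit} ID({ident}) DELETE"))
    succ = profile['audit_success']
    if policy['log_update'] and (succ is None or rank(succ) > rank('UPDATE')):
        out.append((f"{name}: successful UPDATE access is not logged",
                    f"{alt} AUDIT(SUCCESS(UPDATE) FAILURES(READ))"))
    return out

def review_all(profiles=PROFILES, policy=POLICY):
    """Run every profile that has a policy entry; unknown profiles are skipped."""
    return [item for p in profiles if p['name'] in policy
            for item in review_profile(p, policy[p['name']])]

if __name__ == '__main__':
    for finding, cmd in review_all():
        print(f"{finding:50} -> {cmd}")
```

As with Finding #6, the emitted PERMIT ... DELETE commands are candidates for the reviewer; an ID that legitimately runs a daemon or a RACF database utility belongs on the allow list, not in the output.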


Creating the Report


Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile

Report Generation: Vanguard Administrator™ General Resource Access List (Fastpath 3;4;4)

Mask: Class: FACILITY, Profile: BPX.DAEMON

Review the Report


Finding: Inappropriate Access to FACILITY Class BPX.DAEMON Profile

Review Report: Verify that access to the profile is restricted to the z/OS UNIX kernel user ID and z/OS UNIX daemons

WRAP-UP

Performing a z/OS Vulnerability Assessment – Remediation


Vulnerability Assessment - Wrap-up

• Vulnerability Assessments are a required part of your security program, including z/OS
• Tools can help automate these assessments, but you still need knowledge and skills to interpret the data presented to you
• Vanguard can help you through our security assessment services for z/OS


Vanguard zSecurity University™


To register for a webinar or training course: go to go2vanguard.com and place the mouse on Training.

Customer Savings: Special discounts for software customers and Vanguard Security & Compliance™ 2013 attendees.

Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits, and all course materials are provided on a tablet computing device that the attendee keeps at the end of the class.

Assessment Data Sheet


To learn more about Vanguard Assessment Services, download the Assessment Data Sheet.

Questions
