
Chapter 4b: z/OS Security Overview


Presentation Transcript


  1. Chapter 4b: z/OS Security Overview

  2. Chapter 4b objectives
     In this chapter you will learn to:
     • Explain security and integrity concepts
     • Explain RACF and its interface with the operating system
     • Authorize a program
     • Discuss integrity concepts
     • Explain the importance of change control
     • Explain the concept of risk assessment

  3. RACF the Security Server
     • RACF is used for the basic identification, authentication, access control and audit functions.
     • It is more than that, but hold on for a bit…
     • With RACF you can do at least the following:
       • Local or remote security administration
       • User identification and authentication
       • Resource authorization checking and system access control
       • Audit reports and integrity reports
       • Violation reporting

  4. Alphabet Soup
     Definitions (industry-standard names):
     • RACF: Resource Access Control Facility
     • LDAP: Lightweight Directory Access Protocol
     • DCE: Distributed Computing Environment
     • OCEP: Open Cryptographic Enhanced Plug-ins, extensions to the Open Cryptographic Services Facility (OCSF) in the z/OS base
     • CDSA: Common Data Security Architecture, a standard API definition for cryptographic functions, certificate management and storage; cross-industry and cross-platform, from Intel and many other vendors

  5. z/OS security architecture
     • Authenticate users and other accessors with:
       • Userid and password
       • Digital certificate
       • PassTicket
       • Kerberos token
     • Protect resources from unauthorized use:
       • Access checking and authorization points embedded within z/OS
       • All accesses to all resources are checked for the user's authority
       • The Link Pack Area (LPA) is write-protected, even from privileged programs
       • Address spaces are isolated from each other
     • Resources include business data, databases, transaction systems, programs, batch jobs, operator functions, user commands, networks, print facilities, UNIX…

  6. Why security
     • Any system security must allow authorized users the access they need and prevent unauthorized access.
     • Much of a company's critical data is now on computer and is easily stolen if not protected.
     • SecureWay Security Server provides a framework of services to protect data.

  7. RACF
     RACF (part of Security Server) and the other available packages are add-on products that provide the basic security framework on a z/OS mainframe. They:
     • Identify and authenticate users
     • Authorize users to access protected resources
     • Log and report attempted unauthorized access
     • Control the means of access to resources

  8. RACF functions overview

  9. Identification and verification of users
     • RACF uses a userid and a system-encrypted password to perform user identification and verification
     • The userid identifies the person to the system
     • The password verifies the user's identity
     • Passwords should not be trivial; RACF password rules (SETROPTS PASSWORD) and the ICHPWX01 new-password exit can be used to enforce policies

  10. Protection Levels
     • RACF access levels form a hierarchy; a higher level implies all those below it:
       • ALTER allows full control, including deleting and renaming the data set (and, for a discrete profile, changing the profile itself)
       • CONTROL allows VSAM control-interval processing; for non-VSAM data sets it is equivalent to UPDATE
       • UPDATE allows the data to be read and written
       • READ allows the data to be read
       • EXECUTE allows a program in a load library to be run but not read or copied
       • NONE gives no access

  11. Protecting a dataset
     • A data set profile is built and stored in the RACF database
     • Its access list gives users or groups an access level
     • A universal access level (UACC), applying to everyone not covered by the access list, is also set
     • The profile can be discrete (naming one data set) or generic, with or without wildcards

  12. Protecting general resources
     • Many system resources can be protected:
       • DASD volumes
       • Tapes
       • CICS or IMS transactions
       • JES spool data sets
       • System commands
       • Application resources, and many more
     • RACF is flexible and more classes can be added

  13. System Authorization Facility
     • SAF is part of z/OS
     • It routes requests to RACF if RACF is present
     • It can also use an optional installation exit routine (or route to another external security manager)
     • SAF is a system service and the common focal point for all products providing resource control
     • SAF is invoked at control points within the code of the resource manager

  14. RACF Structure
     • Userid
     • Group
       • Every userid belongs to at least one group (its default group)
       • Group structures are often used to grant access to resources
     • Resource
       • Resource classes
       • Class descriptor table, used to customize and add classes
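As an added example (not code from the presentation or from IBM), the following Python models the DATASET access decision that slides 10, 11 and 14 describe: generic profile matching with the most specific profile winning, then the access list (the user's own entry, then group entries, then ID(*)), then UACC, evaluated against the hierarchical access levels. It assumes enhanced generic naming, SETROPTS GRPLIST (all connect groups count) and PROTECTALL(FAILURES) (no profile means no access); the profile names, userids and groups are constructed for the example. It simplifies RACF's profile-ordering rules to the character-by-character "literal beats %, beats *, beats **" comparison and does not model OPERATIONS, WARNING mode or conditional access lists.

```python
"""Toy model of a RACF DATASET access decision (added example, not IBM code).

Assumptions, labelled: enhanced generic naming (EGN) is active, SETROPTS GRPLIST is
in effect, and PROTECTALL(FAILURES) denies access to data sets no profile covers.
Profiles, userids and groups below are constructed for the example."""
import re
from dataclasses import dataclass, field

# RACF access levels, lowest to highest; a higher level implies every lower one.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Profile:
    name: str                                  # discrete or generic data set profile name
    uacc: str = "NONE"                         # universal access for users the access list misses
    acl: dict = field(default_factory=dict)    # ID -> access; ID is a userid, a group, or "*"


@dataclass
class User:
    userid: str
    groups: tuple                              # all connect groups (GRPLIST assumed)


def _qualifier_match(pq: str, dq: str) -> bool:
    """Within one qualifier: '%' is any single character, '*' is zero or more characters."""
    pattern = "".join("." if c == "%" else ".*" if c == "*" else re.escape(c) for c in pq)
    return re.fullmatch(pattern, dq) is not None


def _match(pq: list, dq: list) -> bool:
    if not pq:
        return not dq
    if pq[0] == "**":                          # whole qualifier '**': zero or more qualifiers
        return _match(pq[1:], dq) or (bool(dq) and _match(pq, dq[1:]))
    if not dq:
        return False
    if pq[0] == "*":                           # whole qualifier '*': exactly one qualifier (EGN)
        return _match(pq[1:], dq[1:])
    return _qualifier_match(pq[0], dq[0]) and _match(pq[1:], dq[1:])


def matches(profile_name: str, dsn: str) -> bool:
    return _match(profile_name.split("."), dsn.split("."))


def specificity(profile_name: str) -> list:
    """Sort key for 'most specific profile': RACF compares names left to right, and a
    literal character is more specific than '%', which beats '*', which beats '**'."""
    generic_rank = {"%": 1, "*": 2, "**": 3}
    return [generic_rank.get(tok, 0) for tok in re.findall(r"\*\*|.", profile_name)]


def best_profile(profiles: list, dsn: str):
    hits = [p for p in profiles if matches(p.name, dsn)]
    return min(hits, key=lambda p: specificity(p.name), default=None)


def effective_access(profile: Profile, user: User) -> str:
    """Order RACF uses: the user's own entry, then group entries, then ID(*), then UACC."""
    if user.userid in profile.acl:             # an explicit NONE here overrides any group access
        return profile.acl[user.userid]
    group_levels = [profile.acl[g] for g in user.groups if g in profile.acl]
    if group_levels:                           # with GRPLIST, the highest of all groups applies
        return max(group_levels, key=RANK.__getitem__)
    if "*" in profile.acl:                     # ID(*): any RACF-defined user
        return profile.acl["*"]
    return profile.uacc


def authorized(profiles: list, dsn: str, user: User, requested: str) -> bool:
    profile = best_profile(profiles, dsn)
    if profile is None:                        # PROTECTALL(FAILURES): unprotected means denied
        return False
    return RANK[effective_access(profile, user)] >= RANK[requested]


# Constructed sample: what ADDSD/PERMIT commands for a payroll application might define.
PROFILES = [
    Profile("PAYROLL.PROD.**", uacc="NONE", acl={"PAYADM": "ALTER", "PAYUSR": "READ", "HRAPP": "UPDATE"}),
    Profile("PAYROLL.PROD.AUDIT.*", uacc="READ", acl={"BOB": "NONE", "AUDITOR": "READ"}),
    Profile("PAYROLL.**", uacc="READ"),
]

if __name__ == "__main__":
    for who, dsn, want in [
        (User("ALICE", ("PAYUSR", "HRAPP")), "PAYROLL.PROD.MASTER", "UPDATE"),
        (User("BOB", ("AUDITOR",)), "PAYROLL.PROD.AUDIT.2024", "READ"),     # user NONE beats group READ
        (User("CAROL", ("STAFF",)), "PAYROLL.HIST.2023", "UPDATE"),         # only UACC(READ) applies
    ]:
        p = best_profile(PROFILES, dsn)
        verdict = "ALLOWED" if authorized(PROFILES, dsn, who, want) else "DENIED"
        print(f"{who.userid:6} {dsn:26} via {p.name:22} -> {verdict} ({want})")
```

The PROFILES list corresponds to what ADDSD 'PAYROLL.PROD.**' UACC(NONE) followed by PERMIT 'PAYROLL.PROD.**' ID(HRAPP) ACCESS(UPDATE) (and similar commands) would define. Two behaviours worth noticing: PAYROLL.PROD.AUDIT.2024 is covered by three matching profiles and the most specific one, PAYROLL.PROD.AUDIT.*, decides; and BOB is denied although his group AUDITOR has READ, because an explicit user entry, even NONE, takes precedence over group entries. That second rule is how an administrator excludes one person from a group's access.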

  15. User Identification
     • RACF identifies you when you log on
     • Userid and password are required
     • Each RACF userid has its own password
     • The password is stored one-way encrypted (hashed), so no one can recover it from the RACF database, not even the administrator
     • The userid is revoked after a preset number of consecutive invalid password attempts (SETROPTS PASSWORD(REVOKE(n)))

  16. Logging and reporting
     • RACF maintains statistical information
     • RACF writes a security log (SMF type 80 records) when it detects:
       • Unauthorized attempts to enter the system
       • Access to resources, depending on the audit settings for the resource
         • For example, AUDIT(ALL(UPDATE)) on a profile records every access attempt, successful or failed, at the UPDATE level or higher
       • Issuing of RACF commands

  17. Security Administration
     Interpret the security policy to:
     • Determine which RACF functions to use
     • Identify the level of RACF protection
     • Identify which data to protect
     • Identify administrative structures and users

  18. Authorized programs
     • Authorized tasks running authorized programs are allowed to access sensitive system functions
     • Unauthorized programs may only use standard functions, which preserves system integrity

  19. Authorized Program Facility

  20. Authorized Libraries
     • A task is treated as authorized when the executing program meets any one of the following:
       • It runs in supervisor state
       • It runs in PSW key 0 to 7
       • It is APF-authorized, which requires that:
         • The job step program was loaded from an APF-authorized library and was link-edited with AC(1)
         • Every module loaded since then in the same task also came from an APF-authorized library (an authorized task that tries to load a module from a non-APF library is abended with S306)

  21. APF Libraries
     • Authorized libraries are defined by the APF list in SYS1.PARMLIB
     • SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are automatically authorized
     • Installation libraries are defined in PROGxx (or the older IEAAPFxx)
     • By default (LNKAUTH=LNKLST in IEASYSxx) all libraries in the linklist are authorized; many installations, often prompted by auditors, set LNKAUTH=APFTAB so that only the libraries in the APF list are authorized
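As an added example (not from the presentation), this Python script works out which libraries confer APF authority from PROGxx and IEASYSxx fragments, which is the check slide 21's LNKAUTH point calls for. The parmlib text is constructed in the shape of the real statements (APF ADD DSNAME(...), LNKLST ADD NAME(...) DSNAME(...), LNKAUTH=); real members also have continuation lines, other statement types and the older IEAAPFxx/LNKLSTxx forms, which it does not handle.

```python
"""Effective APF-authorized library set from parmlib text (added example).

The PROGxx and IEASYSxx fragments below are constructed for the example, in the
shape of the real statements; this parser handles only single-line APF ADD and
LNKLST ADD statements and the LNKAUTH keyword."""
import re

# Libraries z/OS treats as APF-authorized whether or not they appear in the APF list.
ALWAYS_AUTHORIZED = {"SYS1.LINKLIB", "SYS1.SVCLIB", "SYS1.LPALIB"}


def parse_progxx(text: str):
    """Return (apf_libraries, linklist_libraries) from 'APF ADD' and 'LNKLST ADD' statements."""
    apf, lnklst = set(), []
    for raw in text.splitlines():
        line = raw.split("/*")[0].strip().upper()          # drop PROGxx comments and blanks
        if not line:
            continue
        m = re.match(r"APF\s+ADD\s+DSNAME\(([^)]+)\)", line)
        if m:
            apf.add(m.group(1))
        m = re.match(r"LNKLST\s+ADD\s+NAME\(\w+\)\s+DSNAME\(([^)]+)\)", line)
        if m:
            lnklst.append(m.group(1))
    return apf, lnklst


def parse_lnkauth(ieasys_text: str) -> str:
    """LNKAUTH from IEASYSxx; z/OS defaults to LNKLST when the keyword is absent."""
    m = re.search(r"\bLNKAUTH=(APFTAB|LNKLST)", ieasys_text.upper())
    return m.group(1) if m else "LNKLST"


def effective_apf(progxx: str, ieasys: str) -> dict:
    """Which libraries can confer APF authority, and which do so only via the linklist."""
    apf, lnklst = parse_progxx(progxx)
    lnkauth = parse_lnkauth(ieasys)
    effective = apf | ALWAYS_AUTHORIZED
    via_linklist_only = set()
    if lnkauth == "LNKLST":                                  # the default: every linklist library is APF
        via_linklist_only = set(lnklst) - effective
        effective |= set(lnklst)
    return {"lnkauth": lnkauth, "effective": effective, "via_linklist_only": via_linklist_only}


# Constructed parmlib fragments (not from a real system).
PROGXX = """\
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.SIEALNKE) VOLUME(ZOSRES)
APF ADD DSNAME(PROD.AUTH.LOADLIB) SMS            /* vendor product, meant to be APF */
LNKLST DEFINE NAME(LNKLST00)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.LINKLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.SIEALNKE)
LNKLST ADD NAME(LNKLST00) DSNAME(APPL.PROD.LOADLIB)  /* application code, not meant to be APF */
LNKLST ACTIVATE NAME(LNKLST00)
"""
IEASYS_DEFAULT = "CLPA,LNKAUTH=LNKLST,PROG=00"
IEASYS_HARDENED = "CLPA,LNKAUTH=APFTAB,PROG=00"

if __name__ == "__main__":
    for label, ieasys in (("default", IEASYS_DEFAULT), ("hardened", IEASYS_HARDENED)):
        r = effective_apf(PROGXX, ieasys)
        print(f"[{label}] LNKAUTH={r['lnkauth']}: {len(r['effective'])} APF-authorized libraries")
        for dsn in sorted(r["via_linklist_only"]):
            print(f"  WARNING: {dsn} is APF-authorized only because it is in the linklist")
```

With the default LNKAUTH=LNKLST, APPL.PROD.LOADLIB is flagged: anyone who can update that application library can plant an AC(1) module that runs authorized. With LNKAUTH=APFTAB the same PROGxx yields only the explicit APF list plus the three always-authorized libraries, which is the configuration auditors ask for.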

  22. Authorizing libraries

  23. Operator Console Security
     • Consoles are assigned authority levels in the CONSOLxx parmlib member (AUTH keyword)
     • Commands are grouped:
       • INFO: informational commands
       • SYS: system control commands
       • IO: I/O commands
       • CONS: console control commands
       • MASTER: master console commands
     • Each console may have one or more levels

  24. Security Roles
     • The systems programmer sets up RACF
     • The systems administrator implements the policies
     • The security manager sets the policies
     • Separation of duties is required to prevent uncontrolled access

  25. z/OS UNIX System Services
     • The UNIX environment is integrated into z/OS
     • Hybrid security mechanisms:
       • UNIX UIDs and GIDs are used, as well as file permissions
       • Users and groups are defined in RACF, not in /etc/security/passwd
       • UNIX API calls like getpwnam() or __passwd() are implemented
       • Security services are performed by RACF
     • UNIX security is strengthened by RACF functions:
       • SMF is used for logging
       • Control of superuser functionality
       • Control of security context switching
     • Applications can use both UNIX and MVS functions

  26. USS Security >> UNIX Security
     • No /etc/passwd file
       • RACF is used for user authentication
       • Benefit: attacks based on the /etc/passwd file don't work
     • Superuser: UNIX superusers (uid=0) have complete authority over UNIX systems. In z/OS their use is minimized and controlled.
       • RACF controls users' ability to enter superuser state
       • A user can be given a subset of superuser privileges
       • Superuser privileges apply only to USS resources
       • Superuser privileges do not bypass access checks for non-USS resources (e.g., z/OS data sets)
     • Benefits:
       • No need to distribute the root userid and password to multiple people
       • Finer granularity in granting user capabilities
       • Superuser cannot bypass security for "traditional" z/OS resources

  27. RACF User Identification & Authentication for USS
     • z/OS UNIX user identification:
       • RACF user profile with an OMVS segment
       • RACF group profile with an OMVS segment
       • No /etc/passwd file
     • User authentication:
       • RACF password
       • RACF PassTicket
     • z/OS UNIX logon:
       • TSO
       • rlogin, telnet

  28. From Resource Managers to RACF and back for USS

  29. RACF Control of USS Functions
     • Better security through RACF for superuser authority: BPX.FILEATTR.*
     • Less need for superuser authority through RACF control: class UNIXPRIV
     • Improved accountability by switching into superuser mode only when needed: BPX.SUPERUSER (also used by SMP/E)
     • Better security through RACF for user identity changes: BPX.DAEMON
       • Ability to validate and assume RACF identities
       • Daemon programs can only change identity if authorized
     • BPX.SERVER: surrogate assignment for POSIX threads
       • Daemons can create threads with surrogate userids if authorized:
         • UPDATE: the client needs access authority to the MVS resources
         • READ: both client and server need access authority

  30. UNIXPRIV for Mount and Quiesce
     • Mount and quiesce file systems:
       • SUPERUSER.FILESYS.MOUNT
         • READ: mount or unmount a file system with the nosetuid attribute
         • UPDATE: mount or unmount a file system with the setuid attribute
       • SUPERUSER.FILESYS.QUIESCE
         • READ: quiesce or unquiesce a file system mounted with nosetuid
         • UPDATE: quiesce or unquiesce a file system mounted with setuid

  31. UNIXPRIV for other file actions
     • SUPERUSER.FILESYS.CHOWN
       • READ: use chown to change the owner of any file
     • SUPERUSER.FILESYS.PFSCTL
       • READ: allows use of the pfsctl() service
     • SUPERUSER.FILESYS.VREGISTER
       • READ: allows use of the vreg() service to register as a VFS file server

  32. From Resource Managers to RACF and back for USS

  33. Kerberos on z/OS
     • The Kerberos registry is integrated into the RACF registry
     • Kerberos is integrated using SAF
     • The Kerberos KDC (Key Distribution Center) executes within a z/OS address space:
       • The Authentication Server (AS) authenticates users and grants TGTs
       • The Ticket Granting Server (TGS) generates session keys and grants service tickets based on the TGT
     • The OS/390 KDC behaves like any other Kerberos realm
     • Kerberos realm-to-realm (cross-realm) function is supported
     • Kerberos is efficient for a relatively small number of users individually defined to the security manager, e.g. enterprise employees via an intranet
     • Digital certificates support very large numbers of users who are not individually defined to the security manager, e.g. web e-business customers via the Internet

  34. Encryption Protects Data Privacy on the Network
     • End-to-end network encryption is needed to meet Payment Card Industry requirements
     • System z Communications Server encrypts network data end to end
       • Supports the IPSec protocol for virtual private networks across the Internet
       • Announced support for running IPSec traffic on the zIIP specialty engine
     • New support for encrypting data on the mainframe before sending it to printers
       • IPSec support is installed in new printers
       • LAN printers can now print confidential material on secured printers
     • Router-based encryption is not enough: it may expose data in the clear between the host and the router
     [Diagram: z/OS Communications Server to z/OS Communications Server across two routers, IPSec encrypted "end to end"]

  35. Summary
     System z Security provides:
     • A secure platform infrastructure
     • Data privacy
     • Compliance and audit
     • Security across the extended enterprise
