
How to Increase User Accountability by Eliminating the Default User in Unix Systems Services (USS) in z/OS

Hear an overview of implementation considerations for sites that are preparing for the removal of default UNIX® authorization assignments (for both users and groups). IBM®'s z/OS 1.13 is the last planned release to support BPX.DEFAULT.USER. Attend the session to learn more about best practices for managing this change on the mainframe, and about the specific features of CA Top Secret® and CA ACF2™ that support your work to complete the changeover.

For more information, please visit http://cainc.to/Nv2VOe

  1. Title: How to Increase User Accountability by Eliminating the Default User in Unix Systems Services (USS) in z/OS. Julie-Ann Williams, Director / Security Specialist, millennia… Session MFX26S, #CAWorld
  2. Terms of this Presentation (for informational purposes only). © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. @CAWORLD #CAWORLD
  3. Abstract. Hear an overview of implementation considerations for sites that are preparing for the removal of default UNIX authorization assignments (for both users and groups). IBM's z/OS 1.13 is the last planned release to support BPX.DEFAULT.USER. Security professionals should attend this session to learn more about best practices for managing this change, and about the specific features of CA Top Secret and CA ACF2 that support your work to complete the changeover. Julie-Ann Williams, millennia…
  4. Agenda
     1) USS: deprecation of BPX.DEFAULT.USER
     2) What's the problem?
     3) How did we get here?
     4) What needs to be done to fix it?
     5) Q & A session
  5. Today's Discussion: A Few Words to Review
     - BPX.DEFAULT.USER: IBM has withdrawn support for BPX.DEFAULT.USER as of z/OS V2R1 (z/OS 1.13 was the last release to honour it).
     - z/OS impacted: if you use USS and haven't already addressed the problem, you may have critical issues which can stop elements of z/OS from working.
     - Convert to unique: there is no justification for allowing default access to Unix System Services. If a user hasn't justified their need, they shouldn't be granted access, just like any other z/OS resource.
  6. Today's Discussion: USS, deprecation of BPX.DEFAULT.USER
     I don't want to sound like a scare-monger, but if you have BPX.DEFAULT.USER defined in your z/OS security system then you almost certainly have a problem. Unix System Services has always been the unloved cousin of z/OS, having been forced on us, unceremoniously, back in the late 1990s. We didn't know anything about Unix at the time, but "suddenly" we were told that without it we wouldn't be able to use FTP. Most of us took a classic head-in-the-sand approach: use defaults wherever possible. That way everything kept running and we didn't have to learn something new. For some reason that attitude has prevailed for the last 15 or so years, and it is because of this that our team still sees many z/OS installations with very limited control over USS in their environment. z/OS V2R1 presents us all with a challenge.
  7. Is USS the Elephant in the Room? The BPX.DEFAULT.USER resource is no longer supported
     - Significant change in how default access to USS is granted from z/OS 2.1: BPX.DEFAULT.USER is replaced by new resources (BPX.UNIQUE.USER and BPX.NEXT.USER).
     - Potential show-stopper: essential z/OS services that relied on the default user may not function.
  8. What is USS? UNIX System Services
     - A POSIX compliant UNIX environment (Portable Operating System Interface: the set of standards that define various aspects of the UNIX operating system).
     - From the user's perspective it's a UNIX server; from the z/OS perspective it's just another supported service.
  9. What is USS? A little bit of background
     [Diagram: a z/OS system hosting UNIX System Services alongside TSO and business applications; USS carries the TCP/IP network services (WebSphere, Java, FTP, email/SMTP) and bridges EBCDIC and ASCII between z/OS and the intranet/internet, where the caller may be a user, a customer, or a hacker.]
  10. z/OS vs USS: Apples vs. Oranges. A logical boundary is used to keep z/OS and USS processes separated.
     - Different file system structures (MVS data sets vs. a hierarchical UNIX file system)
     - Different data encoding: USS works with ASCII data, z/OS with EBCDIC
     - Different security models
  11. System z Security: Security Fundamentals
     - People: users, groups
     - Stuff: files, resources
  12. Dual Security Model (Security Fundamentals, Apples vs. Oranges)
     - Fundamentally different security models
     - In general, z/OS security protects z/OS resources and USS security protects USS resources
     - Both security processes are involved when an action touches both z/OS and USS resources
  13. z/OS Security (CA ACF2, CA Top Secret and IBM's RACF)
     - Users: 8 character limit, alphabetic or alphanumeric; one ID per user; each user has a default group
     - Groups: 8 character limit, alphabetic or alphanumeric; contain one or more users
  14. z/OS Security (CA ACF2, CA Top Secret and IBM's RACF)
     - Access to 'stuff' is controlled using rules/profiles
     - Access to a profile is granted to multiple users and/or groups, or by the resource's default (universal) access
     - Profiles are based on z/OS-independent qualifier logic, e.g. MY.DATA.- and MY.SECRET.DATA.-
  15. USS Security: UNIX security
     - UIDs: numeric, 0 to 2,147,483,647; one UID per user; UID(0) = superuser ("God mode")
     - GIDs: numeric, 0 to 2,147,483,647; contain one or more UIDs
  16. USS Security: UNIX security, connecting users to stuff
     - Access to 'stuff' is controlled using the contents of the resource's UNIX File Security Packet (FSP)
     - Hierarchical structure for all resources, including files
  17. USS Security: UNIX security, connecting users to stuff
     - The UNIX FSP includes permission bits, Owner : Group : Other (only one owner UID and one group GID; Other = default/universal access), and a UNIX Access Control List with individual group/user entries
     - Stored with the resource in the USS file system
     - Values are inherited from the parent resource, taken from system defaults, or set manually
  18. USS Security: UNIX security, connecting users to stuff
     - USS UIDs and GIDs are mapped to z/OS security users and groups
     - Nominally a 1 to 1 mapping
     - A user must have a valid UID and a default group with a valid GID to access USS
     - Allocated explicitly, or inherited via the USS default access facility
  19. USS Security: UNIX security, connecting users to stuff
     - The UID, the default GID and up to 300 supplementary group GIDs are used for authority checks (256 for CA-TSS)
  20. Access to USS: explicit vs default
     - Explicit access: specific, unique UID and GID values assigned to user IDs and groups; fixed, auditable assignments; simple to audit usage
  21. Access to USS: explicit vs default
     - Default access: a single UID and GID value assigned to all callers; allocated 'on demand'; very complex to audit usage
  22. USS Default Access, historic: BPX.DEFAULT.USER
     - Single fixed UID and GID values
     - Allocated to a user if the ID has no UID or GID value: dynamically assigned at logon or first use of USS, and only for the duration of the session (nothing is recorded against the user)
     - All such users are assigned the same numbers
  23. USS Default Access, new: BPX.UNIQUE.USER & BPX.NEXT.USER
     - A range of UID and GID values
     - The next unique UID and/or GID value is automatically assigned to the user ID and its default group if none is found
     - Permanently assigned on first access to USS
  24. USS Default Access, new: BPX.NEXT.USER
     - Unique ranges per database
     - Max 129 users or groups sharing a single UID or GID
     - RACF database AIM(2) or higher required
  25. USS Default Access, new: BPX.UNIQUE.USER
     - RACF database AIM(3)
     - UNIXPRIV class active and SHARED.IDS profile defined
  26. USS Default Access, new: CA ACF2 specifics
     - UNIXOPTS GSO DFTUSER & DFTGROUP no longer used
     - BPX.NEXT.USER: UID & GID ranges set via the AUTOIDOM GSO record
     - BPX.UNIQUE.USER: MODLUSER & UNIQUSER (UNIXOPTS GSO)
     - RO55702: create a FACILITY resource rule that traces any use of BPX.DEFAULT.USER
  27. USS Default Access, new: CA Top Secret specifics
     - OMVSUSR & OMVSGRP control options no longer used
     - BPX.NEXT.USER: UID & GID ranges set via the DFLTRNGU / DFLTRNGG control options
     - BPX.UNIQUE.USER: MODLUSER & UNIQUSER control options
     - RO58980: adds the ability to cut trace records for BPX.DEFAULT.USER usage
  28. Default Access to USS? How are you justifying this to your auditor?
     - 'On demand' access to a business critical service?
     - Hackers know how to misuse it! And who else?
  29. Default Access to USS? Implications of default access to USS
     - Any z/OS user ID can access USS 'on demand', not just those that need it
     - It can access any USS resource whose 'other' permission is read or above
     - It can access any z/OS dataset with a UACC of READ or above
  30. Default Access to USS? Implications of default access to USS
     - Very complex to audit accurately
     - Multiple compensating controls required
     - The USS security policy must justify its usage
  31. Default Access to USS? What's wrong with using BPX.DEFAULT.USER?
     - IBM presentation to the RACF User Group, 2013: a shared UID produces audit non-conformances; there is no accountability for who did what, who owns what, etc.
     - If a UNIX service creates a resource while running with a shared UID, that resource is available to all users running with that shared UID
     - ftp://public.dhe.ibm.com/.../nyrug_2013_03_default_user_removal.pdf
  32. Default Access to USS? What's wrong with using BPX.DEFAULT.USER?
     - Robert Hansel, RSH Consulting, presentation to SHARE in 2013: with a shared ID, accountability is difficult to establish, a frequent audit finding
     - The shared UID becomes OWNER of file system objects created by a user running as the UNIX default user
     - The shared UID becomes OWNER of file system objects when "chown" specifies a user ID that does not have an OMVS segment
     - https://share.confex.com/.../RSH%20Consulting%20-%20BPX.DEFAULT.USER%20-%202013-08%20-%20SHARE%20-%2013393.pdf
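The assignment order on slides 18, 22 and 23 and the shared-ownership problem on slides 31 and 32 can be seen in a small model. The following Python is an added example, not code from the deck, from CA or from IBM: it stands in for the security manager's lookup (explicit OMVS segment first, then BPX.UNIQUE.USER drawing from a BPX.NEXT.USER range, then BPX.DEFAULT.USER) and then applies the standard UNIX owner/group/other permission check to a file one user created. The user IDs ALICE and BOB, the shared default UID/GID 999999, the 10000-19999 ranges and the file path are all constructed; ACL entries and the z/OS-side checks are left out.

```python
# Added example, not code from the deck, CA or IBM: a constructed model of how a
# z/OS user ID is given a UID/GID on entry to USS, and of the UNIX permission
# check that makes a shared default UID a problem. All names and numbers are
# made up for illustration.
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple

R, W, X = 4, 2, 1  # read/write/execute bits within one owner/group/other triplet


@dataclass
class SecurityDb:
    """Stand-in for the external security manager's settings (RACF, CA ACF2 or
    CA Top Secret) that decide how a user ID enters USS."""
    omvs: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # explicit segments: userid -> (uid, gid)
    default_user: Optional[Tuple[int, int]] = None   # historic BPX.DEFAULT.USER: one shared (uid, gid)
    unique_user: bool = False                         # BPX.UNIQUE.USER defined?
    uid_range: Optional[Iterator[int]] = None         # BPX.NEXT.USER UID range (hypothetical values)
    gid_range: Optional[Iterator[int]] = None         # BPX.NEXT.USER GID range (hypothetical values)


def resolve(db: SecurityDb, userid: str) -> Tuple[int, int, str]:
    """Map a z/OS user ID to (uid, gid, how), in the order the deck describes:
    explicit segment, then BPX.UNIQUE.USER + BPX.NEXT.USER (permanent, unique),
    then BPX.DEFAULT.USER (temporary, shared), otherwise USS access is denied.
    Simplification: the new GID is recorded against the user directly rather
    than against the user's default group."""
    if userid in db.omvs:
        uid, gid = db.omvs[userid]
        return uid, gid, "explicit"
    if db.unique_user and db.uid_range is not None and db.gid_range is not None:
        uid, gid = next(db.uid_range), next(db.gid_range)
        db.omvs[userid] = (uid, gid)       # written back: the assignment is permanent
        return uid, gid, "unique"
    if db.default_user is not None:
        uid, gid = db.default_user         # not written back: the assignment is temporary
        return uid, gid, "default"
    raise PermissionError(f"{userid}: no UID/GID and no default user, USS access denied")


@dataclass
class File:
    """The part of a File Security Packet this example needs: owner, group, mode bits."""
    path: str
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o600


def permitted(f: File, uid: int, gids: Set[int], want: int) -> bool:
    """Classic UNIX mode-bit check: superuser, then owner class, then group class,
    then other. Whichever class matches first is the only one consulted.
    ACL entries (which sit between the owner and other classes) are omitted."""
    if uid == 0:
        return True
    if uid == f.owner_uid:
        bits = (f.mode >> 6) & 7
    elif f.owner_gid in gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def demo(shared_default: bool) -> Tuple[int, int, bool]:
    """ALICE creates a private file (mode 600) through a USS service such as FTP;
    BOB, who has no OMVS segment either, then tries to read it.
    Returns (alice_uid, bob_uid, bob_can_read)."""
    if shared_default:
        db = SecurityDb(default_user=(999999, 999999))          # constructed shared IDs
    else:
        db = SecurityDb(unique_user=True,
                        uid_range=iter(range(10000, 20000)),    # constructed ranges
                        gid_range=iter(range(10000, 20000)))
    a_uid, a_gid, _ = resolve(db, "ALICE")
    report = File("/u/data/report.txt", a_uid, a_gid, 0o600)
    b_uid, b_gid, _ = resolve(db, "BOB")
    return a_uid, b_uid, permitted(report, b_uid, {b_gid}, R)


if __name__ == "__main__":
    print("BPX.DEFAULT.USER:", demo(True))    # BOB is the owner too, so he reads ALICE's file
    print("BPX.UNIQUE.USER: ", demo(False))   # BOB falls into the 'other' class and is denied
```

With the shared default, BOB and ALICE resolve to the same UID, so the owner bits of ALICE's mode-600 file apply to BOB as well; with unique assignment the two get different UIDs and BOB is evaluated against the 'other' bits, which is exactly the accountability and ownership point made in the IBM and RSH material above.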
  33. Conversion to Unique Users: a multi-step process
     - Baseline the current configuration: identify who is using the default access facility; identify and resolve conflicts
     - Design the new configuration, processes, mitigating controls etc.
     - Implementation
     - Ongoing monitoring and compliance
  34. Conversion to Unique Users: baseline and usage
     - What UID & GID values are you using?
     - Are any being shared between multiple IDs/groups?
     - Do the additional resources required by BPX.NEXT.USER exist?
     - Who is using BPX.DEFAULT.USER?
  35. Conversion to Unique Users: resolving conflicts
     - Implement unique UID and GID values as required
     - Resolve any shared values: no UID can be shared by more than 129 users, and the same limit applies to GIDs
     - Correct USS file system FSP permission bits and ACLs
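To make the baseline and conflict resolution on slides 33 to 35 concrete, here is an added Python example (not from the deck, and not CA or IBM code). It reads a constructed, simplified UID/GID extract, reports the conditions the deck flags (user IDs and groups with no OMVS identity, shared UIDs and GIDs, shares over the 129 limit, holders of UID 0) and generates the RACF commands for the clean-up together with the file-ownership reminders. In a real conversion the extract would come from an IRRDBU00 unload (record type 0270 for user OMVS data, 0370 for group OMVS data) or the equivalent CA ACF2 / CA Top Secret reports; the extract format, names and ranges here are assumptions, the commands are RACF syntax only (ACF2 and Top Secret syntax differs), and the setup commands assume the AIM and UNIXPRIV prerequisites on slides 24 and 25 are already met.

```python
# Added example, not code from the deck, CA or IBM: baseline a UID/GID extract,
# report what blocks a BPX.NEXT.USER / BPX.UNIQUE.USER conversion, and generate
# the RACF commands for the clean-up. Extract format, names and ranges are
# constructed; the command syntax is RACF only.
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Set, Tuple

SHARE_LIMIT = 129  # z/OS limit on user IDs sharing one UID (and groups sharing one GID)

# Constructed sample extract (not real data): TYPE NAME ID, NONE = no OMVS identity.
SAMPLE_EXTRACT = """\
USER  ALICE   1001
USER  BOB     1001
USER  CAROL   NONE
USER  DAVE    0
USER  BATCH01 NONE
GROUP SYS1    0
GROUP DEVS    500
GROUP OPS     500
GROUP TEMP    NONE
"""

IdTable = Dict[str, Optional[int]]

def parse_extract(text: str) -> Tuple[IdTable, IdTable]:
    users: IdTable = {}
    groups: IdTable = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, name, ident = line.split()
        (users if kind == "USER" else groups)[name] = None if ident == "NONE" else int(ident)
    return users, groups

def shared_ids(table: IdTable) -> Dict[int, List[str]]:
    """IDs held by more than one name, holders listed alphabetically."""
    holders: Dict[int, List[str]] = defaultdict(list)
    for name, ident in sorted(table.items()):
        if ident is not None:
            holders[ident].append(name)
    return {i: names for i, names in holders.items() if len(names) > 1}

def audit(users: IdTable, groups: IdTable) -> dict:
    """Baseline: who would fall through to BPX.DEFAULT.USER today, which IDs are
    shared, which shares already exceed the 129 limit, and who holds UID 0."""
    shared_uids, shared_gids = shared_ids(users), shared_ids(groups)
    return {
        "no_omvs_users": sorted(u for u, uid in users.items() if uid is None),
        "no_omvs_groups": sorted(g for g, gid in groups.items() if gid is None),
        "shared_uids": shared_uids,
        "shared_gids": shared_gids,
        "over_limit": [("UID", i) for i, n in shared_uids.items() if len(n) > SHARE_LIMIT]
                    + [("GID", i) for i, n in shared_gids.items() if len(n) > SHARE_LIMIT],
        "superusers": sorted(u for u, uid in users.items() if uid == 0),
    }

def allocator(id_range: Iterable[int], in_use: Set[int]) -> Iterator[int]:
    """Hand out IDs from the range, skipping values already assigned (BPX.NEXT.USER
    likewise moves past a candidate that is already taken)."""
    for candidate in id_range:
        if candidate not in in_use:
            in_use.add(candidate)
            yield candidate

def plan_remediation(users: IdTable, groups: IdTable,
                     uid_range: range, gid_range: range) -> Tuple[List[str], List[str]]:
    """RACF commands giving every user and group an explicit, unique OMVS identity,
    plus reminders for the ownership fix-ups. The alphabetically first holder of
    a shared ID keeps it; the others move to the new range. ALTUSER/ALTGROUP on a
    name without an OMVS segment creates it (HOME and PROGRAM take their defaults)."""
    cmds: List[str] = []
    notes: List[str] = []
    for table, id_range, verb, key in ((users, uid_range, "ALTUSER", "UID"),
                                       (groups, gid_range, "ALTGROUP", "GID")):
        in_use = {i for i in table.values() if i is not None}
        fresh = allocator(id_range, in_use)
        keeper = {i: names[0] for i, names in shared_ids(table).items()}
        for name, ident in sorted(table.items()):
            if ident is None or (ident in keeper and keeper[ident] != name):
                new_id = next(fresh)
                cmds.append(f"{verb} {name} OMVS({key}({new_id}))")
                if ident is not None:  # files created under the shared ID stay owned by that number
                    notes.append(f"{name}: chown files owned by {key} {ident} to {key} {new_id}")
    return cmds, notes

def setup_commands(uid_range: range, gid_range: range) -> List[str]:
    """One-time RACF definitions replacing BPX.DEFAULT.USER; run the RDELETE only
    once the audit shows nobody still falls through to the default user."""
    return [
        f"RDEFINE FACILITY BPX.NEXT.USER APPLDATA('{uid_range.start}-{uid_range.stop - 1}/"
        f"{gid_range.start}-{gid_range.stop - 1}')",
        "RDEFINE FACILITY BPX.UNIQUE.USER",
        "SETROPTS RACLIST(FACILITY) REFRESH",
        "RDELETE FACILITY BPX.DEFAULT.USER",
    ]

if __name__ == "__main__":
    u, g = parse_extract(SAMPLE_EXTRACT)
    for k, v in audit(u, g).items():
        print(f"{k:15} {v}")
    uids, gids = range(10000, 20000), range(10000, 20000)   # constructed ranges
    commands, reminders = plan_remediation(u, g, uids, gids)
    print(*setup_commands(uids, gids), *commands, *reminders, sep="\n")
```

The allocator deliberately starts the new range above everything already in use and skips collisions, because a BPX.NEXT.USER range that overlaps existing assignments would recreate the sharing the conversion is meant to remove; the chown reminders correspond to the "correct USS file system FSP permission bits and ACLs" step on slide 35, and the superuser list is there because a UID 0 holder is a finding in its own right even when it is unique.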
  36. Conversion to Unique Users: complex conversion challenges
     - Correcting z/OS ACLs: RACF via FSSEC, CA-ACF2 via CA SAF HFS security, CA-TSS via HFSACL
     - Achieving multi-system or site-wide UID / GID uniqueness
     - Maintaining uniqueness
  37. USS Security Policy: the cornerstone of audit
     - Whatever happens, your z/OS USS security policy will need updating
     - New procedures
     - Changes to auditing
     - You do have one…?
  38. USS Monitoring and Compliance: the cornerstone of audit
     - Monitoring USS activity: update existing processes; additional processes
     - Compliance with the USS policy: checking for the 'human' factor
  39. One Last Thought: Computerworld.dk interview in 2013 with Peter Kruse from CSIS Security Group
     "The hackers have gone 100 percent after mainframes and 100 percent after z/OS (the operating system of the mainframe, ed.), and one can say that with these attacks in mind the mainframe has certainly lost its innocence," says Peter Kruse (translated from the Danish original).
     http://www.computerworld.dk/art/227172/efter-det-store-csc-hack-flere-sager-paa-vej
  40. One Last Thought: what do you have to lose?
     - Swedish breach reported to include: the RACF database with 120k user IDs; 10,000+ datasets; the entire '/' file system; sensitive personal data including financial details
  41. One Last Thought: what do you have to lose?
     - Danish breach reported to include: a large number of files from the Danish Police; driver's licence data, including 4 million social security numbers (CIA World Factbook, Denmark: population 5.6 million, est. April 2014)
     - Both breaches were initially undetected!
  42. Q & A
  43. For More Information. To learn more, please visit: http://cainc.to/Nv2VOe. CA World '15
