Re: z/OS Virus Checker zLinux Virus Checker
Oh. Yes, I thought commercials are not that popular here :) We also provide in-depth IT security assessments for mainframe systems, have been doing this for quite some years. We offer some specialized tools as well, for example for offline / regular RACF password auditing (but no, no such animal as a z/OS virus checker). More information at http://www.detack.com/en/hms.html

Costin Enache / Detack GmbH

--- On Fri, 3/4/11, Jan Vanbrabant vanbrabant...@gmail.com wrote:

> From: Jan Vanbrabant vanbrabant...@gmail.com
> Subject: Re: z/OS Virus Checker zLinux Virus Checker
> To: IBM-MAIN@bama.ua.edu
> Date: Friday, March 4, 2011, 8:56 AM
>
> Don't see anything like a forum in the sitemap of your web site.
>
> J
>
> On Fri, Mar 4, 2011 at 7:21 AM, Dr. Stephen Fedtke max_mainframe_...@fedtke.com wrote:
>
> > hi all, i almost missed this discussion. if you are interested in further arguments and details in this field Vulnerability Analysis and Scan on z you should also refer to the it security forum on our website. we completely solve this problem for over a decade. best stephen
> >
> > [ ... rest snipped ... ]
Re: z/OS Virus Checker zLinux Virus Checker
hi all, i almost missed this discussion. if you are interested in further arguments and details in this field Vulnerability Analysis and Scan on z you should also refer to the it security forum on our website. we completely solve this problem for over a decade.

best stephen

---
Dr. Stephen Fedtke
Enterprise-IT-Security.com
Seestrasse 3a
CH-6300 Zug
Switzerland
Tel. ++41-(0)41-710-4005
www.enterprise-it-security.com

++NEWS++ SF-LoginHood provides state-of-the-art password, phrase and login security for z/OS ++NEWS++

At 14:04 29.01.2011 -0600, you wrote:

> Elardus,
>
> Please let me add some information in response to your posting:
>
> There is a difference between a Virus and a System Integrity Exposure. The System Integrity Exposure is the Root Cause that a Virus exploits. There may be many Viruses, especially in Windows Systems, which exploit the same Root Cause. The PC Virus checkers look for the signatures of Virus code either executing or in directories and then take action to remove them. The Virus Checkers cannot fix the Root Cause -- in the case of Windows, only Microsoft can do that. But, it would be better if Microsoft would fix the Root Cause because then the Virus programs would become ineffective.
>
> IBM's Statement of Integrity clearly states that if a System Integrity Vulnerability (the Root Cause) is reported to IBM, they will fix it. Microsoft does not make this commitment and this is why the z/OS Operating System is a much more securable system than Windows. However, z/OS is not immune to these threats because it too has system integrity vulnerabilities.
>
> In your posting, you state that there are many alternatives to our Vulnerability Analysis Product for the ethical hacking/penetrating/scanning for defects and exposures. In fact, IBM purports to provide this capability from their Tivoli zSecure unit. On their zSecure Audit Website, they state: "Security zSecure Audit includes a powerful system integrity analysis feature. Reports identify exposures and potential threats based on intelligent analysis built into the system." That's a pretty powerful and absolute statement.
>
> But, since Tivoli is part of IBM you can be assured that their Quality Assurance Unit regularly tests their software against revisions to the IBM z/OS Operating System and, if any integrity exposures were found, they would have reported the vulnerabilities to IBM z/OS Development and Development would have fixed them. That would just be the normal course of business within IBM. But, then, how can you reconcile the fact that our VAT product has located SIXTY SEVEN (67) new system integrity vulnerabilities in z/OS within the last two years. And, our clients have reported them to IBM, IBM has accepted them as errors, issued APARs for all of them and issued PTFs for almost all of them. So, obviously, the IBM Tivoli zSecure Audit package is not catching these errors. And, if IBM is not catching these in their own code, what about the ones introduced by the rest of the Independent Software Vendor products and locally developed or otherwise obtained code on your system? There is a big vulnerability here that cannot be ignored.
>
> An exploit of a z/OS (or ISV) system integrity vulnerability would allow the illegitimate user to obtain control in an authorized state and use this state to change his security credentials to obtain access and be able to modify any RACF protected resource on the system with no SMF journaling of the access. We have found these integrity exposures in code that is in operation on every z/OS system in existence. That is something to be concerned about and to act on.
>
> I have no idea of the comparison between the cost of our Vulnerability Analysis Tool versus the competition. We would be happy to discuss that with you -- we believe it is inexpensive compared to the benefits which include not only a reduction of risk and exposure to data loss and modification which would result in exposure of company secrets, private information and financial loss, but a reduction of system outages. But, VAT works and locates the errors that other software/services do not. I can totally assure you that a manual process just will not work in our lifetimes. So, an automated process is necessary. And VAT provides that automation.
>
> And I agree with you that many z/OS Auditors need to be educated on this.
>
> Ray Overby
> Key Resources, Inc.
> Ensuring System Integrity for z/Series(TM)
> www.vatsecurity.com
> (312)574-0007
>
> On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
>
> > Cris Hernandez #9 wrote:
> >
> > > I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.
> >
> > Jim Marshall wrote:
> >
> > > Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Anyone has a constructive solution as to one
Re: z/OS Virus Checker zLinux Virus Checker
Don't see anything like a forum in the sitemap of your web site.

J

On Fri, Mar 4, 2011 at 7:21 AM, Dr. Stephen Fedtke max_mainframe_...@fedtke.com wrote:

> hi all, i almost missed this discussion. if you are interested in further arguments and details in this field Vulnerability Analysis and Scan on z you should also refer to the it security forum on our website. we completely solve this problem for over a decade. best stephen
>
> [ ... rest snipped ... ]
Re: z/OS Virus Checker zLinux Virus Checker
In 566594.91769...@web65504.mail.ac4.yahoo.com, on 01/31/2011 at 01:39 PM, Scott Ford scott_j_f...@yahoo.com said:

> I agree with Elardus Engelbrecht. I understand the auditors have a job to do,

Shooting from the hip is not part of their job. However common it may be for auditors to generate BS requirements, that is *not* what they are supposed to be doing; they are supposed to be verifying compliance with policies and best practices. Actually doing their job instead of counting coup requires that they understand the environment that they are auditing.

From my perspective, the worst part is that while they are generating busy work they are failing to identify the real problems.

-- 
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: z/OS Virus Checker zLinux Virus Checker
Clark Morris wrote:

> If there is a virus, Trojan etc. that affects web servers such as Eclipse, then that server on zOS may be vulnerable.

This is where the scope should be. You should have something to check the z/OS, something else to check on z/Linux, something else to check all those things which run Java, SQL, source codes, etc. Of course, there is RACF, APF, comparing libraries, Health Checker, etc. Determine what the auditors really want (after education of course) and work on that.

Ray Overby wrote:

> There is a difference between a Virus and a System Integrity Exposure.
> [ ... rest snipped ... ]

Agreed. And thanks for your interesting comments about IBM and VAT product. I'm well aware of how IBM is working with security exposures. More or less they are working like this: They accept an APAR, keep it secret while working on it and dropping everything else. Then they distribute a fix with these words more or less: 'Apply this NOW and no, we are NOT going to tell you what it is supposed to do.'

I think we must let the OP say what he wants: A/V scanner or something like VAT product. And on WHAT should that software focus?

Paul Gilmartin wrote:

> Fantasia: An entrepreneur attempts to start a business marketing a virus detection/removal product. The business rapidly fails as purchasers return the product perceiving it's defective because it reports removing no viruses.

Oh no! You just flamed a budding entrepreneur's dream... ;-D

Groete / Greetings
Elardus Engelbrecht
Re: z/OS Virus Checker zLinux Virus Checker
I can believe auditors would ask a question like virus checking on mainframes. Been doing systems work on mainframes 40+ yrs, never seen a virus AT ALL. On a PC, totally different issue. BTW, I think one of the reasons you don't see viruses on mainframes is the difficulty required to write one, IMHO.

Scott J Ford

From: Clark Morris cfmpub...@ns.sympatico.ca
To: IBM-MAIN@bama.ua.edu
Sent: Sun, January 30, 2011 2:05:47 PM
Subject: Re: z/OS Virus Checker zLinux Virus Checker

> On 28 Jan 2011 15:21:24 -0800, in bit.listserv.ibm-main you wrote:
>
> > I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.
> >
> > The first place to hide a virus is in the OS, y/n? What protects the mainframe OS? Answer, APF. I monitor the APF libraries for any alterations on a daily basis. Any changes that didn't go thru change control are cause for investigation. Most auditors don't know squat about APF, and if they did, they would be asking about it instead of a mainframe virus scanner.
> >
> > The 2nd place to hide a virus is in software, which on the mainframe are the command libraries. Aside from the potential for corrupt vendor software (unlikely a vendor will install a compromised loadlib, but we're talking auditors here), most of those command libraries (vendor, in-house) are written in interpretive languages and can be scanned using standard PDS utilities for whatever string (like delete commands) your shop believes poses the greatest threat. Loadlibs can be scanned using standard utilities as well. One method is to unload the PDS to a GDG daily, and compare the current to the previous day's file for any changes. Start with the linklist and the logon proc sysproc/sysexec allocations, after that the catalog can be scanned for application and personal clist/rexx libraries.
> >
> > Looking for changes to the baseline may not qualify as a virus scanner, but it's a whole lot better than doing nothing or spending a fortune on unnecessary software.
>
> If there is a virus, Trojan etc. that affects web servers such as Eclipse, then that server on zOS may be vulnerable. A virus, worm, etc. designed to execute Intel code won't be much of a problem but code designed to execute Java code could be. The question is what applications are running that communicate with the world at large (online banking, online ordering, etc.) and what are their vulnerabilities. Can SQL injection work against DB2?
>
> Clark Morris
>
> > The 3rd place I look for mainframe malware is in the parmlibs, JCL, macros, utilities and such. DASD utilities can erase the entire storage pool if corrupted. Who can update these libraries? Are they subject to stringent change control procedures? Are their contents monitored for changes and content? Does your auditor know what DASD is? HSM? DFDSS?
> >
> > Address these items and I can almost guarantee that you'll pass your audits like I do.
> >
> > Disclaimer: apart from monitoring APF, none of the above is industry standard, not yet anyway...
> >
> > -hernandez
> >
> > On Fri, 28 Jan 2011 12:27:54 -0600, Jim Marshall jim.marsh...@opm.gov wrote:
> >
> > > Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Anyone has a constructive solution as to one being available or some verbiage which defends the position. Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
> > >
> > > thanks jim
Re: z/OS Virus Checker zLinux Virus Checker
Perhaps there is also an issue of availability. Windows, linux, bsd, etc. are cheap or free, so the barrier to entry to obtaining supervisor state (root) is very low. Everyone is the administrator on their own system. Whereas, the barriers to entry for getting a zOS system where you have the ability to actually switch to supervisor state are rather high. Hercules and pirated copies of zOS are reducing this somewhat, but there is an education curve.

Another factor is the limited number of target systems when you compare the zOS installed base on a worldwide basis to the number of the previously mentioned systems. Just based on sheer numbers, it is much more likely to find an 'open' windows, Linux, etc., system than a zOS system. That combined with the fact that zOS and related systems have always had a much stricter installation process makes them less likely to be successfully attacked by a virus.

There is also an almost unlimited amount of ISV software for windows, linux, etc. of unknown quality and authorship. This also combines with the other factors to make it that much easier to place viruses on these machines.

While theoretically possible, it seems like there is a low probability for a zOS virus to show up in the field. The other attack vectors still hold: insider damage, non-virus attack (DOS on a zOS based website), etc. can still occur. But these are a different, but related, issue.

Mon, Jan 31, 2011 at 10:53 AM, Scott Ford scott_j_f...@yahoo.com wrote:

> I can believe auditors would ask a question like virus checking on mainframes. Been doing systems work on mainframes 40+ yrs, never seen a virus AT ALL. On a PC, totally different issue. BTW, I think one of the reasons you don't see viruses on mainframes is the difficulty required to write one, IMHO.
>
> Scott J Ford
>
> [ ... rest snipped ... ]
Re: z/OS Virus Checker zLinux Virus Checker
On Mon, 31 Jan 2011 10:53:28 -0800, Scott Ford scott_j_f...@yahoo.com wrote:

> I can believe auditors would ask a question like virus checking on mainframes. Been doing systems work on mainframes 40+ yrs, never seen a virus AT ALL. On a PC, totally different issue. BTW, I think one of the reasons you don't see viruses on mainframes is the difficulty required to write one, IMHO.
>
> Scott J Ford

Our auditors don't think that way. They think a computer is a computer is a computer and they all run windows and they all need McAfee AntiVirus because that is what the windows team said they run on all the desktops. So we were hit because we did not have McAfee on the z890.

/Tom Kern

PS. They did not appreciate my picture of the z890 with a McAfee box on top of it.
Re: z/OS Virus Checker zLinux Virus Checker
Thomas Kern wrote:

> Our auditors don't think that way. They think a computer is a computer is a computer and they all run windows and they all need McAfee AntiVirus because that is what the windows team said they run on all the desktops. So we were hit because we did not have McAfee on the z890.

Ask the auditors to go to McAfee/Symantec/Kaspersky/Norton/etc. and ask those vendors if they have any software for z/OS... Offer them a free lunch if they indeed find one.

> PS. They did not appreciate my picture of the z890 with a McAfee box on top of it.

;-D They're like the tax man...

Groete / Greetings
Elardus Engelbrecht
Re: z/OS Virus Checker zLinux Virus Checker
On Mon, 2011-01-31 at 14:22 -0500, Sam Siegel wrote:

> Hercules and pirated copies of zOS

Do you have evidence of this?

-- 
David Andrews
A. Duda Sons, Inc.
david.andr...@duda.com
Re: z/OS Virus Checker zLinux Virus Checker
I agree with Elardus Engelbrecht. I understand the auditors have a job to do, no issue. I can remember one auditor telling me to pull superzap off our box and re-link when we needed. I rolled my eyes, I couldn't believe what I was hearing. I strongly feel if you don't understand something like virus checking on a mainframe, look at IBM: do they write one or offer one with z/OS? ... Should I now step down from my soapbox ..

Regards,
Scott J Ford

From: Elardus Engelbrecht elardus.engelbre...@sita.co.za
To: IBM-MAIN@bama.ua.edu
Sent: Mon, January 31, 2011 2:40:45 PM
Subject: Re: z/OS Virus Checker zLinux Virus Checker

> [ ... Thomas Kern's quoted text snipped ... ]
>
> Ask the auditors to go to McAfee/Symantec/Kaspersky/Norton/etc. and ask those vendors if they have any software for z/OS... Offer them a free lunch if they indeed find one.
>
> ;-D They're like the tax man...
>
> Groete / Greetings
> Elardus Engelbrecht
Re: z/OS Virus Checker zLinux Virus Checker
Thomas Kern wrote on 1/31/2011 11:23 AM:

> PS. They did not appreciate my picture of the z890 with a McAfee box on top of it.

A manager at one shop I worked at long long ago mentioned that at his previous shop, the auditors once came in and asked "What do you have that keeps application programmers from updating system libraries?" He responded "Oh, we bought ACF2." Auditor said "ok, good" and left. Manager turned to another person in his office and said "It's sitting on the shelf right over there."

/Leonard
Re: z/OS Virus Checker zLinux Virus Checker
In listserv%201101281227548868.0...@bama.ua.edu, on 01/28/2011 at 12:27 PM, Jim Marshall jim.marsh...@opm.gov said:

> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Anyone has a constructive solution as to one being available or some verbiage which defends the position.

We are not using z/OS to distribute PC software. We are not automatically executing data files from sources outside of our control.

But first ensure that both statements are true.

-- 
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: z/OS Virus Checker zLinux Virus Checker
In 701312.84358...@web31803.mail.mud.yahoo.com, on 01/28/2011 at 03:20 PM, Cris Hernandez #9 hernandez...@yahoo.com said:
> Address these items and I can almost guarantee that you'll pass your audits like I do.

Only if they have the same auditors that you do.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: z/OS Virus Checker zLinux Virus Checker
In 4d431dc8.2080...@comcast.net, on 01/28/2011 at 01:49 PM, Ray Overby rayove...@comcast.net said:
> A Virus exploits a system integrity vulnerability.

The OP quoted the auditors about asking only about virus threats, not vulnerabilities in general.

> Since we started using the tool commercially, in the last two years, we have found close to 100 system integrity vulnerabilities in z/OS and ISV products.

K3wl. Have you found a virus?

> So, your Auditors are correct

Not unless the OP seriously misrepresented what they asked. To me it read like the standard auditor behavior of addressing nonissues while failing to address the real issues.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress. (S877: The Shut up and Eat Your spam act of 2003)
Re: z/OS Virus Checker zLinux Virus Checker
On 28 Jan 2011 15:21:24 -0800, in bit.listserv.ibm-main you wrote:
> I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.
>
> The first place to hide a virus is in the OS, y/n? What protects the mainframe OS? Answer, APF. I monitor the APF libraries for any alterations on a daily basis. Any changes that didn't go thru change control are cause for investigation. Most auditors don't know squat about APF, and if they did, they would be asking about it instead of a mainframe virus scanner.
>
> The 2nd place to hide a virus is in software, which on the mainframe are the command libraries. Aside from the potential for corrupt vendor software (unlikely a vendor will install a compromised loadlib, but we're talking auditors here), most of those command libraries (vendor/in-house) are written in interpretive languages and can be scanned using standard PDS utilities for whatever string (like delete commands) your shop believes poses the greatest threat. Loadlibs can be scanned using standard utilities as well. One method is to unload the PDS to a GDG daily, and compare the current to the previous day's file for any changes. Start with the linklist and the logon proc sysproc/sysexec allocations; after that the catalog can be scanned for application and personal clist/rexx libraries. Looking for changes to the baseline may not qualify as a virus scanner, but it's a whole lot better than doing nothing or spending a fortune on unnecessary software.

If there is a virus, Trojan etc. that affects web servers such as Eclipse, then that server on z/OS may be vulnerable. A virus, worm, etc. designed to execute Intel code won't be much of a problem but code designed to execute Java code could be.

The question is what applications are running that communicate with the world at large (online banking, online ordering, etc.) and what are their vulnerabilities. Can SQL injection work against DB2?

Clark Morris

> The 3rd place I look for mainframe malware is in the parmlibs, JCL, macros, utilities and such. DASD utilities can erase the entire storage pool if corrupted. Who can update these libraries? Are they subject to stringent change control procedures? Are their contents monitored for changes and content? Does your auditor know what DASD is? HSM? DFDSS?
>
> Address these items and I can almost guarantee that you'll pass your audits like I do.
>
> Disclaimer: apart from monitoring APF, none of the above is industry standard, not yet anyway...
>
> -hernandez
>
> On Fri, 28 Jan 2011 12:27:54 -0600, Jim Marshall jim.marsh...@opm.gov wrote:
>> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>>
>> Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
>>
>> thanks
>> jim
Re: z/OS Virus Checker zLinux Virus Checker
Cris Hernandez #9 wrote:
> I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.

Jim Marshall wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?

After reading all those good answers, please allow me a reply: I told my auditors this:

1. There are NO vendors for z/OS antivirus software. Give me one example and I'm ready to talk with my management. Otherwise we talk about RACF, APF, etc. as discussed already in this thread.
2. There is Linux and Unix antivirus software, but z/OS itself is immune against the threats.
3. Some disgruntled employee(s) may place a TROJAN, not a virus. It happened, unfortunately. That is another matter for another rainy day.
4. Depending on RACF accesses, one can write something in any language to delete or modify datasets. Anyone. It is up to you to protect your z/OS. Read again that thread in ibmmainframes.com mentioned in this thread for some info.
5. About VAT Security and similar software/service - It looked to me that this is *ethical* hacking/penetrating/scanning for defects and exposures. That is the standard (?), but expensive way, for checking out your z/OS. There are many such software and services available from various vendors.

I'm very sure those auditors are in for a serious *re-education* ;-D

Groete / Greetings
Elardus Engelbrecht
Re: z/OS Virus Checker zLinux Virus Checker
Elardus,

Please let me add some information in response to your posting:

There is a difference between a Virus and a System Integrity Exposure. The System Integrity Exposure is the Root Cause that a Virus exploits. There may be many Viruses, especially in Windows Systems, which exploit the same Root Cause. The PC Virus checkers look for the signatures of Virus code either executing or in directories and then take action to remove them. The Virus Checkers cannot fix the Root Cause -- in the case of Windows, only Microsoft can do that. But, it would be better if Microsoft would fix the Root Cause because then the Virus programs would become ineffective.

IBM's Statement of Integrity clearly states that if a System Integrity Vulnerability (the Root Cause) is reported to IBM, they will fix it. Microsoft does not make this commitment and this is why the z/OS Operating System is a much more securable system than Windows. However, z/OS is not immune to these threats because it too has system integrity vulnerabilities. In your posting, you state that there are many alternatives to our Vulnerability Analysis Product for the ethical hacking/penetrating/scanning for defects and exposures. In fact, IBM purports to provide this capability from their Tivoli zSecure unit. On their zSecure Audit Website, they state: "Security zSecure Audit includes a powerful system integrity analysis feature. Reports identify exposures and potential threats based on intelligent analysis built into the system." That's a pretty powerful and absolute statement. But, since Tivoli is part of IBM you can be assured that their Quality Assurance Unit regularly tests their software against revisions to the IBM z/OS Operating System and, if any integrity exposures were found, they would have reported the vulnerabilities to IBM z/OS Development and Development would have fixed them. That would just be the normal course of business within IBM.

But, then, how can you reconcile the fact that our VAT product has located SIXTY SEVEN (67) new system integrity vulnerabilities in z/OS within the last two years? And, our clients have reported them to IBM, IBM has accepted them as errors, issued APARs for all of them and issued PTFs for almost all of them. So, obviously, the IBM Tivoli zSecure Audit package is not catching these errors. And, if IBM is not catching these in their own code, what about the ones introduced by the rest of the Independent Software Vendor products and locally developed or otherwise obtained code on your system? There is a big vulnerability here that cannot be ignored.

An exploit of a z/OS (or ISV) system integrity vulnerability would allow the illegitimate user to obtain control in an authorized state and use this state to change his security credentials to obtain access and be able to modify any RACF protected resource on the system with no SMF journaling of the access. We have found these integrity exposures in code that is in operation on every z/OS system in existence. That is something to be concerned about and to act on.

I have no idea of the comparison between the cost of our Vulnerability Analysis Tool versus the competition. We would be happy to discuss that with you -- we believe it is inexpensive compared to the benefits which include not only a reduction of risk and exposure to data loss and modification which would result in exposure of company secrets, private information and financial loss, but a reduction of system outages. But, VAT works and locates the errors that other software/services do not. I can totally assure you that a manual process just will not work in our lifetimes. So, an automated process is necessary. And VAT provides that automation.

And I agree with you that many z/OS Auditors need to be educated on this.

Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series(TM)
www.vatsecurity.com
(312)574-0007

On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
> Cris Hernandez #9 wrote:
>> I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.
>
> Jim Marshall wrote:
>> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>
> After reading all those good answers, please allow me a reply: I told my auditors this:
>
> 1. There are NO vendors for z/OS antivirus software. Give me one example and I'm ready to talk with my management. Otherwise we talk about RACF, APF, etc. as discussed already in this thread.
> 2. There is Linux and Unix antivirus software, but z/OS itself is immune against the threats.
> 3. Some disgruntled employee(s) may place a TROJAN, not a virus. It happened, unfortunately. That is another matter for another
Re: z/OS Virus Checker zLinux Virus Checker
On Sat, 29 Jan 2011 14:04:21 -0600, Ray Overby wrote:
> ..., if any integrity exposures were found, they would have reported the vulnerabilities to IBM z/OS Development and Development would have fixed them. That would just be the normal course of business within IBM.

However, sometimes IBM simply notifies customers that an IBM product poses an integrity threat and should be used only by highly trusted personnel, and does not provide information concerning what actions those trusted users should avoid.

[advertising snipped]

> On 1/29/2011 09:12 AM, Elardus Engelbrecht wrote:
>> 1. There are NO vendors for z/OS antivirus software. Give me one example and I'm ready to talk with my management. Otherwise we talk about RACF, APF, etc. as discussed already in this thread.

Fantasia: An entrepreneur attempts to start a business marketing a virus detection/removal product. The business rapidly fails as purchasers return the product, perceiving it's defective because it reports removing no viruses.

>> 2. There is Linux and Unix antivirus software, but z/OS itself is immune against the threats.

Sort of. The popular ClamAV mostly filters outgoing emails for Windows viruses as an act of social responsibility. And maybe to satisfy auditors.

-- gil
z/OS Virus Checker zLinux Virus Checker
Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?

Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.

thanks
jim
Re: z/OS Virus Checker zLinux Virus Checker
http://ibmmainframes.com/about5373.html discusses MVS internal attack testing and no actual attacks. Some damage from trusted users misusing commands.

http://www.informatik.uni-leipzig.de/cs/Literature/Features/report.pdf Bottom of page 20, section 2.3.5.

Of course, mainframe communications are subject to being monitored by spyware in network connections (TJMAX).

I know we run McAfee virus checkers on Netware servers to find emailed viruses in attachments for Windows. Would not be surprised to find this use on z/Linux or z/Notes, etc. in products that handle email.

http://www.mail-archive.com/linux-390@vm.marist.edu/msg58573.html z/Linux ClamAV and compile from source. Suggestion is all communication go through one z/Linux server running this.

http://linuxvm.org/present/SHARE111/S9249ea.pdf SHARE presentation of testing Linux on z/VM including security tools on page 12, foil 26.

On Fri, Jan 28, 2011 at 12:27 PM, Jim Marshall jim.marsh...@opm.gov wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>
> Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
>
> thanks
> jim

--
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?
Re: z/OS Virus Checker zLinux Virus Checker
On 28 January 2011 13:27, Jim Marshall jim.marsh...@opm.gov wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker.

Perhaps you should ask them to point out a z/OS virus that you could use to test with...

> Does anyone have a constructive solution as to one being available

Some time ago one of our customers wanted to use z/OS UNIX as a file server to store Windows users' data on. They were talking to us about synchronizing their DCE and Windows passwords, but in passing they wanted something to scan for Windows malware on z/OS. At the time, Sophos claimed to have such a thing, but to my knowledge it was never actually delivered. I'm not sure if the customer eventually implemented their server as proposed, or to what extent the lack of AV was the cause.

> or some verbiage which defends the position?

I would ask your auditors what malware problem they are trying to address. If they believe there is malware in the wild that targets z/OS, I think we would all be interested to hear about it. Obviously it's not impossible, and there have been various trojans and such over the last decades, but it's just not the problem that Windows in particular faces. If they are concerned about z/OS hosting Windows malware in its files, even though z/OS itself is immune (unless it's Java, perhaps), then they should identify the threat, i.e. how does its presence on z/OS threaten the target Windows platforms?

You might be able to divide and conquer... If they can't point out any z/OS malware, and can't show a scenario where Windows malware in z/OS files causes an additional exposure to Windows systems, then you're done. If they claim that Windows malware on z/OS is a problem, then ask them if their approved Windows AV scheme scans for z/OS malware in Windows files, and if not why not! That should keep them busy.

Tony H.
Re: z/OS Virus Checker zLinux Virus Checker
A Virus exploits a system integrity vulnerability. About five years ago, I was engaged to investigate a z/OS facility for system integrity vulnerabilities and, through that work, have developed a product, the z/OS Vulnerability Analysis Tool, that does a system vulnerability assessment on z/OS. Since we started using the tool commercially, in the last two years, we have found close to 100 system integrity vulnerabilities in z/OS and ISV products. So, your Auditors are correct -- you should be investigating your systems for integrity vulnerabilities. For more information, please visit http://www.vatsecurity.com and attend one of our webinars or contact us so we can discuss it.

Ray Overby
Key Resources, Inc.
ray.ove...@kr-inc.com

On 1/28/2011 12:27 PM, Jim Marshall wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>
> Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
>
> thanks
> jim
Re: z/OS Virus Checker zLinux Virus Checker
I don't have a z/OS solution for you, but I do use ClamAV on my zLinux webservers. It is not an efficient solution. It takes a lot of CPU and I/O. If I had to do it over again, I would engineer an x86 staging server to do ALL the Anti-Virus scanning as files are placed there for migration to the public site. Only web content providers would be allowed to put stuff there. It would be scanned and, if clean, migrated to the appropriate production server in the correct subdirectories. The operating system components and applications code would be scanned on the maintenance server before being migrated into production. I would argue that with such an auditable process with anti-virus steps, I do not need an anti-virus program on my production zLinux servers.

/Tom Kern
/301-903-2211
/Contractor to US Dept of Energy

On Fri, 28 Jan 2011 12:27:54 -0600, Jim Marshall jim.marsh...@opm.gov wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>
> Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
>
> thanks
> jim
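Tom Kern's staging-server design above, and Mike Schwab's earlier pointer to routing all traffic through one z/Linux server running ClamAV, both reduce to a gate: a file reaches production only after a scan has returned clean, and a scanner failure is treated the same as a detection. The following is an added example, not code from Tom, from ClamAV or from any project in this thread. It assumes a scanner invoked as a command that follows clamscan's documented exit-code convention (0 clean, 1 something found, 2 error); the staging and production directory layout, the sample files and the stub scanner that stands in for clamscan are constructed for the demonstration.

```python
"""Staging-server AV gate: copy into production only what scans clean.

Added example, not Tom Kern's or any product's code. Assumes a scanner
command with clamscan's exit-code convention: 0 clean, 1 found, 2 error.
"""
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

CLEAN, INFECTED, ERROR = 0, 1, 2
DEFAULT_SCANNER = ("clamscan", "--no-summary")   # real clamscan invocation


def classify(returncode):
    """Map a scanner exit code to a verdict; anything unexpected is an error."""
    if returncode == CLEAN:
        return "clean"
    if returncode == INFECTED:
        return "infected"
    return "error"          # 2 (or anything else): scanner failure, never promote


def scan_file(path, scanner_cmd=DEFAULT_SCANNER):
    """Run the scanner on one file and return its verdict."""
    proc = subprocess.run([*scanner_cmd, str(path)], capture_output=True, text=True)
    return classify(proc.returncode)


def promote(staging_dir, production_dir, scanner_cmd=DEFAULT_SCANNER):
    """Scan every file under staging_dir; copy clean ones into production_dir
    at the same relative path. Returns {relative_path: verdict} for the audit trail."""
    staging_dir, production_dir = Path(staging_dir), Path(production_dir)
    results = {}
    for src in sorted(p for p in staging_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(staging_dir)
        verdict = scan_file(src, scanner_cmd)
        results[rel.as_posix()] = verdict
        if verdict == "clean":          # fail closed: "infected" and "error" stay in staging
            dest = production_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
    return results


# Constructed stand-in for clamscan so the example runs offline: exits 2 on an
# empty file (simulated scanner failure), 1 if a marker string is present, else 0.
STUB_SCANNER = (
    sys.executable, "-c",
    "import sys; d = open(sys.argv[-1], 'rb').read(); "
    "sys.exit(2 if not d else 1 if b'STUB-MALWARE' in d else 0)",
)


def demo_run(scanner_cmd=STUB_SCANNER):
    """Build a throwaway staging tree, run the gate, report what got promoted."""
    with tempfile.TemporaryDirectory() as tmp:
        staging, prod = Path(tmp, "staging"), Path(tmp, "prod")
        (staging / "css").mkdir(parents=True)
        (staging / "index.html").write_text("<html>hello</html>")
        (staging / "css" / "site.css").write_text("body { margin: 0 }")
        (staging / "bad.bin").write_bytes(b"STUB-MALWARE sample payload")   # constructed
        (staging / "empty.txt").write_bytes(b"")                            # scanner error
        results = promote(staging, prod, scanner_cmd)
        promoted = sorted(p.relative_to(prod).as_posix()
                          for p in prod.rglob("*") if p.is_file())
    return results, promoted


if __name__ == "__main__":
    verdicts, copied = demo_run()
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("promoted:", copied)
```

The verdict map is the part worth keeping: written to a log per run, it is the "auditable process" Tom describes, and the fail-closed handling of exit code 2 matters because a scanner that cannot open its signature database must not wave content through.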
Re: z/OS Virus Checker zLinux Virus Checker
Date: Fri, 28 Jan 2011 14:25:26 -0500
From: t...@harminc.net
> If they claim that Windows malware on z/OS is a problem, then ask them if their approved Windows AV scheme scans for z/OS malware in Windows files, and if not why not!

I like that, Tony!

Cliff McNeill
Re: z/OS Virus Checker zLinux Virus Checker
I too have auditors who treat my mainframe like one of those little puters and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.

The first place to hide a virus is in the OS, y/n? What protects the mainframe OS? Answer, APF. I monitor the APF libraries for any alterations on a daily basis. Any changes that didn't go thru change control are cause for investigation. Most auditors don't know squat about APF, and if they did, they would be asking about it instead of a mainframe virus scanner.

The 2nd place to hide a virus is in software, which on the mainframe are the command libraries. Aside from the potential for corrupt vendor software (unlikely a vendor will install a compromised loadlib, but we're talking auditors here), most of those command libraries (vendor/in-house) are written in interpretive languages and can be scanned using standard PDS utilities for whatever string (like delete commands) your shop believes poses the greatest threat. Loadlibs can be scanned using standard utilities as well. One method is to unload the PDS to a GDG daily, and compare the current to the previous day's file for any changes. Start with the linklist and the logon proc sysproc/sysexec allocations; after that the catalog can be scanned for application and personal clist/rexx libraries. Looking for changes to the baseline may not qualify as a virus scanner, but it's a whole lot better than doing nothing or spending a fortune on unnecessary software.

The 3rd place I look for mainframe malware is in the parmlibs, JCL, macros, utilities and such. DASD utilities can erase the entire storage pool if corrupted. Who can update these libraries? Are they subject to stringent change control procedures? Are their contents monitored for changes and content? Does your auditor know what DASD is? HSM? DFDSS?

Address these items and I can almost guarantee that you'll pass your audits like I do.

Disclaimer: apart from monitoring APF, none of the above is industry standard, not yet anyway...

-hernandez

On Fri, 28 Jan 2011 12:27:54 -0600, Jim Marshall jim.marsh...@opm.gov wrote:
> Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a Virus Checker. Does anyone have a constructive solution as to one being available or some verbiage which defends the position?
>
> Been hunting around for a Virus Checker for zLinux. Also interested in what kind of overhead it might use.
>
> thanks
> jim
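Cris Hernandez's daily baseline routine, quoted in Clark Morris's reply earlier in the thread and given in full in the post above (unload the PDS to a GDG every day, compare against the previous day's unload, and scan the interpretive members for whatever strings the shop worries about), as an added example that is not Cris's, Clark's or any product's code. It assumes that the two unloads have already been read into Python as maps from member name to raw member bytes, that member content is EBCDIC (cp037) as it arrives from a z/OS PDS, and that the member names, member contents and the watch-pattern list are constructed sample data; the post names only "delete commands", so ALTER and RENAME in the watch list are an assumption.

```python
"""Daily library baseline check: diff today's unload against yesterday's and
scan what changed for watch strings.

Added example, not Cris Hernandez's or any product's code. Assumes both
unloads (say GDG(0) and GDG(-1)) have already been read into dicts of
member name -> raw member bytes, and that members are EBCDIC (cp037).
"""
import hashlib
import re

# Watch list: the post names "delete commands"; the other two are assumptions.
WATCH_PATTERNS = {
    "delete": re.compile(r"\bDELETE\b", re.IGNORECASE),
    "alter":  re.compile(r"\bALTER\b", re.IGNORECASE),
    "rename": re.compile(r"\bRENAME\b", re.IGNORECASE),
}


def fingerprint(snapshot):
    """Member name -> SHA-256 of its content; hashes are what a baseline file keeps."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in snapshot.items()}


def compare_baselines(previous, current):
    """Added, removed and modified member names between two unloads."""
    prev_fp, cur_fp = fingerprint(previous), fingerprint(current)
    common = prev_fp.keys() & cur_fp.keys()
    return {
        "added": sorted(cur_fp.keys() - prev_fp.keys()),
        "removed": sorted(prev_fp.keys() - cur_fp.keys()),
        "modified": sorted(n for n in common if prev_fp[n] != cur_fp[n]),
    }


def scan_member(body, codec="cp037"):
    """[(line_no, label)] for every watch-pattern hit in an interpretive member.
    Lines that are only a comment (start with /*) are skipped; a trailing comment
    on a code line is still scanned, which errs toward noise rather than misses."""
    hits = []
    for line_no, line in enumerate(body.decode(codec).splitlines(), start=1):
        if line.lstrip().startswith("/*"):
            continue
        for label, pattern in WATCH_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, label))
    return hits


def daily_report(previous, current, codec="cp037"):
    """Diff the two unloads, then scan only added/modified members:
    unchanged members were already reviewed on the day they changed."""
    diff = compare_baselines(previous, current)
    hits = {}
    for name in diff["added"] + diff["modified"]:
        found = scan_member(current[name], codec)
        if found:
            hits[name] = found
    return diff, hits


# Constructed sample unloads of a small REXX/CLIST library, encoded to EBCDIC
# the way a member read from a z/OS PDS would arrive.
def _ebcdic(*lines):
    return "\n".join(lines).encode("cp037")

YESTERDAY = {
    "LISTALL": _ebcdic("/* REXX */", "ADDRESS TSO", '"LISTCAT LEVEL(SYS1)"'),
    "CLEANUP": _ebcdic("/* REXX */", "ADDRESS TSO", '"FREE FI(SYSUT1)"'),
    "OLDPROC": _ebcdic("PROC 0", "WRITE HELLO"),
}
TODAY = {
    "LISTALL": YESTERDAY["LISTALL"],                         # untouched
    "CLEANUP": _ebcdic("/* REXX */", "ADDRESS TSO",          # one line was added
                       '"FREE FI(SYSUT1)"', "\"DELETE 'SYS1.TEMP.WORK'\""),
    "NEWEXEC": _ebcdic("/* REXX: housekeeping */",           # brand new member
                       "/* DELETE here is only a comment */",
                       "\"RENAME 'SYS1.OLD.NAME' 'SYS1.NEW.NAME'\""),
}

if __name__ == "__main__":
    diff, hits = daily_report(YESTERDAY, TODAY)
    print("baseline diff:", diff)
    print("watch hits   :", hits)
```

Hashing members rather than storing yesterday's full text keeps the baseline small, and restricting the string scan to the added and modified members is what makes the daily job readable: on a quiet day the report is empty, and on a busy one every hit is tied to a change that should have a change-control ticket behind it. The same diff step applies unchanged to APF and linklist loadlibs, where only the added/removed/modified list is meaningful.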