Re: z/OS Configuration for Security - Not RACF or other ESM
On 13Jul02:2324-0500, Paul Gilmartin wrote:
> On Tue, 2 Jul 2013 23:26:57 -0400, Rob Schramm wrote:
> >
> >Not sure about the "church lady" reference. Ye old brain is a bit dull
> >today.
> >
> http://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks

https://en.wikipedia.org/wiki/COPS_%28software%29

Hmmm... I can't remember why I associated Larry Wall with COPS.

--
May the LORD God bless you exceedingly abundantly!

Dave_Craig__
"So the universe is not quite as you thought it was. You'd better rearrange your beliefs, then. Because you certainly can't rearrange the universe."
__--from_Nightfall_by_Asimov/Silverberg_

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS Configuration for Security - Not RACF or other ESM
On Tue, 2 Jul 2013 23:26:57 -0400, Rob Schramm wrote:
>
>Not sure about the "church lady" reference. Ye old brain is a bit dull
>today.
>
http://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks

-- gil

Re: z/OS Configuration for Security - Not RACF or other ESM
On 13Jul02:2326-0400, Rob Schramm wrote:
>
> Not sure about the "church lady" reference. Ye old brain is a bit dull
> today.
>
> On Sun, Jun 30, 2013 at 10:57 PM, Paul Gilmartin wrote:
>
> > On Sun, 30 Jun 2013 17:33:52 -0400, Rob Schramm wrote:
> >
> > >If you are feeling the need for extra paranoia, Ray Overby's tool to probe
> > >all the services that might allow the MVS equivalent of "super user". For
> > >data... PCI .. Xbridge for analyzing all data on the system for compliance.
> > >
> > Could it be ... SATAN?

IIRC, SATAN was a POSIX-oriented toolkit that came into availability around the same time as Larry Wall's COPS.

https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks

--
May the LORD God bless you exceedingly abundantly!

Dave_Craig__
"So the universe is not quite as you thought it was. You'd better rearrange your beliefs, then. Because you certainly can't rearrange the universe."
__--from_Nightfall_by_Asimov/Silverberg_

Re: z/OS Configuration for Security - Not RACF or other ESM
Gil,

Not sure about the "church lady" reference. Ye old brain is a bit dull today.

As I remember the hacking was done and presented by an IBMer.

I couldn't agree more about the security by obscurity. But in a certain sense, isn't that what encryption is? But I don't think security is hard.. but it does take time, effort and consistency... very Deming in a lot of ways.

Rob Schramm

Rob Schramm
Senior Systems Consultant
Imperium Group

On Sun, Jun 30, 2013 at 10:57 PM, Paul Gilmartin wrote:

> On Sun, 30 Jun 2013 17:33:52 -0400, Rob Schramm wrote:
>
> >If you are feeling the need for extra paranoia, Ray Overby's tool to probe
> >all the services that might allow the MVS equivalent of "super user". For
> >data... PCI .. Xbridge for analyzing all data on the system for compliance.
> >
> Could it be ... SATAN?
>
> >Seems that there is a RACF hacking guide for subverting a security DB.
> >Numerous conversations about sysprog LPARS.
> >
> Adversarial or friendly?
>
> I don't believe in Security by Obscurity.
>
> -- gil

Re: z/OS Configuration for Security - Not RACF or other ESM
On Sun, 30 Jun 2013 17:33:52 -0400, Rob Schramm wrote:

>If you are feeling the need for extra paranoia, Ray Overby's tool to probe
>all the services that might allow the MVS equivalent of "super user". For
>data... PCI .. Xbridge for analyzing all data on the system for compliance.
>
Could it be ... SATAN?

>Seems that there is a RACF hacking guide for subverting a security DB.
>Numerous conversations about sysprog LPARS.
>
Adversarial or friendly?

I don't believe in Security by Obscurity.

-- gil

Systems programmers as security risks was Re: z/OS Configuration for Security - Not RACF or other ESM
On 30 Jun 2013 14:34:01 -0700, in bit.listserv.ibm-main you wrote:

>If you are feeling the need for extra paranoia, Ray Overby's tool to probe
>all the services that might allow the MVS equivalent of "super user". For
>data... PCI .. Xbridge for analyzing all data on the system for compliance.
>
>Seems that there is a RACF hacking guide for subverting a security DB.
>Numerous conversations about sysprog LPARS.

Regardless of your beliefs on the merits of Edward Snowden's actions, the fact that he was a systems administrator shows some vulnerabilities in NSA's operations. How did he get all of the information he has? Was it because he was a systems administrator or because he was attuned to the mission of the organization?

Since a large number of us are or were systems programmers, this raises some very interesting and troubling issues. How easy is it for us to steal information without being caught? Do we inherently have the ability to get any information we want from the systems under our control? What are the safeguards against us going rogue? Are they so drastic that they would either greatly increase the cost of doing our jobs or cripple our organizations?

Clark Morris

>
>Rob Schramm
>On Jun 30, 2013 5:21 AM, "Elardus Engelbrecht" <
>elardus.engelbre...@sita.co.za> wrote:
>
>> Rob Schramm wrote:
>>
>> >Did anyone mention OMVS?
>>
>> Groan... ;-D
>>
>> Good catch, no one mentioned OMVS at all in this thread. When it comes to
>> OMVS and all its security things, that alone is a whole book for us
>> graybeards. ;-D
>>
>> Good luck to the OP, now that you mention OMVS/USS/zFS/etc... ;-D
>>
>> What else remains?
>>
>> Groete / Greetings
>> Elardus Engelbrecht

Re: z/OS Configuration for Security - Not RACF or other ESM
If you are feeling the need for extra paranoia, Ray Overby's tool to probe all the services that might allow the MVS equivalent of "super user". For data... PCI .. Xbridge for analyzing all data on the system for compliance.

Seems that there is a RACF hacking guide for subverting a security DB. Numerous conversations about sysprog LPARS.

Rob Schramm

On Jun 30, 2013 5:21 AM, "Elardus Engelbrecht" <elardus.engelbre...@sita.co.za> wrote:

> Rob Schramm wrote:
>
> >Did anyone mention OMVS?
>
> Groan... ;-D
>
> Good catch, no one mentioned OMVS at all in this thread. When it comes to
> OMVS and all its security things, that alone is a whole book for us
> graybeards. ;-D
>
> Good luck to the OP, now that you mention OMVS/USS/zFS/etc... ;-D
>
> What else remains?
>
> Groete / Greetings
> Elardus Engelbrecht

Re: z/OS Configuration for Security - Not RACF or other ESM
Rob Schramm wrote:

>Did anyone mention OMVS?

Groan... ;-D

Good catch, no one mentioned OMVS at all in this thread. When it comes to OMVS and all its security things, that alone is a whole book for us graybeards. ;-D

Good luck to the OP, now that you mention OMVS/USS/zFS/etc... ;-D

What else remains?

Groete / Greetings
Elardus Engelbrecht

Re: z/OS Configuration for Security - Not RACF or other ESM
Did anyone mention OMVS?

Rob Schramm

Rob Schramm
Senior Systems Consultant
Imperium Group

On Sat, Jun 29, 2013 at 11:25 AM, Elardus Engelbrecht <elardus.engelbre...@sita.co.za> wrote:

> Robert S. Hansel (RSH) wrote:
>
> >To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs
> >(governing entry of operator commands), TSO parms, installation SVCs and
> >Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs.
>
> Add also these: SMP/E usage, z/OS Communication Server controls (portlist
> for example), usage of SSL, controlling of Dig Certs (RACF/gskkyman/PKI).
>
> All your applications MUST call RACF, not using its own security methods.
> (Yes, I know this thread is about omitting RACF and also DB2, for example,
> can rather use its own security which is just about as good as RACF.)
>
> About JES2 - you need to control incoming/outgoing traffic (NJE, FTP, etc)
> too.
>
> Then - version controlling of every software package is very important -
> just one example - you need to re-assemble security exits again and again
> with each new version. Of course - RACF/ESM is partially involved.
>
> There are certainly more to add, but I need to RTFM... ;-D
>
> >So much of z/OS control is tightly coupled with RACF protection (how do
> >you protect APF libraries without RACF) that I would be inclined to combine
> >their respective security best practices into a single document.
>
> IOW - IBM Statement Of Integrity.
>
> Groete / Greetings
> Elardus Engelbrecht

Re: z/OS Configuration for Security - Not RACF or other ESM
Robert S. Hansel (RSH) wrote:

>To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs
>(governing entry of operator commands), TSO parms, installation SVCs and
>Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs.

Add also these: SMP/E usage, z/OS Communication Server controls (portlist for example), usage of SSL, controlling of Dig Certs (RACF/gskkyman/PKI).

All your applications MUST call RACF, not using its own security methods. (Yes, I know this thread is about omitting RACF and also DB2, for example, can rather use its own security which is just about as good as RACF.)

About JES2 - you need to control incoming/outgoing traffic (NJE, FTP, etc) too.

Then - version controlling of every software package is very important - just one example - you need to re-assemble security exits again and again with each new version. Of course - RACF/ESM is partially involved.

There are certainly more to add, but I need to RTFM... ;-D

>So much of z/OS control is tightly coupled with RACF protection (how do you
>protect APF libraries without RACF) that I would be inclined to combine their
>respective security best practices into a single document.

IOW - IBM Statement Of Integrity.

Groete / Greetings
Elardus Engelbrecht

Re: z/OS Configuration for Security - Not RACF or other ESM
Ken,

The reference that perhaps comes closest to what you want is the book "OS/390-z/OS Security Audit and Control Features". It used to be available from ISACA but is now out of print. It is a bit dated (2004), somewhat verbose, and mostly focused on RACF.

Also from ISACA is the 2009 checklist publication "z/OS Security Audit/Assurance Program". It is a free download for members. May not give you much more than you already have. At a glance, it appears to be a slightly updated checklist from that available in the aforementioned book.

You might also find the DISA STIG for RACF helpful. It includes controls for z/OS.

http://iase.disa.mil/stigs/os/mainframe/z_os.html

To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs (governing entry of operator commands), TSO parms, installation SVCs and Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs.

So much of z/OS control is tightly coupled with RACF protection (how do you protect APF libraries without RACF) that I would be inclined to combine their respective security best practices into a single document.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

2013 RACF Training
- Audit & Compliance Roadmap - Boston - NOV 5-8
- Intro & Basic Admin - WebEx - OCT 21-25
- Securing z/OS UNIX - WebEx - JUL 23-25
- Securing z/OS UNIX - WebEx - SEPT 17-20
- Securing z/OS UNIX - WebEx - DEC 3-6

-Original Message-
Date: Fri, 28 Jun 2013 18:46:51 +
From: Ken Porowski
Subject: z/OS Configuration for Security - Not RACF or other ESM

I have been tasked with documenting 'best practice' for configuring z/OS for security. This does not include RACF (or other ESM) practices. The scope is limited to what I can do in configuring z/OS to ensure no one can bypass RACF/ESM.

What I can think of offhand is keeping tight control of LPALIST, LINKLIST, APFLIST, SCHEDxx/PPT

Does anyone know of a book/paper/guide/reference that would outline a 'best practice' for z/OS security configuration. I've been searching this list, redbooks, Google, but not finding much that isn't RACF/ESM specific.

TIA
Ken

Ken Porowski
VP Mainframe Engineering
CIT Information Technology
+1 973 740 5459 (tel)
One CIT Drive
Livingston, NJ 07039
ken.porow...@cit.com
www.cit.com

z/OS Configuration for Security - Not RACF or other ESM
I have been tasked with documenting 'best practice' for configuring z/OS for security. This does not include RACF (or other ESM) practices. The scope is limited to what I can do in configuring z/OS to ensure no one can bypass RACF/ESM.

What I can think of offhand is keeping tight control of LPALIST, LINKLIST, APFLIST, SCHEDxx/PPT

Does anyone know of a book/paper/guide/reference that would outline a 'best practice' for z/OS security configuration. I've been searching this list, redbooks, Google, but not finding much that isn't RACF/ESM specific.

TIA
Ken

Ken Porowski
VP Mainframe Engineering
CIT Information Technology
+1 973 740 5459 (tel)
One CIT Drive
Livingston, NJ 07039
ken.porow...@cit.com
www.cit.com