Setting up SAFEGUARD: Safe and Easy A Users Perspective Carl Weber GreenHouse Software & Consulting 14Oct2003, 14:45 – 15:45 MEA-18-U, Room C 1/2

Setting up SAFEGUARD:Safe and Easy

A Users PerspectiveCarl Weber GreenHouse Software & ConsultingCarl Weber GreenHouse Software & Consulting14Oct2003, 14:45 – 15:45 14Oct2003, 14:45 – 15:45 MEA-18-U, Room C 1/2 MEA-18-U, Room C 1/2

And you think you have stress…

GH S

7 years of process computer background prior to Tandem (HW & SW)

Started with Tandem Germany 1978 First cryptographic TAL procedure written in 1979

(causing 1st trouble with the US…) First contact to SAFEGUARD in 1985

(known as OBI at that time; ask Tim Chou…)

Since 1985 product responsibility for all security related Tandem products in Germany

Brief Intro Carl Weber

GH S

Management of the two successful system evaluations at GISA (German Information Security Agency) 1989 and 1993

Participation in the NCSC evaluation incl. ceremony in Baltimore (1993)

Left Tandem 1994 and started GreenHouse as Alliance Partner, specialized in- Security Tools and Products- Security Consulting & Education (from policy development up to implementation)- System programming (TAL/pTAL, PRIV code)


GH S

I still maintain a close contact to Cupertino and the SAFEGUARD development group by- E-Mail- At least a yearly visit in Cupertino


GH S

GreenHouse runs a K122 and S7000,connected by EXPAND over IP(Itanium system is planned for end 2004)

Using most recent versions of GUARDIAN/NSK/OSS

Investment necessary to offer good quality, services, and products(you need the right tools to do a good job!)

Brief Intro GreenHouse

GH S

Development triggered in 1984 by:

- Security Pacific Bank, LA- DoD agencies (indirect)

- Roy Capaldo, Tandem (driving force Marketing)

- Tim Chou, Tandem (technical expert, designer)

with the target of reaching C2 equivalent security functionality

SAFEGUARD History

GH S

Original development team:

- Tim Chou, product and code design, coding, ‘heavy lifting’

- Bill Lamb, developed SAFECOM; later owner of entire code

- Tim Newton, manuals

- Ian Earnest, QA

- Matt Mathews, education

- Kevin Coughlin, support

- many more, part time from other development areas

SAFEGUARD History

GH S

Bill Lamb still is in charge of SAFEGUARD He is around – talk to him to get more insight

information!

SAFEGUARD History

GH S

General Security Statement

Security is another word for- Arrangement- Order- Organization

GH S

Identify Assets and Threats Topics to plan:

- Awareness (assessment of what assets are at risk )

- Accountability (who owns the asset and who needs access )

- Appropriateness (what level of access and degree of auditing is needed )

- Education (NOT product education, but: Why do we do security)


GH S


Have a Plan (Security Policy)describing the target to reach

It is a generic plan, fitting all platforms in your company!

It is a one page thing! It needs to be approved by the board of

directors!

GH S


Make a Plandescribing the way to go

Before installing mechanisms, bring order into your systeme.g. introduce and follow naming conventions

Relate Security Functions to persons

GH S


Educate your employeesNOT product usage,but WHY you are doing it!

GH S


No Plan(s) – No Security!

GH S

SAFEGUARD is a tool to enforce order on your system

It does NOT bring more security, but more granularity and new functionality!(an error 48 from GUARDIAN is as solid as an error 48 from SAFEGUARD!)

Use SAFEGUARD and its features with sense of proportion


GH S

In case GUARDIAN security solves your requirements, do NOT add SAFEGUARD rules (ACLs)!

Introducing and activating SAFEGUARD is:- 99% decision making (make the plan!) (who owns what; who needs access; who is responsible, etc.)

- 1% real work with SAFECOM (normally the creation and execution of an OBEY file)


GH S

SAFEGUARD covers these functions:

- Authentication (more than GUARDIAN)

- Authorization (more than GUARDIAN)

- Auditing (new)

- Administration (much more than GUARDIAN)

SAFEGUARD

GH S

Purchasing SAFEGUARD and paying a yearly license fee does NOT secure your system!

You have to- Run- Configure and- MaintainSAFEGUARD as well!

SAFEGUARD

GH S

Running SAFEGUARD

Methods to run SAFEGUARD

- Started ‘by hand’ (strongly recommended for beginners)

- Through the CIIN file at system cold load time (OK for experts; satisfies 99% of all customers)

- Generated into the OS (sysgened) (only needed in high risk shops; may cause outages)

GH S

Running SAFEGUARD

Command:

[run] OSMP/NAME $ZSMP,NOWAIT,PRI 199,CPU 0/1

This creates the $ZSMP monitor process as well as $ZSnn processes, and- activates all SAFEGUARD default settings or- configured settings!

GH S

Configuring SAFEGUARD

Configuring SAFEGUARD is essential SAFEGUARD without, or with insufficient,

configuration is a massive security breach! Configuration areas are:

- Management rights- Global settings- Audit file handling- Access Control Lists (ACL)

GH S

Configuring SAFEGUARDManagement

SAFEGUARD has its own internal security system, allowing different persons to manage- SAFEGUARD management- SAFEGUARD global configuration attributes- Users- Access rights (ACLs)

GH S


ObjectTypes

Users with OBJECTTYPE access rights have the ability to introduce ACLs and/or Users! - OBJECTTYPE (owner of all OBJECTTYPEs)

- USER (also controls Aliases and Groups)

- DEVICE/SUBDEVICE- PROCESS/SUBPROCESS- VOLUME/SUBVOL/DISKFILE

Introduce ALL OBJECTTYPES

GH S


Security Groups

Security Group users have management access rights in SAFEGUARD

Introduce the two Security Groups- System-Operator- Security-Administrator

GH S

Configuring SAFEGUARDAudit Service

Audit System

Allows definition of- audit service management- audit file handling- audit file size and location

GH S


Audit Service Management

WRITE-THROUGH CACHE ON | OFF

EOF REFRESH ON | OFF

RECOVERY RECYCLE [ FILES ] DENY GRANTS SUSPEND AUDIT

GH S


File SizeChose a file size that spans at least one day.To get the right extent sizes, control the audit files for some time (see next page)Warning:The disk space for the audit files is always allocated

Number of Audit FilesDepends on your disk space; but should have 5 files at least

File LocationChose the least busy disk, having enough space; optionally make use of audit pools

GH S


Auditing is some kind of religious question:- interested in fails (= hacks)?- interested in passes (= who really was it?)

Invoke your Audit department to get your company rules!

When you audit events – CHECK the audits as well!

Keep audit files for some time(e.g. tape backups for 3 months)

GH S

Configuring SAFEGUARDGlobal Settings

Global SAFEGUARD settings- Authentication attributes- Password attributes- ACL use and evaluation rules- Global CI- Global Auditing- Miscellaneous

GH S

Configuring SAFEGUARDGlobal Settings - Authentication

AUTHENTICATE-MAXIMUM-ATTEMPTS = 3 (or more)

AUTHENTICATE-FAIL-TIMEOUT = 60 SECONDS (or more)

AUTHENTICATE-FAIL-FREEZE = OFF

When you raise the number of maximum attempts, raise the time out as well, e.g. 5 attempts within 10 minutes

GH S

Configuring SAFEGUARDGlobal Settings - Password

PASSWORD-REQUIRED = OFF PASSWORD-HISTORY = 13 (or more)

PASSWORD-ENCRYPT = ON PASSWORD-MINIMUM-LENGTH = 6 (or more)

PASSWORD-MAY-CHANGE = 7 DAYS BEFORE-EXPIRATION

PASSWORD-EXPIRY-GRACE = 45 DAYS AFTER-EXPIRATION

GH S

Configuring SAFEGUARDGlobal Settings - WarningMode

WARNING-MODE = OFF WARNING-FALLBACK-SECURITY = GUARDIAN

GH S

Configuring SAFEGUARDGlobal Settings - Device

DIRECTION-DEVICE = DEVICE-FIRST CHECK-DEVICE = ON

COMBINATION-DEVICE = FIRST-ACL CHECK-SUBDEVICE = ON

ACL-REQUIRED-DEVICE = OFF

GH S

Configuring SAFEGUARDGlobal Settings - Process

DIRECTION-PROCESS = PROCESS-FIRST CHECK-PROCESS = ON

COMBINATION-PROCESS = FIRST-ACL CHECK-SUBPROCESS = ON

ACL-REQUIRED-PROCESS = OFF

GH S

Configuring SAFEGUARDGlobal Settings – Disk File

DIRECTION-DISKFILE = FILENAME-FIRST CHECK-VOLUME = OFF

COMBINATION-DISKFILE = FIRST-ACL CHECK-SUBVOLUME = ON

ACL-REQUIRED-DISKFILE = OFF CHECK-FILENAME = ON

CLEARONPURGE-DISKFILE = OFF

GH S

Configuring SAFEGUARDGlobal Settings – ACL Eval.

GH S

These are my favorite settings!

Configuring SAFEGUARDGlobal Settings – ACL Eval.

These settings allow:- an easy understanding of ACLs- A clear structure- Protection against non allowed file and subvol creates

GH S

Configuring SAFEGUARDGlobal Settings – Auditing

AUDIT-OBJECT-ACCESS-PASS = NONE AUDIT-AUTHENTICATE-PASS = ALL

AUDIT-OBJECT-ACCESS-FAIL = NONE AUDIT-AUTHENTICATE-FAIL = ALL

AUDIT-OBJECT-MANAGE-PASS = ALL AUDIT-SUBJECT-MANAGE-PASS = ALL

AUDIT-OBJECT-MANAGE-FAIL = All AUDIT-SUBJECT-MANAGE-FAIL = ALL

AUDIT-DEVICE-ACCESS-PASS = NONE AUDIT-PROCESS-ACCESS-PASS = NONE

AUDIT-DEVICE-ACCESS-FAIL = NONE AUDIT-PROCESS-ACCESS-FAIL = NONE

AUDIT-DEVICE-MANAGE-PASS = ALL AUDIT-PROCESS-MANAGE-PASS = ALL

AUDIT-DEVICE-MANAGE-FAIL = ALL AUDIT-PROCESS-MANAGE-FAIL = ALL

AUDIT-DISKFILE-ACCESS-PASS = NONE

AUDIT-DISKFILE-ACCESS-FAIL = NONE

AUDIT-DISKFILE-MANAGE-PASS = ALL

AUDIT-DISKFILE-MANAGE-FAIL = ALL

Auditing can be configured on an individual object basis as well!

GH S

Configuring SAFEGUARDGlobal Settings – Audit Client

AUDIT-CLIENT-SERVICE = ON

GH S

Configuring SAFEGUARDGlobal Settings – CI

CI-PROG = $SYSTEM.SYSTEM.TACL CMON = OFF

CI-LIB = * NONE * CMONERROR = ACCEPT

CI-SWAP = * NONE * CMONTIMEOUT = 1 SECONDS

CI-CPU = ANY BLINDLOGON = ON

CI-PRI = 149 NAMELOGON = ON

CI-PARAM-TEXT =

GH S

Configuring SAFEGUARDGlobal Settings – Terminal

TERMINAL-EXCLUSIVE-ACCESS = OFF

GH S

Configuring SAFEGUARDAccess Control Lists

It does make sense to have ACLs onapplication, SPOOLER and PATHWAY- (Sub-)Processes- Disk Files (file, subvol, volume)

Do NOT put ACLs on SPI interfaces Do NOT secure the SAFEGUARD SPI

interface!!!

GH S


I don’t know of DEVICES to be secured, except- X.25 lines- tape drives

Use the highest possible level to minimize number of ACLs

GH S


Introduction of Terminals does make sense only with fixed named terminals.

All other terminal types should use: $SYSTEM.SYSTEM.LOGONas initial resource, or service (IP)

GH S

Configuring SAFEGUARDInitial Command Interpreter

Initial Command Interpreter- Requires a SAFEGUARD controlled terminal- Can be defined - on the User (first check) - on the Terminal (next check) - globally (last check)

GH S

Configuring SAFEGUARD Initial Command Interpreter

Benefits:- A LOGON starts a pre-defined resource- the password handling can be done at logon time- LOGON- as well as LOGOFF-events are recorded

GH S

Maintaining SAFEGUARD

Never ever change global SAFEGUARD settings ‘on the fly’, or for test purposes:You for sure end up in big trouble!

All that needs maintenance is:- Users (add, delete, alter)- ACLs (add, delete, alter)- Possibly Audit file sizes and locations- Rarely management rights

GH S

Conclusion

Have a plan (Security Policy) in place BEFORE you start

Relate security functions to persons Make a plan to run and configure

SAFEGUARD Check audit information – at least keep it for

some time (…for a post mortal analysis)

GH S

Conclusion

Most important:

Educate your employees!Not about security products, but about security as a method, and why you are going to use it!

GH S

ConclusionBad news

Security costs- money- CPU cycles- disk space- time- nerves

Security causes- trouble

GH S

ConclusionGood News

Security- gives you a system that is much easier to maintain- makes you sleep better ([not only] at home)- is worth the effort!

GH S

Helpful Gadgets

Check

www.GreenHouse.de

for supported FreeWare and ShareWare tools and products, making life with SAFEGUARD much easier!

Come to my tools presentation tomorrow at 11:30 in this room (C1)

GH S

http://www.greenhouse.de/

GH S

Questions?Questions?(please...)

Thank you for your time and attention!Enjoy the conference!

Documents

Setting up SAFEGUARD: Safe and Easy A Users Perspective Carl Weber GreenHouse Software & Consulting 14Oct2003, 14:45 – 15:45 MEA-18-U, Room C 1/2