Ten Things You Should not Forget in Mainframe Security

Pete Garza, Senior Information Security Architect, Mainframe, Zions Bank

Session MFX47S, #CAWorld

Terms of this Presentation

© 2015 CA. All rights reserved. @CAWorld #CAWorld

© 2015 All rights reserved. All trademarks referenced herein belong to their respective companies. The presentation provided at CA World 2015 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

For Informational Purposes Only


Abstract

Given the current state of security and breaches in the news every day, you won’t want to miss this session. We will cover the top 10 areas that you should be reviewing as a security practitioner that most organizations overlook. With the knowledge taken from this session, you will be able to better educate your staff and auditors about how to take security to the next level for your business and protect z/OS®.

Pete Garza, Sr. Information Security Architect

Agenda

1. Are you secure? Where do you start?
2. Enterprise Security Manager (ESM)
3. Static IDs / PassTickets / z/OSMF / CICS
4. Should I be concerned when an external MF security audit is done?
5. Configuration best practices
6. DRP: things to worry about

How Secure is Your Mainframe?

VM: a secure platform for virtual environments and workloads

Security is built into every level of the System z structure:
– Processor, hypervisor, operating system, communications, storage, applications

Security features designed specifically to help users:
– Comply with security-related regulatory requirements
– Identity and access management
– Hardware and software encryption
– Communication security capabilities
– Extensive logging and reporting of security events
– Security certifications based on Common Criteria and FIPS 140

How Secure is Your Mainframe?

Mainframes are extremely secure, but there is still a variety of attack vectors that can result in a breach.

There can be too much trust in mainframe security:
– Historically the risk may have seemed low, but the recent increase in mainframe connectivity means mainframes need the same attention to security as any other device on the network.
– Between that trust and the scarcity of qualified mainframe security resources, there is typically an underinvestment in mainframe security.

There needs to be a common, enterprise-wide approach to security:
– Security groups and z/OS teams need to work together in pursuing this common approach.

How Secure is Your MF?

Most reported attacks point to exploits of misconfigurations, and a large percentage are initiated by insiders.

The security policy may be sound, but the implementation does not match the policy:
– Decisions made by distributed teams, each following its own policy, can produce contradictory access policy (e.g. open access to resources)
– Inadequate policy (e.g. legacy mainframe practices and standards)
– Misconfiguration can be predictable
– UNIX System Services is often not secured


Where do I start?

Take a look at: Process Definition

Benefits of Documenting Processes

Teachability
Repeatability
Measurability
Manageability
Fire prevention versus fire fighting
Ending dependency on superstars
Achieving CMM Level 3
High rate of return

Definition of Guidelines

Guidelines: managerial parameters concerning either processes (intended objectives) or products (desired attributes).

Definition of a Process

Process: the work effort that produces a product. This includes:

• Efforts of people
• Equipment guided by guidelines
• Standards
• Procedures

Process Life Cycle: Define the Process

Process Acceptance Checklist (Yes or No):

Does the process satisfy its stated requirements/goals?
Are the entry points of the process understandable and reasonable?
Are the deliverables of the process clearly stated?
Does the process point to or include a description of each deliverable's purpose, form and content?
Is the flow complete, logical and consistent with the task descriptions?
Are the task descriptions complete, logical and consistent with the flow for the process?
Does the process clearly indicate potential exceptions, and does it provide guidance for how to handle them?
Do the recommendations clearly indicate the methods of performing each task?
Is the RACI expressed in the process consistent with the process flow and task descriptions?
Are the exit criteria for the process properly defined and understandable?

Next Steps

List your security processes and identify missing processes
Set up meetings to discuss current and missing processes; the meetings should surface the gaps
Define process owners and scope
Prioritize
Create a central security repository

MF Security Project Process Flow (figure): example of how MF security should be involved in supporting projects

Where do I start? At the beginning…

CA ACF2 (or CA Top Secret or IBM RACF):
– CA ACF2 daily reports
– CA ACF2 clean-up weekly report
– Weekly SHOW command reports
– Follow-ups

Nightly security:
– Nightly problems: production control/scheduling
– Nightly problems: test/development

Enterprise Security Manager (ESM): CA ACF2 Reporting, know what the reports are saying

Daily reports:
– System entry: ACFRPTPW
– Restricted ID: ACFRPTJL
– Dataset rules: ACFRPTDS
– Resource rules: ACFRPTRV
– Logonid modification: ACFRPTLL
– Rule change log: ACFRPTRL
– Resource change log: ACFRPTEL

Enterprise Security Manager (ESM): CA ACF2 Reporting

Daily reports process:
– Audit the daily report process: document the process, demonstrate the process, log the process
– This is what auditors review most often

User clean-up upon termination process

Justification for rule and resource modification:
– The DATA field in the rule entry points to the change ticket


Enterprise Security Manager (ESM)

Why do we do this? A Journey in Information Security

Many of today's system hacks are internal
Denial of service starts at system entry

CA ACF2 Control Databases

Three VSAM key-sequenced datasets:
– Logonid: 1024-byte records
– Access rules: 4K records
– InfoStorage: 4K records

SMF recording: record number 230
Backup controls
Recovery ability

System Entry (figure: LPAR, Application, CICS Region, with validation points labelled "Validation 1" and "Validation ?")

Behind the Scenes (figure: Logonid and InfoStorage databases, UADS, z/OS operating system, CA-ACF2)

Where is System Entry Processing Done?

TSO
Batch: one ID versus many
Started tasks (STC): know what they do
CICS: how many regions; MRO
FTP

System Entry Validation Process (figure)

Supplied by user: Logonid, Password, Source, Date and time
Access privileges: Logonid DB
z/OS security controls

Controlled Sharing of Resources

CA-ACF2 access rules (ISPF panel):

Option ===> TSO ACF--------------------ACFSET NORULES


The Auditors are coming –Should I be concerned?

Should I Be Concerned When a MF Audit Is Done?

Be prepared. Common requests:
– Security policy
– Security standards
– Display of the current options selected (ACF2 SHOW output)
– ACFFDR
– Change control policy
– APF list
– Various CA ACF2 reports

Should I Be Concerned?

CA Auditor will lessen the concern; it is a good tool with more than just auditing.
Create procedures to audit your physical IT environment.
External review every two years.
It helps maintain z/OS integrity through timely identification of z/OS customization and modifications.
It helps verify internal compliance with change control procedures.
It helps users learn z/OS.
You should constantly audit your mainframe z/OS system.

CA Auditor Design Philosophy

Functionality was a critical issue in design
Addresses the needs of a wide range of data processing personnel with varied technical backgrounds
Provides uncompromised accuracy of information
Sets new levels of ease of use
Is virtually self-installing and easy to maintain
Does not impact system performance

CA Auditor Audience

Auditors
Programming managers
Data security managers
Quality assurance personnel
Data center managers
Technical support and systems personnel

CA Auditor Management Information Menu

-------------- CA-Examine Auditing - MANAGEMENT INFORMATION -----------
OPTION ===>

1 OVERVIEW - Display z/OS or OS/390 version, level, IPL date, etc.
2 HARDWARE - See and scan hardware configuration
3 ERRORS - Show hardware error rate for disk and tape
4 CONSOLE - Display information about operator consoles
5 SMF - Analyze and search the System Management Facility

z/OS and OS/390 System Installation Choices Menu: screens that you can use to examine z/OS and OS/390 installation options

-- CA-Examine Auditing - z/OS and OS/390 SYSTEM INSTALLATION CHOICES ---
OPTION ===>

1 PARMLIB - Analyze z/OS and OS/390 parameter library
2 APF - Analyze Authorized Program Facility
3 SMP - Analyze z/OS and OS/390 libraries using SMP/E
4 KEY - Show key z/OS and OS/390 libraries
5 TSO - Analyze TSO user attribute file (UADS)
6 CATALOGS - List z/OS and OS/390 system catalogs

z/OS and OS/390 Technical Information Menu

------ CA-Examine Auditing - z/OS AND OS/390 TECHNICAL INFORMATION -----
OPTION ===>

1 SUBSYSTEMS - Display information about z/OS and OS/390 subsystems
2 APPENDAGES - User Input/output appendage display and status review
3 EXITS - z/OS and OS/390 system exit display and status review
4 LPA - Link Pack Area display and library search
5 FLPA/MLPA - Detailed FLPA, MLPA, and selected PLPA Analysis
6 PPT - Program Properties Table analysis and library search
7 SVC - Supervisor call analysis display


Configuration Best Practices

Configuration Best Practices: ACF Field Definition Record (ACFFDR)

The ACFFDR defines:
– Supervisor Call (SVC) numbers
– The VSAM files (the ACF2 databases)
– The SMF record number
– Product- and site-defined fields (@CFDE macros)
– The Logonid DSECT

Configuration Best Practices: ACFFDR Database Specification

A configured ACFFDR module should have multiple instances of the @DDSN macro, each instance defining a different group of security files. Specify two @DDSN groups:
– One named PRIMARY
– A second named ALT

SWITCH command: aids in applying maintenance to your primary databases
– F ACF2,SWITCH
– OPTS GSO record: SWTCHKEY(key), an eight-byte character field, upper case

Configuration Best Practices: Logical CA ACF2 Database Sharing with CPF

Command Propagation Facility (CPF) and password synchronization:
– Mirror CA ACF2 commands across systems

Business value:
– CPF and password synchronization simplify administrative processing by keeping security record contents synchronized across multiple systems.

Additional considerations:
– Use the CPF password synchronization feature to share updates to passwords and password suspensions among two or more distributed CA ACF2 systems.

Configuration Best Practices: CA Cleanup for ACF2

Security system interface: loaded and activated via the CA Cleanup main task.

The interface:
– Represents a small extension to the normal security check process and executes as each security check completes
– Is passive and performs monitoring only
– Contains abend protection that immediately ends CA Cleanup monitoring in the event of any problem
– Produces no measurable overhead
– Is loaded in common memory so all users can execute it

Configuration Best Practices: CA Cleanup for ACF2

Report and command generator authority. A batch utility program:
– Produces reports showing unreferenced (or referenced) security file entries
– Creates the command files to perform security file clean-up
– Optionally creates a file of clean-up commands
– Optionally creates a file to back out the change if executed
– Produces a report summary for an UNREF report

DRPs (Disaster Recovery Plans)

DRPs

Check for CA ACF2 error messages when the system is coming up
Verify access to the CA ACF2 system in the DR environment
Compare the CA ACF2 active status (mode) of production with that of the DR CA ACF2 system: MODE(ABORT)
List the release level of the DR CA ACF2 system and ensure that it is equal to the CA ACF2 release currently used in production
Ensure that the security configuration parameters for all LPARs are equal: create a list on each LPAR to ensure the configuration settings are correct
Test options by comparing them to the previous day's or month's settings
Ensure availability of CA ACF2 reporting
Ensure that you can create, delete and modify CA ACF2 records

DRPs: check for CA ACF2 error messages when the system is coming up (ACF79 main-task messages)

ACF79001 ACFFDR COULD NOT BE FOUND - ACF2 TERMINATING
Reason: The CA ACF2 Field Definition Record (ACFFDR) is required for CA ACF2 processing. You must define the ACFFDR field definition module in a linklist data set. An error occurred in the CA ACF2 installation process.
Action: Notify your CA ACF2 maintenance personnel of this error.

ACF79002 ACFINT COULD NOT BE FOUND - ACF2 TERMINATING
Reason: The CA ACF2 initialization routine cannot find the CA ACF2 rule interpreter. The CA ACF2 rule interpreter is required for CA ACF2 processing. An error occurred in the CA ACF2 installation process.
Action: Notify your CA ACF2 maintenance personnel of this error.

ACF79018 UNABLE TO LOCATE ACF2 CVT POINTER IN SSVT
Reason: The CA ACF2 initialization task cannot locate the anchor word for the CA ACF2 CVT. An error occurred while installing the CA ACF2 CVT locator routine ACF$GCVT (CSECT $ACFGCVT).
Action: Contact CA ACF2 Technical Support.

DRPs

Verify access to the CA ACF2 system in the DR environment:
– Just try to log on

Not running in the same mode as production will still bring the system up, but it puts your company at risk. Only ABORT mode denies an access that the rules do not permit; in QUIET, LOG or WARN mode the access is allowed to proceed, at most with a log record or a warning message.
– Compare the CA ACF2 active status with the active status of the DR CA ACF2 system: MODE(ABORT)
– Use SHOW ALL or SHOW ACF2 on both systems and compare the output

Proper DR testing should include things like:
– Loss of a database
– Recovery of a CICS region
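The DR checklist above comes down to comparing the option settings captured on each LPAR and refusing to sign off while the DR system is not in ABORT mode. The Python script below is an added example of that comparison; it is not from the deck and not CA code. It assumes each capture has been reduced to the KEYWORD(VALUE) and KEYWORD/NOKEYWORD tokens that the OPTS GSO record and the SHOW displays use; the two captures in the script are constructed for the example, and the list of options that must match is this example's own choice.

```python
"""Compare CA ACF2 option captures from a production LPAR and a DR LPAR.

Added example for the DR checklist in this deck; it is not CA code.
Input is the KEYWORD(VALUE) / KEYWORD / NOKEYWORD token form used by the
OPTS GSO record and the SHOW displays, captured to text on each LPAR.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed captures for the example, not from real systems.
PROD_OPTIONS = """
MODE(ABORT) BLPLOG NOCPUTIME MAXVIO(10) RULELONG STC TAPEDSN TEMPDSN
INFOLIST(SECURITY ACCOUNT)
"""
DR_OPTIONS = """
MODE(WARN) NOBLPLOG NOCPUTIME MAXVIO(10) RULELONG STC NOTAPEDSN TEMPDSN
INFOLIST(SECURITY ACCOUNT)
"""

# Options whose DR value must equal production before the DR system may
# carry live work. This is the example's own list; extend it for your site.
MUST_MATCH = {"MODE", "STC", "TAPEDSN", "BLPLOG", "TEMPDSN", "RULELONG"}

TOKEN = re.compile(r"([A-Z0-9$@#-]+)\(([^)]*)\)|([A-Z0-9$@#-]+)")


def parse_options(text: str) -> Dict[str, str]:
    """Turn a capture into {OPTION: value}.

    KEYWORD(VALUE) keeps its value; a bare KEYWORD becomes "YES" and a bare
    NOKEYWORD becomes KEYWORD="NO". The NO prefix is only stripped from bare
    tokens, so a valued keyword such as NOTIFY(...) is left alone.
    """
    opts: Dict[str, str] = {}
    for keyed, value, bare in TOKEN.findall(text.upper()):
        if keyed:
            opts[keyed] = value.strip()
        elif bare.startswith("NO") and len(bare) > 2:
            opts[bare[2:]] = "NO"
        else:
            opts[bare] = "YES"
    return opts


@dataclass
class Drift:
    option: str
    production: Optional[str]
    dr: Optional[str]
    severity: str  # "CRITICAL" blocks DR sign-off, "WARNING" needs a look


def compare_options(prod: Dict[str, str], dr: Dict[str, str]) -> List[Drift]:
    """List every option that differs between the two captures.

    MODE gets special handling: only ABORT mode fails an access the rules
    do not permit, so a DR system that is not in ABORT mode is reported
    even when production happens to match it.
    """
    drifts: List[Drift] = []
    for name in sorted(prod.keys() | dr.keys()):
        p, d = prod.get(name), dr.get(name)
        if p != d:
            drifts.append(Drift(name, p, d, "CRITICAL" if name in MUST_MATCH else "WARNING"))
    if dr.get("MODE") != "ABORT" and not any(x.option == "MODE" for x in drifts):
        drifts.append(Drift("MODE", prod.get("MODE"), dr.get("MODE"), "CRITICAL"))
    return drifts


def dr_is_ready(prod_text: str, dr_text: str) -> bool:
    """True only when no CRITICAL drift remains between the two captures."""
    drifts = compare_options(parse_options(prod_text), parse_options(dr_text))
    return not any(x.severity == "CRITICAL" for x in drifts)


if __name__ == "__main__":
    for x in compare_options(parse_options(PROD_OPTIONS), parse_options(DR_OPTIONS)):
        print(f"{x.severity:8} {x.option:10} prod={x.production} dr={x.dr}")
    print("DR ready:", dr_is_ready(PROD_OPTIONS, DR_OPTIONS))
```

Run it against yesterday's capture of the same LPAR instead of the production capture and it performs the "compare to the previous day/month" check from the list above with no change.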

Review Use of Static IDs

Static IDs: The Concerns

All mainframe address spaces require logonids:
– Users: a password managed by the user
– Applications: a static ID and a static password
– Production jobs: a static ID and no password

Accountability for work on the MF is lost when the work is not associated with an end user. This makes resolving problems difficult.

The user has already been authenticated on the system making the request, so a static ID means duplicated authentication.

Options:
– Create the ID as part of network access (automate)
– Make all requests with a single ID
– Pass the user's ID and use PassTickets (a PassTicket generated for the user ID and application ID in place of a static password)

Static ID Flow (figure: user logon with an application ID, or Java generating a PassTicket from the user logonid and application ID, presented to CICS web services)


How to Review a New Static ID Request


Passtickets, XREF, Resource Rules


PassTickets: Building Records (PTKTDATA)

You can build the records via batch (ACFBATCH) or in TSO using the ACF command:

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT cicswebservice.appid SSKEY(1234567812345678) MULT-USE
INSERT cicswebservice.appid.userlid SSKEY(8765432187654321) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)

SSKEY is the shared secured sign-on key, 16 hexadecimal digits; the values shown are placeholders. The same key must be configured wherever PassTickets for that application are generated, and it must be treated as a secret: anyone holding it can mint a PassTicket for any user of that application. MULT-USE allows a PassTicket to be presented more than once within its validity window; leave it off unless the application genuinely needs replay.

PassTickets: Building Records (Resource Group)

Build the XREF resource group record via batch (ACFBATCH) or in TSO using the ACF command:

SET XREF(RGP) SYSID(****)
INSERT APPIDRGP INCLUDE(CCCC CCCC CCCC CCCC) RESOURCE TYPE(CKC)
F ACF2,NEWXREF,TYPE(RGP)

CKC is the resource type for CICS transactions; the INCLUDE list (placeholder values here) names the transactions grouped under APPIDRGP.

PassTickets: Building Records (Resource Rule)

Build the resource rule via batch (ACFBATCH) or in TSO using the ACF command:

SET RESOURCE(CKC)
COMPILE *
$KEY(APPIDRGP) TYPE(CKC) ROLESET
USER(APPID) ALLOW
STORE

z/OSMF: How Do I Put In the Security?

Convert into CA ACF2 Commands

The IBM-supplied REXX EXEC issues these RACF commands:

/* Create the z/OSMF Administrators group */
Call RacfCmd "ADDGROUP IZUADMIN OMVS(GID(9003))"

/* Create the z/OSMF Users group */
Call RacfCmd "ADDGROUP IZUUSER OMVS(GID(9004))"

/* Create the z/OSMF Administrator UserID */
/* The home directory is created in the -prime step. If automount managed, pre-create it before the -prime step */
Call RacfCmd "ADDUSER ZOSMFAD DFLTGRP(IZUADMIN) OMVS(UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD "
Call RacfCmd "ALU ZOSMFAD TSO(PROC(IKJTDA) ACCTNUM(TSO) SIZE(2096128)) OMVS(ASSIZEMAX(2147483647) MEMLIMIT(2G))"

/* Assign a password to the Administrator UserID before using it */
/* This is an example only - it is not recommended to insert passwords in this file */
/* Call RacfCmd "ALU ZOSMFAD PASSWORD(InsertAValidPassword) NOEXPIRED" */

/* Connect the z/OSMF Administrator UserID to the WebSphere Application Server Administrators Group */
Call RacfCmd "CONNECT ZOSMFAD GROUP(WSCFG1)"


What is the ACF2 setup for z/OSMF?

Products: CA ACF2 for z/OS & CA ACF2 Option for DB2
Releases: CA ACF2 for z/OS Release 15+
Components: CA ACF2 for z/OS

Description: There is an IBM-supplied REXX EXEC, izudflt.cfg.rexx, that generates RACF commands for z/OSMF configuration. This is the ACF2 conversion of that REXX EXEC.

Solution: This is the z/OSMF IZUCONFIG.CFG.REXX conversion to ACF2 commands.

Document ID: TEC614236

Step 1: Create the z/OSMF Administrator default group IZUADMIN and the z/OSMF User group IZUUSER:

ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT IZUADMIN GID(9003)
INSERT IZUUSER GID(9004)
F ACF2,REBUILD(GRP),CLASS(P)

Step 2: Create the z/OSMF Administrator UserID ZOSMFAD:

SET LID
INSERT ZOSMFAD NAME(Z/OSMF ADMINISTRATOR) MAXDAYS(0) LIDZMAX GROUP(IZUADMIN) UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh) PASSWORD(xxxxxxxx)

MAXDAYS(0) turns off password expiration for this logonid, and xxxxxxxx is a placeholder: set the real password interactively rather than leaving it in a script, as the IBM REXX comment also advises.

Step 3: Connect the z/OSMF Administrator UserID and z/OSMF Users to Core:

SET RESOURCE(APL)
RECKEY BBNBASE ADD(- UID(uid string for ZOSMFAD) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(- UID(uid string for IZUUSERs) SERVICE(READ) ALLOW)
F ACF2,REBUILD(APL)

Step 5: SyncToOSThread permits:

SET RESOURCE(FAC)
RECKEY BBO ADD(SYNC.BBNBASE.BBNC001 UID(uid string for WSCRU1) ALLOW)
F ACF2,REBUILD(FAC)

Step 5.1: Define resource class ZMFAPLA:

SET C(GSO) SYSID(appropriate sysid)
INSERT CLASMAP.ZMFAPLA RESOURCE(ZMFAPLA) RSRCTYPE(ZMF)
F ACF2,REFRESH(CLASMAP)

Step 5.2: Add resource type ZMF to INFODIR:

CHA INFODIR TYPES(R-RZMF) ADD
F ACF2,REFRESH(INFODIR)

Step 5.3: Set up Core rules:

SET RESOURCE(ZMF)
RECKEY BBNBASE ADD(ZOSMF.- UID(uid string for ZOSMFAD) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.- UID(uid string for IZUUSERs) SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.ADMINTASKS.- UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.SETTINGS.-.MODIFY UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.CAPACITY_PROVISIONING.CAPACITY_PROVISIONING.EDIT UID(uid string for IZUUSERs))
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA. UID(uid string for ZOSMFAD) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.DATA. UID(uid string for IZUUSERs) ALLOW)
RECKEY BBNBASE ADD(ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE-.PRODUCT_INFO_FILE. UID(uid string for IZUUSERs))
F ACF2,REBUILD(ZMF)

A rule entry with neither ALLOW nor LOG defaults to PREVENT, so the ADMINTASKS, SETTINGS, WORKLOAD_MANAGEMENT, CAPACITY_PROVISIONING and PRODUCT_INFO_FILE entries deny those actions to ordinary IZUUSER members while the broader ZOSMF.- entry grants them READ; the more specific entries are matched first, which is what lets the two coexist.
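The conversion above is done by hand, RACF command by RACF command. The Python script below is an added example of doing the mechanical part of it: it is neither IBM's izudflt.cfg.rexx nor CA's TEC614236 conversion. It pulls the RacfCmd calls out of the REXX text, parses the nested KEY(SUB(value)) operand syntax, and emits the ACF2 equivalents shown on the slides for the ADDGROUP and ADDUSER shapes that REXX uses. Two choices are this example's own: a PASSWORD(...) value is never carried into the output (only a placeholder, with a warning), and a command it does not understand is returned as a warning for manual conversion rather than guessed at. The sample REXX is constructed from the slide's calls, with the PASSWORD line left active so the withholding is visible.

```python
"""Translate RacfCmd calls from z/OSMF's izudflt.cfg.rexx into CA ACF2 commands.

Added example for this deck; it is neither IBM's REXX nor CA's TEC614236
conversion. It handles the ADDGROUP and ADDUSER shapes that REXX uses,
withholds any PASSWORD(...) value, and flags everything else for manual work.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed from the RacfCmd calls on the slide; the PASSWORD call is left
# active here on purpose so the example shows the value being withheld.
SAMPLE_REXX = '''
/* Create the z/OSMF Administrators group */
Call RacfCmd "ADDGROUP IZUADMIN OMVS(GID(9003))"
/* Create the z/OSMF Users group */
Call RacfCmd "ADDGROUP IZUUSER OMVS(GID(9004))"
/* Create the z/OSMF Administrator UserID */
Call RacfCmd "ADDUSER ZOSMFAD DFLTGRP(IZUADMIN) OMVS(UID(9001) HOME(/u/zosmfad) PROGRAM(/bin/sh)) NOPASSWORD NOOIDCARD "
Call RacfCmd "ALU ZOSMFAD PASSWORD(InsertAValidPassword) NOEXPIRED"
Call RacfCmd "CONNECT ZOSMFAD GROUP(WSCFG1)"
'''

RACFCMD = re.compile(r'RacfCmd\s+"([^"]*)"')
GROUP_SET = "SET PROFILE(GROUP) DIV(OMVS)"


def parse_operands(text: str) -> Dict[str, Any]:
    """Parse RACF operands 'KEY(value) KEY(SUB(v) ...) FLAG' into a dict;
    nested parentheses become nested dicts, a bare keyword maps to True."""
    ops: Dict[str, Any] = {}
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        j = i
        while j < n and text[j] not in "( )":
            j += 1
        if j == i:                      # stray ')': skip rather than loop forever
            i += 1
            continue
        key = text[i:j].upper()
        if j < n and text[j] == "(":
            depth, k = 1, j + 1
            while k < n and depth:      # find the matching close paren
                depth += {"(": 1, ")": -1}.get(text[k], 0)
                k += 1
            inner = text[j + 1:k - 1]
            ops[key] = parse_operands(inner) if "(" in inner else inner.strip()
            i = k
        else:
            ops[key] = True
            i = j
    return ops


def translate(cmd: str) -> Tuple[List[str], List[str]]:
    """Return (acf2_lines, warnings) for one RACF command."""
    parts = cmd.strip().split(None, 2)
    verb, name = parts[0].upper(), parts[1].upper()
    ops = parse_operands(parts[2]) if len(parts) > 2 else {}
    omvs = ops.get("OMVS")
    omvs = omvs if isinstance(omvs, dict) else {}
    if verb == "ADDGROUP" and "GID" in omvs:
        return [GROUP_SET, f"INSERT {name} GID({omvs['GID']})"], []
    if verb == "ADDUSER":
        fullname = str(ops.get("NAME", name)).strip("'")
        fields = [f"NAME({fullname})"]
        if "DFLTGRP" in ops:
            fields.append(f"GROUP({ops['DFLTGRP']})")
        fields += [f"{k}({omvs[k]})" for k in ("UID", "HOME", "PROGRAM") if k in omvs]
        warns = [f"{name}: NOPASSWORD given; set a password out of band"] if "NOPASSWORD" in ops else []
        return ["SET LID", f"INSERT {name} " + " ".join(fields)], warns
    if verb in ("ALU", "ALTUSER") and "PASSWORD" in ops:
        # Never copy a clear-text password from the script into the output.
        return (["SET LID", f"CHANGE {name} PASSWORD(********)"],
                [f"{name}: PASSWORD value withheld from the output; set it interactively"])
    return [], [f"manual conversion required: {cmd.strip()}"]


def translate_script(rexx: str) -> Tuple[List[str], List[str]]:
    """Translate every RacfCmd call; emit each SET once per run of commands
    that share it and add the REBUILD that new group records need."""
    out: List[str] = []
    warnings: List[str] = []
    current_set = None
    for cmd in RACFCMD.findall(rexx):
        lines, warns = translate(cmd)
        warnings.extend(warns)
        for line in lines:
            if line.startswith("SET "):
                if line != current_set:
                    out.append(line)
                    current_set = line
            else:
                out.append(line)
    if GROUP_SET in out:
        out.append("F ACF2,REBUILD(GRP),CLASS(P)")
    return out, warnings


if __name__ == "__main__":
    cmds, notes = translate_script(SAMPLE_REXX)
    print("\n".join(cmds + ["* " + n for n in notes]))
```

The CONNECT call comes out as a warning on purpose: ACF2 has no group-connect equivalent, and the slides grant that access through resource rules (the APL and ZMF RECKEY entries above), which is a decision for the administrator, not the translator.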


CICS Security

CICS Security: CICS Initialization

DFHPA1101 MYREGION DFHSIT42 IS BEING LOADED.
ACFAE040 Phase 0 Initialization Started
ACFAE300 Setting DFHSIT value SEC=YES
ACFAE000 ACF2 PARAMETERIZATION IN PROGRESS
ACFAE309 Setting DFHSIT value XFCT=YES
ACFAE303 Setting DFHSIT value XPCT=YES
ACFAE304 Setting DFHSIT value XTRAN=YES
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE302 Setting DFHSIT value CMDSEC=ALWAYS
ACFAE311 Setting DFHSIT value DFLTUSER=CICSDFT
ACFAE350 Setting DFHSIT value XAPPC=NO
ACFAE351 Setting DFHSIT value XUSER=YES
ACFAE320 Setting DFHSIT value XEJB=YES
ACFAE321 Setting DFHSIT value EJBROLEPRFX=
ACFAE322 Setting DFHSIT value SNSCOPE=NONE
ACFAE353 Setting DFHSIT value XHFS=YES
ACFAE041 Phase 0 Initialization Ended

These messages show the security-related SIT values CA ACF2 has set for the region; review them at every start-up. In this capture XAPPC=NO leaves APPC (LU6.2) sessions without session security, and SNSCOPE=NONE lets a user sign on any number of times in the region.

CICS Security: CICS Initialization (phase 2)

ACFAE044 Phase 2 Initialization Started
ACFAE075 Storage manager subtask has been attached
ACFAE050 Signon Manager Subtask is active
ACFAE051 Attaching 005 Signon Server Subtasks
ACFAE076 Program manager subtask has been attached
ACF04057 GLOBAL DIRECTORY RMTP ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
ACF04057 GLOBAL DIRECTORY RCFC ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
ACF04057 GLOBAL DIRECTORY RCKC ALREADY EXISTS
ACFAE123 Global directory.. Ensure console reload was performed
+ACFF9003 CICSSSUB PROCESS INITIALIZATION STARTED
+ACFF9014 CICSSSUB PROCESS INITIALIZATION COMPLETED
+ACFF9003 CICSLSUB PROCESS INITIALIZATION STARTED
+ACFF9014 CICSLSUB PROCESS INITIALIZATION COMPLETED
ACFAE045 Phase 2 Initialization Ended
ACFAE047 Security Initialization Complete

CICS Security: CICS Initialization

You can load the CA ACF2 parameters one of two ways:
– Startup JCL
– CA ACF2 Information Storage records (C-CIC records)
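The ACFAE3nn "Setting DFHSIT value" messages in the start-up log are the easiest place to catch a region that came up with security weakened, whichever of the two parameter sources it was loaded from. The Python script below is an added example of reviewing them automatically; it is not CA or IBM code. It reads console lines of that form, collects the KEY=VALUE pairs and compares them with a reviewer's baseline. The baseline is this example's own opinion of what a production region should show, not a CICS or ACF2 default, and the sample log is constructed from the slide's messages with XTRAN flipped to NO so that a high-severity finding appears.

```python
"""Review the security DFHSIT values CA ACF2 reports during CICS start-up.

Added example for this deck, not CA or IBM code. It reads console lines of
the form 'ACFAE3nn Setting DFHSIT value KEY=VALUE' and compares them with a
reviewer's baseline that is this example's opinion, not a product default.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the slide's messages, with XTRAN flipped to NO so the
# example has a high-severity finding to show.
SAMPLE_LOG = """\
DFHPA1101 MYREGION DFHSIT42 IS BEING LOADED.
ACFAE040 Phase 0 Initialization Started
ACFAE300 Setting DFHSIT value SEC=YES
ACFAE000 ACF2 PARAMETERIZATION IN PROGRESS
ACFAE309 Setting DFHSIT value XFCT=YES
ACFAE303 Setting DFHSIT value XPCT=YES
ACFAE304 Setting DFHSIT value XTRAN=NO
ACFAE301 Setting DFHSIT value RESSEC=ALWAYS
ACFAE302 Setting DFHSIT value CMDSEC=ALWAYS
ACFAE311 Setting DFHSIT value DFLTUSER=CICSDFT
ACFAE350 Setting DFHSIT value XAPPC=NO
ACFAE351 Setting DFHSIT value XUSER=YES
ACFAE320 Setting DFHSIT value XEJB=YES
ACFAE321 Setting DFHSIT value EJBROLEPRFX=
ACFAE322 Setting DFHSIT value SNSCOPE=NONE
ACFAE353 Setting DFHSIT value XHFS=YES
ACFAE041 Phase 0 Initialization Ended
"""

# Not anchored, so a syslog timestamp or job prefix before the message id is fine.
SIT_MSG = re.compile(r"ACFAE3\d\d\s+Setting DFHSIT value\s+(\w+)=(\S*)")

# (SIT key, acceptable values, severity when the value is absent or different)
CHECKS = [
    ("SEC",    {"YES"},    "HIGH"),    # SEC=NO switches every other check off
    ("XTRAN",  {"YES"},    "HIGH"),    # transaction-attach security
    ("RESSEC", {"ALWAYS"}, "HIGH"),    # resource checks even where TRANSACTION says RESSEC(NO)
    ("CMDSEC", {"ALWAYS"}, "HIGH"),    # command checks even where TRANSACTION says CMDSEC(NO)
    ("XPCT",   {"YES"},    "MEDIUM"),  # started transactions and transaction commands
    ("XFCT",   {"YES"},    "MEDIUM"),  # file control
    ("XUSER",  {"YES"},    "MEDIUM"),  # surrogate user checking
    ("XAPPC",  {"YES"},    "MEDIUM"),  # APPC (LU6.2) session security
    ("XHFS",   {"YES"},    "MEDIUM"),  # z/OS UNIX file access
]


@dataclass
class Finding:
    key: str
    observed: Optional[str]
    expected: str
    severity: str


def parse_sit_values(log: str) -> Dict[str, str]:
    """Collect KEY=VALUE pairs from the ACFAE3nn messages; later lines win."""
    values: Dict[str, str] = {}
    for line in log.splitlines():
        m = SIT_MSG.search(line)
        if m:
            values[m.group(1).upper()] = m.group(2).upper()
    return values


def review_sit(values: Dict[str, str]) -> List[Finding]:
    """Compare observed values with CHECKS; a missing value is a finding too."""
    findings: List[Finding] = []
    for key, allowed, severity in CHECKS:
        observed = values.get(key)
        if observed not in allowed:
            findings.append(Finding(key, observed, " or ".join(sorted(allowed)), severity))
    # SNSCOPE=NONE lets one user sign on any number of times in the region.
    sns = values.get("SNSCOPE")
    if sns in (None, "NONE"):
        findings.append(Finding("SNSCOPE", sns, "CICS, MVSIMAGE or SYSPLEX", "INFO"))
    # DFLTUSER is what unsigned-on terminals run as; CICSUSER is the shipped
    # default and should be replaced by a site-defined, minimal logonid.
    dflt = values.get("DFLTUSER")
    if not dflt or dflt == "CICSUSER":
        findings.append(Finding("DFLTUSER", dflt, "site-defined minimal logonid", "INFO"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((f.severity for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    found = review_sit(parse_sit_values(SAMPLE_LOG))
    for f in found:
        print(f"{f.severity:6} {f.key:9} observed={f.observed!r} expected={f.expected}")
    print("worst:", worst_severity(found))
```

Because it keys on the message text rather than on line position, the same parser works on a spooled job log or on syslog output with timestamps in front of the message id, and it reports a value that never appeared in the log as a finding rather than silently assuming the default.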

CICS Security: ACFM Function Summary

• AM - Access Rule Maintenance: inspects, modifies and stores access rule sets under the CICS interface.
• CP - CA ACF2 Command Processor: executes the ACF command and supports most of the standard ACF command facilities.
• EN, ES and EV - End of Session: terminates ACFM sessions.
• HM - Help General Menu Display: displays a list of all functions that are available in ACFM.
• OD/OM - System Option Display and Modification: displays (OD) and modifies (OM) the CICS interface security subsystem options currently in effect.
• RC - Resource Control: adds USERKEYs, reloads directories for CICSKEYs and USERKEYs, and resets CA ACF2 validations for session caches.
• RM - Resource Rule Maintenance: inspects, modifies and stores resource rule sets under the CICS interface.

CICS Security: ACFM Function Summary (continued)

• SD - CICS Interface System Status Display: contains secondary functions that display the status of the CICS interface system: CACHE, DIRECT, ENVIRON, GENERAL, LOOK, SUBTASK, WINDOW, MRO (MRO, ISC, IRC)
  – IRC: inter-region communication
  – ISC: intersystem communication
  – MRO: Multiple Region Option

CICS Security: ACFE, who is on the region?

ACFE=WHOSON

<<< List of USERS in Region: CICSSEC >>>
Userid   Netname   Applid   Signon Mode   Signon Type   Signon Time   Date
<<------------------------------------------------------------------------------------->>

Summary: A Few Words to Review

Don't:
– Be convinced that you are secure because your infrastructure has advanced monitoring and protection
– Cripple the business with cumbersome processes; they will find a way to circumvent them

Remember:
– You are only as secure as your least secure vendor (none is too small to consider)

Do:
– Be aware of recent breaches and ensure you raise the bar for attackers
– Consider all paths into the mainframe


Q & A

Follow Conversations in the Mainframe Content Center

CA Data Content Discovery: discover regulated data on z Systems™ and maintain a secure infrastructure
CA ACF2™ for z/OS, CA Top Secret® for z/OS, CA Cleanup, CA Auditor: identify and control security risk

Related sessions:
– Advanced Authentication: Nov 18th @ 4:30pm
– The Known Unknown: Nov 19th @ 12:15pm


For More Information

To learn more, please visit:

http://cainc.to/Nv2VOe

CA World ’15