zsc40 Beyond Legacy Security Paul R. Robichaux NewEra Software, Inc. Thursday, May 9th at 9:00 10:15 am Session Number - zsc40 Location Melrose

Transcription

1 Beyond Legacy Security zsc40 Paul R. Robichaux, Inc. Thursday, May 9th at 9:00 0:5 am Session Number - zsc40 Location Melrose

2 TCE The Control Editor Productivity and Control! Building a Safer, more Secure z/os Environment for your Business Applications 2

3 TCE An Overview Better z/os Configuration Control! Today s Agenda: Why Legacy z/os Configuration Security is not Enough? Why is Compensating/Complementary Control Desirable? What level of Incremental Access Control does TCE Provide? How does TCE Provide a Balance of Productivity and Control? 3

4 TCE An Overview A Practical Necessity zenterprise System Integrity - Resting on z/os Configuration Definitions Legacy Security Processes zenterprise Information Systems Denial Yes 99.99% Enterprise Data z/os Configuration Definitions 00.0% Configuration Data 4

5 TCE An Overview The Dataset Level Control Boundary z/os Edit Events UNIX Granted Access Privileges Update None Yes Control Boundary Read Vetted-Users 5

6 TCE An Overview Security Vs. z/os Configuration Control Your External Security Manager Provides Security: The functions provided by your External Security Manager () are required, absolute and unmatched for securing, granting and/or denying user and/or application access to system data, resources and commands. The Control Editor Provides Documentation and Control: The functions provided to you by TCE ensure that the activities of those users granted access to system data, resources and commands by the are fully documented and that, when desirable, -like controls are applied by TCE to individual members in Partitioned Datasets and/or to Sequential Datasets. The z/os Nanny and The z/os Padlock share common control, logging, reporting and notification facilities. 6

7 TCE An Overview Better z/os Configuration Control! : External Security Manager Access Rights Update Privileges 7

8 TCE An Overview Better z/os Configuration Control! CMS: Change Management System Planning Authorization : External Security Manager Access Rights Update Privileges CMS 8

9 TCE An Overview Better z/os Configuration Control! CMS: Change Management System Planning Authorization : External Security Manager Access Rights Update Privileges CMS TCE Enhances the CMS: Capture Actual Changes Enhance Change Documentation Record/Document Unplanned Changes TCE TCE Enhances the : Documents all Events Records Policy Violations Enforces Member Level Control 9

10 TCE An Overview Better z/os Configuration Control! CMS: Change Management System Planning Authorization : External Security Manager Access Rights Update Privileges CMS TCE Enhances the CMS: Capture Actual Changes Enhance Change Documentation Record/Document Unplanned Changes TCE TCE Enhances the : Documents all Events Records Policy Violations Enforces Member Level Control TCE Establishes and Enforces z/os System Programming Best Practices: Backup, Inspection, Where-Used, History, Restore, Notification Defines Responsibility, Pinpoints Accountability Establishes Trust between Team Members Supports Local Control Management 0

11 TSO/ISPF TCE An Overview Better z/os Configuration Control! Scope: zenterprise System Integrity - Resting on z/os Configuration Definitions Boundaries: TSO/ISPF Named in a Statement of Policy Controlled Dataset Categories Applications ICE Operational Best Practices Working Groups Member Level Control Datasets User and Group Working Datasets Batch Utilities Operating Environments: Other Out-of-Policy Change Detection z/os zunix

12 TCE An Overview Boundaries z/os Edit Events Granted Access Privileges Update UNIX ACTSTRxx BPXPRMxx None SMFPRMxx PROGxx Yes ACTCONxx CONSOLxx Read IKJTSOxx TCPIPxx Denial Denial Edit, Copy, Create, Move, Replace, Rename, Add and Delete in PO and PS Datasets or UNIX File. 2

13 TCE An Overview with TCE Boundary Overlap! z/os Edit Events Granted Access Privileges Update UNIX ACTSTRxx BPXPRMxx None SMFPRMxx PROGxx Yes ACTCONxx CONSOLxx Read IKJTSOxx TCPIPxx Denial Events Denial Control Files Control Journals Journal Query Notification 3

14 TCE An Overview Dataset Access Control - 3.4! z/os Configuration Integrity - Access means access to all Configuration Elements. Legacy Security Processes Denial Yes MBR List:..AUTORxx..ATCSTR....ATCCON....BPXPRMxx..CLOCKxx..COMMNDxx..CONSOLxx..HZSPRMxx..IEAFIXxx..IEALPAxx..IEASYSxx..IEASYMxx..IKJTSOxx..PROGxx..SMFPRMxx..TCPIPxx..OTHERSxx E = Edit M = Move D = Delete R = Rename B = Browse V = View C = Copy P = Print S = Submit G = Reset T = TSO Commands W = Workstation Read Only Updaters 4

15 TCE An Overview with TCE Member Level Control! z/os Edit Events Granted Access Privileges Update UNIX ACTSTRxx BPXPRMxx None TCE Yes SMFPRMxx PROGxx ACTCONxx CONSOLxx TCE Read IKJTSOxx TCPIPxx Denial Events Denial Control Files Control Journals Journal Query Notification 5

16 TCE An Overview What Access Denial Look Like! As a Pop-Up displayed to the TSO/ISPF User: Edit access attempt denied by The Control Editor. Reason Code 0037 Press END to exit Where Edit Changes to: 'Browse/View', 'Create', 'Copy', 'Move', and 'Replace' as appropriate for the access event attempt. Where Reason Code 0037 : Would be interpreted by the TCE Administrator as the line number of the Controlling Rule in the NSESELXX Configuration Member that determined/controlled the reported access denial, in this case line 37. As a WTO write to the System Log: TCER0000I - Browse/view access denial for ESSJDL DSN: USER.PARMLIB MEM: PSYNCH RSN:

17 TCE An Overview How does TCE work? - A Listener!...One way to envision The Control Editor is to think of it as an Event Listener on a subsystem interface that allows it to Hear all Events, recording only those that match a predetermined event profile (Control List) and optionally logging all defined events when forensic system analysis is required. These processes require no z/os modifications, Hooks or Exits and are totally within the z/os Administrators control. Configuration Change Events Control List Match? Notify/Act Event Log TCE can Detect TSO/ISPF Line Commands, Configuration Edits, z/os Operator Commands and z/os System Message Events. 7

18 TCE An Overview How does TCE work? - A Listener!...One way to envision The Control Editor is to think of it as an Event Listener on a subsystem interface that allows it to Hear all Events, recording only those that match a predetermined event profile (Control List) and optionally logging all defined events when forensic system analysis is required. These processes require no z/os modifications, Hooks or Exits and are totally within the z/os Administrators control. Configuration Change Events Accesses Commands Messages Concatenations: (Datasets/Directory) Datasets: (PDS,PDSE,SEQ,FILE) Members: Fully Qualified, Prefix, Suffix Actions: Edit, Move, Delete, Rename Browse, View, Copy, Print, Submit Operator Commands: SET, MODIFY, VARY Security Commands: RACF, ACF2, TSS Exclusion Options: TASK, JOBS, USER, TERM System Messages: All, Message ID and/or Text Security Messages: All, Message ID and/or Text HZS, RTD Messages: All, Message ID and/or Text Actions: Issue Commands, Notify z/os and UNIX Edit Events, Operator Commands and System Message Events. 8

19 TCE An Overview How does TCE work? - The Base Case! z/os Edit Events UNIX TSO/ISPF Edit Window Update Authority Update EDIF Interface VTAMLib YES JCLLib PROCLib PARMLib NO TCE can Detect Edit, Copy, Create, Move, Replace, Rename, Add and Delete in PO and PS Datasets. 9

20 TCE An Overview How does TCE work? - Edit Window! The Edit Interface (EDIF) service provides edit functions for data accessed through dialogsupplied I/O routines. The dialog intercept must perform all environment-dependent functions such as dataset allocation, opening, reading, writing, closing, and freeing. The dialog is also responsible for any necessary ENQ/DEQ serialization. TCE provides intercepts for requests to edit controlled datasets that allow for: pre-processing that can allow/deny dataset/member access, detects changes, create backups, editing data in partitioned datasets and sequential files and post-processing detects changes, displays inline descriptor information, generate optional occurrence notification and refreshes a backup as needed. TCE's invocation interface: provides routines that perform data read and write operations, provides command processing to support MOVE, COPY, CREATE, REPLACE, and the EDIT primary commands and supports TCE specific TSO/ISPF primary commands RESTORE, HISTORY, IPLCHECK, TCEHELP, INSPECT, JSCAN, and PSCAN. For more on EDIF and the Edit Window see the z/os VR3.0 ISPF Services Guide 20

21 TCE An Overview How does TCE work? - With your! z/os Edit Events Granted Access Privileges Update UNIX Member Control: User Specific Members Only None TCE Yes Updaters: (Edit) Move, Rename, Create, Etc. Read Only Users: Copy, Print, Submit (Altered) Descriptor Yes TCE Read Denial TCE Denial Changes Control Files Control Journals Journal Query Notification 2

22 TCE An Overview How does TCE work? Accountability! z/os Configuration Integrity - TCE Assignment means Responsibility and Accountability! Legacy Security Processes Denial Yes MBR List:..AUTORxx..ATCSTR....ATCCON....BPXPRMxx..CLOCKxx..COMMNDxx..CONSOLxx..HZSPRMxx..IEAFIXxx..IEALPAxx..IEASYSxx..IEASYMxx..IKJTSOxx..PROGxx..SMFPRMxx..TCPIPxx..OTHERSxx A Super-User, she has access to all members in PDS. z/os VTAM NetWork OPRS Mary Harry 2 An Updater and/or Browser Denied by TCE 2 22

23 TCE An Overview How does TCE work? - Control Cards! NSESEL00 Includes Excludes Statement UserID- -Member- DSN/CAT DSNEDIN CATEDIN DSNEDIN USER23 SYS.PARMLIB Statement UserID- -Member- DSN/CAT DSNEDIN USERXYZ XY SYS.PARMLIB DSNEDEX CATEDEX DSNEDEX USER23 SYS.PARMLIB DSNEDEX USERXYZ PROG SYS.PARMLIB Controlled Access Priority: If any DSNEDIN, CATEDIN, DSNBRIN, CATBRIN exists for the access attempt in question (i.e., for the member/dsn), then there must be an include for the userid in question or the access request will be denied. If no DSNEDIN, CATEDIN, DSNBRIN, CATBRIN exists for the access attempt in question, the userid in question will be granted access unless a DSNEDEX, CATEDEX, DSNBREX, CATBREX exists for the member/dsn and the userid in question. 23

24 TCE An Overview A Balance of Productivity and Control! TCE strikes a balance in design and implementation between the productivity needs of z/os System Programmers and the control needs of z/os System Administrators. The z/os Nanny enhances the TSO/ISPF experience and productivity of z/os System Programmers. The z/os Padlock offers z/os administrators an automated system that compensates for acknowledged weaknesses in their Legacy External Security Managers. The z/os Padlock The control component of The Control Editor fully supports Legacy Security by extending their security control boundaries to heretofore unrecognized events, capturing and reporting security events as they occur in real-time, and enforcing Member Level control over both authorized Updaters and Read Only users. The z/os Nanny The productivity component of The Control Editor enhances the interactive TSO/ISPF experience for z/os Systems Programmers. It is designed to automate step-by-step their achievement of z/os System Programming Best Practices and in doing so compensate for acknowledged weaknesses in Legacy Security Systems. The z/os Nanny and The z/os Padlock share common control, logging, reporting and notification facilities. 24

25 TCE An Overview z/os System Programming Best Practices! Sound z/os System Programming Best Practices are straightforward and simple enough, but we re all human, all busy, we all forget and our best intentions to conform to these practices will sometimes go unfulfilled. Do you: Take a Backup before making changes to z/os Configuration components? Test changes to PARMLIB, PROCLIB, JCLLIB before committing them to production? Research the History of prior changes before attempting new ones? Document Actual changes at the point where the change takes place? Finally, Notify those with a need to know that a change has been made? No Backup, no Test, no Review, no Documentation, no Notification. Any of these can lead to a loss of z/os integrity or compliance or worse - to a loss of z/os availability. In this part of the presentation we will examine the workflow patterns commonly found in many System Programming configuration management tasks and how these tasks can be automatically conformed to Best Practices using The Control Editor (TCE) from, an expert TSO/ISPF workflow assistant, the z/os Nanny. Backup: Generations of individual copies any of which may be used to restore a member. 25

26 TCE An Overview TSO/ISPF Workflow Management! TCE Setup TCE Workflow Management TCE Reports Datasets Messages Backup Occurrence Periodic Commands Notify TCE Forensic MBRUsed TSO/ISPF Edit Restore History Document Testing Detected Change Control Files Control Journals Journal Query Notification 26

27 TCE An Overview TSO/ISPF Workflow Management! z/os Edit Events UNIX TSO/ISPF Edit Window Update Authority If YES Update Take a Backup Check for Update YES If NO Changes? YES NO TCE Event Record(s) TCE Control Journals Last Backup Detected Change Notice Pop-Up Control Journals Notification Denial of Update Authority by the External Security Manager () is considered an Exceptional Event. 27

28 TCE An Overview Edit Window Line Commands! z/os Edit Events UNIX TSO/ISPF Edit Window Update Authority If YES Update Menu Take a Backup Restore History Testing MBRUsed Check for Update Changes? YES NO YES If NO TCE Event Record(s) TCE Control Journals Last Backup Detected Change Notice Pop-Up Control Journals Notification Detected Changes are considered an Exceptional Event. 28

29 TCE An Overview Better z/os Configuration Control! CMS: Change Management System Planning Authorization : External Security Manager Access Rights Update Privileges CMS TCE Enhances the CMS: Capture Actual Changes Enhance Change Documentation Record/Document Unplanned Changes TCE TCE Enhances the : Documents all Events Records Policy Violations Enforces Member Level Control TCE Establishes and Enforces z/os System Programming Best Practices: Backup, Inspection, Where-Used, History, Restore, Notification Defines Responsibility, Pinpoints Accountability Establishes Trust between Team Members Supports Local Control Management 29

30 TCE An Overview A Balance of Productivity and Control! As a z/os System Utility TCE enhances the TSO/ISPF experience for z/os System Programmers by fully automating, step-by-step, the individual tasks that lead us all towards compliance with the Best z/os System Programming Practices. TCE fully supports all z/os Change Management Systems (CMS) and External Security Managers (). The CMS administrator benefits by now being able to Close the Loop between planning for and/or authorizing a change and the ACTUAL change that was made. The Security Administrator benefits by now being able to compensate for the s inherent lack of visibility over authorized system changes that are performed by vetted system users. TCE is fully under the control of the z/os Administrator. Using a 3270 interface she can easily define Control Boundaries (Datasets, Operator Commands, System Events) within which TCE will be vigilant. Changes, even those made outside the TSO/ISPF domain, are captured and reported; all changes are permanently stored in Control Journals for use in interactive or batch Forensic and Periodic Management Reporting. (External Security Managers) RACF, CA ACF2, CA TOP SECRET. 30

31 TCE An Overview TCE Can Help You z/os Assure Integrity! Establish and Document an appropriate Separation of Duties Assign Specific, Individual Staff Component Responsibility Require a Component Backup prior to Configuration Change Institute Testing of Changes before Commitment to Production Validate Configuration against Established, Audited Baseline Document Change at the Point where the Actual Change is made Maintain a Configuration Where-Used Configuration Reference Profile Create an Atmosphere for Configuration Excellence and Accountability 3

32 TCE An Overview How does TCE work? - Shared Control! Control List: Control List: z/os LPAR - A Shared List: z/os LPAR B to n Events Backup Staged Detected Submit Operator Policy TCE Parameters Exceptions Log Postings Notification 3270 Journal Interface Events Backup Staged Detected Submit Operator Policy TCE Parameters Exceptions Log Postings Notification 3270 Journal Interface Journals Journals Shared Journals 32

33 TCE An Overview How does TCE work? - Can, Cannot do! Batch Utilities and Detected Changes: IEBCOPY IEBGENER Other Utilities Edit TSO Command OMVS Copy of MVS Datasets Others //WHATEVER EXEC PGM=TCEUTIL, PARM= IEBCOPY Detected Change Detected Changes: An automated TCE programmatic process by which the actual content of datasets defined to TCE as Controlled Datasets is reconciled with the last TCE Control Journal Copy. This reconciliation is performed at a minimum hourly and in all cases before the results of any query, report or panel is made available. The z/os Nanny and The z/os Padlock share common control, logging, reporting and notification facilities. 33

34 TCE An Overview Better z/os Configuration Control! Today s Agenda: Why Legacy z/os Configuration Security is not Enough? Why is Compensating/Complementary Control Desirable? What level of Incremental Access Control does TCE Provide? How does TCE Provide a Balance of Productivity and Control? 34

35 TCE An Overview It All Begins with a Controlled Backup! support@newera.com Subject: TCE Download Link or Subject: TCE License Key TCE Control Backups Start IFOM Address Space Customize TCE Control Members 2 VTAM APPLID, APF IFOLOAD Customize the ICE Configuration Run the ALLOC and BUILD Jobs Download ICE Install Files Individual user Address Spaces, controlled by IFOM are created when users log into the ICE Environment. 2 ICE Parmlib Configuration Members - NSECTLxx and NSESELxx 35

36 TCE An Overview That s it folks, all done! Paul R. Robichaux - prr@newera.com 36

37 37