Performing a z/os Vulnerability Assessment. Part 2 - Data Analysis. Presented by Vanguard Integrity Professionals

Transcription

1 Performing a z/os Vulnerability Assessment Part 2 - Data Analysis Presented by Vanguard Integrity Professionals

2 Legal Notice Copyright 2014 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. Trademarks IBM, RACF, System z, and z/os are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Vanguard Administrator, Vanguard Analyzer, Vanguard Advisor, Vanguard Configuration Manager, Vanguard zsecurity University, and Vanguard Security & Compliance are trademarks of Vanguard Integrity Professionals Nevada. 2

3 Agenda Introduction 1 This section re-introduces this vulnerability assessment webinar series and relationship between the three (3) episodes. Data Analysis 2 This section discusses the actual analysis of the data collected from session one (1). Wrap Up and Next Webinar 3 This section wraps up the webinar and provides information on the next and final webinar of the series. 3

4 Performing a z/os Vulnerability Assessment Data Analysis INTRODUCTION 4

5 Webinar Series Overview - Reminder Session 1 Session 2 Session 3 Data Collection Review this session anytime from the go2vanguard.com website Data Analysis March 20 th 7am Pacific / 10am Eastern March 26 th 10am Pacific / 1pm Eastern April 1 st 1pm Pacific / 4pm Eastern Remediation April 10 th 8am Pacific / 11am Eastern April 16 th 11am Pacific / 2pm Eastern April 22 nd Noon Pacific / 3pm Eastern 5

6 Vulnerability Assessment Approach Data Collectection This is the data collection phase to be able to assess the environment. Data Analysis This is the data analysis phase where the data collected is analyzed for any potential vulnerabilities. Report This is the report phase where the consultant creates a findings reports and discusses the findings and recommendations with the customer. Remediation This is remediation phase where the Vanguard consultant explains the results of the data analysis and provides remediation advice Today s Webinar N/A 6

7 Performing a z/os Vulnerability Assessment Data Analysis RISK ANALYSIS & ASSESSMENT 7

8 Vulnerability Assessment Scope Scope: Vanguard Top 10 z/os Risks Identified in Customer Security Assessment Excessive Number of User IDs with No Password Interval Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Started Task IDs are not Defined as PROTECTED IDs Dataset Profiles with UACC Greater than READ Improper Use or Lack of UNIXPRIV Profiles Dataset Profiles with UACC of READ Excessive Access to the SMF Data Sets RACF Database is not Adequately Protected Excessive Access to APF Libraries Inappropriate Access to FACILITY BPX.DAEMON Profile Note: Data collected from hundreds of security assessments performed by Vanguard Integrity Professionals. 8

9 Vanguard Tools Used Vanguard Administrator Simplify and Enhance Security Management Functions on systems running IBM Security Server (RACF) Vanguard Provides Identity & Access Management solutions and Governance, Risk & Compliance solutions for z/os and other enterprose platforms. Vanguard Analyzer Delivers expert-level Vulnerability Assessments and Audit results for System z in minutes Vanguard Advisor Offers the most comprehensive Event Detection, Analysis and Reporting package for the z/os environment Vanguard Configuration Manager Provides the fastest and most accurate method to verify that mainframe security configuration controls are in compliance with the DISA STIGs 9

10 Vanguard's Exposure Criticalities SEVERE Immediate unauthorized access into a system Elevated authorities or attributes Cause system wide outages The ability to violate IBM s Integrity Statement HIGH Vulnerabilities that provide a high potential of disclosing sensitive or confidential data Cause a major sub-system outage Assignment of excessive access to resources Criticalities MEDIUM Vulnerabilities that provide information and/or access that could potentially lead to compromise The inability to produce necessary audit trails LOW Implementation or configuration issues that have the possibility of degrading performance and/or security administration 10

11 Assessment #1 Excessive Number of User IDs with No Password Interval Risk - Severe Recommended Best Practice User IDs with no password Interval are not required to change their passwords. Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users. Review each of the personal user profiles to determine why they require NOINTERVAL. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or surrogate job submission, it should be reviewed and changed to PROTECTED. 11

12 Vanguard Administrator Excessive Number of User IDs with No Password Interval Report Generation Vanguard Administrator : User Profile Summary (Fastpath 3;1;1) Mask: Protected: N PWD Interval: 0 Revoked: N 12

13 Analyzing the Report Excessive Number of User IDs with No Password Interval Review Report Started Task IDs Surrogate IDs Application IDs Personal User IDs FTP IDs 13

14 Vanguard Configuration Manager Excessive Number of User IDs with No Password Interval Report Generation Vanguard Configuration Manager : Execute RACF

15 Analyzing the Report Excessive Number of User IDs with No Password Interval Review Report Started Task IDs Surrogate IDs Application IDs Personal User IDs FTP IDs 15

16 Assessment #2 Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Risk - High Recommended Best Practice User IDs with z/os UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/os UNIX. Since the UNIX environment is the z/os portal for critical applications such as file transfers, Web applications, and TCPIP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. The assignment of UID(0) authority should be minimized by managing superuser privileges through profiles in the UNIXPRIV class. 16

17 Vanguard Administrator Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Report Generation Vanguard Administrator : User OMVS Segment (Fastpath 3;5;9;1) Mask: UID: 0 17

18 Analyzing the Report Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Review Report Personal User IDs Server IDs 18

19 Vanguard Configuration Manager Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Report Generation Vanguard Configuration Manager : Execute ZUSS

20 Analyzing the Report Inappropriate Usage of z/os UNIX Superuser Privilege UID(0) Review Report Personal User IDs Server IDs 20

21 Assessment #3 Started Task IDs are not Defined as PROTECTED IDs Risk - High Recommended Best Practice User IDs associated with started tasks should be defined as PROTECTED which will exempt them from revocation due to inactivity or excessive invalid password attempts, as well as being used to sign on to an application. Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as PROTECTED for those tasks that do not require a password. 21

22 Vanguard Administrator Started Task IDs are not Defined as PROTECTED IDs Report Generation Vanguard Administrator : User Profile Summary (Fastpath 3;1;1) Mask: Protected: N Owner: STC Group Name 22

23 Analyzing the Report Started Task IDs are not Defined as PROTECTED IDs Review Report FTP IDs IDs that might require a password 23

24 Vanguard Configuration Manager Started Task IDs are not Defined as PROTECTED IDs Report Generation Vanguard Configuration Manager : Execute RACF

25 Analyzing the Report Started Task IDs are not Defined as PROTECTED IDs Review Report FTP IDs IDs that might require a password 25

26 Assessment #4 Dataset Profiles with UACC Greater than READ Risk - Severe Recommended Best Practice and Remediation Data sets that are protected by a RACF profile with a UACC greater than READ allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have a UACC of ALTER. Review the dataset profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. 26

27 Vanguard Administrator Dataset Profiles with UACC Greater than READ Report Generation Vanguard Administrator : Data Set Profile Summary (Fastpath 3;3;1) Mask: UACC: R GT 27

28 Analyzing the Report Dataset Profiles with UACC Greater than READ Review Report Determine data sets that are protected by these profiles to verify the UACC 28

29 Assessment #5 Improper Use or Lack of UNIXPRIV Profiles Risk - High Recommended Best Practice and Remediation The UNIXPRIV class resource rules are designed to give a limited subset of the superuser UID (0) capability. When implemented properly, UNIXPRIV profiles can significantly reduce the unnecessary requests for assignment of UID (0) to user IDs. Review the users activity that are currently defined as SUPERUSERs to determine if more granular profiles may be defined in the UNIXPRIV class that will authorize their activity. 29

30 Vanguard Administrator Improper Use or Lack of UNIXPRIV Profiles Report Generation Vanguard Administrator : General Resource Access List (Fastpath 3;4;4) Mask: Class: UNIXPRIV 30

31 Analyzing the Report Improper Use or Lack of UNIXPRIV Profiles Review Report Examine the access lists to determine if access to these profiles are correct or if more granular profiles should be defined 31

32 Assessment #6 Dataset Profiles with UACC of READ Risk - High Recommended Best Practice and Remediation Data sets that are protected by a RACF profile with a UACC of READ will allow most users with system access to read or copy sensitive and critical data residing in these data sets. Review each of these profiles and determine whether the UACC is appropriate. For those profiles where the UACC is excessive, you will have to determine who really needs access before changing the UACC. 32

33 Vanguard Administrator Dataset Profiles with UACC of READ Report Generation Vanguard Administrator : Data Set Profile Summary (Fastpath 3;3;1) Mask: UACC: R EQ 33

34 Analyzing the Report Dataset Profiles with UACC of READ Review Report Determine data sets that are protected by these profiles to verify the UACC 34

35 Assessment #7 Excessive Access to the SMF Data Sets Risk - High Recommended Best Practice and Remediation SMF data collection is the system activity journaling facility of the z/os system. With the proper parameter designations, it serves as the basis to ensure individual user accountability. The ability to READ SMF data enables someone to identify potential opportunities to breach your security. If UPDATE or higher access is granted, a risk of audit log corruption exists. Access control for the unloaded data is critical to ensure a valid chain of custody. Ensure that access authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing and ensure that UPDATE and higher accesses are being logged. 35

36 Vanguard Analyzer Excessive Access to the SMF Data Sets Report Generation Vanguard Analyzer : SMF Environment Analysis option 3;H Enter DSN Command to display SMF Dataset Information Enter option R for profile information 36

37 Analyzing the Report Excessive Access to the SMF Data Sets Review Report Ensure the access to the SMF data sets is limited to appropriate users 37

38 Vanguard Configuration Manager Excessive Access to the SMF Data Sets Report Generation Vanguard Configuration Manager : Execute ACP

39 Analyzing the Report Excessive Access to the SMF Data Sets Review Report Ensure the access to the SMF data sets is limited to appropriate users 39

40 Assessment #8 RACF Database is not Adequately Protected Risk - Severe Recommended Best Practice and Remediation The RACF database contains extremely sensitive security information. No access to the RACF database is required for normal administration activities using either RACF commands or the RACF provided ISPF panels. A user who has read access to the RACF database could make a copy and then use a cracker program to find the passwords for user IDs and could obtain a list of user IDs and resources. Review the protection for the RACF database and remove any entries granting access higher than NONE, other than the senior RACF administrators and system staff running RACF database utilities. 40

41 Vanguard Analyzer RACF Database is not Adequately Protected Report Generation Vanguard Analyzer : Database Analysis option 3;3 Enter option R for profile information 41

42 Analyzing the Report RACF Database is not Adequately Protected Review Report Verify that only senior RACF administrators and system staff running RACF database utilities have access to the RACF database 42

43 Vanguard Configuration Manager RACF Database is not Adequately Protected Report Generation Vanguard Configuration Manager : Execute ACP

44 Analyzing the Report RACF Database is not Adequately Protected Review Report Verify that only senior RACF administrators and system staff running RACF database utilities have access to the RACF database 44

45 Assessment #9 Excessive Access to APF Libraries Risk - Severe Recommended Best Practice and Remediation UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff. Review all accesses to APF libraries and remove or change inappropriate access entries. Ensure that UPDATE and higher accesses are being logged. 45

46 Vanguard Analyzer Excessive Access to APF Libraries Report Generation Vanguard Analyzer : Sensitive/Critical Data Sets Analysis Batch option 4;B Enter option R next to Authorized Program Facility (APF) Table Enter YES for RACF detail 46

47 Analyzing the Report Excessive Access to APF Libraries Review Report Verify that UPDATE or higher access to the APF libraries is limited to senior systems support staff 47

48 Vanguard Configuration Manager Excessive Access to APF Libraries Report Generation Vanguard Configuration Manager : Execute ACP

49 Analyzing the Report Excessive Access to APF Libraries Review Report Verify that UPDATE or higher access to the APF libraries is limited to senior systems support staff 49

50 Assessment #10 Inappropriate Access to FACILITY Class BPX.DAEMON Profile Risk - High Recommended Best Practice and Remediation Daemons are processes that perform services for other users. In order to do this, a daemon must be able to change its identity temporarily to the identity of the user it will perform work for. The RACF FACILITY class profile called BPX.DAEMON can be used to control the use of the daemon functions. Access to BPX.DAEMON must be restricted to the z/os UNIX kernel user ID, z/os UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). Review the access list of the BPX.DAEMON profile to remove any access for users that are not actual z/os UNIX daemons. 50

51 Vanguard Administrator Inappropriate Access to FACILITY Class BPX.DAEMON Profile Report Generation Vanguard Administrator : General Resource Access List (Fastpath 3;4;4) Mask: Class: FACILITY Profile: BPX.DAEMON 51

52 Analyzing the Report Inappropriate Access to FACILITY Class BPX.DAEMON Profile Review Report Verify that access to the profile is restricted to the z/os UNIX kernel user ID and z/os UNIX daemons 52

53 Performing a z/os Vulnerability Assessment Data Analysis WRAP-UP 53

54 Webinar Series Overview Session 1 Session 2 Session 3 Data Collection Review this session anytime from the go2vanguard.com website Data Analysis March 20 th 7am Pacific / 10am Eastern March 26 th 10am Pacific / 1pm Eastern April 1 st 1pm Pacific / 4pm Eastern Remediation April 10 th 8am Pacific / 11am Eastern April 16 th 11am Pacific / 2pm Eastern April 22 nd Noon Pacific / 3pm Eastern Please join us next time and have your data with you 54

55 Vanguard s zsecurity University To register for a webinar or training course: go2vanguard.com Place mouse on Training Customer Savings: Special Discounts for software customers and Vanguard Security & Compliance 2013 attendees Don t forget that all of the Vanguard zsecurity University courses are eligible for CPE Credits and all course materials are provided on a tablet computing device that the attendee keeps at the end of the class. 55

56

57 Questions 57