NIA #46 - Security Exposure/Controls for MVS

 Founded By: Guardian Of Time / Judge Dredd
 Network Information Access -- 19AUG90 -- Judge Dredd -- File 46
 Mother Earth BBS Text Files -- (713)-ITS-DOWN

 Security Exposures and Controls for MVS
 
 MVS has many areas of concern to the data security officer.  If these are
 not adequately addressed, the installation exposes itself to the threats of
 computer viruses, theft and fraud.  This article describes some of the major
 security exposures (hmm, what shall we use these for?) in MVS and suggests a
 remedy for each.
The implementation of most of the suggested control mechanisms requires the
purchase of some type of optional security software package.  This will be
generically referred to as "security software".
 
 AUTHORIZED LIBRARIES
 
Authorized libraries are by far the greatest area of exposure in the MVS
environment.  According to IBM's statement on integrity, MVS guarantees
integrity for all processing done by unauthorized programs running in the
system.  That is, an unauthorized program cannot perform a task that would
compromise the integrity of the system or of data outside the program's realm.
So what is an 'authorized' program?  It is one that can execute privileged
instructions and bypass normal security checks and controls.  IBM never
guaranteed integrity for authorized programs (except for those that it wrote
as part of the operating system).  Indeed, by the very nature of these programs
it is impossible to do so.  The installation is responsible for ensuring
that authorized programs function as desired and that they are secured from
unauthorized access.
For a program to be authorized it must meet 2 criteria.  It must be link-edited
with AC=1 and it must reside in an authorized library.  The first condition
is easy to satisfy: anyone who knows how to link-edit a program can get past
it.  It is the second condition, therefore, on which all the controls are
needed.  That is, the installation must ensure that authorized libraries are
not subject to abuse.
Authorized libraries are installation-defined and are specified in the
following members of SYS1.PARMLIB:
 
 IEAAPFxx
 LNKLSTxx
 LPALSTxx
 
Three steps can be taken to control the use of authorized libraries.
1 - Ensure that there are security profiles protecting all existing
    authorized libraries and allow update access to only a handful
    of individuals.  Further, make sure that security profiles are
    added and deleted as necessary.
2 - Implement formal procedures for adding or deleting authorized libraries
    and for adding, deleting, or modifying programs in an authorized
    library.
3 - Conduct periodic reviews to ensure that everything is in place.
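As an added example (not part of the original NIA file), a small audit for step 1 above: it parses a constructed IEAAPFxx member and flags every authorized library that has no security profile, or whose profile grants UPDATE to more than a handful of users. The member layout assumed is the classic one entry per line, 'DSNAME VOLSER,' with no comma on the last entry; the profile mapping, data set names, volsers and user IDs are all constructed sample data.

```python
"""Audit an IEAAPFxx member against data set security profiles (added example)."""

# Constructed IEAAPFxx member: two libraries with a tight profile, one with no
# profile at all, and one whose profile lets far too many people update it.
IEAAPFXX = """\
SYS1.LINKLIB SYSRES,
SYS2.AUTHLIB PROD01,
USER.OLD.LOADLIB WORK01,
SYS1.SVCLIB SYSRES
"""

# Constructed "security profiles": data set name -> users permitted UPDATE.
# A real installation would pull this from its security software's database.
PROFILES = {
    "SYS1.LINKLIB": ["SYSPRG1", "SYSPRG2"],
    "SYS2.AUTHLIB": ["SYSPRG1", "SYSPRG2", "DEV01", "DEV02", "DEV03", "OPER1"],
    "SYS1.SVCLIB": ["SYSPRG1"],
}

MAX_UPDATERS = 3   # assumed installation policy for "only a handful of individuals"


def parse_ieaapf(text):
    """Return the (dsname, volser) pairs named in an IEAAPFxx member."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")   # trailing comma = more entries follow
        if not line:
            continue
        dsname, volser = line.split()
        entries.append((dsname.upper(), volser.upper()))
    return entries


def audit_apf(member_text, profiles, max_updaters=MAX_UPDATERS):
    """Return (dsname, volser, finding) for each APF library that fails step 1."""
    findings = []
    for dsname, volser in parse_ieaapf(member_text):
        if dsname not in profiles:
            findings.append((dsname, volser, "NO PROFILE"))
        elif len(profiles[dsname]) > max_updaters:
            findings.append((dsname, volser,
                             "UPDATE granted to %d users" % len(profiles[dsname])))
    return findings


if __name__ == "__main__":
    for finding in audit_apf(IEAAPFXX, PROFILES):
        print("%-20s %-6s %s" % finding)
```

The same check belongs in the periodic review of step 3: a library in IEAAPFxx that is missing from the profile list is exactly the gap that the formal add/delete procedures of step 2 are meant to prevent.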
 
TAPE BYPASS LABEL PROCESSING (BLP) PROCEDURES
 
MVS JCL allows the option of bypassing the tape label when processing a tape
data set.  By bypassing the tape label, security checking is not done; thus,
an unauthorized user can read or even destroy tape data.
There are 2 ways to restrict the use of the tape BLP option.  One is to
specify JES2 parameters such that BLP processing is allowed only via specified
initiators, and to control the use of these special initiators.  The second way
is to use the tape management system to disallow this option.
 
 SYSTEM PARAMETER LIBRARIES
 
SYS1.PARMLIB and SYS1.PROCLIB contain system parameters that are used during
system startup.  The parameters in these libraries determine options that will
be in effect for the system.  If an unauthorized person updates data in them,
the system may start improperly or may even fail to start.
 Ensure that security profiles exist to protect these libraries.  Specifically
 keep to a minimum the number of people who can update them.  Also, establish
 change control procedures for all updates to these libraries.
 
 SYSTEM DATA SETS
 
 Data sets beginning with SYS1 are system data sets.  Together they constitute
 the operating system.
 Restrict access, especially UPDATE access, to all system data sets.
 Generally, only the systems programmers need to update the system data sets.
 
 STARTED TASKS
 
 Started tasks are initiated from an operator console.  Started tasks, if not
 properly controlled, can bypass security software to access and even destroy
 important data.
Use the security software to protect all started tasks.  Identify all started
tasks and assign to each one appropriate access using the security system.
Make sure that for each started-task entry in the security system a
corresponding procedure exists in PROCLIB.  Lastly, institute procedures for
adding and removing started tasks.
 
 PROGRAM PROPERTIES TABLE
 
IBM provides the Program Properties Table (PPT) to specify programs needing
special powers.  This table should be protected against unauthorized access.
An unwarranted program in this table can bypass normal security software
processing and checking.  Obsolete or unnecessary programs in the PPT may
result in unauthorized programs gaining special powers.
 Examine all entries in the PPT and make sure each entry is justified.
 
IEHINITT AND IMASPZAP PROGRAMS
 
IEHINITT is the tape initialization program that can destroy tape labels and
therefore data on tape.  IMASPZAP can modify the contents of a program.  Both
these utilities have the potential to cause damage by bypassing security
controls.  An installation may have other programs whose use should be
restricted also.
 Use the program protection feature of the security software to restrict
 access to these programs.
 
 MVS CATALOGS
 
 If an MVS catalog is destroyed, it can result in widespread disruption of
 service.  The MVS master catalog is the most critical because all data set
 searches are funnelled through it.  The master catalog, if properly protected,
 can also enforce data set naming standards for the first-level qualifier.
 For user catalogs, use security software to ensure that only the systems
 programmers are permitted to delete user catalogs.  For a master catalog, ensure
 that only the systems programming staff is permitted to write into, modify or
 delete a master catalog.
 
 SYSTEM EXITS
 
System exits, such as SMF or JES exits, are provided by IBM to modify the
operating system using standardized interfaces.  The intended use is to tailor
the operating system environment to suit an installation.  The use of system
exits to tailor the MVS environment should not be discouraged; however, since
they alter the operating system, their use and implementation must be
monitored.  Otherwise, there is room for a time bomb or virus to creep in.
Guarantee that proper controls and procedures exist for installing system
exits.  Ensure that source code for system exits is always available and
examine the source code to ensure there are no time bombs.  Use the System
Modification Program (SMP) to install all exits.  This will guarantee system
software integrity.
 
 SMF DATA SETS
 
 Security software packages produce SMF records for logging violations and so
 on.  Other system events and activities also generate SMF records; therefore
 many different SMF record types are produced.  However, the system allows
 an installation to specify which SMF record types are to be collected and
which are to be discarded.  This leaves open the possibility that important
 SMF records may have been suppressed, allowing security violations to go
 unnoticed.
 Ensure that the member SMFPRMxx in SYS1.PARMLIB collects records produced
 by the security software and other records required by an installation.
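As an added example (not from the original NIA file), a check that an SMFPRMxx member actually collects the record types an installation requires. It reads only the TYPE(...) or NOTYPE(...) list of the SYS statement, accepting single types and n:m ranges, and ignores SUBSYS overrides; the member text is constructed, and the list of required types is an assumption supplied by the caller (RACF writes its security records as SMF type 80; other security software uses its own type numbers).

```python
"""Verify SMFPRMxx collects the security software's SMF record types (added example)."""
import re

# Constructed SMFPRMxx fragment: the TYPE list omits the range 80:83, so the
# security software's records would be silently discarded.
SMFPRMXX_WEAK = """\
ACTIVE
DSNAME(SYS1.MAN1,SYS1.MAN2)
SYS(TYPE(0,6,14:15,30,70:79,110),INTERVAL(SMF,SYNC))
JWT(0030)
"""

# Same member with the security record types added to the collected list.
SMFPRMXX_FIXED = SMFPRMXX_WEAK.replace("70:79,110", "70:79,80:83,110")


def _expand(spec):
    """Turn a TYPE/NOTYPE list such as '0,14:15,80' into {0, 14, 15, 80}."""
    types = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition(":")      # 'n:m' is an inclusive range
        types.update(range(int(lo), int(hi or lo) + 1))
    return types


def collected_types(member_text):
    """Set of SMF record types (0-255) the member's SYS statement will write."""
    text = " ".join(member_text.split())
    # NOTYPE(...) means "collect everything except these"; note that \bTYPE\(
    # does not match inside NOTYPE( because O and T are both word characters.
    m = re.search(r"\bNOTYPE\(([^)]*)\)", text)
    if m:
        return set(range(256)) - _expand(m.group(1))
    m = re.search(r"\bTYPE\(([^)]*)\)", text)
    if m:
        return _expand(m.group(1))
    return set(range(256))   # assumption: no TYPE/NOTYPE means all types collected


def missing_types(member_text, required):
    """Required record types that this member would discard, sorted."""
    return sorted(set(required) - collected_types(member_text))


if __name__ == "__main__":
    print("weak  member drops:", missing_types(SMFPRMXX_WEAK, [30, 80]))   # [80]
    print("fixed member drops:", missing_types(SMFPRMXX_FIXED, [30, 80]))  # []
```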
 
 SYSTEM LOG
 
 The System Log (SYSLOG) data set contains a log of many of the system
activities.  Among other things, security software violations and other
messages are sent to SYSLOG.  The information contained in SYSLOG is
 useful in tracking down certain events after they have occurred.  For this
 reason, it is essential to have available the SYSLOG for at least the last
 few days.
 Collect the SYSLOG and archive at least daily.  Assuming a daily collection
 cycle, a Generation Data Group (GDG) with 10 generations will allow the viewing
 of the last 10 days' log.  Make sure the GDG is protected by the security
 software to allow read access but not modify or delete access.
 
 TSO TERMINAL TIMEOUT
 
If a TSO terminal is left unattended, anyone can use the TSO user's
powers to access the system.  A terminal may remain signed on but unattended
for a long time, leaving the possibility of abuse.
Use the mechanism MVS provides to automatically log off a terminal session
that has been inactive for x minutes, where x is installation-specified (member
SMFPRMxx in PARMLIB).
 
 VOLUME PROTECTION
 
Some volumes contain sensitive information.  It may be desirable to allow
 only select individuals to look at the VTOCs of these volumes in order to
 prevent misuse of the information.  Use the security software's volume
 protection controls to prevent unauthorized users from viewing the contents
 of these volumes.
 
 TSO ACCOUNT AUTHORITY
 
 This authority allows a person to view and update records in SYS1.UADS
 which contains profile records and information for all TSO users.  With a
 security software package, this information can be stored in the security
 database.  However, there may still be a need to store some important
 information in SYS1.UADS for backup purposes.
 Assign the ACCOUNT authority judiciously.  Minimize the number of people
 who have the TSO ACCOUNT attribute.
 
 TSO OPERATIONS AUTHORITY
 
This attribute allows a person to enter some MVS commands such as the
 display of initiators.  Minimize the number of people who have the TSO
 OPERATIONS attribute.
 
 SECURITY SOFTWARE
 
At IPL time the system may have been tailored such that it asks the operator
if the security software is to be active.  This allows the operator to remove
 the security software from the system.
 Make sure the security software is always active in the system by tailoring
 the system so that at IPL time the security software is automatically started
 and there is no terminating option.
 
 ---
 
Well, that's it. Ugg. It's been a long day. Some comments and such...
Nilrem  "I'm just burned out.  Maybe in Austin the board will be better."
 Guardian Of Time "In December, we'll be back, better than before, and I
 am going to use some of Dr. Ripco's techniques on the
 new board..."
 The People At Phrack - any word on the file that was sent in?
The People At CUD/TD - it's gotten better with time, now you put relevant
stuff in.
 Chester - "when i go over there he lets me rape his system!" hahaha...
 
 well, take it easy people.
 -JUDGE DREDD/NIA
 
 [OTHER WORLD BBS]
 