More Related Content Similar to How to Increase User Accountability by Eliminating the Default User in Unix Systems Services (USS) in z/OS (20) More from CA Technologies (20) How to Increase User Accountability by Eliminating the Default User in Unix Systems Services (USS) in z/OS1. How to Increase User Accountability by Eliminating
the Default User in Unix Systems Services (USS)
in z/OS
Julie-Ann Williams
Mainframe
millennia…
Director / Security Specialist
MFX26S
#CAWorld
2. 2 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
© 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type
of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
3. 3 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Abstract
Hear an overview of implementation considerations for
sites that are preparing for the removal of default UNIX
authorization assignments (for both USERs and GROUPs).
IBM’s z/OS 1.13 is the last planned release to support
BPX.DEFAULT.USER.
Security professionals should attend this session to learn
more about best practices for managing this change, and
the specific features of CA Top Secret and CA ACF2
supporting your work to complete the changeover.
Julie-Ann
Williams
millennia…
4. 4 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Agenda
USS – DEPRECATION OF BPX.DEFAULT.USER
WHAT’S THE PROBLEM?
HOW DID WE GET HERE?
WHAT NEEDS TO BE DONE TO FIX IT?
Q & A SESSION
1
2
3
4
5
5. 5 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Today’s Discussion
A Few Words to Review
BPX.DEFAULT.USER
IBM has deprecated the use of
BPX.DEFAULT.USER from z/OS
v2r1.
z/OS Impacted
If you use USS and haven’t
already addressed the problem
you may have critical issues
which can stop elements of
z/OS from working.
Convert to Unique
There is no justification for
allowing default access to Unix
Systems Services.
If your user hasn’t justified
their need then they shouldn’t
be granted access.
Just like any other z/OS
resource!
6. 6 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Today’s Discussion
A Few Words to Review
USS – deprecation of BPX.DEFAULT.USER
I don’t want to sound like a scare-monger but... If you have BPX.DEFAULT.USER defined in your z/OS security system then you
almost certainly have a problem!
Unix System Services has always been the unloved cousin of z/OS having been forced on us, unceremoniously, back in the late
1990s. We didn’t know anything about Unix at the time but “suddenly” we were told that without it we wouldn’t be able to
use FTP! Most of us took a classic, head-in-the-sand approach and that was to use defaults wherever possible. That way
everything kept running and we didn’t have to learn something new.
For some reason that attitude has prevailed for the last 15 or so years. And it is because of this, that our Team still see many
z/OS installations with very limited control over USS in their environment.
z/OS v2r1 presents us all with a challenge.
7. 7 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Significant change in how default access to USS is granted
from z/OS 2.1
– BPX.DEFAULT.USER is replaced by new resources
– Potential show-stopper
Essential z/OS services may not function!
Is USS the Elephant in the Room?
BPX.DEFAULT.USER RESOURCE IS NO LONGER SUPPORTED
8. 8 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
POSIX compliant UNIX server emulation
– Portable Operating System Interface for UNIX
a set of standards that define various aspects of the UNIX operating system.
– From the users perspective it’s a UNIX server
– From the z/OS perspective just another supported service
What is USS?
UNIX SYSTEM SERVICES
9. 9 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
What is USS?
A LITTLE BIT OF BACKGROUND
z/OS System UNIX System
Services
TCPIP Network
Websphere
JAVA
FTP
Email / SMTP
Business
Applications
Other Services
E.g. TSO
EBCDIC ASCII
INTRANET
INTERNET
User
User?
Customer?
Hacker?
10. 10 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Different File system structures
Different data encoding
– USS = ASCII
– z/OS = EBCDIC
Different security models
z/OS vs USS
LOGICAL BOUNDARY USED TO KEEP Z/OS AND USS PROCESSES SEPARATED
Apples vs. Oranges
11. 11 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
People
– Users
– Groups
Stuff
– Files
– Resources
System z Security
SECURITY FUNDAMENTALS
12. 12 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Fundamentally different security models
In general
– z/OS Security protects z/OS resources
– USS Security protects USS resources
Both security processes involved when
action involves z/OS and USS resources
Dual Security Model
SECURITY FUNDAMENTALS
Apples vs. Oranges
13. 13 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Users
– 8 Character limit, Alpha/Alpha-numeric
– One id per user
– Each User has a default group
Groups
– 8 character limit, Alpha/Alpha-Numeric
– Contains 1 or more Users
z/OS Security
CA ACF2, CA TOP SECRET AND IBM’S RACF
14. 14 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Access to ‘stuff’ controlled using rules/profiles
Access to profiles granted to multiple Users and/or Groups
– Or by resource default (universal) access
Profiles based on z/OS independent qualifier logic
– e.g.
MY.DATA.-
MY.SECRET.DATA.-
z/OS Security
CA ACF2, CA TOP SECRET AND IBM’S RACF
15. 15 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
UIDs
– Numeric, 0 – 2,147,483,647
– One UID per user
– UID(0) = Superuser = God Mode
GIDs
– Numeric, 0- 2,147,483,647
– Contain 1 or more UIDs
USS Security
UNIX SECURITY
16. 16 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Access to ‘stuff’ controlled using resources’ UNIX “File
Security Packet” contents
Hierarchical structure for all resources including files
USS Security
UNIX SECURITY - CONNECTING USERS TO STUFF
17. 17 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
UNIX FSP includes:
– Permission bits Owner : Group : Other
Only 1 Owner (UID), 1 Group (GID)
Other = Default (universal) Access
– UNIX Access Control List
Individual Group/User access
– Stored with resource in USS File system
– Values inherited from parent resource, system defaults or set manually
USS Security
UNIX SECURITY - CONNECTING USERS TO STUFF
18. 18 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
USS security UID’s & GID’s mapped to z/OS security
Users & Groups
Nominally 1 to 1 mapping
User must have valid UID and Default GID to access USS
Allocated explicitly or inherited via USS default access facility
USS Security
UNIX SECURITY - CONNECTING USERS TO STUFF
19. 19 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
UID, Default GID & up to 300 supplementary group GIDs
used for authority checks
– 256 for CA-TSS
USS Security
UNIX SECURITY - CONNECTING USERS TO STUFF
20. 20 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Explicit Access
– Specific unique UID & GID values assigned to Userids & Groups
– Fixed auditable assignments
– Simple to audit usage
Access to USS
EXPLICIT VS DEFAULT
21. 21 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Default Access
– Single UID & GID values assigned to all callers
– Allocated ‘on demand’
– Very complex to audit usage
Access to USS
EXPLICIT VS DEFAULT
22. 22 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Single fixed UID and GID values
Allocated to user if id has no UID or GID values
– Dynamically assigned at logon/use of USS
– Temporary assignment
All users assigned the same numbers
USS Default Access – Historic
BPX.DEFAULT.USER
23. 23 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Range of UID & GID values
Next unique UID and or GID values automatically assigned to
USERID and Default Group if none found
Permanently assigned on first access to USS
USS Default Access – New
BPX.UNIQUE.USER & BPX.NEXT.USER
24. 24 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Unique ranges per database
Max 129 users or groups sharing a single UID or GID
RACF database AIM(2) or higher required
USS Default Access – New
BPX.NEXT.USER
25. 25 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
RACF database AIM(3)
UNIXPRIV class active and SHARED.IDS profile defined
USS Default Access – New
BPX.UNIQUE.USER
26. 26 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
UNIXOPTS GSO DFTUSER & DFTGROUP no longer used
BPX.NEXT.USER
– UID & GID ranges set via AUTOIDOM GSO record
BPX.UNIQUE.USER
– MODLUSER & UNIQUSER (UNIXOPTS GSO)
RO55702
– Create facility resource rule that traces any use of BPX.DEFAULT.USER
USS Default Access – New
CA ACF2 SPECIFICS
27. 27 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
OMVSUSR & OMVSGRP control options no longer used
BPX.NEXT.USER
– UID & GID ranges set via DFLTRNGU / DFLTRNGG control options
BPX.UNIQUE.USER
– MODLUSER & UNIQUSER control options
RO58980
– Adds ability to cut trace records for BPX.DEFAULT.USER usage
USS Default Access – New
CA TOP SECRET SPECIFICS
28. 28 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
‘On Demand’ access to a business critical service?
Hackers know how to misuse it!
And who else?
Default Access to USS?
HOW ARE YOU JUSTIFYING THIS TO YOUR AUDITOR?
29. 29 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Any z/OS Userid can access USS ‘on demand’
– not just those that need it
Can access any USS resource where ‘OTHER’ value
is READ or above
Can access any z/OS dataset with uacc
of READ or above
Default Access to USS?
IMPLICATIONS OF DEFAULT ACCESS TO USS
30. 30 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Very complex to audit accurately
– Multiple compensating controls required
– USS Security policy must justify its usage
Default Access to USS?
IMPLICATIONS OF DEFAULT ACCESS TO USS
31. 31 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
IBM Presentation to RACF User Group 2013:
– Shared UID produces audit non-conformances
– No accountability for who did what, who owns what, etc.
If a Unix service creates a resource while running with
a shared UID, that resource is available to all users running
with that shared UID
Default Access to USS?
WHAT'S WRONG WITH USING BPX.DEFAULT.USER?
ftp://public.dhe.ibm.com/.../nyrug_2013_03_default_user_removal.pdf
32. 32 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Robert Hansel, RSH Consulting, presentation
to SHARE in 2013:
– Shared ID ‐ accountability difficult to establish ‐ frequent audit finding
– UID becomes OWNER of File System objects created by a user using
the Unix Default User
– UID becomes OWNER of File System objects when "chown"
specifies a USERID that does not have an OMVS segment
Default Access to USS?
WHAT'S WRONG WITH USING BPX.DEFAULT.USER?
https://share.confex.com/.../RSH%20Consulting%20-%20BPX.DEFAULT.USER%20-%202013-08%20-%20SHARE%20-%2013393.pdf
33. 33 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Baseline current configuration
– Identify who is using the default access facility
– Identify and resolve conflicts
Design new configuration, processes, mitigating controls etc.
Implementation
Ongoing monitoring and compliance
Conversion to Unique Users
MULTI-STEP PROCESS
34. 34 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
What UID & GID values are you using?
Are any being shared between multiple ids/groups?
Do the additional resources required by BPX.NEXT.USER exist?
Who is using BPX.DEFAULT.USER?
Conversion to Unique Users
BASELINE AND USAGE
35. 35 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Implement unique UID and GID values as required
Resolve any Shared values
– No UID can be shared by more than 129 users
– This also applies to GIDs
Correct USS file system FSP permission bits and ACLs
Conversion to Unique Users
RESOLVING CONFLICTS
36. 36 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Correcting z/OS ACLs
– RACF via FSSEC
– CA-ACF2 via CA SAF HFS security
– CA-TSS via HFSACL
Achieving multi-system or site-wide UID / GID uniqueness
Maintaining Uniqueness
Conversion to Unique Users
COMPLEX CONVERSIONS CHALLENGES
37. 37 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Whatever happens your z/OS USS Security Policy
will need updating
New procedures
Changes to auditing
You do have one….?
USS Security Policy
THE CORNERSTONE OF AUDIT
38. 38 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Monitoring USS activity
– Update existing processes
– Additional processes
Compliance with USS Policy
– Checking for the ‘human’ factor
USS Monitoring and Compliance
THE CORNERSTONE OF AUDIT
39. 39 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
“Hackerne er 100 procent gået efter mainframes og 100 procent efter zOS
(operativsystemet i mainframes, red.), og man kan sige, at med disse angreb in
mente har mainframen i hvert fald mistet sin uskyldighed” siger Peter Kruse
“The hackers are 100 percent gone after mainframes and 100 percent after zOS
(operating in mainframes, ed.), And one can say that with these attacks in
mind, the mainframe certainly lost its innocence” said Peter Kruse (sic)**
** Google translate
One Last Thought
COMPUTERWORLD.DK INTERVIEW IN 2013 WITH PETER KRUSE FROM CSIS SECURITY GROUP
http://www.computerworld.dk/art/227172/efter-det-store-csc-hack-flere-sager-paa-vej
40. 40 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Swedish Breach reported to include:
– RACF database with 120k userids
– 10,000+ datasets
– Entire ‘/’
– Sensitive personal data including financial details
One Last Thought
WHAT DO YOU HAVE TO LOSE?
41. 41 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Danish Breach reported to include:
– Large number of files from the Danish Police
– Drivers license data
including 4 million social security numbers
Both breaches were initially undetected!
One Last Thought
WHAT DO YOU HAVE TO LOSE?
CIA World Factbook - Denmark; pop 5.6 million (Est April 2014)
42. 42 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
Q & A
43. 43 © 2015 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
For More Information
To learn more, please visit:
http://cainc.to/Nv2VOe
CA World ’15