238 lines
11 KiB
Plaintext
238 lines
11 KiB
Plaintext
|
ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD?
|
||
|
|
3 Founded By: 3 : Network Information Access : 3 Mother Earth BBS 3
|
||
|
|
3 Guardian Of Time 3D: 19AUG90 :D3 Text Files 3
|
||
|
|
3 Judge Dredd 3 : Judge Dredd : 3 (713)-ITS-DOWN 3
|
||
|
|
@DDDDDDDDBDDDDDDDDDY : File 46 : @DDDDDDDDDBDDDDDDDDY
|
||
|
|
3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3
|
||
|
|
3 IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; 3
|
||
|
|
@DDDDDD6 Security Exposures and Controls for MVS GDDDDDDY
|
||
|
|
HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
|
||
|
|
|
||
|
|
MVS has many areas of concern to the data security officer. If these are
|
||
|
|
not adequately addressed, the installation exposes itself to the threats of
|
||
|
|
computer viruses, theft and fraud. This article describes some of the major
|
||
|
|
security exposures (hmm, what shall we use these for?) in MVS and suggests a
|
||
|
|
remedy for each.
|
||
|
|
The Implementation of most of the suggested control mechanisms requires the
|
||
|
|
purchase of some type of optional security software package. This will be
|
||
|
|
generically referred to as "security software".
|
||
|
|
|
||
|
|
|
||
|
|
AUTHORIZED LIBRARIES
|
||
|
|
|
||
|
|
Authorized libraries are by far the greatest area of exposure in the MVS
|
||
|
|
enviornment. According to IBM's statement on integrity, MVS guarantees
|
||
|
|
integrity for all processing done by unauthorized programs running in the
|
||
|
|
system. That is, and unauthorized program cannont preform a task that would
|
||
|
|
compromise the integrity of the system or of data outside the program's realm.
|
||
|
|
So what is an 'authorized' program? It is one that can execute privileged
|
||
|
|
instructions and bypass normal security checks and controls. IBM never
|
||
|
|
guaranteed integrity for authorized programs (except for those that it wrote
|
||
|
|
as part of the operating system). Indeed, by the very nature of these programs
|
||
|
|
it is impossible for them to do so. The installation is responsible to ensure
|
||
|
|
that authorized programs function as desired and that they are secured from
|
||
|
|
unauthorized access.
|
||
|
|
For a program to be authorized it must meet 2 criteria. It must be linkedited
|
||
|
|
with AC=1 and it must reside in an authorized library. The first condition
|
||
|
|
is easy to satisfy. Anyone who knows how to linkedit a program can get past
|
||
|
|
this condition, therefore, in which all the controls are needed. That is, the
|
||
|
|
installation must ensure that authorized libraries are not subject to abuse.
|
||
|
|
Authorized libraries are installation-defined and are specified in the
|
||
|
|
following members of SYS1.PARMLIB:
|
||
|
|
|
||
|
|
IEAAPFxx
|
||
|
|
LNKLSTxx
|
||
|
|
LPALSTxx
|
||
|
|
|
||
|
|
Three steps can be taken to control the use of authorized libraries.
|
||
|
|
1 - ensure that there are security profiles protecting all existing
|
||
|
|
authorized libraries and allow update access to only a handful
|
||
|
|
of induviduals. Further, make sure that security profiles are
|
||
|
|
added and deleted as meccessary.
|
||
|
|
2 - Implement formal procedures for adding or deleting authorized libraries
|
||
|
|
and for adding, deleting, or modifying programs in an autthorized
|
||
|
|
library.
|
||
|
|
3 - Conduct periodic reviews to ensure that everything is in place.
|
||
|
|
|
||
|
|
|
||
|
|
TAPE BYPASS LABEL PCOCESSING (BLP) PROCEDURES
|
||
|
|
|
||
|
|
MVS JCL allows the option of bypassing the tape label when processing a tape
|
||
|
|
data set. By bypassing the tape label, security checking is not done; thus,
|
||
|
|
and unauthorized user can read or even destroy tape data.
|
||
|
|
There are 2 ways to restrict the use of the tape BLP option. One is to
|
||
|
|
specify JES2 parameters such that BLP processing is allowed only via specified
|
||
|
|
initiationrs and control the use of these special initiators. The second way
|
||
|
|
is to use the tape management system to disallow this option.
|
||
|
|
|
||
|
|
|
||
|
|
SYSTEM PARAMETER LIBRARIES
|
||
|
|
|
||
|
|
SYS1.PARMLIB and SYS1.PROCLIB contain system parameters that are used during
|
||
|
|
system startup. The parameters in these systems determine options that will
|
||
|
|
be in effect for the system. If an unauthorized person updates data in them,
|
||
|
|
the system may start improperly or meay even fail to start.
|
||
|
|
Ensure that security profiles exist to protect these libraries. Specifically
|
||
|
|
keep to a minimum the number of people who can update them. Also, establish
|
||
|
|
change control procedures for all updates to these libraries.
|
||
|
|
|
||
|
|
|
||
|
|
SYSTEM DATA SETS
|
||
|
|
|
||
|
|
Data sets beginning with SYS1 are system data sets. Together they constitute
|
||
|
|
the operating system.
|
||
|
|
Restrict access, especially UPDATE access, to all system data sets.
|
||
|
|
Generally, only the systems programmers need to update the system data sets.
|
||
|
|
|
||
|
|
|
||
|
|
STARTED TASKS
|
||
|
|
|
||
|
|
Started tasks are initiated from an operator console. Started tasks, if not
|
||
|
|
properly controlled, can bypass security software to access and even destroy
|
||
|
|
important data.
|
||
|
|
Use the security software to protect all started tasks. Identify all started
|
||
|
|
tasks and assign to each one appropriate access using the security system.
|
||
|
|
Make sure that for each entry a started task exists in PROCLIB. Lastly,
|
||
|
|
institute procedures for adding and removing started tasks.
|
||
|
|
|
||
|
|
|
||
|
|
PROGRAM PROPERTIES TABLE
|
||
|
|
|
||
|
|
IBM provides the Program Properties Table (PPT) to sepcify programs needing
|
||
|
|
sprecial powers. This table should be protected against unauthorized access.
|
||
|
|
An unwarranted program in this table can bypass normal security software
|
||
|
|
processing and checking. Obsolete or unnecesssary programs in the PPT may
|
||
|
|
result in unauthorized programs gaining special powers.
|
||
|
|
Examine all entries in the PPT and make sure each entry is justified.
|
||
|
|
|
||
|
|
|
||
|
|
IEHINTT And IMASPZAP PROGRAMS
|
||
|
|
|
||
|
|
IEHINTT is the tape initialization program that can destroy tape labels and
|
||
|
|
therefore data on tape. IMASPZAP can modify contents of a program. Both these
|
||
|
|
utilities have potential use to cause damage by bypassing security controls.
|
||
|
|
An installation may have other programs whoese use should be restricted also.
|
||
|
|
Use the program protection feature of the security software to restrict
|
||
|
|
access to these programs.
|
||
|
|
|
||
|
|
|
||
|
|
MVS CATALOGS
|
||
|
|
|
||
|
|
If an MVS catalog is destroyed, it can result in widespread disruption of
|
||
|
|
service. The MVS master catalog is the most critical because all data set
|
||
|
|
searches are funnelled through it. The master catalog, if properly protected,
|
||
|
|
can also enforce data set naming standards for the first-level qualifier.
|
||
|
|
For user catalogs, use security software to ensure that only the systems
|
||
|
|
programmers are permitted to delete user catalogs. For a master catalog, ensure
|
||
|
|
that only the systems programming staff is permitted to write into, modify or
|
||
|
|
delete a master catalog.
|
||
|
|
|
||
|
|
|
||
|
|
SYSTEM EXITS
|
||
|
|
|
||
|
|
System exits, such as SMF or JES exits, are provided by IBM to modify the
|
||
|
|
operating system using standardized interfaces. The intended use is to tailor
|
||
|
|
the operating system environment to suit an installation. The use of system
|
||
|
|
exits to tailor the MVS enviornment should not be discouraged; however, since
|
||
|
|
they alter the operating system, their use and implementation must me
|
||
|
|
monitored. Otherwaire, there is room for a time bomb or virus to creep in.
|
||
|
|
Guarantee that proper controls and procedures exist for installing system
|
||
|
|
exits. Ensure that source code for system exits is always availalbe and
|
||
|
|
examine the source code to ensure there are no time bombs. Use the System
|
||
|
|
Modification Program (SMP) to install all exits. This will guarantee system
|
||
|
|
software integrity.
|
||
|
|
|
||
|
|
|
||
|
|
SMF DATA SETS
|
||
|
|
|
||
|
|
Security software packages produce SMF records for logging violations and so
|
||
|
|
on. Other system events and activities also generate SMF records; therefore
|
||
|
|
many different SMF record types are produced. However, the system allows
|
||
|
|
an installation to specify which SMF record types are to be collected and
|
||
|
|
which are to be disgarded. This leaves open the pssibility that important
|
||
|
|
SMF records may have been suppressed, allowing security violations to go
|
||
|
|
unnoticed.
|
||
|
|
Ensure that the member SMFPRMxx in SYS1.PARMLIB collects records produced
|
||
|
|
by the security software and other records required by an installation.
|
||
|
|
|
||
|
|
|
||
|
|
SYSTEM LOG
|
||
|
|
|
||
|
|
The System Log (SYSLOG) data set contains a log of many of the system
|
||
|
|
activities. Among other things, security software violations and other
|
||
|
|
messages that are sent to SYSLOG. The information contained in SYSLOG is
|
||
|
|
useful in tracking down certain events after they have occurred. For this
|
||
|
|
reason, it is essential to have available the SYSLOG for at least the last
|
||
|
|
few days.
|
||
|
|
Collect the SYSLOG and archive at least daily. Assuming a daily collection
|
||
|
|
cycle, a Generation Data Group (GDG) with 10 generations will allow the viewing
|
||
|
|
of the last 10 days' log. Make sure the GDG is protected by the security
|
||
|
|
software to allow read access but not modify or delete access.
|
||
|
|
|
||
|
|
|
||
|
|
TSO TERMINAL TIMEOUT
|
||
|
|
|
||
|
|
If a TSO terminal is left unattended, anyone can manipulate the TSO user's
|
||
|
|
powers to access the system. A terminal may remain signed on by unattended
|
||
|
|
for a long time, leaving the possibility of abuse.
|
||
|
|
Use the mechanism MVS provides to automatically logoff a terminal session
|
||
|
|
that has been inactive for x minutes, where x is installation-specified (member
|
||
|
|
SMFPRMxx in PARMLIB).
|
||
|
|
|
||
|
|
|
||
|
|
VOLUME PROTECTION
|
||
|
|
|
||
|
|
Some volumes contain sensitive information. It maybe desireable to allow
|
||
|
|
only select individuals to look at the VTOCs of these volumes in order to
|
||
|
|
prevent misuse of the information. Use the security software's volume
|
||
|
|
protection controls to prevent unauthorized users from viewing the contents
|
||
|
|
of these volumes.
|
||
|
|
|
||
|
|
|
||
|
|
TSO ACCOUNT AUTHORITY
|
||
|
|
|
||
|
|
This authority allows a person to view and update records in SYS1.UADS
|
||
|
|
which contains profile records and information for all TSO users. With a
|
||
|
|
security software package, this information can be stored in the security
|
||
|
|
database. However, there may still be a need to store some important
|
||
|
|
information in SYS1.UADS for backup purposes.
|
||
|
|
Assign the ACCOUNT authority judiciously. Minimize the number of people
|
||
|
|
who have the TSO ACCOUNT attribute.
|
||
|
|
|
||
|
|
|
||
|
|
TSO OPERATIONS AUTHORITY
|
||
|
|
|
||
|
|
The attribute allows a person to enter some of MVS commands such as the
|
||
|
|
display of initiators. Minimize the number of people who have the TSO
|
||
|
|
OPERATIONS attribute.
|
||
|
|
|
||
|
|
|
||
|
|
SECURITY SOFTWARE
|
||
|
|
|
||
|
|
At IPL time the system may have been tailored such that is asks the operator
|
||
|
|
if the cecurity software is to be active. This allows the operator to remove
|
||
|
|
the security software from the system.
|
||
|
|
Make sure the security software is always active in the system by tailoring
|
||
|
|
the system so that at IPL time the security software is automatically started
|
||
|
|
and there is no terminating option.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
Well thats it. Ugg. Its been a long day. Some comments and such...
|
||
|
|
Nilrem "I'm just burned out. Mabye in Austin the board will be better."
|
||
|
|
Guardian Of Time "In December, we'll be back, better than before, and I
|
||
|
|
am going to use some of Dr. Ripco's techniques on the
|
||
|
|
new board..."
|
||
|
|
The People At Phrack - any word on the file that was sent in?
|
||
|
|
The People At CUD/TD - its gotten better with time, now you put relevant
|
||
|
|
stuff in.
|
||
|
|
Chester - "when i go over there he lets me rape his system!" hahaha...
|
||
|
|
|
||
|
|
well, take it easy people.
|
||
|
|
-JUDGE DREDD/NIA
|
||
|
|
|
||
|
|
[OTHER WORLD BBS]
|
||
|
|
|
||
|
|
|
||
|
|
|