zOS Mainframe Security Review/Check/Assessment

All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Postby Hoe San » Tue Aug 19, 2014 9:32 pm

Hi,

I've been tasked to do a mainframe security assessment in my shop. Could any zOS guru give me some guidance on how to begin?
I appreciate all the advice given. Thank you.
Hoe San
 
Posts: 4
Joined: Thu Feb 05, 2009 1:12 pm
Has thanked: 0 time
Been thanked: 0 time

Re: zOS Mainframe Security Review/Check/Assessment

Postby steve-myers » Tue Aug 19, 2014 10:50 pm

What qualifications did you give that made your superiors believe you could perform this task? If you had to do it from scratch, what would you do?
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: zOS Mainframe Security Review/Check/Assessment

Postby Hoe San » Wed Aug 20, 2014 11:56 am

I'm a junior system engineer who has no idea where to start from, as zOS is wide both horizontally and vertically. I appreciate any guidance/advice.
Hoe San
 
Posts: 4
Joined: Thu Feb 05, 2009 1:12 pm
Has thanked: 0 time
Been thanked: 0 time

Re: zOS Mainframe Security Review/Check/Assessment

Postby steve-myers » Wed Aug 20, 2014 11:54 pm

Everyone has to start from somewhere. What would you do?
  1. Is a security package installed?
    The three big ones are IBM's RACF, with CA-Top Secret and CA-ACF2 as alternates. All three are excellent. Like most I have a preference, which I won't disclose here because it's pointless. If none are installed, stop here.
    All three have a testing mode, or "warn" mode. In "warn" mode, userid controls are enabled but resource use is not fully protected. Make sure the security product is not in "warn" mode.
  2. Review how enhanced security authority is distributed. The terms differ between the products; you will have to review the product documentation to find them. You want to look for two major issues.
    • How are userids created? Who can do it? What are the controls? A related issue is how problems are corrected: how, and by whom, can new passwords be assigned if one is forgotten? What are the controls to verify these users are valid?
      RACF and Top Secret have the ability to place users into groups. Does the grouping have anything to do with the current organization's structure? If not (and don't be surprised if it doesn't), can it be corrected? ACF2 does not have this direct ability, but the so-called UID string is supposed to imply grouping. Does it make sense?
    • Storage management. This organization usually has near 100% ability to look at and modify anything.
      Look for users outside storage management who have storage management authority. If possible this authority should be removed.
  3. Verify production data is rigidly isolated from test. Unfortunately this is not firewalled as well as one might like. Look for the breaks in the firewall.
That should get you started. This is security auditing 101.
steve-myers
Global moderator
 
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times
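The checklist in the reply above can be turned into a repeatable review. The script below is an added example, not tooling from the thread or from any vendor: it runs the four checks (warn mode, who holds userid-administration authority, group-versus-organization alignment, storage-management authority outside the storage group, and test groups reaching production data) over a constructed, simplified extract. The flat CSV layout and the `ORG_CHART` mapping are hypothetical stand-ins for a shop's own reporting output; the attribute names `SPECIAL` and `OPERATIONS` follow RACF usage, and the equivalent terms in ACF2 or Top Secret would need to be mapped in.

```python
"""Checklist review over a constructed security-database extract (added
illustration; the CSV layout is a hypothetical export, not a product format)."""
import csv
import io
from typing import Dict, List, Tuple

# ---- constructed sample data ------------------------------------------------
SAMPLE_OPTIONS = {"product": "RACF", "mode": "WARN"}        # constructed

SAMPLE_USERS = """\
userid,department,group,attributes
SYSPROG1,SYSTEMS,SYS1,SPECIAL
STGADM1,STORAGE,STGMGMT,OPERATIONS
PAYCLK1,PAYROLL,PAYROLL,
TSTDEV1,DEVELOPMENT,TEST,OPERATIONS
OLDUSR1,PAYROLL,TEST,
"""

SAMPLE_ACCESS = """\
profile,group,access
PROD.PAYROLL.**,PAYROLL,UPDATE
PROD.PAYROLL.**,TEST,READ
TEST.PAYROLL.**,TEST,ALTER
"""

# Constructed org chart: department -> the security group it should map to.
ORG_CHART = {"SYSTEMS": "SYS1", "STORAGE": "STGMGMT",
             "PAYROLL": "PAYROLL", "DEVELOPMENT": "TEST"}


def parse_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def check_mode(options: Dict[str, str]) -> List[str]:
    """Step 1: the product must not be running in warn/test mode."""
    if options["mode"].upper() == "WARN":
        return [f"{options['product']} is in WARN mode: violations are logged, not enforced"]
    return []


def userid_administrators(users: List[Dict[str, str]]) -> List[str]:
    """Step 2a: who can create userids and reset passwords (RACF SPECIAL here)."""
    return sorted(u["userid"] for u in users if "SPECIAL" in u["attributes"].split())


def group_misalignments(users: List[Dict[str, str]],
                        org_chart: Dict[str, str]) -> List[str]:
    """Step 2a: users whose security group does not match their department."""
    return sorted(u["userid"] for u in users
                  if org_chart.get(u["department"]) != u["group"])


def storage_authority_outside_storage(users: List[Dict[str, str]],
                                      storage_dept: str = "STORAGE") -> List[str]:
    """Step 2b: broad data-access authority (RACF OPERATIONS here) held by
    anyone who is not in the storage-management department."""
    return sorted(u["userid"] for u in users
                  if "OPERATIONS" in u["attributes"].split()
                  and u["department"] != storage_dept)


def prod_reachable_from_test(access: List[Dict[str, str]],
                             prod_prefix: str = "PROD.",
                             test_groups: Tuple[str, ...] = ("TEST",)
                             ) -> List[Tuple[str, str, str]]:
    """Step 3: permissions that let a test group touch production profiles."""
    return sorted((a["profile"], a["group"], a["access"]) for a in access
                  if a["profile"].startswith(prod_prefix)
                  and a["group"] in test_groups)


def review(options=SAMPLE_OPTIONS, users_csv=SAMPLE_USERS,
           access_csv=SAMPLE_ACCESS, org_chart=ORG_CHART) -> Dict[str, list]:
    """Run every check and return the findings keyed by checklist step."""
    users, access = parse_csv(users_csv), parse_csv(access_csv)
    return {
        "1_warn_mode": check_mode(options),
        "2a_userid_admins": userid_administrators(users),
        "2a_group_misaligned": group_misalignments(users, org_chart),
        "2b_storage_authority_outside": storage_authority_outside_storage(users),
        "3_prod_from_test": prod_reachable_from_test(access),
    }


if __name__ == "__main__":
    for step, findings in review().items():
        print(f"{step}: {findings or 'no findings'}")
```

Each check returns data rather than printing it, so the same functions can be pointed at a real export once the column names are mapped. The `2a_userid_admins` list is not a finding by itself; the point of the step is to confirm that every name on it is expected.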
