zOS Mainframe Security Review/Check/Assessment

Posted: Tue Aug 19, 2014 9:32 pm
by Hoe San
Hi,

Been tasked to do a mainframe security assessment in my shop. May any zOS guru give me some guidance on how to begin with?
Appreciate all the advice given. Thank you.

Re: zOS Mainframe Security Review/Check/Assessment

Posted: Tue Aug 19, 2014 10:50 pm
by steve-myers
What qualifications did you give that gave your superiors that you could perform this task? If you had to do it from scratch, what would you do?

Re: zOS Mainframe Security Review/Check/Assessment

Posted: Wed Aug 20, 2014 11:56 am
by Hoe San
A junior system engineer who has no idea where to start, as zOS is wide horizontally and vertically. Appreciate any guidance/advice.

Re: zOS Mainframe Security Review/Check/Assessment

Posted: Wed Aug 20, 2014 11:54 pm
by steve-myers
Everyone has to start from somewhere. What would you do?
  1. Is a security package installed?
    The three big ones are IBM's RACF, with CA-Top Secret and CA-ACF2 as alternates. All three are excellent. Like most, I have a preference, which I won't disclose here because it's pointless. If none are installed, stop here.
    All three have a testing mode, or "warn" mode. In "warn" mode, userid controls are enabled but resource use is not fully protected. Make sure the security product is not in "warn" mode.
  2. Review how enhanced security authority is distributed. The terms differ between the products; you will have to review product documentation to find the terms. You want to look for two major issues.
    • How are userids created? Who can do it? What are the controls? A related issue is how are problems corrected? How and who can assign new passwords if one is forgotten? What are the controls to verify these users are valid?
      RACF and Top Secret have the ability to place users into groups. Does the grouping have anything to do with the current organization's structure? If not (and don't be surprised if it doesn't), can it be corrected? ACF2 does not have this direct ability, but the so-called UID string is supposed to imply grouping. Does it make sense?
    • Storage management. This organization usually has near 100% ability to look at and modify anything.
      Look for users that are not storage management with storage management authority. If possible this authority should be removed.
  3. Verify production data is rigidly isolated from test. Unfortunately this is often not firewalled as well as one might like. Look for the breaks in the firewall.
That should get you started. This is security auditing 101.
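The three items above translate naturally into a small automated checker. The following is an added example, not code from the thread: it runs over constructed user and dataset-profile records using the RACF terms OPERATIONS (broad dataset authority, typically held by storage management) and WARNING (access failures logged but permitted); the group names STGADMIN, TESTDEV and QAUSERS and the PROD. prefix are assumptions, not real site values.

```python
"""Checker for the three audit items in the post above (added example)."""
from dataclasses import dataclass


@dataclass
class User:
    userid: str
    groups: set        # RACF groups the user is connected to
    attributes: set    # e.g. {"SPECIAL", "OPERATIONS"}


@dataclass
class DatasetProfile:
    name: str          # generic dataset profile, e.g. "PROD.PAYROLL.**"
    warning: bool      # WARNING attribute set: protection is effectively off
    access_list: dict  # group or userid -> access level (NONE/READ/UPDATE/ALTER)


# Assumed site conventions (hypothetical, not taken from the thread).
STORAGE_GROUP = "STGADMIN"
TEST_GROUPS = {"TESTDEV", "QAUSERS"}

# Constructed sample records standing in for LISTUSER / LISTDSD output.
SAMPLE_USERS = [
    User("STGADM1", {"STGADMIN", "SYS1"}, {"OPERATIONS"}),
    User("DEV042", {"TESTDEV"}, {"OPERATIONS"}),   # OPERATIONS outside storage mgmt
    User("SECADM", {"SYS1"}, {"SPECIAL"}),
]
SAMPLE_PROFILES = [
    DatasetProfile("PROD.PAYROLL.**", False, {"PAYROLL": "READ", "TESTDEV": "UPDATE"}),
    DatasetProfile("PROD.GL.**", True, {"FINANCE": "UPDATE", "TESTDEV": "NONE"}),
    DatasetProfile("TEST.**", False, {"TESTDEV": "ALTER", "QAUSERS": "UPDATE"}),
]


def profiles_in_warning_mode(profiles):
    """Item 1: profiles whose WARNING attribute defeats the protection."""
    return sorted(p.name for p in profiles if p.warning)


def users_with_stray_operations(users, storage_group=STORAGE_GROUP):
    """Item 2: OPERATIONS authority held outside the storage-management group."""
    return sorted(u.userid for u in users
                  if "OPERATIONS" in u.attributes and storage_group not in u.groups)


def prod_profiles_open_to_test(profiles, test_groups=TEST_GROUPS):
    """Item 3: production profiles granting a test group anything above NONE."""
    return sorted((p.name, who, level)
                  for p in profiles if p.name.startswith("PROD.")
                  for who, level in p.access_list.items()
                  if who in test_groups and level != "NONE")
```

Run against real data, each function would be fed records extracted from the security product's own listing commands or database unload; the flagged items are the "breaks in the firewall" the post tells you to look for.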