The objective of this service
offering is to provide technical consulting and review regarding the
establishment of CA-Top Secret (TSS) mainframe security for the Unix Systems
Services (USS) environment within IBM OS/390 release 2.6. During a three to five man-day effort, a
information security consultant familiar with the setup of TSS and USS security
will review the steps already taken to establish security for the USS
environment and will provide recommendations and knowledge transfer regarding
the securing of this Unix environment.
Specific areas in which Unix security will be examined include the following. In each of these areas, actions already taken
to provide security will be audited and recommendations will be made.
q
TSS setup for USS base Servers such as OMVS, INETD,
BPXOINIT
q
TSS setup of basic Unix Groups (OMVSGRP, TTY)
q
Considerations surrounding the setup and maintenance of Unix
Userids (UIDs)
q
TSS setup of basic Unix Superuser
control
q
Considerations surrounding the setup of default Unix Profile
for users
q
Security for base TCPIP and related servers (TCPIP, FTP,
PORTD, SNMPD)
q
Security for optional Servers including the IBM Internet Web
Server, NFS/DFS, DCE, LDAP
q
TSS
setup for USS base Servers
The
setup of User ACIDs and Started-Task definitions with
TSS will be reviewed and adjusted based upon recommendations and
discussion. USS base Servers include
OMVS, INETD, and BPXOINIT.
Knowledge
transfer will be performed to ensure that security reporting and monitoring
practices are understood for this Unix
environment. Specifically, proper setup
of the TSSOERPT utility report will be verified. Also, use of the TSSUTIL and TSSTRACK
utilities, as they pertain to Unix control, will be
discussed.
q
TSS
setup of basic Unix Groups
The
philosophy for maintaining Unix Groups will be reviewed, discussed, and
adjusted as agreed. A minimum number of
Unix Groups must be defined. The proper
setup of these Groups will be verified.
q
Considerations
surrounding the setup and maintenance of Unix Userids
(UIDs)
The
procedures and philosophy for maintaining Unix Userids
(UIDs) will be reviewed, discussed, and adjusted as
agreed. A moderate number of Unix userids must be defined for
initial USS operation. The proper setup
of these userids will be verified.
q
TSS
setup of basic Unix Superuser control
The
procedures and philosophy for maintaining control for Unix
“Super Users” will be reviewed, discussed, and adjusted as agreed. In particular, the use of the securable
“BPX.*” resources within the FACILITY resource class will be presented.
q
Considerations
surrounding the setup of default Unix Profile for users
The optional capability to create a
default profile for users access of this Unix
environment will be reviewed and discussed.
The complexity of allowing end-user FTP access, while not allowing,
other Unix environment access will be presented.
q
Security
for base TCPIP and related servers (TCPIP, FTP, PORTD, SNMPD)
Likely the most important area to be
reviewed and discussed regards the TCPIP service. This service is the gateway by which remote,
network access, is made to this Unix environment. The setup of security for base TCPIP servers
will be verified. More importantly, the
limitations of mainframe security over Unix
applications commonly accessible via TCPIP will be presented. The need to consider application security
controls in Unix applications such as the IBM Web
Server will be emphasized.
q
Security
for optional Servers including the IBM Internet Web Server, NFS/DFS, DCE, LDAP
The
setup of User ACIDs and Started-Task definitions
within TSS for these servers will be reviewed and adjusted based upon
recommendations and discussion.