T 5.116 Tampering with the z/OS system configuration
Interaction with z/OS systems is possible via numerous interfaces, such as the hardware management console, the MVS master console, the enhanced MVS console service, automation processes, the remote MVS console and remote maintenance ports. Some security problems which may be associated with the use of these interfaces are highlighted below.
HMC (hardware management console)
Unauthorised access to the HMC can lead to major security problems. This is because it is possible to change the behaviour of the system during operation from the HMC. It is possible to reinitialise individual LPARs (logical partitions) and even an entire computer group. The HMC can also be used to load new input/output control datasets which are then activated at the next initial program load (IPL). As a result there is a risk, for example, that unrelated disks will be assigned to an LPAR.
MVS master console
One of the ways in which z/OS operating systems are controlled is via MVS consoles. The standard consoles have a fixed connection to the system and do not require an ID or a password. This means that people who have physical access to an MVS console with a high level of authorisation (e.g. to the master console) can enter any MVS command. Unauthorised batch jobs or started tasks can therefore be stopped or started. Furthermore, disks on any system can be placed online if they are generated there. In certain circumstances, it is also possible to regenerate channel paths using MVS commands, and then to append disks that do not belong to this LPAR at all.
Enhanced MVS console service
In addition to the standard MVS consoles, the z/OS operating system provides the EMCS (enhanced MVS console service). This is also offered as a function by various applications, such as TSO, CICS or NetView. Dynamic creation of consoles based on a command script job is possible with EMCS; these consoles can support almost all commands including those which can be used on the standard consoles. If EMCS is not protected or only inadequately protected using RACF profiles, it may be possible, in certain circumstances, to tamper with the z/OS operating system from any terminal.
Risks associated with automation
Automation procedures can be programmed to be triggered by messages. If the automation procedures are not specially protected, there is a risk that automation functions could be started without authorisation by generating a fake message.
Remote MVS console
z/OS systems in different locations can be controlled from a central console. Often a software tool is used for this purpose that enables, for example, control of the LPARs in the z/OS systems, even over large distances. The software tool emulates an MVS console on a conventional PC. If the physical or logical access to such control consoles is inadequately protected, there is a risk of unauthorised tampering with remote z/OS systems from the console.
Remote maintenance ports
A further threat to the z/OS system can result from incorrect configuration of the RSF console (remote support facility). In certain circumstances, an external attacker can exploit errors in the configuration and dial into this console (see also T 5.10 Abuse of remote maintenance ports).
Example:
- RACF was set up in a computer centre such that RACF commands could also be entered from an MVS master console. An unauthorised employee had access to the room in which these consoles were installed. As a consequence, he assigned the SPECIAL privilege to his own user ID. This situation went unnoticed for some time.
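A detection check for the situation in the example above, added here and not part of the original catalogue text: it scans a command audit trail for RACF user commands that grant SPECIAL, OPERATIONS or AUDITOR, and records whether the command was entered at a console or the issuer changed their own user ID. The record layout, user IDs, console name and sample lines are constructed assumptions; a real check would read the installation's own audit records.

```python
import re

# Constructed sample audit trail in a simplified "time|source|issuer|command"
# layout (an assumption for this example, not a real SMF or SYSLOG format).
SAMPLE_LOG = """\
2024-03-01T08:12:03|TSO|SECADM1|ALTUSER JSMITH RESUME
2024-03-01T22:47:10|CONSOLE:MSTCONS|OPER07|ALTUSER OPER07 SPECIAL
2024-03-02T09:05:44|TSO|SECADM1|ALU (BATCH01 BATCH02) OPERATIONS
2024-03-02T09:30:00|TSO|SECADM1|ALTUSER JSMITH NOSPECIAL
2024-03-02T23:01:19|CONSOLE:MSTCONS|OPER07|D A,L
"""

PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # system-wide RACF user attributes
USER_CMDS = {"ALTUSER", "ALU", "ADDUSER", "AU"}    # RACF commands and abbreviations
# Optional leading prefix character, command verb, one user ID or a (list), operands.
CMD_RE = re.compile(r"^\W*(\w+)\s+(\([^)]*\)|\S+)\s*(.*)$")

def parse_grant(command):
    """Return (target_ids, granted_attributes) or None if nothing privileged is granted."""
    m = CMD_RE.match(command.strip().upper())
    if not m or m.group(1) not in USER_CMDS:
        return None
    targets = m.group(2).strip("()").replace(",", " ").split()
    # Drop parenthesised operand values so NAME(SPECIAL) is not read as a keyword.
    keywords = set(re.sub(r"\([^)]*\)", " ", m.group(3)).split())
    granted = sorted(PRIVILEGED & keywords)
    return (targets, granted) if granted else None

def find_privilege_grants(log_text):
    """List every privileged-attribute grant, with the reasons it deserves review."""
    findings = []
    for line in log_text.splitlines():
        if line.count("|") < 3:
            continue  # not a record in the assumed layout
        when, source, issuer, command = line.split("|", 3)
        parsed = parse_grant(command)
        if parsed is None:
            continue
        targets, granted = parsed
        reasons = []
        if source.upper().startswith("CONSOLE"):
            reasons.append("entered at a console")
        if issuer.upper() in targets:
            reasons.append("issuer changed own user ID")
        findings.append({"time": when, "issuer": issuer, "targets": targets,
                         "attributes": granted, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_privilege_grants(SAMPLE_LOG):
        print(f)
```

A grant with an empty reason list, such as the OPERATIONS change made by the security administrator in the sample, is still reported so that it can be matched against an approved change.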