T 5.120 Tampering with the Linux/zSeries system configuration
Three different Linux operating modes are possible on zSeries:
- Linux native on zSeries hardware
- Linux on a zSeries LPAR
- Linux under the z/VM host system
Further information on the Linux operating modes in zSeries is given in the safeguard S 3.41 Introduction to Linux and z/VM for zSeries systems.
All three Linux operating modes with zSeries are exposed to the threats described in module S 3.2 Servers under Unix.
Mainframe-specific threats when using Linux
When using Linux on zSeries mainframes there may be other security problems over and above the threats described in module S 3.2 Servers under Unix, some of which are outlined below:
Linux on a zSeries LPAR
Threats relating specifically to the mainframe ensue from the possible effects on the zSeries hardware:
- By accessing the HCD functions (Hardware Configuration Definition), employees can allocate hardware resources, such as hard disks, to the Linux partition without authorisation. As a result, the Linux operating system has access to the hardware resources.
- Access to the HMC (hardware management console) makes it possible to tamper with aspects such as starting, stopping, and the allocation of resources to an LPAR. This is covered in relation to the z/OS operating system in T 5.116 Tampering with the z/OS system configuration. Equally critical in terms of security is access to SEs (service elements). The service element is a component in the zSeries hardware providing the same range of functions as an HMC.
Linux on the z/VM host system
In this scenario Linux is operated on the emulated hardware of a virtual machine. The virtual machine's emulated hardware is provided by z/VM running on the real zSeries hardware. Physical access to the real resources is gained via z/VM only.
The threats relating specifically to the mainframe ensue partly from the possible effects on emulated hardware and partly from the possible effects on z/VM.
- Access to HCD functions and to the HMC can be misused, as in the Linux on a zSeries LPAR operating mode.
- Employees who are allowed to issue critical z/VM commands can, in certain circumstances, seriously jeopardise the operational stability of z/VM and with it that of the Linux operating systems running on it.
- Employees who obtain unauthorised access to the DIRMAINT utility can also, for example, generate new virtual systems or allocate minidisks belonging to one Linux system to another. If z/VM RACF is not used, user IDs can also be administrated using DIRMAINT.
- If the security component z/VM RACF (Resource Access Control Facility) is used in the z/VM operating system, the threats for the z/OS operating system under z/VM are comparable to those described in T 3.72 Incorrect configuration of the z/OS security system, RACF. Employees who have high level RACF/VM authorisation (e.g. SPECIAL) can tamper with other z/VM IDs and authorisations using RACF/VM.
- If authentication in Linux is handled by the PAM module (Pluggable Authentication Module) via an LDAP link to z/OS RACF, then Linux IDs and authorisations can also be changed by employees with high level z/OS RACF authorisation.
Example:
- For historical reasons, an employee still had the authorisation to use the DIRMAINT function in z/VM. The employee exploited this right to generate and use a private Linux system. As a result of this usage, the zSeries machine was deprived of the resources required for normal processes.