S 4.220 Protection of Unix System Services on z/OS systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Specialists Responsible

Unix System Services (USS) is a POSIX-compatible subsystem that runs under the z/OS operating system. For the general protection of Unix System Services, the safeguards described in module S 3.2 Servers under Unix must be implemented. In addition, the following security aspects need to be taken into account:

Double UID assignments

Steps must be taken to ensure that the same UID cannot be assigned twice, as a UID that is assigned twice prevents accurate assignment to the MVS user ID.

HFS files

HFS files (Hierarchical File System) containing the Unix file system must be protected using RACF file profiles. Only the Unix started task should have access to these RACF profiles. The HFS files should be backed up using HSM (Hierarchical Storage Manager) functions. However, HFS files should not be migrated by HSM. These recommendations also apply to zFS files.

The ROOT file system should be mounted with the READ-ONLY option.

Consideration should be given to protecting the HFS files of the users using the RACF profiles of the corresponding user's ID. To avoid each user with their own HFS file having to run the mount and umount commands, consideration should be given to using the automount function.

The BPXPRMxx member

The most important USS parameters are defined in the BPXPRMxx member of the parmlib. Some parameters describe the resources available (e.g. MAXPROCSYS or MAXPROCUSER). These parameters must be set according to the performance offered by the zSeries hardware or LPAR to prevent the system from becoming overloaded.

Symbolic variables should be used to define this member.

APF authorisation

In the USS file system, APF (Authorized Program Facility) authorisations should never be granted using the File Security Packet (FSP). Instead, the modules should be loaded from APF files of the z/OS operating system.

Superuser UID(0) and UNIXPRIV

Many system commands requiring Superuser (UID 0) permissions for their use on other Unix systems can be protected using the RACF profiles in the RACF class UNIXPRIV when using USS. This means that the administration rights can be managed by RACF, in which case Superuser authorisation only needs to be granted in a few exceptional cases. The recommendations for handling Superuser rights are listed in S 2.289 Use of restrictive z/OS IDs.
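The following added example (not part of the original safeguard text) shows one way to audit the points made under "Double UID assignments" and "Superuser UID(0) and UNIXPRIV": it scans a RACF database unload (IRRDBU00) for UIDs held by more than one user ID and for UID 0 holders outside an approved list. The column offsets for record type 0270, the sample records and the approved list are assumptions and must be checked against the documentation for the installed z/OS release.

```python
from collections import defaultdict

# Assumed IRRDBU00 layout for record type 0270 (user OMVS data), 1-based:
# record type in columns 1-4, user ID in 6-13, UID in 15-24.
OMVS_RECORD_TYPE = "0270"

def _rec(user, uid):
    """Build one constructed 0270 line; uid=None models a segment without UID."""
    uid_field = f"{uid:010d}" if uid is not None else " " * 10
    return f"{OMVS_RECORD_TYPE} {user:<8} {uid_field} /u/{user.lower()}"

# Constructed sample data, not taken from a real system.
SAMPLE_UNLOAD = [
    "0200 ALICE    (basic user record, ignored by the audit)",
    _rec("OMVSKERN", 0),
    _rec("BPXROOT", 0),
    _rec("WEBADM", 0),
    _rec("ALICE", 1001),
    _rec("BOB", 1001),
    _rec("CAROL", 1002),
    _rec("DAVE", None),
]

# Hypothetical site list of user IDs allowed to hold UID 0.
APPROVED_UID0 = {"OMVSKERN", "BPXROOT"}

def parse_omvs_uids(lines):
    """Yield (user_id, uid) for every 0270 record that carries a numeric UID."""
    for line in lines:
        if line[0:4] != OMVS_RECORD_TYPE:
            continue
        user = line[5:13].strip()
        uid_text = line[14:24].strip()
        if user and uid_text.isdigit():
            yield user, int(uid_text)

def audit_uids(lines, approved_uid0=frozenset()):
    """Return (UIDs shared by several user IDs, unapproved UID 0 holders)."""
    by_uid = defaultdict(list)
    for user, uid in parse_omvs_uids(lines):
        by_uid[uid].append(user)
    shared = {uid: sorted(u) for uid, u in by_uid.items() if len(u) > 1}
    unapproved = sorted(set(by_uid.get(0, [])) - set(approved_uid0))
    return shared, unapproved

if __name__ == "__main__":
    shared, unapproved = audit_uids(SAMPLE_UNLOAD, APPROVED_UID0)
    for uid, users in sorted(shared.items()):
        print(f"UID {uid} is assigned to several user IDs: {', '.join(users)}")
    print("UID 0 holders not on the approved list:", unapproved)
```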

BPX.xxx RACF profiles in the FACILITY class

The BPX.xxx RACF profiles in the FACILITY class should be used to protect many USS functions in addition to using the profiles in the UNIXPRIV class. In many cases, it is then unnecessary to grant higher authorisations (e.g. UID 0).

Auditing and monitoring

The USS should be audited and monitored using the same mechanisms as for z/OS. The processes in the USS write SMF records. Access violations are converted to RACF messages and generate messages in the syslog. Both sources should be analysed as described in safeguard S 2.291 Security reporting and security audits under z/OS. Some Unix tasks, for example the web server delivered with the installation, write log information to their own separate files. These files should also be analysed if the corresponding programs are enabled.

Character set conversion

The recommendations in S 4.218 Information on character set conversion in z/OS systems should be taken into account when using the USS subsystem.

Review questions: