Security for Linux on System Z

Total Page:16

File Type:pdf, Size:1020Kb

Security for Linux on System Z Front cover Security for Linux on System z Securing the System z infrastructure Securing z/VM Securing Linux guests Lydia Parziale Vic Cross Shrirang Kulkarni Guillaume Lasmayous Nicolas Schmid Ricardo Sousa Karl-Erik Stenfors ibm.com/redbooks International Technical Support Organization Security for Linux on System z January 2010 SG24-7728-00 Note: Before using this information and the product it supports, read the information in “Notices” on page vii. First Edition (January 2010) This edition applies to z/VM version 5.4. Novell SUSE Linux Enterprise Server version 11 and Red Hat Enterprise Linux version 5.4. © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . vii Trademarks . viii Preface . ix The team who wrote this book . .x Become a published author . xiii Comments welcome. xiv Chapter 1. Introduction. 1 1.1 Hardware configuration . 2 1.2 z/VM configuration . 2 1.3 Linux distributions . 2 1.4 Other software used . 2 1.5 Disk storage configurations. 2 Chapter 2. The z/VM security management support utilities . 3 2.1 The need for security management in z/VM . 4 2.1.1 Scaling-up the proof-of-concept . 4 2.2 External security management . 4 2.2.1 z/VM internal security . 4 2.2.2 Reasons to use an ESM . 5 2.2.3 Selective enablement of an ESM . 6 2.3 User directory management . 6 2.3.1 User management . 7 2.3.2 Disk management . 7 2.4 ESM and directory manager security observations. 8 2.5 Securing console access to z/VM virtual machines . 8 2.5.1 The role of console management in securing your environment . 9 2.5.2 The z/VM LOGONBY function . 9 2.5.3 Using a console management utility . 10 2.6 Securing network access to z/VM . 14 2.6.1 z/VM Telnet server . 14 2.6.2 z/VM FTP server . 21 2.7 Securing z/VM resources . 24 2.7.1 Built-in security features . 24 2.7.2 Securing z/VM resources with RACF . 27 2.7.3 Securing TCP/IP service machines with RACF . 28 2.7.4 Centralized authentication . 29 2.7.5 Centralized audit . 29 2.8 z/VM Directory Maintenance Facility (DirMaint) . 38 2.8.1 DirMaint features. 38 2.8.2 Customizing DirMaint . 39 2.8.3 Using DirMaint . 45 Chapter 3. Configuring and using the z/VM LDAP server . 49 3.1 The z/VM LDAP server . 50 3.1.1 LDAP server back ends . 50 3.1.2 The relationship between z/VM LDAP server and RACF . 51 3.2 Setting up the z/VM LDAP server . 51 © Copyright IBM Corp. 2010. All rights reserved. iii 3.2.1 Activating the z/VM LDAP server . 51 3.2.2 Adding schemas supplied by IBM to LDBM . 54 3.3 Extending the LDBM schema . 54 3.3.1 LDAP schema dependencies for Linux. 54 3.3.2 Adding schemas to the z/VM LDAP server. 56 3.4 Using phpLDAPadmin to manage the z/VM LDAP server . 59 3.4.1 Installing phpLDAPadmin . 60 3.4.2 Common schemas supporting phpLDAPadmin . 62 3.4.3 Updating LDBM using phpLDAPadmin. 63 3.5 LDBM and Native Authentication . 81 3.5.1 LDBM record with the userPassword attribute . 81 3.5.2 Creating a RACF account for an LDAP user. 82 3.5.3 Identifying the RACF account corresponding to the LDAP object. 82 3.6 Linux authentication using the z/VM LDAP server . 83 3.6.1 Using YaST to enable LDAP on SLES 11 . 83 3.7 Centralizing Linux audit information with z/VM RACF. 90 3.7.1 Enabling extended operations support in z/VM LDAP server . 91 3.7.2 RACF configuration. 91 3.7.3 Adding the @LINUX class to RACF . 92 3.7.4 Linux configuration . 94 3.8 Using an OpenLDAP server with the z/VM LDAP server . 96 3.8.1 The OpenLDAP rewrite/remap overlay . 96 3.8.2 Configuring OpenLDAP . 96 Chapter 4. Authentication and access control . 97 4.1 SELinux. 98 4.1.1 Important files and directories for SELinux . 98 4.1.2 Enabling SELinux . 99 4.1.3 Disabling SELinux. 103 4.1.4 Policies . 104 4.1.5 RPMs required for SELinux. 105 4.2 AppArmor . ..
Recommended publications
  • Today's Howtos Today's Howtos
    Published on Tux Machines (http://www.tuxmachines.org) Home > content > today's howtos today's howtos By Roy Schestowitz Created 09/12/2020 - 5:46am Submitted by Roy Schestowitz on Wednesday 9th of December 2020 05:46:15 AM Filed under HowTos [1] How to Install Nginx with Google PageSpeed on Ubuntu 20.04 [2] Nginx is a free and open-source web server that powers many sites on the internet. It can be used as a reverse proxy and load balancer. It is known for its high-performance and stability. ngx_pagespeed is an open-source Nginx module that can be used to optimize your website performance. It is developed by Google and reduces the page load time and speed up the website response time. Install and Configure ZFS on FreeBSD ? Linux Hint [3] This article will demonstrate how to set up FreeBSD 12.0, the latest version, on Zettabyte File System, or ZFS. The method we?ll employ is going to use BSDinstall and consequently allocate all of the disks to host the FreeBSD system. How to Share Files Between Windows and Linux [4] File sharing is the action of sending a file or more from one computer to another. In theory, it?s a simple thing. The process is quite simple and straightforward if both of the computers are running the same operating system. When it?s different, things get a bit complicated. How To Install Firefox on CentOS 8 - idroot [5] In this tutorial, we will show you how to install Firefox on CentOS 8. For those of you who didn?t know, Firefox is the default web browser in a number of Linux distributions and CentOS is one of them.
    [Show full text]
  • Troubleshooting Passwords
    Troubleshooting Passwords The following procedures may be used to troubleshoot password problems: • Performing Password Recovery with an Existing Administrator, page 1 • Performing Password Recovery with No Existing Administrator, page 1 • Performing Password Recovery for the Linux Grapevine User Account, page 2 Performing Password Recovery with an Existing Administrator To perform password recovery for a user (administrator, installer or observer) where there exists at least one controller administrator (ROLE_ADMIN) user account, take the following steps: 1 Contact the existing administrator to set up a temporary password for the user that requires password recovery. Note The administrator can set up a temporary password by deleting the user's account and then recreating it with the lost password. The user can then log back into the controller to regain access and change the password once again to whatever he or she desires. 2 The user then needs to log into the controller with the temporary password and change the password. Note Passwords are changed in the controller GUI using the Change Password window. For information about changing passwords, see Chapter 4, Managing Users and Roles in the Cisco Application Policy Infrastructure Controller Enterprise Module Configuration Guide. Performing Password Recovery with No Existing Administrator The following procedure describes how to perform password recovery where there exists only one controller administrator (ROLE_ADMIN) user account and this account cannot be successfully logged into. Cisco Application Policy Infrastructure Controller Enterprise Module Troubleshooting Guide, Release 1.3.x 1 Troubleshooting Passwords Performing Password Recovery for the Linux Grapevine User Account Note We recommend that you create at least two administrator accounts for your deployment.
    [Show full text]
  • Mcafee Foundstone Fsl Update
    2017-JUL-27 FSL version 7.5.946 MCAFEE FOUNDSTONE FSL UPDATE To better protect your environment McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary of the new and updated checks included with this release. NEW CHECKS 22152 - (JSA10802) Juniper Junos Insufficient Authentication Security Bypass Vulnerability Category: SSH Module -> NonIntrusive -> SSH Miscellaneous Risk Level: High CVE: CVE-2017-10601 Description A security-bypass vulnerability is present in some versions of Juniper Junos OS. Observation Juniper Junos OS is an operating system used in Juniper devices. A security-bypass vulnerability is present in some versions of Juniper Junos OS. The flaw lies in the Juniper Junos OS. Successful exploitation could allow a remote attacker to bypass authentication and gain access on the target system. 22161 - (JSA10791) Juniper Junos SRX Hardcoded Credentials Vulnerability Category: SSH Module -> NonIntrusive -> SSH Miscellaneous Risk Level: High CVE: CVE-2017-2343 Description An information disclosure vulnerability is present in some versions of Juniper Junos OS. Observation Juniper Junos OS is an operating system used in Juniper devices. An information disclosure vulnerability is present in some versions of Juniper Junos OS. The flaw lies in the UserFW services authentication API. Successful exploitation could allow an unauthenticated, remote attacker to gain access to sensitive information. 141631 - Red Hat Enterprise Linux RHSA-2017-1798 Update Is Not Installed Category: SSH Module -> NonIntrusive -> Red Hat Enterprise Linux Patches and Hotfixes Risk Level: High CVE: CVE-2017-7895 Description The scan detected that the host is missing the following update: RHSA-2017-1798 Observation Updates often remediate critical security problems that should be quickly addressed.
    [Show full text]
  • Version 7.8-Systemd
    Linux From Scratch Version 7.8-systemd Created by Gerard Beekmans Edited by Douglas R. Reno Linux From Scratch: Version 7.8-systemd by Created by Gerard Beekmans and Edited by Douglas R. Reno Copyright © 1999-2015 Gerard Beekmans Copyright © 1999-2015, Gerard Beekmans All rights reserved. This book is licensed under a Creative Commons License. Computer instructions may be extracted from the book under the MIT License. Linux® is a registered trademark of Linus Torvalds. Linux From Scratch - Version 7.8-systemd Table of Contents Preface .......................................................................................................................................................................... vii i. Foreword ............................................................................................................................................................. vii ii. Audience ............................................................................................................................................................ vii iii. LFS Target Architectures ................................................................................................................................ viii iv. LFS and Standards ............................................................................................................................................ ix v. Rationale for Packages in the Book .................................................................................................................... x vi. Prerequisites
    [Show full text]
  • Pluggable Authentication Modules
    Who this book is written for This book is for experienced system administrators and developers working with multiple Linux/UNIX servers or with both UNIX and Pluggable Authentication Windows servers. It assumes a good level of admin knowledge, and that developers are competent in C development on UNIX-based systems. Pluggable Authentication Modules PAM (Pluggable Authentication Modules) is a modular and flexible authentication management layer that sits between Linux applications and the native underlying authentication system. The PAM framework is widely used by most Linux distributions for authentication purposes. Modules Originating from Solaris 2.6 ten years ago, PAM is used today by most proprietary and free UNIX operating systems including GNU/Linux, FreeBSD, and Solaris, following both the design concept and the practical details. PAM is thus a unifying technology for authentication mechanisms in UNIX. This book provides a practical approach to UNIX/Linux authentication. The design principles are thoroughly explained, then illustrated through the examination of popular modules. It is intended as a one-stop introduction and reference to PAM. What you will learn from this book From Technologies to Solutions • Install, compile, and configure Linux-PAM on your system • Download and compile third-party modules • Understand the PAM framework and how it works • Learn to work with PAM’s management groups and control fl ags • Test and debug your PAM confi guration Pluggable Authentication Modules • Install and configure the pamtester utility
    [Show full text]
  • Linux for Zseries: Device Drivers and Installation Commands (March 4, 2002) Summary of Changes
    Linux for zSeries Device Drivers and Installation Commands (March 4, 2002) Linux Kernel 2.4 LNUX-1103-07 Linux for zSeries Device Drivers and Installation Commands (March 4, 2002) Linux Kernel 2.4 LNUX-1103-07 Note Before using this document, be sure to read the information in “Notices” on page 207. Eighth Edition – (March 2002) This edition applies to the Linux for zSeries kernel 2.4 patch (made in September 2001) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2000, 2002. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Summary of changes .........v Chapter 5. Linux for zSeries Console || Edition 8 changes.............v device drivers............27 Edition 7 changes.............v Console features .............28 Edition 6 changes ............vi Console kernel parameter syntax .......28 Edition 5 changes ............vi Console kernel examples ..........28 Edition 4 changes ............vi Usingtheconsole............28 Edition 3 changes ............vii Console – Use of VInput ..........30 Edition 2 changes ............vii Console limitations ............31 About this book ...........ix Chapter 6. Channel attached tape How this book is organized .........ix device driver ............33 Who should read this book .........ix Tapedriverfeatures...........33 Assumptions..............ix Tape character device front-end........34 Tape block
    [Show full text]
  • KC Administrator Manual Release 8.0.0
    KC Administrator Manual Release 8.0.0 Kopano BV Jul 01, 2021 Contents 1 Abstract 2 2 Introduction 3 2.1 Intended Audience..........................................3 2.2 Architecture.............................................3 2.3 Components.............................................4 2.4 Protocols and Connections......................................5 3 Installing 6 3.1 System Requirements........................................6 3.2 Installation..............................................9 3.3 Troubleshooting Installation Issues................................. 11 3.4 SSL.................................................. 12 4 Upgrading 14 4.1 Preparing............................................... 14 4.2 Creating backups........................................... 15 4.3 KC 8 dependencies.......................................... 16 4.4 Performing the Upgrade on RPM based distributions........................ 16 4.5 Performing the Upgrade on Debian based distributions....................... 16 4.6 Finalizing the upgrade........................................ 18 5 Configure KC Components 20 5.1 Configure the Kopano Server.................................... 20 5.2 Configure Kopano Konnect..................................... 27 5.3 Configure Kopano Kraph....................................... 30 5.4 Configure the Kopano Spooler.................................... 31 5.5 Configure Kopano Caldav...................................... 32 5.6 Configure Kopano Gateway (IMAP and POP3)........................... 33 5.7 Configure Kopano Quota Manager.................................
    [Show full text]
  • Xen and the Linux Console Or: Why Xencons={Tty,Ttys,Xvc} Will Go Away
    Xen and the linux console or: why xencons={tty,ttyS,xvc} will go away. by Gerd Hoffmann <[email protected]> So, what is the Linux console? Well, there isn't a simple answer to that question. Which is the reason for this paper in the first place. For most users it probably is the screen they are sitting in front of. Which is correct, but it also isn't the full story. Especially there are a bunch of CONFIG_*_CONSOLE kernel options referring to two different (but related) subsystems of the kernel. Introducing virtual terminals (CONFIG_VT) Well, every linux user knows them: Virtual terminals. Using Alt-Fx you can switch between different terminals. Each terminal has its own device, namely /dev/tty<nr>. Most Linux distributions have a getty ready for text login on /dev/tty{1-6} and the X-Server for the graphical login on /dev/tty7. /dev/tty0 is a special case: It referes to the terminal which is visible at the moment. The VT subsystem doesn't draw the characters itself though, it has hardware specific drivers for that. The most frequently used ones are: CONFIG_VGA_CONSOLE VGA text console driver, this one will drive your VGA card if you boot the machine in VGA text mode. CONFIG_FRAMEBUFFER_CONSOLE Provides text screens on top of a graphical display. The graphical display in turn is driven by yet another driver. On x86 this very often is vesafb. Other platforms have generic drivers too. There are also a bunch of drivers for specific hardware, such as rivafb for nvidia cards.
    [Show full text]
  • Samba-3 by Example
    Samba-3 by Example Practical Exercises in Successful Samba Deployment John H. Terpstra May 27, 2009 ABOUT THE COVER ARTWORK The cover artwork of this book continues the freedom theme of the first edition of \Samba-3 by Example". The history of civilization demonstrates the fragile nature of freedom. It can be lost in a moment, and once lost, the cost of recovering liberty can be incredible. The last edition cover featured Alfred the Great who liberated England from the constant assault of Vikings and Norsemen. Events in England that finally liberated the common people came about in small steps, but the result should not be under-estimated. Today, as always, freedom and liberty are seldom appreciated until they are lost. If we can not quantify what is the value of freedom, we shall be little motivated to protect it. Samba-3 by Example Cover Artwork: The British houses of parliament are a symbol of the Westminster system of government. This form of government permits the people to govern themselves at the lowest level, yet it provides for courts of appeal that are designed to protect freedom and to hold back all forces of tyranny. The clock is a pertinent symbol of the importance of time and place. The information technology industry is being challenged by the imposition of new laws, hostile litigation, and the imposition of significant constraint of practice that threatens to remove the freedom to develop and deploy open source software solutions. Samba is a software solution that epitomizes freedom of choice in network interoperability for Microsoft Windows clients.
    [Show full text]
  • MC-1200 Series Linux Software User's Manual
    MC-1200 Series Linux Software User’s Manual Version 1.0, November 2020 www.moxa.com/product © 2020 Moxa Inc. All rights reserved. MC-1200 Series Linux Software User’s Manual The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement. Copyright Notice © 2020 Moxa Inc. All rights reserved. Trademarks The MOXA logo is a registered trademark of Moxa Inc. All other trademarks or registered marks in this manual belong to their respective manufacturers. Disclaimer Information in this document is subject to change without notice and does not represent a commitment on the part of Moxa. Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time. Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use. This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to correct such errors, and these changes are incorporated into new editions of the publication. Technical Support Contact Information www.moxa.com/support Moxa Americas Moxa China (Shanghai office) Toll-free: 1-888-669-2872 Toll-free: 800-820-5036 Tel: +1-714-528-6777 Tel: +86-21-5258-9955 Fax: +1-714-528-6778 Fax: +86-21-5258-5505 Moxa Europe Moxa Asia-Pacific Tel: +49-89-3 70 03 99-0 Tel: +886-2-8919-1230 Fax: +49-89-3 70 03 99-99 Fax: +886-2-8919-1231 Moxa India Tel: +91-80-4172-9088 Fax: +91-80-4132-1045 Table of Contents 1.
    [Show full text]
  • Getting Ready for Samba4
    Getting Ready for Samba4 Samba Team member Andrew Bartlett explores the world of Samba4, its development status, what you can (and can’t) do with Samba4, and — most importantly– when you can expect to start using Samba4 in a production environment. Andrew Bartlett Thursday, April 3rd, 2008 Ever wanted to run an Active Directory Domain Controller on your Linux server? Did you run a Samba 3.0 DC, but had to move to Active Directory, or worried you might need to? Interested in the leading edge of Samba development, and wondering what the preceding questions mean? Without Samba, Linux, Windows and Macintosh computers could not share files and printers with each other, and networks of windows computers could only use Microsoft’s products to implement consistent user names and passwords across an organisation, something known as domain control. Since Samba was last covered by Linux Magazine in 2002, it seems the whole world has changed. Yet for members of the Samba Team the task remains to provide the Free Software community with a solid implementation of the Common Internet File System (CIFS) protocol, and with that a bridge into the Windows world. It is in that pursuit of interoperability that the Samba Team has continued, soon (at the time of writing) releasing version 3.2.0 of Samba, and alpha releases of Samba4. But Samba4 is more than just a new version of Samba, and more akin to a new development effort. Largely rewritten to handle the problems of interacting with modern versions of Microsoft’s Windows suite, Samba4 has been a storehouse of testing and innovation.
    [Show full text]
  • Univerzita Pardubice Fakulta Elektrotechniky a Informatiky
    Univerzita Pardubice Fakulta elektrotechniky a informatiky Multiplatformní správa uživatelských účtů Bubák Miroslav Bakalářská práce 2008 ZDE BUDE ZADÁNÍ ZDE BUDE ZADÁNÍ Souhrn Tato bakalářská práce se zabývá centralizovanou správou uživatelských účtů. Má za cíl navrhnout nekomerční řešení pro malé/střední firmy. Popsáno je několik nejrozšířenějších metod pro uložení informací o uživateli na straně serveru. Klíčová slova multipatformní, uživatelský účet, LDAP, Samba, správa Title Multiplatform user accounts management Abstract This bachelor work deals with central user accounts management. It aims to project noncommercial solution which could be used in small/middle company. This paper describes the most common methods used to store user informations on the server side. Keywords multipatform, user accounts, LDAP, Samba, management Obsah Úvod..............................................................................................................................9 1. Teoretický rozbor....................................................................................................10 1.1. Co ukládat – informace o uživateli.................................................................10 1.1.1. Unix.........................................................................................................10 1.1.2. Windows..................................................................................................10 1.1.3. Společné informace.................................................................................11 1.2. Možnosti
    [Show full text]