Security for Linux on System Z

Front cover

Security for Linux on System z
Securing the System z infrastructure
Securing z/VM
Securing Linux guests

Lydia Parziale, Vic Cross, Shrirang Kulkarni, Guillaume Lasmayous, Nicolas Schmid, Ricardo Sousa, Karl-Erik Stenfors

ibm.com/redbooks

International Technical Support Organization
Security for Linux on System z
January 2010
SG24-7728-00

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.

First Edition (January 2010)
This edition applies to z/VM version 5.4, Novell SUSE Linux Enterprise Server version 11 and Red Hat Enterprise Linux version 5.4.

© Copyright International Business Machines Corporation 2010. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

  Notices ... vii
  Trademarks ... viii
  Preface ... ix
    The team who wrote this book ... x
    Become a published author ... xiii
    Comments welcome ... xiv
  Chapter 1. Introduction ... 1
    1.1 Hardware configuration ... 2
    1.2 z/VM configuration ... 2
    1.3 Linux distributions ... 2
    1.4 Other software used ... 2
    1.5 Disk storage configurations ... 2
  Chapter 2. The z/VM security management support utilities ... 3
    2.1 The need for security management in z/VM ... 4
      2.1.1 Scaling-up the proof-of-concept ... 4
    2.2 External security management ... 4
      2.2.1 z/VM internal security ... 4
      2.2.2 Reasons to use an ESM ... 5
      2.2.3 Selective enablement of an ESM ... 6
    2.3 User directory management ... 6
      2.3.1 User management ... 7
      2.3.2 Disk management ... 7
    2.4 ESM and directory manager security observations ... 8
    2.5 Securing console access to z/VM virtual machines ... 8
      2.5.1 The role of console management in securing your environment ... 9
      2.5.2 The z/VM LOGONBY function ... 9
      2.5.3 Using a console management utility ... 10
    2.6 Securing network access to z/VM ... 14
      2.6.1 z/VM Telnet server ... 14
      2.6.2 z/VM FTP server ... 21
    2.7 Securing z/VM resources ... 24
      2.7.1 Built-in security features ... 24
      2.7.2 Securing z/VM resources with RACF ... 27
      2.7.3 Securing TCP/IP service machines with RACF ... 28
      2.7.4 Centralized authentication ... 29
      2.7.5 Centralized audit ... 29
    2.8 z/VM Directory Maintenance Facility (DirMaint) ... 38
      2.8.1 DirMaint features ... 38
      2.8.2 Customizing DirMaint ... 39
      2.8.3 Using DirMaint ... 45
  Chapter 3. Configuring and using the z/VM LDAP server ... 49
    3.1 The z/VM LDAP server ... 50
      3.1.1 LDAP server back ends ... 50
      3.1.2 The relationship between z/VM LDAP server and RACF ... 51
    3.2 Setting up the z/VM LDAP server ... 51
      3.2.1 Activating the z/VM LDAP server ... 51
      3.2.2 Adding schemas supplied by IBM to LDBM ... 54
    3.3 Extending the LDBM schema ... 54
      3.3.1 LDAP schema dependencies for Linux ... 54
      3.3.2 Adding schemas to the z/VM LDAP server ... 56
    3.4 Using phpLDAPadmin to manage the z/VM LDAP server ... 59
      3.4.1 Installing phpLDAPadmin ... 60
      3.4.2 Common schemas supporting phpLDAPadmin ... 62
      3.4.3 Updating LDBM using phpLDAPadmin ... 63
    3.5 LDBM and Native Authentication ... 81
      3.5.1 LDBM record with the userPassword attribute ... 81
      3.5.2 Creating a RACF account for an LDAP user ... 82
      3.5.3 Identifying the RACF account corresponding to the LDAP object ... 82
    3.6 Linux authentication using the z/VM LDAP server ... 83
      3.6.1 Using YaST to enable LDAP on SLES 11 ... 83
    3.7 Centralizing Linux audit information with z/VM RACF ... 90
      3.7.1 Enabling extended operations support in z/VM LDAP server ... 91
      3.7.2 RACF configuration ... 91
      3.7.3 Adding the @LINUX class to RACF ... 92
      3.7.4 Linux configuration ... 94
    3.8 Using an OpenLDAP server with the z/VM LDAP server ... 96
      3.8.1 The OpenLDAP rewrite/remap overlay ... 96
      3.8.2 Configuring OpenLDAP ... 96
  Chapter 4. Authentication and access control ... 97
    4.1 SELinux ... 98
      4.1.1 Important files and directories for SELinux ... 98
      4.1.2 Enabling SELinux ... 99
      4.1.3 Disabling SELinux ... 103
      4.1.4 Policies ... 104
      4.1.5 RPMs required for SELinux ... 105
    4.2 AppArmor ...
