Security for Linux on System z

Book Description

No IT server platform is 100% secure and useful at the same time. If your server is installed in a secure vault, three floors underground in a double-locked room, not connected to any network and switched off, one would say it was reasonably secure, but it would be a stretch to call it useful.

This IBM® Redbooks® publication is about switching on the power to your Linux® on System z® server, connecting it to the data and to the network, and letting users have access to this formidable resource space in a secure, controlled, and auditable fashion to make sure the System z server and Linux are useful to your business. As the quotation illustrates, the book is also about ensuring that, before you start designing a security solution, you understand what the solution has to achieve.

The foundation of a secure system is closely tied to the way the architecture and virtualization have been implemented on IBM System z. Since its inception 45 years ago, the architecture has been continuously developed to meet the increasing demands for a more secure and stable platform.

This book is intended for system engineers and security administrators who want to customize a Linux on System z environment to meet strict security, audit, and control regulations.

For additional information, there is a tech note that describes the best practices for securing your network. It can be found at:
http://www.redbooks.ibm.com/abstracts/tips0981.html?Open

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Chapter 1. Introduction
    1. 1.1 Hardware configuration
    2. 1.2 z/VM configuration
    3. 1.3 Other software used
    4. 1.4 Disk storage configurations
  5. Chapter 2. The z/VM security management support utilities
    1. 2.1 The need for security management in z/VM
      1. 2.1.1 Scaling up the proof-of-concept
    2. 2.2 External security management
      1. 2.2.1 z/VM internal security
      2. 2.2.2 Reasons to use an ESM
      3. 2.2.3 Selective enablement of an ESM
    3. 2.3 User directory management
      1. 2.3.1 User management
      2. 2.3.2 Disk management
    4. 2.4 Securing console access to z/VM virtual machines
      1. 2.4.1 The role of console management in securing your environment
      2. 2.4.2 The z/VM LOGONBY function
      3. 2.4.3 Using a console management utility
    5. 2.5 Securing network access to z/VM
      1. 2.5.1 X.509v3 digital certificates and trust hierarchies
      2. 2.5.2 z/VM Telnet server
      3. 2.5.3 z/VM FTP server
    6. 2.6 Securing z/VM resources
      1. 2.6.1 Built-in security features
      2. 2.6.2 Securing z/VM resources with RACF
      3. 2.6.3 Securing TCP/IP service machines with RACF
      4. 2.6.4 Centralized authentication
      5. 2.6.5 Centralized audit
    7. 2.7 z/VM Directory Maintenance Facility (DirMaint)
      1. 2.7.1 DirMaint features
      2. 2.7.2 Customizing DirMaint
      3. 2.7.3 Using DirMaint
    8. 2.8 Other ESM and directory manager security observations in this book
  6. Chapter 3. Configuring and using the System z LDAP servers
    1. 3.1 The z/VM and z/OS LDAP servers
      1. 3.1.1 z/VM LDAP server backends
      2. 3.1.2 The relationship between the LDAP servers and RACF
    2. 3.2 Setting up the z/OS LDAP server
      1. 3.2.1 Using dsconfig
    3. 3.3 Setting up the z/VM LDAP server
      1. 3.3.1 Activating the z/VM LDAP server
      2. 3.3.2 Adding schema supplied by IBM to LDBM
    4. 3.4 Extending the LDBM schema
      1. 3.4.1 LDAP schema dependencies for Linux
      2. 3.4.2 Extending the schema of the z/VM LDAP server
    5. 3.5 LDBM and native authentication
      1. 3.5.1 LDBM record with the userPassword attribute
      2. 3.5.2 Creating a RACF account for an LDAP user
      3. 3.5.3 Identifying the RACF account corresponding to the LDAP object
    6. 3.6 Access control lists
      1. 3.6.1 ACL permissions
      2. 3.6.2 ACL format
      3. 3.6.3 Propagating ACLs
      4. 3.6.4 Updating ACLs
    7. 3.7 Linux authentication using the z/VM LDAP server
      1. 3.7.1 Using YaST to enable LDAP on SLES 11 SP2
      2. 3.7.2 Enabling LDAP authentication on RHEL 6
      3. 3.7.3 Mapping the LDAP account to RACF
      4. 3.7.4 Password management with Linux and the z/VM LDAP server
    8. 3.8 Using an OpenLDAP server with the z/VM LDAP server
      1. 3.8.1 The OpenLDAP rewrite-remap overlay
      2. 3.8.2 Configuring OpenLDAP to authenticate using z/VM LDBM
      3. 3.8.3 Configuring OpenLDAP to authenticate using z/VM SDBM
      4. 3.8.4 RACF password management with OpenLDAP slapo_rwm
    9. 3.9 Centralizing Linux audit information with z/VM RACF
      1. 3.9.1 Enabling extended operations support in z/VM LDAP server
      2. 3.9.2 RACF configuration
      3. 3.9.3 Adding the @LINUX class to RACF
      4. 3.9.4 Linux configuration
    10. 3.10 Using z/VM LDAP in an SSI cluster
      1. 3.10.1 LDAP server high availability
      2. 3.10.2 z/VM LDAP server clustering for the LDBM backend
      3. 3.10.3 z/VM LDAP server clustering for the SDBM backend
  7. Chapter 4. Authentication and access control
    1. 4.1 SELinux
      1. 4.1.1 Important files and directories for SELinux
      2. 4.1.2 Enabling SELinux
      3. 4.1.3 Disabling SELinux
      4. 4.1.4 Policies
      5. 4.1.5 RPMs required for SELinux
    2. 4.2 AppArmor
      1. 4.2.1 Important files and directories for AppArmor
      2. 4.2.2 Enable or disable AppArmor by using YaST
      3. 4.2.3 RPMs required for AppArmor
    3. 4.3 Pluggable Authentication Modules
      1. 4.3.1 Important files and libraries for PAM
      2. 4.3.2 Enabling PAM
      3. 4.3.3 PAM and LDAP
    4. 4.4 Sudo (superuser do)
    5. 4.5 OpenSSH
      1. 4.5.1 Important files and directories for OpenSSH
      2. 4.5.2 OpenSSH commands
      3. 4.5.3 Enable or disable OpenSSH
      4. 4.5.4 Authentication methods
      5. 4.5.5 OpenSSH using the hardware cryptographic support of IBM System z
  8. Chapter 5. Cryptographic hardware
    1. 5.1 Clear key
      1. 5.1.1 Accelerated Linux kernel functions
      2. 5.1.2 Random number generator
    2. 5.2 File system encryption
      1. 5.2.1 Key management
    3. 5.3 Cryptographic APIs
    4. 5.4 Securing communication and applications
    5. 5.5 Statistics and performance
    6. 5.6 Secure Key Crypto
      1. 5.6.1 Comparing secure key, clear key, and protected key operations
      2. 5.6.2 Secure key functions
    7. 5.7 Set up of CPACF, Crypto Express3, and Crypto Express4
      1. 5.7.1 Toleration mode versus exploitation mode
  9. Chapter 6. Physical and infrastructure security on System z
    1. 6.1 Physical environment
    2. 6.2 Minimal Installations
    3. 6.3 Protecting the Hardware Management Console
    4. 6.4 Protecting the configuration
    5. 6.5 Building a secure multizone application environment
      1. 6.5.1 The multizone concept
      2. 6.5.2 Controlling the zones with RACF
      3. 6.5.3 Using HiperSockets as part of your network solution
    6. 6.6 IBM security solutions
      1. 6.6.1 IBM Security Network Intrusion Prevention system
      2. 6.6.2 IBM Tivoli zSecure Manager for RACF z/VM
      3. 6.6.3 IBM Tivoli Endpoint Manager for Patch Management
      4. 6.6.4 IBM Tivoli Endpoint Manager for Security and Compliance
      5. 6.6.5 IBM Tivoli Access Manager WebSEAL
    7. 6.7 Linux firewalls
      1. 6.7.1 The ebtables tool
      2. 6.7.2 The iptables tool
      3. 6.7.3 Linux firewall tools
    8. 6.8 Disk security
      1. 6.8.1 Traditional mainframe environments
      2. 6.8.2 Modern environments
    9. 6.9 Protecting ECKD disk
      1. 6.9.1 Shared-DASD configurations
      2. 6.9.2 LPAR configuration for Linux workloads
    10. 6.10 Protecting Fibre Channel Protocol (FCP) disks
      1. 6.10.1 Using FBA emulation in z/VM
      2. 6.10.2 Using N_Port ID Virtualization
    11. 6.11 Protecting z/VM minidisks
      1. 6.11.1 Minidisk access security
      2. 6.11.2 Overlapping minidisks
      3. 6.11.3 Minidisk-owning user
      4. 6.11.4 Shared DASD considerations
  10. Chapter 7. Security implications of z/VM SSI and LGR
    1. 7.1 Overview
    2. 7.2 Lab environment configuration
      1. 7.2.1 Background information
      2. 7.2.2 Physical and logical configuration
      3. 7.2.3 Proposed tests
      4. 7.2.4 Considerations
  11. Chapter 8. Best practices
    1. 8.1 Security checklist
    2. 8.2 Physical security
    3. 8.3 Securing the logical access to z/VM
      1. 8.3.1 z/VM user passwords
      2. 8.3.2 Choosing the z/VM privilege class
      3. 8.3.3 z/VM network connection
    4. 8.4 Securing the data
      1. 8.4.1 Securing your minidisks
      2. 8.4.2 Reducing the intrusion points with shared disks
      3. 8.4.3 Protecting the data with encrypted file systems
    5. 8.5 Securing the network
      1. 8.5.1 Securing the virtual switches
      2. 8.5.2 Virtual switch using VLAN tagging
      3. 8.5.3 Virtual switch port isolation
      4. 8.5.4 Network diagnostics
      5. 8.5.5 Switch off backchannel communication
      6. 8.5.6 Implementing mandatory access control
    6. 8.6 Access control
    7. 8.7 Authentication
      1. 8.7.1 Improving security for SSH key pair
    8. 8.8 User management
      1. 8.8.1 Centralized user repository
      2. 8.8.2 Securing connections to the user information repository
    9. 8.9 Audit
    10. 8.10 Separation of duties
  12. Appendix A. Using phpLDAPadmin to manage the z/VM and z/OS LDAP servers
    1. Installing phpLDAPadmin
    2. Logging on to phpLDAPadmin
    3. Common schema supporting phpLDAPadmin
    4. Updating LDBM using phpLDAPadmin
    5. phpLDAPadmin and the z/OS LDAP server
    6. Managing an SDBM backend using phpLDAPadmin
  13. Appendix B. Additional material
    1. Locating the web material
    2. Using the web material
  14. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  15. Back cover