Re: Security for z/VM

2016-05-05 Thread O'Brien, Dennis L
Scott,
Yes, a userid can only have one ACIGROUP statement in the directory.  MEMBER 
rules can be used to allow userids to temporarily change group membership using 
the VMSECURE GROUP command.  The temporary membership controls what that userid 
can do, but doesn't change what other userids can do to it.


    Dennis O'Brien

"Houston, we've had a problem."  -- Jack Swigert, Command Module pilot of 
Apollo 13, 13 Apr 1970



Re: Security for z/VM

2016-05-05 Thread Alan Altmark
On Thursday, 05/05/2016 at 04:46 GMT, "O'Brien, Dennis L" wrote:
> VM:Secure is also the only security product that was designed from the
> ground up for z/VM.  All of the others are ports from z/OS.  RACF tries to
> fit z/OS concepts such as "alter" and "control" onto z/VM link modes (W, M,
> MR, MW, etc).  VM:Secure allows you to write rules specifying the link
> modes directly.  I'm not too familiar with ACF2 or Top Secret, but I would
> guess that they are similar to RACF.

In 2016, use this as your guide only if all other considerations have been 
dealt with.  The #1 problem with introducing an ESM on z/VM is 
establishing the 'correct' configuration, where 'correct' derives from 
Policy and the *people* who create said Policy.  (I help clients do this.)
They worry about things like:

- What are the audit settings?
- Can I audit everything I need to?  I don't think VM:Secure can audit 
arbitrary CP commands (according to doc), many of which need to be 
audited, IMO, even though the ESM doesn't control them.
- How is the audit data collected?
- How is it reviewed?
- Where is it archived?
- Will it create a problem with our external auditor?

> If you choose a security product other than VM:Secure, you can implement
> VM:Director instead of Dirmaint for directory management.  VM:Director is
> VM:Secure without the Rules component.

And now you're back to non-technical (sw catalog) points.  On a technical 
point, does VM:Director have a provision for interfacing with the ESM?

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: Security for z/VM

2016-05-05 Thread Scott Rohling
One limitation I found in VM:Secure is that a guest can only belong to one
'group', as groups are implemented with ACIGROUP directory statements.
And that's really the only place the directory management and security
management meet, outside of the use of password encryption, which uses the
directory.  I appreciate the integration and common interface -- and
'rules' are easy to understand, unlike some others.  But the single group
concept makes some things harder (for me).  (And if I've just misunderstood
how to use groups, someone please tell me!  I don't want to continue my
ignorance.)

Scott Rohling




Re: Security for z/VM

2016-05-05 Thread O'Brien, Dennis L
VM:Secure is also the only security product that was designed from the ground 
up for z/VM.  All of the others are ports from z/OS.  RACF tries to fit z/OS 
concepts such as "alter" and "control" onto z/VM link modes (W, M, MR, MW, 
etc).  VM:Secure allows you to write rules specifying the link modes directly.  
I'm not too familiar with ACF2 or Top Secret, but I would guess that they are 
similar to RACF.

If you choose a security product other than VM:Secure, you can implement 
VM:Director instead of Dirmaint for directory management.  VM:Director is 
VM:Secure without the Rules component.


    Dennis O'Brien

"Houston, we've had a problem."  -- Jack Swigert, Command Module pilot of 
Apollo 13, 13 Apr 1970

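Added example (an editor's illustration, not code from any poster in this thread) of the RACF side of the link-mode point Dennis makes above. RACF on z/VM protects a minidisk with a profile in the VMMDISK class, named owner.vaddr, and grants the z/OS-style authorities READ, UPDATE, CONTROL and ALTER; the LINK mode a guest asks for is then mapped onto one of those authorities (R, RR, SR and ER need READ; W, WR, SW and EW need UPDATE; M, MR and SM need CONTROL; MW needs ALTER). The minidisk LNXGOLD 191 and the userids LNXRO and LNXADM are assumed names, and the commands are shown as they would be issued from a CMS REXX exec through the RAC command.

```rexx
/* Added illustrative example, not from any poster on this thread.          */
/* Assumed names: minidisk LNXGOLD 191, read-only user LNXRO, admin LNXADM.  */
/* Define the profile with no default access and audit every attempt.        */
'RAC RDEFINE VMMDISK LNXGOLD.191 UACC(NONE) AUDIT(ALL)'
/* READ covers the LINK modes R, RR, SR and ER only.                         */
'RAC PERMIT LNXGOLD.191 CLASS(VMMDISK) ID(LNXRO) ACCESS(READ)'
/* UPDATE adds W, WR, SW and EW; M/MR/SM would need CONTROL, MW needs ALTER. */
'RAC PERMIT LNXGOLD.191 CLASS(VMMDISK) ID(LNXADM) ACCESS(UPDATE)'
/* The class must be active for CP to consult RACF on each LINK.             */
'RAC SETROPTS CLASSACT(VMMDISK)'
```

With these profiles in place, LINK LNXGOLD 191 291 RR from LNXRO is allowed, LINK LNXGOLD 191 291 WR from LNXRO is denied, the same WR link from LNXADM succeeds, and neither userid can take an M, MR or MW link because nothing grants CONTROL or ALTER. That is the indirection Dennis describes: the rule is written in terms of READ/UPDATE/CONTROL/ALTER and the permitted link modes follow from the mapping, whereas a VM:Secure rule names the link mode itself. AUDIT(ALL) makes RACF write an SMF audit record for both successful and failed link attempts, which is the kind of audit coverage Alan's questions are about.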


Re: Security for z/VM

2016-05-05 Thread Marcy Cortes
I will point out that VM:Secure is one product for your directory management 
and security.
If you choose RACF, you also need to implement Dirmaint.
I believe ACF2 is the same way.  I know Top Secret on VM is.





Re: Security for z/VM

2016-05-05 Thread Alan Altmark
On Wednesday, 05/04/2016 at 05:19 GMT, "Beard, Rick" wrote:
> I would like to know if anyone has any preferences on using either
> CA:VMSECURE or CA:ACF2 for securing z/VM systems?
>
> Is one more secure than the other?

CA has not certified either product in the Common Criteria scheme ("claim" 
and "proof"), so you can't really answer "How secure is it?"  You cannot, 
therefore, compare them in that respect.  In fact, only RACF on z/VM has 
been part of a certification.

That said, most people choose their external security manager (ESM) for 
reasons unrelated to its capabilities. The choice is instead based on
1. What's in your IBM or CA software catalog. I.e. if you've already 
bought one of them, then spending money to buy the other one may not be 
the right choice.
2. In-house knowledge.  If you have RACF, ACF2, or TOP SECRET on z/OS, 
then adding it to z/VM is straightforward.  VMSECURE has no z/OS 
equivalent, so you aren't going to get any help from your MVS team.
3. Easiest.  All of the examples and discussion from IBM on z/VM security 
are RACF-centric.

Alan Altmark

Senior Managing z/VM and Linux Consultant
Lab Services System z Delivery Practice
IBM Systems & Technology Group
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott



Re: Security for z/VM

2016-05-04 Thread Marcy Cortes
If you have any kind of security policy at all you can't meet it without an 
ESM.  

But the idea of making a checklist with your desired goals is a good one.
Examples: enforce complex passwords, lock out after x attempts, password
encryption strength, etc.

Can't comment on ACF2 since I've never used that.  

Marcy



Re: Security for z/VM

2016-05-04 Thread Cohen, Sam
Rick,

You're asking for a religious argument here.  Don't forget about RACF and its
interface with DIRMAINT.  Meanwhile, I suggest that the better question is:
what does "securing" mean to your company, and what are the security policies
such that you need an external security manager (as opposed to the mechanisms
that exist within z/VM)?

Thanks,


Sam Cohen
Levi, Ray & Shoup, Inc.



-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Beard, Rick
Sent: Wednesday, May 04, 2016 4:34 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Security for z/VM

I would like to know if anyone has any preferences on using either CA:VMSECURE 
or CA:ACF2 for securing z/VM systems?
Is one more secure than the other?
Is one easier to use and configure over the other?


Thanks,

Rick Beard
Infrastructure Management Senior Analyst
ITO Global Service Operations & Engineering
www.atos.net


