Firewall Wizards mailing list archives

RE: Mainframes on the Net?


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 14 Nov 2002 21:02:04 -0500 (EST)

On Thu, 14 Nov 2002, Desai, Ashish wrote:

> IBM implemented this using new "syscalls". CA's security
> monitor did NOT know how to handle these new "syscalls" so
> it allowed blanket access to the files. I don't know if IBM's
> security monitor did the right thing.

It's not clear to me from some quick Web searches if Unix System Services 
goes through RACF via some user-id equiv. mechanism, or if the main vector 
is direct with its own ID/ACL scheme.

That's why I'd go Linux on VM; in that case you should be able to confirm 
that the VM can only access the virtual devices you assign to it.

> I don't know if CA fixed this problem.

This is where some time with the red books and then on a call with IBM 
would produce some interesting results; the MVS-runs-*nix stuff is 
obviously bolted on somewhat strangely, and knowing at what level the 
subsystem has access to devices would tailor how and where things get 
arranged.

Thanks for posting this, it certainly makes validation much more important 
than if the native security interfaces were used.

> Anyway the point I am making is that different OS instances
> may be given permission to access the filesystem. Make sure
> that the correct access is defined in the security monitor
> so that the Internet-facing system does not have access to the
> core filesystem where the customer data is stored.

Here's the only interesting audit document I could find:

http://www.auditnet.org/docs/USS.pdf

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
