Table of Contents (exploded view)
Abstract for Planning for Multilevel Security and the Common Criteria
How to send your comments to IBM
Summary of changes
Changes made in z/OS Version 2 Release 2 as updated in March 2016
Changes made in z/OS Version 2 Release 1
Changes made in z/OS Version 1 Release 13
What is multilevel security?
History
Characteristics of a multilevel-secure system
Access controls
Subjects and objects
Mandatory access control (MAC)
Discretionary access control (DAC)
Object reuse
Accountability
Auditing
Identification and authentication
Labeling hardcopy with security information
The name-hiding function
Write-down
Performance
The trusted computing base
Hardware
Software
Security labels
Defining security labels
Security labels that the system creates
Assigning a security label to a subject or resource
Using security labels
Mandatory access control (MAC)
Dominance
Preventing declassification of data
Controlled write-down
Access rules
The subject is not allowed to write down
Example of security label dominance
The subject is allowed to write down
Reverse and equal mandatory access checking
Discretionary access control (DAC) checking
Security labels for data transferred to tape or DASD
Security labels and data set allocation
Printing security information on hardcopy output
Changing a security label
Using security labels with z/OS UNIX System Services
Associating security labels with remote users
Assigning a home directory and initial program depending on security label
Example of using security label substitution with automount
Security labels and the su command
Security labels for z/OS UNIX files and directories
Assumed security labels
Security labels for zFS file systems and their contents
Security labels for HFS file systems
Security labels and mount points
Security label processing for communications between z/OS UNIX processes
IPC objects
Signals
ptrace
Sockets
Pipes
FIFO special files
Passing open file descriptors when a process changes identity
Using system-specific security labels in a sysplex
Defining and activating system-specific security labels
Shared file system environment and system-specific security labels
SETROPTS options that control the use of security labels
The COMPATMODE and NOCOMPATMODE options
The MLACTIVE and NOMLACTIVE options
The MLFSOBJ option
The MLIPCOBJ option
The MLNAMES and NOMLNAMES options
The MLQUIET and NOMLQUIET options
The MLS and NOMLS options
The MLSTABLE and NOMLSTABLE options
The SECLABELAUDIT and NOSECLABELAUDIT options
The SECLABELCONTROL and NOSECLABELCONTROL options
The SECLBYSYSTEM and NOSECLBYSYSTEM options
Establishing multilevel security
In this topic
The physical environment
The hardware configuration
The software configuration
Required software
z/OS elements and features that do not support multilevel security
z/OS elements and features that partially support multilevel security
Software applications
Defining security labels
Steps for defining security labels
Assigning security labels
Assigning security labels to users
Recommended security labels for users
Listing security labels for users
Assigning security labels to data sets
Assigning security labels to system resources
Protecting data
Ensuring that user data sets are erased when scratched or released
Protecting DASD volumes
Protecting data on tape
Private volumes
Scratch pool volumes
Protecting temporary data sets
Protecting catalogs
Setting up your software for multilevel security
Common Information Model (CIM)
User ID for the CIM started procedure
Distributed File Service
User ID for the zFS started procedure
User IDs for zFS administrators
zFS configuration data sets
Distributed File Service restrictions
Checklist for Distributed File Service setup
DFSMS
The name-hiding function
Using DFSMSrmm
Storage Management Subsystem (SMS)
SMS-managed temporary data sets
Separation of DASD data with different security labels
DFSMS restrictions
Checklist for DFSMS setup
JES2
JES2 user ID
JES2 commands
JES2 system data sets
JES2 spool files
JES2 input devices
JES2 output processing
Controlling which systems can run certain jobs
NJE and RJE
JES2 restrictions
JES2 setup checklist
JES3
JES3 user ID
JES3 commands
JES3 system data sets
JES3 spool files
JES3 input devices
JES3 output processing
NJE and RJP
JES3 restrictions
JES3 setup checklist
MVS
Establish operator LOGON/LOGOFF
Audit operator commands
Program properties table
Establish SMF controls
Using SMF data sets
Using SMF logging
Protect resources
Unit record, communication, and graphic devices
LLA PARMLIB data sets and LLA-managed data sets
System data sets
APF-authorized libraries
Dynamic exits facility
Protect global resource serialization services
Check job control language (JCL)
MVS supplied exit routines
Protect sensitive privileges in IPCS
MVS restrictions
Checklist for MVS setup
PSF
Setting up PSF print labeling
Create the security libraries
Install PSF exit routines for separator pages
Modify the PSF startup procedure
Authorize users allowed to override print labeling
Authorize operators allowed to override separator pages
Enable guaranteed print labeling
Auditing PSF
PSF restrictions
Checklist for PSF setup
RACF
RACF profiles
The STARTED class
Security labels
Surrogate job submission
Audit requirements
RACF resource classes
SETROPTS options
Sysplex considerations
RACF exit routines
RACF restrictions
Checklist for RACF setup
RMF
Checklist for RMF setup
SDSF
SAF and ISFPARMS
Security label assignments
Controlling access to SDSF panels
SDSF restrictions
Checklist for SDSF setup
TCP/IP
Mandatory access checking for stacks in a multilevel-secure environment
Setting up a multilevel-secure TCP/IP network
TCP/IP restrictions
TSO/E
TSO/E user identification
Security label on logon
Generic TSO system names
Audit all logon attempts
Protect user messages
Sending and receiving messages
Control access to spool data sets via TSO/E commands
OUTPUT command
TRANSMIT and RECEIVE commands
Control who can submit and cancel jobs
SUBMIT command
CANCEL command
TSO/E installation exit IKJEFF53
TSO/E auditing
TSO/E restrictions
Checklist for TSO/E setup
VTAM
Verify application authorization
VTAM auditing
Checklist for VTAM setup
z/OS UNIX System Services
z/OS UNIX user IDs
Support for security labels
Home directory and initial program for users
Security labels for z/OS UNIX files, directories, and symbolic links
Migrating your HFS version root to a zFS version root with security labels
Steps for migrating your HFS version root to a zFS version root with security labels
Disabling cron for general use
Steps for disabling cron for general use
z/OS UNIX restrictions
Checklist for z/OS UNIX setup
Activating multilevel security
Steps for activating multilevel security
Auditing a multilevel-secure system
Security-relevant events
Events always logged
Events optionally logged
Auditing that the security administrator and other authorized users can specify
Auditing that the auditor can specify
Logging attempts to access resources in specific classes
Logging for resources and users that have a security label assigned
SETROPTS AUDIT
Auditing a specific user ID
SMF records
Generating audit reports
Operating a system
Messages and notices
Printed output
Dumps and traces
Tape processing
Residual temporary data sets on DASD
SETROPTS MLQUIET
Adding authorized programs to a multilevel-secure system
System integrity
Examples of adding products
CICS
DB2
The DB2 RACF access control module
Security labels for rows in a table
Security labels for other DB2 resources
Security labels for DB2 subsystems
Security labels for data sets holding DB2 data
Security labels for DB2 users
Access requirements for DB2 users
Authority checking for users with installation sysadm or installation sysopr authority
DFSORT
Information Management System (IMS)
Interactive System Productivity Facility (ISPF)
WebSphere MQ for z/OS
Adding other server-based products
Servers that support multilevel security
Servers that do not support multilevel security
The certified configuration for the Common Criteria for z/OS V2R2
Assumptions
z/OS security functions
Supported hardware
Installation
Documentation for the Certified Software Configuration
The certified software configuration
Restricting software not allowed in the certified configuration after you install
Restrict specified installed data sets
Steps for restricting installed data sets that cannot be used in the certified configuration
Restrict specified load modules in shared data sets
Restrict specified load modules installed into the HFS
Disable APPC/MVS programs
Restrict the IEHINITT utility
Software restrictions in the certified configuration
Communications Server
FTP server
Digital Certificate Access Server (DCAS)
Enterprise Identity Mapping (EIM)
HTTP server
IBM Tivoli Directory Server for z/OS
Network Authentication Service
Network File System (NFS) server
OpenSSH functions
PKI Services
RACF
Transport Layer Security (TLS) processing
Configuration options for Ported Tools (OpenSSH) for the evaluated configuration
System configuration
Multiple z/OS systems
Identification and authentication
Passwords and password phrases
PassTickets
Authentication via client digital certificates
Authentication via Kerberos
Authentication in the LDAP server
Authentication in the FTP server
Authentication in the HTTP server
Authentication in the CIM server
Started procedures
z/OS UNIX superuser privileges
Surrogate authority
Access control
Data sets
DASD volumes
SMS-managed DASD volumes
DASD volumes that are not managed by SMS
Tape volumes
Special considerations for data on tape
Devices
Terminals
TCP/IP connections
Operator commands
Programs
Consoles
z/OS UNIX file system objects
z/OS UNIX IPC objects
LDAP LDBM objects
Global resource serialization services
Common Information Model (CIM) data
RACF resource classes
Mandatory access control
RACF options
Auditing
Protecting audit data
Audit settings
Auditing IBM Tivoli Directory Server for z/OS
Capturing and processing security-relevant audit events
Roles
Secure communication
The Communications Server
System SSL
IP network applications
OpenSSH
z/OS Network Authentication Service
Import and export of data to tape or diskette
Exporting data that has one security label
Exporting data that has multiple security labels
Steps for exporting data that has multiple security labels
Printing
System time
z/OS UNIX file systems
Hierarchical file system (HFS)
zFS
Temporary file system (TFS)
Residual data
Residual data sets on DASD
Residual data on tape
Abstract machine testing
Accessibility
Using assistive technologies
Keyboard navigation of the user interface
z/OS information