This is part 2 of a two-part article looking at security issues that SMF might not identify.
The authorized program facility (APF) identifies system or user programs that can use sensitive system functions. Any authorized program can do virtually anything in z/OS, which is why hackers will try to raise their authorization level as part of the attack. Authorization is granted at the data set level (APF libraries, LPALIB, LNKLIST, and other system libraries). Any program linked with the AC1 parameter executed from one of those libraries can then operate in an authorized mode. The program can put itself in supervisor state or any system key, modify system control blocks, execute privileged instructions, turn off SMF recording, disable security tracking, or even quiesce the whole system!
Many mainframers assume that every instance of authorization is specified in the APF member in PARMLIB. What the hackers know is that new APF libraries can be added dynamically, typically using an operator command. A modern z/OS system has around 200 to 300 APF data sets and thousands of authorized programs.
The solution is to ensure that the APF libraries are locked down using RACF, TSS, or ACF2, and that any changes made outside of the normal change process are investigated. An integrity monitoring (IM) process can verify that all authorized programs are in their trusted state and generate alerts if any discrepancies from the trusted state are detected.
By default, LNKLST, SVCLIB, and all concatenated datasets are authorized. However, these and other system datasets are not identified in the APF list. That means they may be overlooked when validating the status of APF program access.
The solution is to ensure that there is continuous automatic discovery of both static and dynamic modifications to APF libraries and other sensitive system datasets (LNKLST, SVCLIB, LPALIB, PARMLIBs, PROCLIBs, TCPPARMs, VTAMLST, etc.). This eliminates the administrative overhead of manual review processes. If a change from the expected, trusted state is detected, a modern integrity monitoring tool raises an alert, nipping an attack in the bud.
Operator and SDSF display commands can show all the available libraries that are authorized. Hackers can easily see a full list of eligible datasets and find one that their stolen userid has update authority for. They might even find a previously-authorized file that no longer exists. The hacker can create a dataset with malware inside, change its name to match the obsolete entry, and they now have an authorized process.
The solution is to use modern IM tools that can monitor the use of the display commands (SDSF and OPER commands) to provide valuable early warning that suspicious snooping (reconnaissance) is underway, so that it can be investigated with advanced forensic tools before problems occur. Again, whitelists of valid processes that are allowed to use such display commands can avoid unnecessary alerts.
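The trusted-state comparison behind the integrity-monitoring checks described above, and the obsolete-entry check from the previous paragraph, as an added Python sketch that is not from the article or from any IM product: every member of each authorized library is hashed against a baseline, and APF entries with no data set behind them are flagged. Directories stand in for libraries, files for load-module members, and all data set and member names are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in: directories play the role of APF libraries and files
# play the role of load-module members. Data set and member names are hypothetical.
def member_hashes(libdir):
    """Hash every member of one library (the library's current state)."""
    return {m.name: hashlib.sha256(m.read_bytes()).hexdigest()
            for m in libdir.iterdir() if m.is_file()}

def build_baseline(libraries):
    """Record the trusted state of every authorized library at a known-good time."""
    return {dsn: member_hashes(libdir) for dsn, libdir in libraries.items()}

def audit_apf(apf_list, libraries, baseline):
    """Compare the live APF list and libraries to the trusted baseline; return alerts."""
    alerts = []
    for dsn in apf_list:
        libdir = libraries.get(dsn)
        if libdir is None or not libdir.exists():
            # Obsolete entry: an authorized name with no data set behind it.
            alerts.append(f"STALE {dsn}: APF entry has no existing data set")
            continue
        trusted, current = baseline.get(dsn, {}), member_hashes(libdir)
        for member in sorted(set(trusted) | set(current)):
            if member not in trusted:
                alerts.append(f"ADDED {dsn}({member})")
            elif member not in current:
                alerts.append(f"REMOVED {dsn}({member})")
            elif trusted[member] != current[member]:
                alerts.append(f"MODIFIED {dsn}({member})")
    return alerts

def demo():
    """Take a baseline, simulate drift, and audit. Returns the sorted alert list."""
    root = Path(tempfile.mkdtemp())
    libs = {"SYS1.LINKLIB": root / "linklib", "USER.APF.LOAD": root / "userapf"}
    for d in libs.values():
        d.mkdir()
    (libs["SYS1.LINKLIB"] / "IEFBR14").write_bytes(b"constructed member")
    (libs["USER.APF.LOAD"] / "PAYROLL").write_bytes(b"trusted load module")
    baseline = build_baseline(libs)
    # Changes after the baseline: one member altered, one unreviewed member added.
    (libs["USER.APF.LOAD"] / "PAYROLL").write_bytes(b"altered load module")
    (libs["USER.APF.LOAD"] / "UNEXPECT").write_bytes(b"unreviewed new module")
    # Live APF list as an operator display would show it; one entry's data set is gone.
    apf_list = ["SYS1.LINKLIB", "USER.APF.LOAD", "OLD.APF.LOAD"]
    return sorted(audit_apf(apf_list, libs, baseline))
```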
Unix System Services (USS) is now installed on every z/OS system. This Unix system can interchange data and share programs with the z/OS host. Hackers are more familiar with Unix systems than z/OS, making it a more popular point of attack (e.g., the Nordea Bank attack).
Unix hackers can create programs that are authorized in a z/OS context by simply turning on the +A option in the extended attributes. This also requires that the modules are linked AC1, which requires some z/OS knowledge.
The solution to this weakness, again, is to use IM tools, which can scan to identify unapproved program modifications and additions, detecting exposures before the attack is launched. Note: programs with the +A attribute turned on still need to be loaded to an APF library to cause harm.
To stop organizations from restoring encrypted data from backups, hackers now compromise backups before they attack the real target. Organizations need to ensure that their backups aren’t compromised.
The solution is to make sure that once a backup has been created it is never changed. Modern IM tools create a validation hash key when the backup is taken. A subsequent scan of the backup can be compared to the original. If the keys match, the backup is verified. Newer integrity monitors can verify large backups in seconds.
Frequently created, immutable backups mean that organizations can restore their data very quickly. However, the ability to determine which immutable copy has not been compromised is not supplied with basic snapset or safeguarded copy implementations.
The solution is to integrate SMF information with the results of ongoing IM scans to provide insight into which snapset or safeguarded copy is safe for restore. Full-function IM tools with restore assistance can populate a customized restore process on-the-fly, recovering the compromised infrastructure components from trusted sources and identifying the optimal snapset for data restore.
Exits in z/OS provide many useful functions. Because they provide services to multiple different address spaces, they need to run in the super-powerful Key 0 state. When some exits are loaded dynamically, they can originate from an unauthorized library. Also, LPA modules can be replaced on-the-fly from an unauthorized dataset. This effectively gives the exit Key 0 capabilities. The exit address can then be modified programmatically giving access to the modified LPA module.
The solution is for sites to lock down the SET and SETPROG commands. Sites need to check that RACF, TSS, and ACF2 rules have been updated to enforce this.
The problem with Zero Trust Architecture is that it’s difficult to achieve. Multiple platforms, tools, software, and users must be subjected to rigorous control.
The solution is to integrate modern integrity monitoring. This can create trusted baselines for multiple versions of system and application software. IM can detect and alert on any accidental or malicious changes made by an insider or outsider, even one using stolen legitimate credentials. These tools automate the investigation of alerted actions and guide response teams through the required remediation steps. No SIEM or event monitoring tool provides the ability to compare operational software and systems to trusted baselines, and each is therefore incomplete in a Zero Trust context. Integrity monitoring is a necessary component of achieving Zero Trust.
Does SMF catch all activity, suspicious and benign? Unfortunately, no. Many sites upload SMF data to their security console (SIEM) unaware that the information being provided may be incomplete, potentially creating significant risk. For example, there’s no SMF information identifying the best snapset for recovery, or any information indicating when the components were last known to be correct. Some of the snooping techniques used to determine what to go after in a site are just not “seen” by SMF.
In one example, a hacking tool retrieved the list of APF datasets and then issued a RACROUTE REQUEST=AUTH command on each to determine what access the user had to each APF dataset. This is a non-authorized program, and no record of its operation may be created in SMF.
In addition, SDSF and OPER commands to display the list of APF, Linklist, and LPA datasets do not generate SMF records.
The solution is to use system exits to trap what types of search and system modification are being initiated with TSO, SDSF, and OPER. Continuous monitoring from an Early Warning System, integrated with modern IM products, can be enhanced to alert on such activity before subsequent processing.
Modern IM solutions can provide information to SIEM tools in real time. IM solutions add a significant new information source to SMF and a SIEM. They also add new forensic analysis, new recovery, and new verification assist features to get your z/OS system back quickly and reliably.
For your information, an example of a modern IM tool that does have the features listed in this article is MainTegrity’s FIM+.