> On Tue, Jan 28, 2003 at 05:24:22AM -0800, Nick Jacobsen wrote:
> > Hi all,
> > One of my clients has an IBM OS/390 running on one of their
> > networks I am doing some security testing on, and considering I really
> > have not dealt with any IBM mainframes before when it comes to
> > security, I was hoping that some of you might be able to point me the
> > right direction. Anything would be helpful, but especially from a
> > penetration viewpoint.

Nick,

OS/390 and z/OS have significantly more similarity to the exposures of open systems than their predecessors (it's not just a "mainframe" anymore). For example, you will probably find some combination of hardware encryption, digital certificates, PKI, Kerberos, LDAP, SSL, or even regular UNIX System Services (USS -- Unix under MVS, formerly called OMVS). The latter is always a good place to start. I've worked with both RedHat and SUSE systems running Apache on z/OS USS that, as expected, had many of the typical *NIX vulns (but only to their own instance). Security gaps will also be related to the implementation of MQ Series, DB2, and Websphere (i.e. check out the redbook on websphere security -- http://www.redbooks.ibm.com/redpieces/pdfs/sg246846.pdf).

I suggest reading the z/OS security guidelines and docs and working backward from there. In other words, there are plenty of docs explaining how things *should* be done that will provide a scope for where to investigate. You might find this paper a good starting point:

http://www.research.ibm.com/journal/sj/403/guski.html
http://www.research.ibm.com/journal/sj/403/guski.pdf

The Resource Access Control Facility (RACF) and use of the RACF Remote Sharing Facility (RRSF) also will tell you a lot about the system, especially if you can manage to access the system or, even better, find past audit reports... ;)

Also, there are some tools available but I don't know much about them. http://www.goldisconsulting.com has an RACF password cracker.
http://www.janusassociates.com has a penetration tool called "I.C.U...OS/390" and a cheesy but informative presentation about OS/390 security (http://www.janusassociates.com/icu/pres.html).

You also might want to ping some OS/390 security guys like Stuart Henderson (http://www.stuhenderson.com/XSERVAUT.HTM), Thierry Falissard (http://os390-mvs.hypermart.net/) or Nigel Pentland (http://www.nigelpentland.co.uk). They have some basic info online and could probably point you in the right direction.

Hope that helps. Good luck,

Davi

Davi Ottenheimer, CISSP
Chief Security Engineer
Synchron Networks, Inc.
100 Enterprise Way, C230
Scotts Valley, CA 95066
www.synchronnetworks.com