SECURITY & COMPLIANCE CONFERENCE 2016
Intrusion Management
using Vanguard Enforcer
Jim McNeill
Vanguard Professional Services
VSS13
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
©2016 Vanguard Integrity Professionals, Inc. 2
Legal Notice
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• Overview
– Why do we need Vanguard Enforcer™?
– How does Vanguard Enforcer work?
• Creating a Baseline
• Refreshing a Baseline
• Setting Vanguard Enforcer Sensor Task Options
• Vanguard Enforcer Benefits
Overview - Why do we need Vanguard Enforcer?
• Break the cycle of:
  – Do an assessment
  – Remediate the findings
  – Next year, the same findings are back
• Once you fix something, keep it fixed!
Vanguard Enforcer Sensor Task Concepts
• Baseline – Capture of the current system state
• Sensors continuously compare the current state to the baseline
• Findings / Actions Log
• Notification
  – E-Mail (SMTP)
  – TSO SEND
  – Console Message
  – SNMP
• Automatic correction of RACF® protection changes – Warning or Auto-Correct modes
  – Selectable globally or per component
Overview – How does Vanguard Enforcer work?
[Diagram: a trigger starts a scan; the Enforcer Sensors compare the system against the Enforcer Baseline and take action; findings and actions are recorded in the Enforcer Log and in SMF.]
• Triggers: Startup, Manual, Time-Interval
• Sensors: Global Table, Critical Data Sets, Critical Volumes, Critical General Resources, Critical Groups, Privileged Users, APF Libraries, LINKLST Libraries, RACF Options, LPA List, PPT, SVCs, Started Tasks, Restricted Utilities, Temporary Access
• Actions: Email Notice, TSO Send Message, Console Message, SNMP, Enforcer Log, Generate RACF Commands, Automatic Correction
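The compare-to-baseline cycle described above, as an added example that is not Vanguard code: a small Python model of one Critical Data Sets sensor pass. The DATASET profiles, user IDs and access lists are constructed for the example, and the model tracks only UACC and the access list (the real sensors read the live RACF database and cover many more attributes). It shows what a finding looks like, the RACF commands a sensor generates to revert it, the difference between Warning and Auto-Correct modes, and the selective refresh that folds an authorized change into the baseline.

```python
from copy import deepcopy

# Constructed baseline: two DATASET profiles with their UACC and access lists.
BASELINE = {
    "PROD.PAYROLL.**": {"uacc": "NONE", "acl": {"PAYADM": "ALTER", "PAYUSR": "READ"}},
    "SYS1.PARMLIB": {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
}

# Constructed current state: UACC widened and an extra user permitted on PAYROLL.
CURRENT = {
    "PROD.PAYROLL.**": {"uacc": "READ",
                        "acl": {"PAYADM": "ALTER", "PAYUSR": "READ", "TEMP01": "UPDATE"}},
    "SYS1.PARMLIB": {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
}


def compare(baseline, current):
    """Findings as (profile, kind, detail) tuples, one per deviation from baseline."""
    findings = []
    for name, base in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings.append((name, "MISSING", None))
            continue
        if cur["uacc"] != base["uacc"]:
            findings.append((name, "UACC", (base["uacc"], cur["uacc"])))
        for user, acc in cur["acl"].items():
            if user not in base["acl"]:
                findings.append((name, "ACL_ADDED", (user, acc)))
            elif base["acl"][user] != acc:
                findings.append((name, "ACL_CHANGED", (user, base["acl"][user], acc)))
        for user, acc in base["acl"].items():
            if user not in cur["acl"]:
                findings.append((name, "ACL_REMOVED", (user, acc)))
    return findings


def corrective_command(finding):
    """RACF command that puts one finding back to its baseline value, or None."""
    name, kind, detail = finding
    if kind == "UACC":
        return f"ALTDSD '{name}' UACC({detail[0]})"
    if kind == "ACL_ADDED":
        return f"PERMIT '{name}' ID({detail[0]}) DELETE"
    if kind in ("ACL_CHANGED", "ACL_REMOVED"):
        # detail[1] is the baseline access level in both cases
        return f"PERMIT '{name}' ID({detail[0]}) ACCESS({detail[1]})"
    return None  # MISSING: re-creating a deleted profile needs a human, not a blind ADDSD


def scan(baseline, current, mode="WARNING"):
    """One sensor pass. Returns (findings, commands, resulting state).

    WARNING mode only reports and lists the commands it would issue;
    AUTOCORRECT mode applies them, so the state returns to baseline."""
    findings = compare(baseline, current)
    commands = [c for c in map(corrective_command, findings) if c]
    state = deepcopy(current)
    if mode == "AUTOCORRECT":
        for name, kind, _ in findings:
            if kind != "MISSING":
                state[name] = deepcopy(baseline[name])
    return findings, commands, state


def refresh(baseline, current, names):
    """Refresh only the named entries from current state (authorized changes only);
    much cheaper than rebuilding the whole baseline."""
    new = deepcopy(baseline)
    for name in names:
        new[name] = deepcopy(current[name])
    return new


if __name__ == "__main__":
    findings, commands, _ = scan(BASELINE, CURRENT, "WARNING")
    for f in findings:
        print("FINDING", f)
    for c in commands:
        print("WOULD ISSUE", c)
```

Two points the model makes visible: in Auto-Correct mode a deviation is undone at the next scan, so the sensor's scan interval is the window in which an unauthorized change is live; and a deleted profile is reported but not re-created automatically here, because re-creating it blindly could leave the wrong data set protected.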
Vanguard Enforcer
Active Alerts Concepts
• Interfaces with SMF
• Collects SMF records in a dataspace
• Violations, Warnings, and Active Alerts
• Real time notification
– E-Mail (SMTP)
– Console Message
– SNMP
Vanguard Enforcer Active Alerts Task Overview
[Diagram: SMF records flow from SMF into the Collector, which stores them in the Alert Dataspace; the Real Time Notification task reads the dataspace and takes action. Both tasks take their options from VANOPTS.]
• Actions: Email Notice, Console Message, SNMP
Vanguard Enforcer Components
• User Interface
  – TSO ISPF
  – Operator Commands
• Started Tasks
  – Vanguard Enforcer Sensor Task
  – Vanguard Enforcer Data Collector Task
  – Vanguard Enforcer Real Time Notification Task
• VANOPTS
  – Members for the Sensor Task
  – Members for the Collector and Real Time Notification (RTN) tasks
Vanguard Enforcer Options Specified in VANOPTS
• Vanguard Enforcer Sensor Task
  – VEEOPTxx - Enforcer Sensor Task basic information
  – VEEEMNxx - Email recipients for each Enforcer Monitor
  – VEETSNxx - TSO SEND recipients for each Enforcer Monitor
• Vanguard Enforcer Collector and Real Time Notification Tasks
  – VEAOPTxx - Identification of the desired Active Alerts
  – VEARTNyy - Masking criteria or filters for Violation Notices, Active Alert 5 (Warnings), and Active Alert 11
  – VEAEALxx - Recipients of Violations, Warnings, and other Active Alerts
  – EAVIDTXT - Email text for Violations
  – EA5EMTXT - Email text for Warnings (Active Alert 5)
  – EAnEMTXT - Email text for Active Alerts 1 - 4, 6 - 9
  – EAnnETXT - Email text for Active Alerts 10 - 12
• All Enforcer Tasks
  – EMAILLST - Email distribution lists
Configuring Vanguard Enforcer
Creating a Baseline
Two groups of baselines:
• System Baseline
• Installation Baseline
Creating Installation Sensors Baseline
Creating a Baseline
• Plan what you want to baseline
  – System Sensors
  – Installation Sensors
  – Consider using VEEXITGP
    • Groups that appear in access lists are not automatically treated as critical groups
    • REXX exec provided in the VANSAMP data set
    • Documented in Appendix E of the Vanguard Enforcer User's Guide
  – Multiple-system considerations
    • Shared RACF database: take the RACF options from one system only (they are the same on every system sharing the database); take the z/OS® options (APF, PPT, etc.) from each system, since those are set per system
    • Non-shared RACF database: take all options from each system
Creating a Baseline
Creating System Sensors Baseline
Progress Messages
Creating System Sensors Baseline
Baseline Dataset Members
Baseline @ERRLOG@ Member
Baseline $README Member
Creating Installation Sensors Baseline
Type Profile Name – Press Enter
Vanguard Enforcer Verifies
Use Masking – Press F4
Select Profiles – Press F5
Vanguard Enforcer Verifies – Press F5
General Resources
Mask for BPX Profiles – Press F4
Select BPX Profiles – Press F5
Vanguard Enforcer Verifies – Press F5
Restricted Utilities
Enter Critical Group – Press Enter
Critical Groups – Masking
Critical Groups – Mask for VAN
Select the Group – Press F5
Build the Critical Groups Baseline
Progress Messages
Baseline Created
Setting Vanguard Enforcer Execution Options
Hmmm, how do I get started?
• Start with two sensors
  – System Sensor: Privileged Users
  – Installation Sensor: Critical Data Sets/Profiles
• Use Warning mode initially, so you can review the findings before Auto-Correct starts reverting changes
• Test with short intervals
• Granular options
  – Each sensor can have its own scan interval
  – Each sensor can be in either Warning mode or Auto-Correct mode
Setting Execution Options
Press F1 for Sensor Help
Press F1 again for Extended Help
Press PF8 to view more Extended Help
Setting Execution Options – Press F5
Execution Options Updated
Refreshing Baselines
Why should I refresh the Baseline?
• When authorized changes need to be in the Baseline
• Refresh individual entries only
• Much quicker than a full baseline build
• Confirm that a reported change really was authorized before refreshing: a refresh captures the current state as the new baseline, so refreshing an unreviewed change turns it into the enforced standard
Refreshing Baselines
Enter Mask Filter – Press F4
Select Dataset Profiles – Press F5
Press F5 to Build
Baseline has been Refreshed
Vanguard Enforcer Refreshed and Resumed
Yippee, I refreshed the baseline to reflect security changes and now Vanguard Enforcer is protecting my system!
Commands for Execution Options
• Issue the MODIFY command to dynamically change Vanguard Enforcer execution options (in these examples ENFSTC is the Enforcer Sensor started task and PUC is the Privileged Users sensor)
  – Example: To start the Privileged Users sensor
    F ENFSTC,PUC(START)
  – Example: To stop the Privileged Users sensor
    F ENFSTC,PUC(STOP)
  – Example: To alter the Privileged Users sensor, here turning off Warning mode
    F ENFSTC,PUC(ALTER(NOWARNING))
  – Example: To display the settings for the Privileged Users sensor
    F ENFSTC,PUC(DISPLAY)
Security for MODIFY Commands
• OPERCMDS profiles for MODIFY commands (the OPERCMDS class must be active for these checks to be made)
  – Example for the Privileged Users sensor:
    Resource Name                  Required Access
    ENFSTC.MODIFY.PUC.START        CONTROL
    ENFSTC.MODIFY.PUC.STOP         CONTROL
    ENFSTC.MODIFY.PUC.ALTER        CONTROL
    ENFSTC.MODIFY.PUC.DISPLAY      READ
  – STOP and ALTER deserve the same scrutiny as START: whoever can stop a sensor or take it out of Auto-Correct mode can suspend enforcement, so limit CONTROL access on these resources to security administration and audit its use
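To see who can actually issue those MODIFY commands, here is an added example (not RACF or Vanguard code) that models the OPERCMDS check: the resource name built for F ENFSTC,PUC(subcommand), the most-specific-profile rule, the user-entry-before-group-before-UACC order of evaluation, and the required access levels from the table above. The profiles ENFSTC.MODIFY.** and ENFSTC.MODIFY.PUC.DISPLAY, the users OPER1, SECADM1 and JOE and the groups OPER and SECADM are constructed for the example, and generic matching is simplified to the characters *, ** and %.

```python
import re

ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Required access per sub-command of the PUC (Privileged Users) sensor, from the table above.
REQUIRED = {"START": "CONTROL", "STOP": "CONTROL", "ALTER": "CONTROL", "DISPLAY": "READ"}

# Constructed OPERCMDS profiles (hypothetical names, UACCs and access lists).
PROFILES = {
    "ENFSTC.MODIFY.**": {"uacc": "NONE", "acl": {"OPER": "READ", "SECADM": "CONTROL"}},
    "ENFSTC.MODIFY.PUC.DISPLAY": {"uacc": "READ", "acl": {}},
}

# Constructed users and the groups they are connected to.
USERS = {
    "OPER1": {"OPER"},
    "SECADM1": {"SECADM"},
    "JOE": set(),
}


def resource_for(stc, sensor, subcmd):
    """OPERCMDS resource name checked for 'F stc,sensor(subcmd)'."""
    return f"{stc}.MODIFY.{sensor}.{subcmd}".upper()


def _pattern(profile):
    """Translate RACF generic characters into a regex (simplified):
    '.**' matches zero or more trailing qualifiers, '*' matches within one
    qualifier, '%' matches a single character."""
    out, i = "", 0
    while i < len(profile):
        if profile.startswith(".**", i):
            out += r"(?:\.[^.]+)*"
            i += 3
        elif profile[i] == "*":
            out += r"[^.]*"
            i += 1
        elif profile[i] == "%":
            out += r"[^.]"
            i += 1
        else:
            out += re.escape(profile[i])
            i += 1
    return re.compile("^" + out + "$")


def best_profile(resource):
    """The most specific covering profile: fewest generic characters wins,
    so a discrete profile beats ENFSTC.MODIFY.**."""
    matches = [p for p in PROFILES if _pattern(p).match(resource)]
    if not matches:
        return None
    return min(matches, key=lambda p: (p.count("*") + p.count("%"), -len(p)))


def effective_access(user, profile):
    """RACF order of evaluation: an explicit user entry wins, otherwise the
    highest access granted to any of the user's groups, otherwise UACC."""
    entry = PROFILES[profile]
    if user in entry["acl"]:
        return entry["acl"][user]
    group_levels = [entry["acl"][g] for g in USERS.get(user, set()) if g in entry["acl"]]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.__getitem__)
    return entry["uacc"]


def may_modify(user, stc, sensor, subcmd):
    """Would RACF let this user issue F stc,sensor(subcmd)?"""
    resource = resource_for(stc, sensor, subcmd)
    profile = best_profile(resource)
    if profile is None:
        # No OPERCMDS profile covers the command, so MVS lets it run. This is
        # why a catch-all such as ENFSTC.MODIFY.** with UACC(NONE) matters.
        return True
    have = effective_access(user, profile)
    return ACCESS_ORDER[have] >= ACCESS_ORDER[REQUIRED[subcmd.upper()]]


def who_can(stc, sensor, subcmd):
    """Users in the model that may issue the command, e.g. who can STOP a sensor."""
    return sorted(u for u in USERS if may_modify(u, stc, sensor, subcmd))


if __name__ == "__main__":
    for cmd in REQUIRED:
        print(f"F ENFSTC,PUC({cmd}) -> {who_can('ENFSTC', 'PUC', cmd)}")
```

The case to look at is STOP: operators who only need DISPLAY get READ through the discrete profile, while STOP, START and ALTER fall to the generic profile and need CONTROL, which only the SECADM group has. The no-profile branch is the other caveat: when nothing in OPERCMDS covers the resource the command runs, so define the generic profile before the discrete ones.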
Vanguard Enforcer Benefits
• Reduces exposure by keeping critical data sets and other resources at their baselined protection
• Guides you through the creation of your baseline
• Provides continuous monitoring and generates event notifications, 24 x 7
• Automatic Correction or Warning mode
• Ensures that the standards, policies, rules and settings defined by an organization's security and compliance experts remain in force
• Avoids the same audit findings recurring each year
• Common Criteria EAL3+ certification for the Enforcer Sensor Task
Conclusion
Questions?
Thank You!
(Thank you in English, Italian, French, German, Spanish, Brazilian Portuguese, Japanese, Russian, Arabic, Simplified Chinese, Traditional Chinese, Hindi, Tamil, Thai and Korean)
For more information, please visit:
http://www.go2vanguard.com