Linux on IBM eServer zSeries and S/390: Best Security Practices

Book description

This IBM Redbooks publication discusses best security practices for running Linux as a z/VM guest on IBM eServer zSeries and S/390 machines. This publication is intended for system administrators and IT architects responsible for deploying secure Linux servers running under z/VM. We consider both z/VM and Linux security topics.

We examine the unique security and integrity features zSeries offers for consolidating a large number of Linux servers under z/VM. We discuss virtual machine isolation and command privileges assigned to VM guests. Security configuration options for z/VM Version 4.4 are explained.

In this book, we also discuss Linux security topics. We examine options for hardening a Linux installation. Securing Linux network traffic using Secure Sockets Layer and Secure Shell is considered. We look at implementing a virtual private network using FreeS/WAN. Commercial firewall technology and implementation using the StoneGate firewall for zSeries is discussed. We examine using IBM Tivoli Access Manager in conjunction with an LDAP server running on z/OS to authenticate Linux users against RACF running on z/OS.

Table of contents

  1. Notices
    1. Trademarks
  2. Preface
    1. The team that wrote this redbook
    2. Become a published author
    3. Comments welcome
  3. Chapter 1: Introduction
    1. Security goals
      1. Security policy
    2. Elements of security
      1. Physical security
      2. System security
      3. Network security
    3. System installation and backup
      1. Verifying the RPM package
  4. Chapter 2: z/VM integrity and security
    1. zSeries and z/VM system integrity
      1. LPAR integrity
      2. Integrity provided by the z/VM Control Program
    2. zSeries network security
    3. Securing your z/VM system
      1. System integrity statement for z/VM
    4. CP privilege classes
    5. The z/VM SYSTEM CONFIG file
      1. Enabling journaling
      2. System features
      3. Defining privilege classes
      4. z/VM virtual networking
      5. Configuring virtual networks
      6. Redefining a command privilege class
    6. The z/VM user directory
      1. The USER directory entry statement
      2. The INCLUDE statement
      3. The IPL statement
      4. The LOGONBY statement
      5. The MDISK statement
      6. The LINK statement
      7. The DEDICATE statement
      8. The OPTION statement
      9. The SPECIAL statement
    7. Directory Maintenance Facility
      1. DirMaint security features
    8. RACF for z/VM
  5. Chapter 3: Hardening a Linux installation
    1. Linux system logging
      1. Configuring syslogd
      2. Using a central log server
    2. Pluggable Authentication Modules
      1. PAM configuration files
      2. Limiting superuser login to secure terminals
      3. Restricting user login
      4. Mandatory access control
      5. Linux Security Module (LSM)
    3. Delegating superuser authority with sudo
      1. Configuring sudo
      2. Using the sudo command
      3. Command logging with sudo
      4. Security considerations with sudo
    4. Securing Internet services with TCP_wrappers
      1. TCP_wrappers access control specification
      2. Configuring TCP_wrappers
    5. Securing Linux using Bastille
      1. Configuring security settings with Bastille
      2. Reverting changes
      3. Copying the Bastille setup to other hosts
  6. Chapter 4: Secure Sockets Layer and the Secure Shell
    1. Introduction to Secure Sockets Layer
    2. Enabling OpenSSL in Apache
      1. Creating SSL keys
      2. Generating an SSL certificate
      3. Activating mod_ssl
      4. Configuring mod_ssl
    3. Using hardware acceleration with OpenSSL
      1. Installing the crypto engine
      2. Creating a crypto device node
      3. Configuring mod_ssl to use the crypto engine
    4. Secure Shell overview
    5. Secure network access using SSH
      1. Known hosts
      2. SSH access control
    6. File transfer and remote command execution
      1. The scp command
      2. The sftp command
      3. Remote command execution using SSH
    7. Authentication without passwords
    8. Secure tunneling using port forwarding
      1. Local port forwarding
      2. Remote port forwarding
      3. When to use local or remote forwarding
      4. Implications of and options for port forwarding
    9. X forwarding
      1. Security considerations with X forwarding
    10. Securing VNC using port forwarding
      1. Installing the VNC server
      2. Installing the VNC client on Windows
      3. Installing an SSH server on Windows
      4. Configuring the Windows SSH server
      5. Creating a local forwarded tunnel from Windows to Linux
      6. Connecting to the VNC server over the SSH tunnel
  7. Chapter 5: Implementing virtual private networks using FreeS/WAN
    1. An overview of FreeS/WAN
      1. Opportunistic encryption
    2. Starting FreeS/WAN
    3. Configuring FreeS/WAN
      1. Displaying public/private keys
      2. Testing the IPSEC tunnel
  8. Chapter 6: StoneGate firewall
    1. The role of firewalls
    2. Firewall technologies
      1. Packet filtering firewalls
      2. Proxy firewalls
      3. Stateful inspection firewalls
      4. StoneGate and multi-layer inspection
      5. Firewall functions
      6. Requirements for modern firewalls
      7. Firewall weaknesses
    3. StoneGate firewall components
      1. StoneGate GUI
      2. Management system
      3. Communications between the components
      4. Network address translation between components
      5. Secured communication
      6. Certificate backups
      7. Distributed management
      8. Implementation strategies
    4. StoneGate on Linux for zSeries
      1. High availability technologies
      2. Benefits of multilink technology
      3. Applying multilink technology
    5. StoneGate installation
      1. The z/VM guest definition
      2. Ensuring file integrity
      3. Downloading the installation files to z/VM
      4. Installing the firewall engine
      5. Configuring the StoneGate firewall engine (1/2)
      6. Configuring the StoneGate firewall engine (2/2)
  9. Chapter 7: Using z/OS features in a Linux environment
    1. z/OS HiperSockets Accelerator
    2. IBM Tivoli Access Manager for e-business
    3. Authentication using IBM Tivoli Access Manager
      1. Configuring LDAP on z/OS
      2. Modifying the z/OS LDAP schema
      3. Enabling z/OS LDAP native authentication
      4. Installing Tivoli Access Manager Policy Director on Linux
      5. Configuring Tivoli Access Manager for Linux
      6. Enabling Linux LDAP user authentication
    4. IBM Tivoli Access Manager WebSEAL
      1. Configuring WebSEAL
      2. Creating the WebSEAL junctions
      3. Configuring the WebSphere Application Server
    5. Securing z/OS Web resources from Linux
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get IBM Redbooks
    5. Help from IBM
  11. Index (1/2)
  12. Index (2/2)
  13. Back cover

Product information

  • Title: Linux on IBM eServer zSeries and S/390: Best Security Practices
  • Author(s): Gregory Geiselhart, Ami Ehlenberger, Darius Fariborz, Jerry Lam, Neville Mendes, Carlos Ordonez, Luiz Carlos Santos, Karl-Erik Stenfors
  • Release date: May 2004
  • Publisher(s): IBM Redbooks
  • ISBN: None