
SECURITY & COMPLIANCE CONFERENCE 2016
Intrusion Management using Vanguard Enforcer
Jim McNeill, Vanguard Professional Services
VSS13

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization's internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada: Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University.

©2016 Vanguard Integrity Professionals, Inc. 2

Legal Notice

The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF.

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.


Session Topics

• Overview
  – Why do we need Vanguard Enforcer™?
  – How does Vanguard Enforcer work?
• Creating a Baseline
• Refreshing a Baseline
• Setting Vanguard Enforcer Sensor Task Options
• Vanguard Enforcer Benefits

Overview – Why do we need Vanguard Enforcer?

• Break the cycle of:
  – Do an assessment
  – Remediate findings
  – Next year we have the same findings back
• Once you fix something, keep it fixed!

Vanguard Enforcer Sensor Task Concepts

• Baseline – capture of the current system state
• Sensors continuously compare the current state to the baseline
• Findings / Actions Log
• Notification – E-Mail (SMTP), TSOSEND, Console Message, SNMP
• Automatic correction of RACF® protection changes – Warning or Auto-Correct modes
  – Global or Component level

Overview – How does Vanguard Enforcer work?

(diagram: Triggers → Start Scan → Enforcer Sensors → Take Action → Actions, with the Enforcer Baseline, Enforcer Log and SMF Log shown alongside the sensors)

• Triggers: Startup, Manual, Time-Interval
• Enforcer Sensors: Global Table, Critical Data Sets, Critical Volumes, Critical General Resources, Critical Groups, Privileged Users, APF Libraries, LINKLST Libraries, RACF Options, LPA List, PPT, SVCs, Started Tasks, Restricted Utilities, Temporary Access
• Actions: Email Notice, TSO Send Message, Console Message, SNMP, Enforcer Log, Generate RACF Commands, Automatic Correction

Vanguard Enforcer Active Alerts Concepts

• Interfaces with SMF
• Collects SMF records in a dataspace
• Violations, Warnings, and Active Alerts
• Real time notification
  – E-Mail (SMTP)
  – Console Message
  – SNMP

Vanguard Enforcer Active Alerts Task Overview

(diagram: SMF → SMF Records → Collector → Alert Dataspace → Real Time Notification → Take Action → Actions; options read from VANOPTS)

• Email Notice
• Console Message
• SNMP

Vanguard Enforcer Components

• User Interface: TSO ISPF, Operator Commands
• Started Tasks:
  – Vanguard Enforcer Sensor Task
  – Vanguard Enforcer Data Collector Task
  – Vanguard Enforcer Real Time Notification Task
• VANOPTS:
  – Members for the Sensor Task
  – Members for the Collector and RTN tasks

(diagram: the Enforcer Sensors, Real Time Notification and Collector tasks, each reading its options from VANOPTS)

Vanguard Enforcer – Options Specified in VANOPTS

Vanguard Enforcer Sensor Task:
  VEEOPTxx – Enforcer Sensor Task basic information
  VEEEMNxx – Email recipients for each Enforcer Monitor
  VEETSNxx – TSO SEND recipients for each Enforcer Monitor

Vanguard Enforcer Collector and Real Time Notification Tasks:
  VEAOPTxx – Identification of desired Active Alerts
  VEARTNyy – Masking criteria or filters for Violation Notices, Active Alert 5 (Warnings), and Active Alert 11
  VEAEALxx – Recipients of Violations, Warnings, and other Active Alerts
  EAVIDTXT – Email text for Violations
  EA5EMTXT – Email text for Warnings (Active Alert 5)
  EAnEMTXT – Email text for Active Alerts 1 - 4, 6 - 9
  EAnnETXT – Email text for Active Alerts 10 - 12

All Enforcer Tasks:
  EMAILLST – Email distribution lists

Configuring Vanguard Enforcer

Creating a Baseline

Two groups of baselines:
• System Baseline
• Installation Baseline

(diagram: Enforcer Baseline)

Creating Installation Sensors Baseline (screenshot slide, title only)

Creating a Baseline

• Plan what you want to Baseline
  – System Sensors
  – Installation Sensors
  – Consider using VEEXITGP
    • Groups in the access list will not automatically be critical groups
    • REXX exec provided in the VANSAMP data set
    • Documented in Appendix E of the Vanguard Enforcer Users Guide
  – Multiple System Considerations
    • Shared RACF database
      – RACF options from one system only
      – z/OS® options from each system (APF, PPT, etc.)
    • Non-shared RACF database
      – All options from each system

Creating a Baseline – walkthrough (screenshot slides, titles only):
• Creating a Baseline
• Creating System Sensors Baseline
• Progress Messages (three slides)
• Creating System Sensors Baseline
• Baseline Dataset Members
• Baseline @ERRLOG@ Member
• Baseline $README Member (three slides)
• Creating Installation Sensors Baseline
• Type Profile Name – Press Enter
• Vanguard Enforcer Verifies
• Use Masking – Press F4
• Mask for VAN
• Select Profiles – Press F5
• Vanguard Enforcer Verifies – Press F5
• General Resources
• Mask for BPX Profiles – Press F4
• Select BPX Profiles – Press F5
• Vanguard Enforcer Verifies – Press F5
• Restricted Utilities
• Enter Critical Group – Press Enter
• Critical Groups – Masking
• Critical Groups – Mask for VAN
• Select the Group – Press F5
• Build the Critical Groups Baseline
• Progress Messages (two slides)
• Baseline Created

Setting Vanguard Enforcer Execution Options

• Let's start with two options:
  – System Sensor: Privileged Users
  – Installation Sensor: Critical Data Sets/Profiles
• Use Warning mode initially
• Test with short intervals
• Granular options:
  – Each sensor can have its own scan interval
  – Each sensor can be either in Warning mode or Auto Correct mode

"Hmmm, how do I get started?"
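As an added illustration of the sensor cycle on the Sensor Task Concepts slide and the per-sensor Warning/Auto-Correct choice above (example code, not Vanguard's own; the ALTUSER commands it generates are standard RACF syntax, while the user IDs, attributes and the command callback are constructed):

```python
# Added example (not Vanguard's code): a minimal model of the Enforcer sensor
# cycle from the deck, using a Privileged Users sensor. All data is constructed.
PRIV_ATTRS = ("SPECIAL", "OPERATIONS", "AUDITOR")   # RACF system-wide attributes

def capture_baseline(users):
    """Baseline step: freeze each user's privileged attributes."""
    return {uid: frozenset(a for a in attrs if a in PRIV_ATTRS)
            for uid, attrs in users.items() if set(attrs) & set(PRIV_ATTRS)}

def diff_against_baseline(baseline, current):
    """Sensor step: compare live state to the baseline. Returns the findings
    and the RACF ALTUSER commands that would restore the baseline."""
    findings, commands = [], []
    live = capture_baseline(current)
    for uid in sorted(set(baseline) | set(live)):
        base, now = baseline.get(uid, frozenset()), live.get(uid, frozenset())
        for attr in sorted(now - base):            # privilege gained since baseline
            findings.append(f"{uid} gained {attr} (not in baseline)")
            commands.append(f"ALTUSER {uid} NO{attr}")
        for attr in sorted(base - now):            # privilege lost since baseline
            findings.append(f"{uid} lost {attr} (in baseline)")
            commands.append(f"ALTUSER {uid} {attr}")
    return findings, commands

def run_sensor(baseline, current, auto_correct, issue_racf_command):
    """One scan. Warning mode (auto_correct=False) only logs the findings;
    Auto-Correct mode also applies the commands through the supplied callback
    (a constructed stand-in for Enforcer's own RACF command path)."""
    findings, commands = diff_against_baseline(baseline, current)
    log = [f"WARNING: {f}" for f in findings]
    if auto_correct:
        for cmd in commands:
            issue_racf_command(cmd)
            log.append(f"CORRECTED: {cmd}")
    return log, commands

# Constructed sample: baseline captured after remediation ...
BASELINE = capture_baseline({"SYSADM1": {"SPECIAL", "OPERATIONS"},
                             "AUDIT01": {"AUDITOR"}, "BATCH01": set()})
# ... and a later live state: BATCH01 gained SPECIAL, AUDIT01 lost AUDITOR.
CURRENT = {"SYSADM1": {"SPECIAL", "OPERATIONS"},
           "AUDIT01": set(), "BATCH01": {"SPECIAL"}}

if __name__ == "__main__":
    for mode in (False, True):
        log, _ = run_sensor(BASELINE, CURRENT, mode, print)
        print(("Auto-Correct" if mode else "Warning") + " mode:", *log, sep="\n  ")
```

Running it in Warning mode first, as the slide recommends, shows the drift and the commands that would be issued without changing anything; switching the flag shows what Auto-Correct mode would apply.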

Setting Execution Options – walkthrough (screenshot slides, titles only):
• Setting Execution Options (two slides)
• Press F1 for Sensor Help
• Press F1 again for Extended Help
• Press PF8 to view more Extended Help
• Setting Execution Options – Press F5
• Execution Options Updated

Refreshing Baselines

"Why should I refresh the Baseline?"

• When authorized changes need to be in the Baseline
• Refresh individual entries only
• Much quicker than a full baseline build

Refreshing Baselines – walkthrough (screenshot slides, titles only):
• Refreshing Baselines
• Enter Mask Filter – Press F4
• Select Dataset Profiles – Press F5
• Press F5 to Build
• Baseline has been Refreshed

Vanguard Enforcer Refreshed and Resumed

"Yippee, I refreshed the baseline to reflect security changes and now Vanguard Enforcer is protecting my system!"

Commands for Execution Options

• Issue the MODIFY command to dynamically change Vanguard Enforcer execution options
  – Example: To start the Privileged Users sensor
      F ENFSTC,PUC(START)
  – Example: To stop the Privileged Users sensor
      F ENFSTC,PUC(STOP)
  – Example: To alter the Privileged Users sensor
      F ENFSTC,PUC(ALTER(NOWARNING))
  – Example: To display settings for the Privileged Users sensor
      F ENFSTC,PUC(DISPLAY)

Security for MODIFY Commands

• OPERCMDS profiles for MODIFY commands
  – Example for the Privileged Users sensor:

    Resource Name                Required Access
    ENFSTC.MODIFY.PUC.START      CONTROL
    ENFSTC.MODIFY.PUC.STOP       CONTROL
    ENFSTC.MODIFY.PUC.ALTER      CONTROL
    ENFSTC.MODIFY.PUC.DISPLAY    READ

Vanguard Enforcer Benefits

• Eliminates vulnerability by securing critical data and other resources
• Guides you through the creation of your baseline capture process
• Provides continuous monitoring and generates event notification, 24 x 7
• Automatic Correction or Warning Mode
• Ensures the standards, policies, rules and settings defined by an organization's security and compliance experts are in force
• Avoids repetitive audit findings each year
• Common Criteria EAL3+ Certification for Enforcer Sensor Task

Conclusion

Questions?

Thank You!

For more information, please visit:
http://www.go2vanguard.com
[email protected]