23.3 zVM tools

23.3 z/VM tools

Add-on software products exist that can be used to further enhance the integrity and security of a z/VM system. Two of those products from IBM are z/VM Version 4 feature options called IBM Directory Maintenance for z/VM (DirMaint) and IBM Resource Access Control Facility for z/VM (RACF).

23.3.1 DirMaint

DirMaint provides a safe, efficient, and interactive way to maintain the z/VM system directory. Through its command line or full-screen interface, you can quickly and easily add, modify, or delete users from the system directory. DirMaint includes these features:

• Distributed virtual machine management. DirMaint is designed on the assumption that there are multiple system administrators and is implemented so that two administrators cannot change the same directory entry at the same time.

• Automatic minidisk allocation. Instead of requiring you to pore over minidisk map reports to find available slots for new minidisks, DirMaint will automatically locate gaps in any number of DASD pools that you define and assign new minidisks in those gaps. This avoids the accidental definition of overlapping minidisks.

• Automatic minidisk erasure. When a minidisk is deleted, DirMaint asynchronously erases all data content on the minidisk before returning it to the pool of available DASD. No residual data remains.

• Support for end users. A general user has the ability to make limited changes to his or her own system directory entry.

• Auditing of all transactions.

• Automatic backup of the system directory.

In any z/VM installation where large numbers of virtual servers are being deployed, DirMaint is recommended.

23.3.2 RACF

The Resource Access Control Facility (RACF) is an external security manager. It provides comprehensive security capabilities that extend the standard security implemented by the base z/VM product. RACF controls user access to the VM system, checks authorization for use of both system and virtual machine resources, and audits the use of those resources. Like DirMaint, RACF is packaged as a priced feature of z/VM Version 4 and is preinstalled on the system installation media.

RACF helps an installation implement its security policy by identifying and authenticating virtual machine access, controlling each virtual machine's access to sensitive data, and logging and reporting events that are relevant to the system's security.

RACF verifies virtual machine logon passwords (which are stored using a one-way strong encryption algorithm) and checks access to minidisks, data in spool files, network nodes, shared segments, and some system commands. You can use RACF commands to audit security-relevant events such as:

• Any CP command or DIAGNOSE code (including privileged commands and codes)

• The creation, opening, and deletion of spool files

• The dumping and loading of spool files through the SPXTAPE and SPTAPE commands

• APPC/VM CONNECT and SEVER operations

• The creation and deletion of logical devices

When running a Linux guest, such auditing may provide additional insight into the activities of the Linux guest. For example, an Open Source package is available for Linux on zSeries that provides an interface to some CP functions. One of the components is the hcp command, which uses the DIAGNOSE 8 interface to issue CP commands on behalf of the guest virtual machine running Linux. If desired, RACF can be used to track the execution of specific CP or DIAGNOSE commands.

z/VM provides the ability for users who have not yet authenticated themselves to the system to do two things: send messages to users who are logged on and access (using the CP DIAL command) virtual 3270 devices, other than the virtual console, created by a virtual machine. If your security policy prohibits such anonymous access to VM terminal sessions, RACF provides facilities that can disable these functions.