23.3 z/VM tools
Add-on software products exist that can be used to further enhance the integrity and security of a z/VM system. Two of those products from IBM are z/VM Version 4 feature options called IBM Directory Maintenance for z/VM (DirMaint) and IBM Resource Access Control Facility for z/VM (RACF).
DirMaint provides a safe, efficient, and interactive way to maintain the z/VM system directory. Through its command line or full-screen interface, you can quickly and easily add, modify, or delete users from the system directory. DirMaint includes these features:
In any z/VM installation where large numbers of virtual servers are being deployed, DirMaint is recommended.
The Resource Access Control Facility (RACF) is an external security manager. It provides comprehensive security capabilities that extend the standard security implemented by the base z/VM product. RACF controls user access to the VM system, checks authorization for use of both system and virtual machine resources, and audits the use of those resources. Like DirMaint, RACF is packaged as a priced feature of z/VM Version 4 and is preinstalled on the system installation media.
RACF helps an installation implement its security policy by identifying and authenticating virtual machine access, controlling each virtual machine's access to sensitive data, and logging and reporting events that are relevant to the system's security.
RACF verifies virtual machine logon passwords (which are stored using a one-way strong encryption algorithm) and checks access to minidisks, data in spool files, network nodes, shared segments, and some system commands. You can use RACF commands to audit security-relevant events such as:
When running a Linux guest, such auditing may provide additional insight into the activities of the Linux guest. For example, an Open Source package is available for Linux on zSeries that provides an interface to some CP functions. One of the components is the hcp command, which uses the DIAGNOSE 8 interface to issue CP commands on behalf of the guest virtual machine running Linux. If desired, RACF can be used to track the execution of specific CP or DIAGNOSE commands.
z/VM provides the ability for users who have not yet authenticated themselves to the system to do two things: send messages to users who are logged on and access (using the CP DIAL command) virtual 3270 devices, other than the virtual console, created by a virtual machine. If your security policy prohibits such anonymous access to VM terminal sessions, RACF provides facilities that can disable these functions.