Since 1992, IBM has provided UNIX System Services, a UNIX programming environment for z/OS. z/OS UNIX System Services take advantage of the inherent strengths of z/OS, including the security mechanisms of IBM's flagship security product, the Resource Access Control Facility, RACF.
Working with RACF allows UNIX System Services to provide these z/OS-exclusive enhancements to UNIX security:
- No /etc/passwd file: UNIX System Services rely on RACF for user authentication. This means that user information is not kept in /etc/passwd and that all user administration is performed outside of UNIX System Services. Users' encrypted passwords simply aren't available under UNIX System Services. This prevents brute-force password attacks against /etc/passwd and stops intruders from altering user information from within UNIX System Services.
- Enhanced group administration: UNIX System Services and RACF allow a user to be associated with up to 300 groups. This simplifies administration by using RACF's powerful group facilities.
- Granularity of auditing and reporting: UNIX System Services and RACF provide comprehensive auditing, allowing numerous events to be audited. Reporting is based on an open architecture which allows the use of practically any reporting package. This provides better detection of suspicious events.
- Control of where code is fetched from: UNIX System Services allow an administrator to require that code running within the UNIX environment is from non-UNIX System Services libraries. This can be used to prevent the alteration of modules from within UNIX System Services. In addition, IBM has announced that in OS/390 Release 4, programs within the HFS can be controlled using profiles in the RACF facility class. Any successful attempt to modify a controlled file causes the file to be marked as no longer controlled.
- Limit what a user can see: Users can see only their processes. A "ps" command shows only those processes executing within the user address space, which are, by definition, owned by that user.
This page was last updated November 2003.