Hardening Linux VMs on IBM® System z®


Linux, whether running on an IBM System z mainframe or on an x86 server, is vulnerable to security violations if it is not hardened (locked down). “Hardening” refers to the process of changing an operating system so that it provides only what a production environment needs: turning off or disabling unused services and applications, establishing proper permissions, and setting password policy, for example.

“Many of the vulnerabilities we identify are because the operating systems are not securely configured. Usually, vendors set their operating system configurations in the least secure manner in order to facilitate installation and implementation.”
“Q&A: Federal Information Security Isn’t Just About FISMA Compliance, Auditor Says”, by Jaikumar Vijayan, ComputerWorld, June 14, 2007.

Linux runs natively on IBM System z, with the same concerns for OS security. IBM’s Redbook Practical Migration to Linux on System z (October 2009) is a technical planning reference for organizations migrating to Linux on System z. In section 11.1.3, the Redbook addresses hardening the Linux VM.

“The term hardening is commonly used in server security to mean the process of taking a generic purpose operating system and changing it to only provide what is necessary for the production environment. This provides a baseline for security for the given operating system.

During migration you may be given an already hardened Linux image . . . However, if a hardened Linux image does not already exist, then you should create and maintain one.”

Practical Migration to Linux on System z goes on to reference various sources that provide guidelines for the hardening process. With Security Blanket, hardening your Linux VMs on System z is automated. An administration console running on one VM can manage any other Linux instance it can reach, whether in the same LPAR, in other LPARs, or running on x86 servers. VMs can be grouped, security profiles assigned, compliancy assessments run, and automatic configuration initiated to harden the VMs.

The Redbook refers to the creation of a baseline hardened VM. The baseline VM is then used as a guide for hardening the other VMs (be it ten or a hundred). Security Blanket eliminates the need for a baseline hardened VM because industry standard hardening guidelines are built in. They may be utilized as is or modified to adhere to an organization’s security policy. All VMs in a group can be hardened to a defined policy with one click.

The Redbook goes on to recommend maintaining the hardened Linux VM:

“It is necessary to maintain base hardened Linux VMs. Kernels change and security patches are issued, so you need to develop a plan for maintaining the base image and assigning the resources to accomplish it.”

Maintaining the base hardened Linux VM is fully automated when running Security Blanket. Baseline reports can be run on a group of VMs before and after patches are applied. If an application fails after patching, a Baseline Comparison report quickly shows what has changed. And if a group of VMs has been locked down and the kernel changes due to patching or some other activity, a subsequent compliancy assessment identifies whether the VMs are still compliant. If not, one click returns them to a state of compliancy.

What happens if you don’t harden your Linux VMs on System z . . .
  • Unused services are left on, leaving them vulnerable to attack
  • Every patch applied to an operating system could potentially change previously configured security settings
  • After patches are applied, Discretionary Access Controls (DAC) (permissions) are usually reset to default values
  • By not tracking cryptographic hashes (fingerprints) of critical file systems through baselines, organizations would be unaware of changes introduced either by the application of patches or by a malicious attacker modifying files.
  • Server configurations are inconsistent, making them difficult to manage
  • Inconsistency across operating systems leads to risk
  • Excessive permissions granted through Discretionary Access Controls could lead to unauthorized access.
  • Passwords don’t conform to security policy
  • Non-existent or insufficient audit trails diminish an organization’s ability to detect intruders or perform appropriate forensics analysis in order to improve the security posture.
  • User, system, and root account protections are insufficient in order to safeguard the system’s expected operational capabilities as well as to maintain the integrity of the data it is storing and processing.
ALL of which make the Linux VMs vulnerable to attack.
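The baseline mechanism the page describes (a before-patch and after-patch fingerprint of critical files, compared to show what changed, with permission resets and world-writable files called out) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Security Blanket code and makes no claim about how that product stores its baselines. It hashes each regular file under a directory with SHA-256, records the DAC mode and owner, and classifies drift between two baselines. The `demo()` scenario constructs a throwaway directory that stands in for `/etc`, simulates a patch that rewrites a config file, resets `shadow` permissions and drops a world-writable file, and returns the resulting report; all file names and contents in it are constructed for the example.

```python
"""Added example, not Security Blanket code: a minimal file-integrity baseline
built on cryptographic hashes plus DAC mode and ownership, with a comparison
report of the kind the page describes (what changed after patching)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what a hardening baseline cares about: content hash, mode, owner."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid}


def build_baseline(root: Path) -> dict:
    """Walk a tree of critical files (e.g. /etc) and fingerprint each regular file.
    Symlinks are skipped so a link target outside the tree is not hashed twice."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare_baselines(before: dict, after: dict) -> dict:
    """Classify drift: files added, removed, content changed, or DAC/owner changed.
    A file can appear under both 'content' and 'permissions'."""
    report = {"added": [], "removed": [], "content": [], "permissions": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["added"].append(rel)
        elif rel not in after:
            report["removed"].append(rel)
        else:
            b, a = before[rel], after[rel]
            if b["sha256"] != a["sha256"]:
                report["content"].append(rel)
            if (b["mode"], b["uid"], b["gid"]) != (a["mode"], a["uid"], a["gid"]):
                report["permissions"].append(rel)
    return report


def check_world_writable(baseline: dict) -> list:
    """Flag excessive DAC: any file in the baseline writable by 'other'."""
    return sorted(rel for rel, fp in baseline.items() if fp["mode"] & stat.S_IWOTH)


def demo(tmp=None) -> dict:
    """Constructed scenario: baseline a fake /etc, simulate a patch, compare.
    With no argument a temporary directory is created and removed afterwards."""
    if tmp is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    etc = Path(tmp) / "etc"
    (etc / "ssh").mkdir(parents=True)
    (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
    (etc / "shadow").write_text("root:*:0:0:99999:7:::\n")  # constructed content
    os.chmod(etc / "shadow", 0o600)  # hardened: readable by the owner only
    before = build_baseline(etc)

    # Simulated patch: config rewritten, shadow mode reset, new world-writable file
    (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
    os.chmod(etc / "shadow", 0o644)
    (etc / "cron.allow").write_text("root\n")
    os.chmod(etc / "cron.allow", 0o666)
    after = build_baseline(etc)

    return {"drift": compare_baselines(before, after),
            "world_writable": check_world_writable(after)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the "before" baseline would be written to storage that the patched system cannot modify, and the comparison run from a trusted host; a baseline kept on the same disk it describes can be rewritten along with the files it is meant to guard.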
  • Security Blanket assesses the Linux VMs to identify misconfigurations or weak settings within the operating system using pre-defined assessment guidelines such as DISA STIGs, PCI DSS, and the CIS benchmarks, as well as custom user-defined guidelines.
  • Security Blanket automatically hardens the Linux VMs to a state of compliancy.
  • Security Blanket provides monitoring of all Linux VMs, eliminates configuration drift, and maintains consistent, reliable compliance.
  • Inventory auditing of virtualized assets
  • Ability to create a Red Book profile
  • IFL based pricing model
  • Evidence of consistency & compliancy
  • Comparison Reports show exceptions
  • 24 x 7 technical support
Content Update 9/7/11