Finding work running under UID 0 and understanding what it is is important for security on z/OS.

Some UID 0 processes run for hours and are easy to find with tools like SDSF. Other work might only run for a fraction of a second, and is virtually impossible to catch “in the act”.

SMF data can help. SMF type 30 records have Unix Process sections for z/OS unix work. The Unix Process section includes the UID so you can use it to find UID 0 work.

Here is an example of the EasySMF Unix Work report:

The UID field allows you to filter the report to include only work with UID 0.

The report builds a tree using the parent process information so you can see the relationship between different tasks. Information from SMF about the running program is included, which can help to understand what the work is doing.

The Elapsed column shows how long these tasks were running. Most of these tasks were part of system startup and many ran for less than half a second, so it would be very difficult to catch them in real time.

You can download a 30 day trial to see what the data from your system looks like here:

EasySMF 30 Day Trial

EasySMF can now load SMF data using the z/OSMF Dataset and File REST API.

The z/OSMF REST API uses HTTPS instead of FTP so it is a good option for sites that don’t want to use FTP. HTTPS works better with firewalls because it uses a single port instead of separate control and data connections used by FTP.

z/OSMF will compress the data for transfer. If the connection is bandwidth-limited, that can make loading SMF data up to 10 times faster.

Limitations

z/OSMF cancels the REST API task if it hasn’t completed after approximately 15 minutes. This limits the amount of data that can be transferred. However, with 10 times faster data transfer, that could be the equivalent of over 2 hours transfer time using FTP.

Hopefully IBM will relax this limitation in the future.

• Are all my z/OS TCP/IP connections encrypted?
• How do I know what level of TLS is being used?
• Which TCP/IP clients or servers are using insecure ciphers?

zERT – the z/OS Encryption Readiness Technology is designed to answer these questions.

zERT is a function of TCP/IP on z/OS. It collects information about cryptographic security attributes of TCP/IP connections and writes it to SMF. IBM provides some free zERT reports in z/OSMF, but the data needs to be loaded into DB2 before you can view the reports.

EasySMF allows you to view zERT SMF reports without DB2.

zERT can produce 2 types of records – Connection Detail and Aggregation. Like z/OSMF, EasySMF reports on zERT Aggregation records: SMF type 119 subtype 12.

zERT Aggregation records contain similar information to the zERT Connection Detail records, but information for multiple connections with the same security characteristics are combined. This reduces the number of records generated.

The aggregation records still break the information down to the IP address and port level, but they combine information from multiple connections with the same security settings from the same client.

Finding the Important Information

Even using aggregation records, zERT reports have a lot of information. Records are produced for each client connecting to TCP/IP. Most of these records are not interesting. The entries you probably want to see are connections with specific security attributes, e.g. insecure ciphers or old TLS versions.

EasySMF makes it easy to find the important entries. EasySMF groups connections by security attributes and server port.

Here we can see there are multiple clients connecting to FTP and z/OSMF using TLS V1.0.

We can filter the report to show only the TLS 1.0 entries, and expand the groups to show the individual client addresses. To save the report data, you can export it to Excel or in CSV format.

zERT is a very useful facility to help you secure your z/OS system. Download a 30 day trial of EasySMF and see how EasySMF can help you interpret your zERT data.

A few weeks ago, @wizardofzos tweeted about a unix shell script that showed a bug on z/OS.

Here is the script:

#!/bin/bash
mkdir -p broken
c=1
while [ $c -le 4000 ]
do
  f=$RANDOM
  touch broken/$f
  setfacl -m "u:IBMUSER:rwx" broken/$f
  clear
  echo "Testing cut" | cut -c1 
  echo "Done for $c"
  let c=c+1
done

I was curious, so I tried to reproduce it on my system. The original script runs under bash. I tried it under both bash and /bin/sh but was unable to reproduce the bug, so I couldn’t do any further investigation.

What I did notice, however, was that the script was much, much faster under /bin/sh. That was interesting, so I had a closer look at the SMF data using EasySMF. I ran the 2 jobs for 1000 iterations of the loop. 1000 iterations created approximately 5000 unix tasks. Due to the various type 30 subtypes, the /bin/sh job produced about 20,000 type 30 records and the bash job about 28,000.

Here is part of the Job Completions report for the 2 jobs:

ANDREWRA is the job running bash, ANDREWRB runs /bin/sh.

The bash job took 2 minutes elapsed versus 1 minute for /bin/sh, but more interesting is the CPU time: more than 1 minute for bash, less than 5 seconds for /bin/sh. Those CPU times are the totals for all the descendants grouped under the collapsed top level jobs in the report.

The Unix Work report shows this in more detail. It works from the Step End SMF records and shows substep information as well. This is part of the report for ANDREWRA running bash:

We can see some interesting stuff here:

• Very little of the CPU time is charged back to the owning job JOB06732. Most of it is in OMVS sub tasks.
• The top level bash step uses the most CPU time.
• We can see what looks like the fork/exec pattern described in the SMF manual, where the parent forks and then execs another program creating a sub-step in SMF.
• Forking the bash task also seems to use a relatively large amount of CPU time.
• Although the Job Number STC06734 is the same for all these tasks, they are actually separate tasks reusing the same OMVS initiator.

The same report for ANDREWRB running /bin/sh:

Interesting differences:

• The top level shell uses a lot less CPU.
• It does not show the same sub-step pattern. The commands themselves exist as top level steps in the OMVS initiator. Overall it uses a lot less CPU.

Conclusions

This isn’t meant to be a criticism of the bash port. I imagine IBM has a lot more ability to get into the operating system internals and optimize /bin/sh. But it is interesting to see the difference in resource usage.

The obvious conclusion would be to avoid bash for shell scripts with significant loops, or (probably) scripts that spawn many subcommands e.g. find. Use bash if you really need it’s functionality, e.g. for login shells.

Much of my description of what is going on is speculative based on what I can see in SMF, if you know more please feel free to comment.