On January 31, 2025 a new service stream enhancement (SSE) shipped in the zSecure 3.1 service stream that provides multi-system support for the zSecure Admin 3.1.1 Web UI, support for IBM Threat Detection for z/OS in zSecure Audit and Alert 3.1.0, and other updates.
Background
IBM Z continues to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. The IBM zSecure portfolio builds on the security support in IBM Z, z/OS and RACF to enhance Z security capabilities.
IBM zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also update the RACF database directly; for example, to reset a lost password to a user-defined default password. The Access Monitor component can see security events that are not being logged and summarize all access requests. The RACF Offline component allows updates to a RACF database that is not active, so that the effective security changes resulting from a reorganization of security rules can be analyzed against the Access Monitor data before the changes are activated. A plug-in to IBM z/OS Management Facility (z/OSMF) provides a web interface. IBM zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment.
IBM zSecure Audit helps review the security of the system in various ways, for example by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The zSecure Collect component collects system snapshot information. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM zSecure Alert is a real-time monitor for security events.
IBM Z Security and Compliance Center is a software product designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that can run under IBM z/OS Container Extensions (zCX) or the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is available with this product.
IBM Threat Detection for z/OS is an Artificial Intelligence software product that identifies anomalies in data access that might indicate a potential cyber attack.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).
The zSecure Admin Web UI component was introduced last October via the zSecure 3.1 service stream. Only the Web UI component identifies itself as 3.1.1. All other components of the zSecure portfolio continue to identify themselves as 3.1.0.
Benefits
The updates recently shipped in the zSecure 3.1 service stream include the following enhancements:
- The Web UI component of zSecure Admin now supports connections via the zSecure Server (CKNSERVE), allowing administration of multiple systems from a central location. This brings the functionality of the Web UI substantially closer to equivalence with zSecure Visual, for which withdrawal from marketing was announced last December, with zSecure Admin as the replacement product.
- Support for IBM Threat Detection for z/OS, both for the new SMF 98 subtypes 5-8 and for the SMF 83 subtype 8 (anomaly detected) record. The latter is forwarded to SIEM solutions via the Log Event Extended Format (LEEF) and Common Event Format (CEF) event streams. There are also new zSecure Alert alerts based on this new record type, and the user interface allows inspecting the new record types.
- More compliance controls have been added to the Center for Internet Security (CIS) IBM z/OS RACF Benchmark and the CIS IBM Db2 for z/OS Benchmark.
- Menu option RE.D.AP has been added for Db2 audit policies.
- The RACF Offline REPORT command now also reports on CKGRACF commands.
- In zSecure CICS Toolkit, password and pass phrase support for ADD USER and ALTER USER has been extended.
For more details, see the refreshed zSecure 3.1 documentation. There is a new "(January 2025)" section in What's new.
The latest compliance standard overview is here.
These enhancements apply to zSecure Admin, zSecure Audit, zSecure Alert, zSecure Adapters for SIEM, zSecure CICS Toolkit, and Z Security and Compliance Center.
Prerequisites
To fully benefit from these enhancements, the following is required:
Migration
This January 2025 SSE comes with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
If you have not previously installed the October 2024 SSE, you will see a ++HOLD explaining that it upgrades zSecure Admin to 3.1.1, which contains a web UI plug-in for z/OSMF that includes open source software.
For more details, you can look at the Release notes.
If you have any questions, please ask them here. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.