IBM Security Z Security

Security for Z

  • 1.  Sending ACF2 and RACF SMF records to SIEM via zSecure

    Posted Wed December 11, 2024 11:20 PM

    I have been trying to work out how to filter the SMF records to process using zSecure to send to our SIEM.
    Initially, I want to restrict to only type 230 (ACF2) & 80 (RACF) records, specifically violations (not loggings), invalid passwords and security database changes.

    I have tried editing the CKQCEF#X member but the filtering I have specified is not being honoured. Could someone please give me some starting statements. 



    ------------------------------
    Mark Butler
    ------------------------------


  • 2.  RE: Sending ACF2 and RACF SMF records to SIEM via zSecure

    Posted Thu December 12, 2024 02:07 AM

    Hi Mark,

    The idea of the "exclude members" (such as CKQCEF#X for ArcSight) is that they contain EXCLUDE statements to limit the records selected.

    The member is included into the overall query in CKQCEFG like this:

    VIEW       CRMA.D.ZSSDEV.$BASE.SCKRCARL(CKQCEFG) - 01.42   Columns 00001 00072 
    Command ===> ________________________________________________ Scroll ===> CSR  
    000208  /* Primary selection of records                                     */ 
    000209  NewList type=SMF name=SMFSEL DDname=CKREPORT PL=0                      
    000210    select likelist=SMFHW      /* optional cut-off of older SMF       */ 
    000211    imbed member=ckqcef#x list /* exclude SMF records exit point      */ 
    000212    summary system('Syst') "|" date MinTime MaxTime "|" SMFdd count(10)  

    Because the statements in the member are added into a report that already has a different SELECT statement, you CANNOT limit using a SELECT statement but must use EXCLUDE.

    An EXCLUDE statement that would only select 80 and 230 would have to exclude everything else.

    I would say:

    exclude not(type=(80,230))

    In this case, TYPE is not a repeated field and this is a simple clause, and therefore

    exclude type<>(80,230) 

    should be equivalent, but in general, I think it is good to think of this as a select clause that is negated for use on EXCLUDE.

    [Note that I am taking it literally that you want to use record type 230 and therefore coded a direct reference, although in ACF2 the record type is configurable.]

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 3.  RE: Sending ACF2 and RACF SMF records to SIEM via zSecure

    Posted Thu December 12, 2024 02:33 AM

    > specifically violations (not loggings), invalid passwords and security database changes.

    And then I skipped this part...

    For RACF, you could look at EV.2 option _ Violations.
    If you look in SYSPRINT, you would see something like:

    Resume  CKRCMDV2 (ISPF variable)                                
         1 |N TYPE=SMF NAME=SMFSEL OUTLIM=0 T=:T1 ST=:T2            
         2 | S PROFILE=(*) type=(80,81,83) (EVENT=ACCESS(FAILURE))  
         3 | LIST TYPE                                              
    End of  CKRCMDV2 (include level 2)                              

    Which gives us the EVENT=ACCESS(FAILURE) clause to add to the type 80 selection.

    In general for RACF you can select with EVENT and EVENTQUAL on certain events. This is explained in detail in this topic.

    So this would bring you to something like

    exclude not(,                                                         
                (type=80 (event=access(failure) or event=racinit(1,2,3))),
            or,                                                           
                type=230,                                                 
            )                                                             

    where I randomly put "1,2,3" as a list of qualifiers without looking up what you really wanted there. 

    You can look in Table 17 for the event qualifiers for RACINIT, and in Table 18 for the event qualifiers for ACCESS.

    [Since you are not looking for successful logons, you don't need to worry about including events synthesized from type 30 because type 80 is not actually being written.]

    For ACF2 you can look at EV.3 and then Violations.

    Resume  CKRCMDV2 (ISPF variable)                            
         1 |N TYPE=SMF NAME=SMFSEL OUTLIM=0 T=:T1 ST=:T2        
         2 | S exists(acf2_subtype) ((ACF2_DESCRIPTOR=VIO))     
         3 | LIST TYPE                                          
    End of  CKRCMDV2 (include level 2)                          

    I hope this begins to help.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development Manager IBM Security zSecure
    Delft
    ------------------------------



  • 4.  RE: Sending ACF2 and RACF SMF records to SIEM via zSecure

    Posted Thu December 12, 2024 11:19 PM

    Thank you for your input. I have been able to use this to get over the hump that I had.



    ------------------------------
    Mark Butler
    ------------------------------



  • 5.  RE: Sending ACF2 and RACF SMF records to SIEM via zSecure

    Posted Thu December 12, 2024 04:55 AM

    I assume you have already looked at the installation and deployment manual.

    As Jeroen points out, the #X members support filtering by progressively excluding records.  Each EXCLUDE command removes more records from the input stream.

    If you like complicated logical expressions, you can try to write your selection as one large EXCLUDE command, remembering that SELECT EVENT=ACCESS(FAILURE) is the same as EXCLUDE NOT(EVENT=ACCESS(FAILURE)) for most purposes.  So if you like to write a positive selection of some record types and conditions, you wrap those clauses in an EXCLUDE NOT( ) statement, as Jeroen demonstrated.  Note, by using a field name in a select clause, you also imply that the record must contain the field name.

    Alternatively, you can use multiple EXCLUDE commands, remembering that their effect is cumulative.  For example:

    exclude type<>(80,230)   /* forget about all but these 2 types */
    exclude type=80 event=access(success)  /* keep the access failure and warnings, and also all RACF commands, logon events, etc */
    exclude type=230 ACF2_DESCRIPTOR<>VIO  /* keep only the ACF2 violations */

    You can add more EXCLUDE commands for type 80 and 230 to further reduce messages to the SIEM.

    Note, this is not how I would implement a SIEM feed.  Violations are interesting, but don't help much identifying dangerous system changes, data exfiltration, or generally non-compliant activities.  In the olden days, auditors would scrutinize access violations because they did not have the tools to inspect the much more numerous successful access records.  That way, they would, however, miss system updates, database copies, etc.  With intelligent filters in SIEMs you can do much better than just looking at access violations.



    ------------------------------
    Rob van Hoboken
    ------------------------------
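    The cumulative EXCLUDE approach in this reply and the single EXCLUDE NOT( ) form from Jeroen's earlier reply, modelled in Python as an added example (not code from the thread, from zSecure or from CARLa); the sample records, the field names used for the event qualifier, and the rule that a clause naming a field the record lacks evaluates false are assumptions for the illustration.

```python
# Model of the two filtering styles the thread describes for a zSecure #X exit
# member: several cumulative EXCLUDE commands versus one EXCLUDE NOT( ) around a
# positive selection. Constructed illustration, not zSecure/CARLa code; the
# missing-field semantics (per Rob's note) are assumed, not product-verified.
MISSING = object()

def is_in(rec, field, *values):
    """FIELD=(v1,v2,...): false when the record has no such field (assumed)."""
    return rec.get(field, MISSING) in values

def not_in(rec, field, *values):
    """FIELD<>(v1,v2,...): also false when the field is absent (assumed)."""
    value = rec.get(field, MISSING)
    return value is not MISSING and value not in values

def exclude(records, clause):
    """One EXCLUDE command: drop every record for which the clause holds."""
    return [r for r in records if not clause(r)]

def keep_violations_cumulative(records):
    """Rob's three EXCLUDE commands applied in order; their effect accumulates."""
    records = exclude(records, lambda r: not_in(r, "type", 80, 230))
    records = exclude(records, lambda r: is_in(r, "type", 80)
                      and is_in(r, "event", "ACCESS") and is_in(r, "qual", "SUCCESS"))
    records = exclude(records, lambda r: is_in(r, "type", 230)
                      and not_in(r, "ACF2_DESCRIPTOR", "VIO"))
    return records

def keep_violations_single(records):
    """The same selection as one EXCLUDE NOT(...) wrapping a positive select."""
    def wanted(r):
        racf = is_in(r, "type", 80) and not (
            is_in(r, "event", "ACCESS") and is_in(r, "qual", "SUCCESS"))
        acf2 = is_in(r, "type", 230) and is_in(r, "ACF2_DESCRIPTOR", "VIO")
        return racf or acf2
    return exclude(records, lambda r: not wanted(r))

# Constructed sample records (not real SMF data); 'qual' stands in for the event qualifier.
SAMPLE = [
    {"id": 1, "type": 80, "event": "ACCESS", "qual": "FAILURE"},
    {"id": 2, "type": 80, "event": "ACCESS", "qual": "SUCCESS"},
    {"id": 3, "type": 80, "event": "RACINIT", "qual": 2},
    {"id": 4, "type": 230, "ACF2_DESCRIPTOR": "VIO"},
    {"id": 5, "type": 230, "ACF2_DESCRIPTOR": "LOG"},
    {"id": 6, "type": 30},
]

def kept_ids(filter_fn, records=SAMPLE):
    return [r["id"] for r in filter_fn(records)]  # ids forwarded to the SIEM
```

Both formulations keep only the access failure, the RACINIT event and the ACF2 violation from the sample; the type 30 record is dropped by the first EXCLUDE alone, so the later clauses never see it.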


