IBM Security Z Security


IBM Security zSecure today

By Jeroen Tiggelman posted Fri November 09, 2018 01:05 AM


This article is intended as the starting point for reading about IBM Security zSecure. Links to the latest releases are kept current. Latest edit: April 12, 2024.

In a word

IBM Security zSecure suite helps protect your mainframe. It provides cost-effective security administration, improves service by detecting threats, and reduces risk with automated audit and compliance reporting. Most of the product offerings run on z/OS; zSecure Manager for RACF z/VM is an offering for the z/VM operating system. For administrators who are less mainframe-minded, zSecure Visual provides a Microsoft Windows front-end.

Information about the latest releases can be found in the following articles.

For z/OS: zSecure 3.1 (Sep 2023), and the following service stream enhancement:

1. Various enhancements, including for Db2 secure row and column mask protection audit (Apr 2024)

and the following new solution packages: New IBM Z Compliance and Auditing solutions (Aug 2022)

For z/VM: zSecure Manager for RACF z/VM 2.5.1 (Jun 2022), plus

1. Compatibility for z/VM 7.3 (Sep 2022)

zSecure suite

There are currently eleven zSecure product offerings. It is for example possible to order only support for security administration and not for auditing and compliance, and you can choose to do your administration from a Windows, a CICS, and/or an ISPF environment. If on the other hand "you want it all", you can get a larger functionality package.

There is one package for z/VM and one to be installed onto the CICS platform. Then there are five "point products" for z/OS, and three "solution packages" containing several of these. Finally, there is one "functionality subset"--called the zSecure Adapters for SIEM--for one of the "point products" that allows you to just feed mainframe information into your Security Information and Event Management (SIEM) solution. Details on the subdivision of the suite can be found in the article zSecure Administration, Auditing, and Compliance solutions.

Although available as separate offerings, the products are tightly integrated. Four of the z/OS "point products" share a common report writer engine and an integrated ISPF user interface. The available functions and interface options depend on the overall installed and enabled entitlements. This basis also extends to the z/VM offering, which you can think of as the z/VM equivalent of the zSecure Admin and zSecure Audit offerings. Moreover, the zSecure Admin and zSecure Audit products support analyzing your z/OS and z/VM data together, also using the input collected by the z/VM offering.

The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. The CICS offering uses the same (z/OS) release numbers. The z/VM releases are typically further apart and do not follow any strict numbering scheme. For new z/VM releases, toleration PTFs are distributed liberally for the zSecure releases in support (both the z/VM and the z/OS offerings). Toleration PTFs for new releases of the CICS subsystem are also habitually made available.

IBM Z Security and Compliance Center

IBM Z Security and Compliance Center is a product that builds on functionality in the zSecure suite, but that is not a part of it. It contains all the functionality of zSecure Audit and additionally provides a web-based compliance dashboard. The solution packages that contain zSecure Audit have equivalents that contain IBM Z Security and Compliance Center instead.

CARLa Auditing and Reporting Language (CARLa)

zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Visual, and Z Security and Compliance Center all make use of a shared report writer engine, known as the "CARLa engine". The script language used to write queries is called "CARLa Auditing and Reporting Language" in full. The report writer is capable of delivering output as ISPF tables, print output, Write To Operator (WTO) messages, Simple Network Management Protocol (SNMP) traps, or UNIX syslog receiver messages, in EBCDIC or UTF-8, as text or in XML. (Note: options depend on entitlements. For example, if you only have a zSecure Visual entitlement--so you work from Windows 99% of the time--you cannot generate ISPF tables.) Release 3.1 also provides support to write output in JavaScript Object Notation (JSON).

CARLa allows for easy customization of reports. An easy way to develop new administration or auditing reports that are similar to existing ones is to run a query from the user interface, then go to the RESULTS panel, look at the query that just executed, and modify it to suit your needs. The SCKRCARL library shipped with the products contains an extensive set of sample CARLa scripts; you can look at the CKA$INDX member at the top for a one-line description of each script.

zSecure Alert provides alert skeletons that use CARLa to define alert conditions and the alert content as delivered as e-mail, text message, WTO, SNMP trap, or UNIX syslog receiver message (with IBM QRadar SIEM or Micro Focus ArcSight content), making it easy to create your own alerts. zSecure Visual client uses CARLa to query the back-end; an understanding of the general workings of CARLa can help in understanding some of the advanced configuration options, but you do not normally work with CARLa directly when using this product. The z/OS Compliance Integration Manager component of Z Security and Compliance Center also invokes the CARLa engine, but the experience for a compliance dashboard user is similar to that of a zSecure Visual client user in this respect.

Self-study materials on CARLa are available on the zSecure learning site.

zSecure and Security Information and Event Management

A Security Information and Event Management (SIEM) solution is one that deals with both Security Event Management (SEM)--that is, real-time monitoring, correlation of events, notifications, and console views--and Security Information Management (SIM)--that is, the longer-term storage, analysis, and reporting of those (basic and collated) events.

This kind of operation can be performed on the mainframe itself--and indeed zSecure Alert and zSecure Audit provide direct capabilities that fit into these areas--but when we talk about zSecure and SIEM, we generally mean that zSecure acts as an engine that captures events on the mainframe and forwards the information--enriched with associations that the engine can make--to a central cross-platform solution. zSecure provides two types of such event feeds, and sometimes distinguishes between sending (enriched, but non-collated) events and sending alerts. The choice between an "events" (SIM on the mainframe side) and an "alerts" (SEM) solution depends on your requirements.

zSecure Adapters for SIEM and zSecure Audit ship with out-of-the-box event feeds into IBM QRadar SIEM and Micro Focus ArcSight. These standard CARLa scripts support basic z/OS events and RACF, ACF2, Top Secret, Integrated Cryptographic Services Facility (ICSF), Db2, CICS, z/OS Communications Server (that is, TCP/IP), IBM Security Key Lifecycle Manager (ISKLM), WebSphere Application Server (WAS), and other events. Jobs and instructions are provided for easy deployment. The CARLa scripts contain exit points where installation-specific CARLa can be employed to add custom events or adjust the selection of events to be transferred. It may be possible to use these feeds in Log Event Extended Format (LEEF; for QRadar) or Common Event Format (CEF; for ArcSight) as input to other SIEM solutions. It is also possible to adjust the CARLa scripts to report in another format. The main source for the events is the System Management Facilities (SMF) log; the information is enriched by correlations with the security database and system environment. The information can be transferred as a SIM feed using file polling (triggered from the SIEM solution) or sent near real-time through the syslog protocol. There are in fact two ways to set up the near real-time path: using the SMF in-memory (INMEM) resource feature or using the zSecure SMF Collector. Note that the INMEM feature requires the use of SMF log streams (as opposed to data sets).

zSecure Alert is a real-time monitor that sees SMF records before they have been written to disk. It can also listen to WTO messages. It is capable of aggregating events across time intervals and triggering only when certain thresholds are exceeded. zSecure Alert can forward near real-time alerts to many different products through the UNIX syslog receiver, SNMP, and WTO protocols, both to automate intrusion response and to consolidate compliance information. A pluggable component "IBM zSecure Alert DSM" is provided by QRadar SIEM. zSecure Alert also comes with CEF to send to a UNIX syslog receiver for consumption by ArcSight. Sample files to consolidate the alerts into IBM Z NetView are provided in IBM Documentation. zSecure Alert ships with a fair set of alerts out-of-the-box. You can select which of those you are interested in, and add your own alert conditions and reporting using CARLa.
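The two preceding paragraphs describe an event feed in LEEF (for QRadar) or CEF (for ArcSight) that another SIEM may also be able to consume, and an alert monitor that aggregates events over a time interval and fires only above a threshold. The Python below is an added example, not zSecure's or IBM's code: it parses constructed LEEF 1.0, LEEF 2.0 and CEF payloads (vendor, product, event IDs and field values are invented and follow only the public format layouts, not what zSecure emits) and then applies a sliding-window threshold of the kind the Alert paragraph describes. It is the sort of check a receiving-side engineer would run to confirm a feed is being split correctly, in particular where a header field carries an escaped pipe or an extension value an escaped equals sign.

```python
"""Parse CEF and LEEF syslog payloads and apply a sliding-window threshold.

Added example, not zSecure code. Sample lines are constructed; vendor,
product, event IDs and values are invented and only follow the public layouts.
"""
import re
from collections import deque

# A CEF extension key is preceded by start-of-string or whitespace and followed
# by '='; an escaped '\=' inside a value therefore never starts a new key.
_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')


def _split_header(text, nfields):
    """Return the first nfields pipe-delimited header fields and the remainder.

    Both formats escape a literal pipe as \\| and a backslash as \\\\ inside
    header fields, so a naive split('|') would cut an escaped value in two.
    """
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        c = text[i]
        if c == '\\' and i + 1 < len(text) and text[i + 1] in '|\\':
            buf.append(text[i + 1])
            i += 2
        elif c == '|':
            fields.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < nfields:
        raise ValueError('truncated header: %r' % text)
    return fields, text[i:]


def _unescape_cef(value):
    # CEF extension values escape '=', '\', newline and carriage return.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse 'CEF:0|vendor|product|version|sig_id|name|severity|extension'."""
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF line')
    hdr, ext = _split_header(line[4:], 7)
    event = dict(zip(('cef_version', 'vendor', 'product', 'version',
                      'signature_id', 'name', 'severity'), hdr))
    keys = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape_cef(ext[m.end():end].strip())
    return event


def parse_leef(line):
    """Parse LEEF 1.0 (tab-separated attributes) or LEEF 2.0 (declared delimiter)."""
    if not line.startswith('LEEF:'):
        raise ValueError('not a LEEF line')
    hdr, rest = _split_header(line[5:], 5)
    event = dict(zip(('leef_version', 'vendor', 'product', 'version', 'event_id'), hdr))
    delim = '\t'
    if event['leef_version'].startswith('2'):
        # LEEF 2.0 may carry a delimiter field: one character, or xHH for a hex code.
        head, sep, tail = rest.partition('|')
        if sep and '=' not in head:
            if re.fullmatch(r'x[0-9A-Fa-f]{2}', head):
                delim = chr(int(head[1:], 16))
            elif head:
                delim = head
            rest = tail
    for pair in rest.split(delim):
        key, eq, value = pair.partition('=')
        if eq:
            event[key.strip()] = value
    return event


def threshold_alerts(events, window_seconds, threshold):
    """Return the keys that reach `threshold` events inside any window_seconds span.

    `events` is an iterable of (epoch_seconds, key) pairs, e.g. failed logons
    keyed by user ID: one alert per offending key instead of one per event.
    """
    alerts, recent = set(), {}
    for ts, key in sorted(events):
        q = recent.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(key)
    return alerts


# Constructed sample payloads (not real zSecure output).
SAMPLE_CEF = ('CEF:0|ExampleVendor|ExampleProduct|1.0|LOGON_FAIL|TSO\\|ISPF logon failure|5|'
              'suser=JSMITH src=10.0.0.5 msg=Password invalid\\=retry cs1Label=job cs1=TSO')
SAMPLE_LEEF2 = 'LEEF:2.0|ExampleVendor|ExampleProduct|1.0|LOGON_FAIL|^|usrName=JSMITH^src=10.0.0.5^sev=5'
SAMPLE_LEEF1 = 'LEEF:1.0|ExampleVendor|ExampleProduct|1.0|LOGON_FAIL|usrName=JSMITH\tsrc=10.0.0.5'


def demo():
    """Parse the samples and run the threshold over constructed failure times."""
    cef, leef = parse_cef(SAMPLE_CEF), parse_leef(SAMPLE_LEEF2)
    failures = [(0, cef['suser']), (15, cef['suser']), (40, leef['usrName']), (900, 'OTHER')]
    return cef, leef, threshold_alerts(failures, 60, 3)


if __name__ == '__main__':
    for item in demo():
        print(item)
```

The header splitter is shared by both formats because their escaping rules for the pipe-delimited part are the same; the extension parsing differs (CEF uses whitespace plus escaped equals signs, LEEF a fixed or declared delimiter), which is exactly where a generic "split on space" ingest rule in a third-party SIEM tends to go wrong.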

A real-time event feed with RACF events from z/VM in LEEF format has become available in zSecure Manager for RACF z/VM 2.5.1.

zSecure and Compliance auditing

zSecure Audit has supported system status auditing for more than 25 years. The main point there is to ensure that system configurations and security rules provide appropriate protection. What is appropriate depends on the level of security you need to attain. Therefore, besides reviewing many protection settings automatically and flagging what seemed inappropriate according to an internal policy, zSecure also enabled you to specify a number of external security policies that should be met, and then adjusted the generated audit priorities accordingly.

Security profiles and standards have evolved over the years, and there are different standards available for different purposes. An example is the Payment Card Industry Data Security Standard (PCI-DSS). It is generally difficult to completely automate such standards, as what needs to be protected depends on the implementation you have chosen to hold and process the sensitive data. Sometimes the standards also ask for certification of things that cannot possibly be automatically detected.

In 2012 zSecure introduced the zSecure Compliance Testing Framework. This externalizes the standards and rules to be evaluated into CARLa, giving you full control over what compliance stance is to be achieved, while giving you access to all the basic security reports in the product to build those rules and standards on. The Compliance Testing Framework also allows you to override automatically determined results, or assert that certain criteria are met, for example for administrative controls. A few standards are shipped with the product, most notably the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). You can use that as a basis for your own standard, possibly by using the capabilities to suppress and add rules to an otherwise already defined standard.

The latest zSecure release ships with an extended user interface for rule-based compliance auditing, allowing you to easily maintain configuration files (such as allow lists) and manage logical sets of compliance rules.