IBM Security Z Security

 View Only

IBM Security zSecure 2.3.1: Command and Ticket Logging

By Jeroen Tiggelman posted Sat April 27, 2019 04:03 AM

On April 19, 2019 a new service stream enhancement (SSE) to zSecure 2.3.1 has become generally available, providing functionality to keep a command log annotated with ticket numbers to connect modifications to an approved request in the change management system and make it easier to redeploy changes to another system.

Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications.

Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. When an access check occurs in a resource manager (i.e., a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied).

IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities.
IBM Security zSecure Admin boosts productivity for RACF administrators.
IBM Security zSecure Command Verifier provides an additional security layer. RACF calls zSecure Command Verifier before processing a RACF command and zSecure Command Verifier compares the requested command to your security policies and can adjust the parameters or tell RACF to deny the command.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).

New function
This SSE adds a new started task zSecure Admin Command Logger (CKXLOG) to zSecure Admin to be run on each system where RACF commands are run, providing an option to log all RACF commands that are issued through the zSecure interface in a central repository (z/OS log stream). The records of the commands can be annotated with a change ticket number and a ticket description. The zSecure Admin ISPF interface and zSecure Command Verifier can send the commands to the zSecure Admin Command Logger. The zSecure Admin ISPF interface can be configured to require entering ticket information when issuing commands.

A new menu CR (Command Review) is available in the zSecure Admin ISPF interface. Option CR.2 (CKXLOG) allows you to review and re-run commands in the command execution log. Option CR.1 (Libraries) allows you to work with RACF commands in PDS members and route them to systems where you want them deployed.

A new report type CKXLOG is available in CARLa to work with the command execution log.

A TSO command CKXLOGID is provided for specifying ticket information in the batch.

For more details, read the Technote.

This update primarily applies to zSecure Admin. If zSecure Command Verifier is also available, the functionality is enhanced further.


To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.3.1, or one of the zSecure Administration solutions
* PTF UA99126 for APAR OA56718 (this updates code shared between zSecure Admin and zSecure Command Verifier)
* PTF UA99127 for APAR OA56801 (this updates code specific to zSecure Command Verifier)
* PTF UA99128 for APAR OA56705 (this updates code shared between zSecure Admin and other CARLa-driven components)
* PTF UJ00783 for APAR OA58254 (this updates code shared between zSecure Admin and other CARLa-driven components)

The original set of updates came with a ++HOLD ACTION for zSecure Admin, as prompting for ticket information is turned on if a profile matching CKR.CKXLOG.ID.PROMPT is found in the resource class used for controlling the product. If you had a back-stop profile CKR.** this might be triggered on installing the PTF. In that scenario, you probably want to set up CKR.CKXLOG.ID.SHOW and CKR.CKXLOG.ID.PROMPT profiles with the desired access controls before doing so; you can prevent displaying new entry fields / all prompting with UACC(NONE) and specifying no permits. Otherwise, the new functionality is turned off by default.

The additional update in UJ00783 removes this incompatibility by requiring a generic profile CKR.CKRLOG.** to exist for the functionality to be turned on. If you installed the original set first and were already using the function and you are now installing this additional update and/or moving to zSecure 2.4.0 at the GA level (or better), you will need to make sure this generic profile is defined for the functionality to continue to work.

Since this service stream enhancement comes with a new menu CR (Command Review), it has a different National Language Support table level. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

If you have any questions, please post them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

Editorial note: The migration information was updated to also mention the CKR.CKXLOG.ID.SHOW profile.
Editorial note: The article was revised for the additional PTF that eliminated the original incompatibility with back-stop profiles.