IBM Security Z Security


IBM Security zSecure 2.4

By Jeroen Tiggelman posted Wed October 02, 2019 07:39 AM

IBM Security zSecure Suite 2.4 was announced on July 23, 2019 with a planned availability date of September 30, 2019. You can read the US announcement letter here. This release provides enhanced file integrity monitoring capabilities, functionality to associate security commands to approved change requests, extended STIG coverage (in particular for ACF2), currency for z/OS 2.4, ICSF HCR77D0, and DISA-STIG 6.41, and more.

Background

IBM Z hosts mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities and application-level resiliency. z/OS 2.4 builds on this, seeking to optimize existing application investments in new and innovative ways and unleashing potential through enabling new application development processes.

Resource Access Control Facility (RACF) is the foundational IBM package for protecting IBM Z. When a program must make an access decision about the use of a resource, it calls the System Authorization Facility (SAF), which in turn calls the external security manager (for example RACF); the external security manager responds with "allowed", "protection undefined" (no profile covers the resource), or "denied". CA ACF2 is an alternative external security manager.

IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, MQ, and z/OS UNIX.

IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example to set a password back to a user-defined default password in case of a lost password (so that the administrator does not know it). IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM. 

The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with information security controls documentation from IBM).

IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).


Benefits
IBM Security zSecure 2.4 provides
* support for stronger checksum algorithms (SHA2-512, SHA3-512) for monitoring file integrity
* a new RE.F (file integrity monitoring) menu in addition to the Library Audit (AU.L) application
* a started task that can help ensure that issued RACF commands can be related to approved change requests, by logging them to a z/OS log stream (see the April 2019 service stream enhancement (SSE) for details)
* a new CR (command review) menu where you can review the logged annotated commands and that can also be used to route security command streams to additional systems where you want them deployed
* support for new RACF classes and profile segments for various z/OS 2.4 enhancements, including extended support for custom data (site-specific data that is held in the RACF database) and Identity Token management
* currency for other z/OS 2.4 functionality, such as reporting on the new Restricted Use Common Storage Areas and support for the TLS 1.3 protocol and IBM z/OS Container Extensions
* capability to compare compliance between different points in time in the rule-based auditing menu (AU.R)
* a new report type ACF2_SENSRESOURCE_ACCESS (parallel to the earlier ACF2_SENSDSN_ACCESS) intended for writing compliance rules for general resources under ACF2
* extended coverage of ACF2 compliance controls for STIG
* capability to resolve symlinks and variables in selected z/OS UNIX path names
* more UNIX compliance control automation
* support for IBM Z Multi-Factor Authentication SMF record type 83-7
* zSecure CICS Toolkit VERIFY API extension for pass phrases
* various enhancements for pervasive encryption and the Integrated Cryptographic Service Facility (ICSF), for example SMF 82-18 (crypto co-processor configuration) support
* display of Information Management System Open Transaction Manager Access (IMS OTMA) settings the IMS region reports
* integration of Db2 authid privileges configured through ZPARMs into the Db2 access control list displays
* a new alert (1123) for privilege escalation detection
* a new menu option (CO.L) to easily work with the last CARLa query
* an L(ist) command on a CKFREEZE entry in SETUP FILES that summarizes the CKFREEZE record types present and the space each takes up
Edit: The December 2019 revision of the Installation and Deployment Guide contains a new Appendix G to help you use this information to determine how you can reduce the size of your CKFREEZE data sets depending on the functions you want to use them for.
* The DSN_MEMBER report type is similar to the DSN report type, but reports on the member level
* currency with CICS 5.5

The STIG standard version level has been upgraded to 6.41.


Migration
This year zSecure participated more fully in the z/OS Early Support Program. As a result, the base FMIDs were now cut in March. It is strongly recommended that you ensure that you have all PTFs cut before September 30 applied, so that you have all new function as described in the zSecure publications at GA.
Edit: Most zSecure 2.4 publications have been refreshed in December 2019 following the administration, compliance automation, and event management service stream enhancement.

The original Command and Ticket Logging SSE shipped with an incompatibility warning in case you had a CKR.** back-stop profile. This incompatibility was eliminated in a later PTF. If you are already using this function but did not create a generic CKR.CKXLOG.** profile yet, then do so now, because it is now required for the function to be considered active.

If you are actively using the Library Audit (AU.L) function, then be aware of a change in the default checksum algorithm. zSecure Collect for z/OS now uses SHA3-512 if the hardware supports it (z14 or newer), and otherwise SHA2-512 if the hardware supports that (for example z12), instead of the prior CRC32. Checksums computed with different algorithms cannot be compared, so changing the algorithm between two CKFREEZEs makes every member look different. If you are not ready to migrate to a newer algorithm, specify CHECK_ALGORITHM=OLD for your zSecure Collect runs. When you do migrate, you can instruct AU.L to accept checksums as equal when they were computed with different algorithms and the two CKFREEZEs were created close together in time, through the new "Period during which a checksum algorithm change is tolerated" option (which generates the CARLa keyword CHECKSUM_ALG_CHANGE=xx). Note the trade-off: within that tolerance period a member modified between the two collections is also accepted as unchanged, because there is no digest to compare, so keep the period as short as your collection schedule allows and take the post-migration baseline promptly.
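The following Python script is an added illustration of the comparison policy described above; it is not zSecure code and does not read CKFREEZE data sets. It builds two snapshots of a constructed "library" (member name to content), one with SHA2-512 and one with SHA3-512, and compares them under the three cases the migration text distinguishes: same algorithm, algorithm change inside the tolerance window, and algorithm change outside it. The member names, contents, timestamps and the 24-hour window are all made up for the example; the status names are the script's own, not zSecure's.

```python
"""Baseline/current checksum comparison with a tolerated algorithm change.

Constructed example (not zSecure code). Each snapshot records the algorithm,
the time it was taken, and one hex digest per member, roughly what AU.L
needs from a CKFREEZE. The comparison rules mirror the migration text:
  - same algorithm: digests decide ("unchanged" / "changed");
  - different algorithms, snapshots within the tolerance window:
    "accepted_alg_change" (assumed equal; a real change is NOT detected);
  - different algorithms outside the window: "incomparable".
"""
import hashlib
from datetime import datetime, timedelta

# Algorithms named in the text. CRC32 is omitted: it is not a cryptographic digest.
ALGORITHMS = {
    "SHA2-512": lambda data: hashlib.sha512(data).hexdigest(),
    "SHA3-512": lambda data: hashlib.sha3_512(data).hexdigest(),
}


def checksum(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under one of the supported algorithms."""
    return ALGORITHMS[algorithm](data)


def snapshot(members: dict, algorithm: str, taken: datetime) -> dict:
    """Record one snapshot: algorithm, collection time and a digest per member."""
    return {
        "algorithm": algorithm,
        "taken": taken,
        "members": {name: checksum(data, algorithm) for name, data in members.items()},
    }


def compare(baseline: dict, current: dict, tolerance: timedelta = timedelta(0)) -> dict:
    """Return a status per member name (see module docstring for the rules)."""
    same_alg = baseline["algorithm"] == current["algorithm"]
    within_window = abs(current["taken"] - baseline["taken"]) <= tolerance
    result = {}
    for name in sorted(set(baseline["members"]) | set(current["members"])):
        if name not in baseline["members"]:
            result[name] = "added"
        elif name not in current["members"]:
            result[name] = "deleted"
        elif same_alg:
            equal = baseline["members"][name] == current["members"][name]
            result[name] = "unchanged" if equal else "changed"
        elif within_window:
            # Digests are from different algorithms; accepted on trust only.
            result[name] = "accepted_alg_change"
        else:
            result[name] = "incomparable"
    return result


# Constructed sample library contents (not real load modules).
BASELINE_LIB = {
    "IEFBR14": b"SR 15,15\nBR 14\n",
    "MYEXIT": b"original exit code\n",
    "OLDMOD": b"to be deleted\n",
}
CURRENT_LIB = {
    "IEFBR14": b"SR 15,15\nBR 14\n",
    "MYEXIT": b"patched exit code\n",  # modified between the two collections
    "NEWMOD": b"newly added\n",
}
T0 = datetime(2019, 10, 1, 2, 0)  # constructed baseline collection time


def demo() -> dict:
    """Run the three scenarios from the migration text and return the results."""
    base = snapshot(BASELINE_LIB, "SHA2-512", T0)
    same = snapshot(CURRENT_LIB, "SHA2-512", T0 + timedelta(hours=1))
    migrated = snapshot(CURRENT_LIB, "SHA3-512", T0 + timedelta(hours=1))
    return {
        "same_algorithm": compare(base, same),
        "alg_change_tolerated": compare(base, migrated, tolerance=timedelta(hours=24)),
        "alg_change_not_tolerated": compare(base, migrated),
    }


if __name__ == "__main__":
    for scenario, statuses in demo().items():
        print(scenario)
        for member, status in statuses.items():
            print(f"  {member:<8} {status}")
```

The "alg_change_tolerated" scenario is the one to study: MYEXIT was modified between the collections, yet it reports "accepted_alg_change" exactly like the untouched IEFBR14, which is the blind spot the tolerance period opens. Members that are only present on one side are still reported as added or deleted regardless of algorithm, since no digest is needed for that.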

The AU.C (Change track) menu was removed, as its functions have been taken over by "Show differences" in AU.R and other functions.

To make the various "Show differences" options easier to use, selecting a set of files as a baseline without an explicit VERSION now sets VERSION to "BASE". There is a known issue with explicit allocations: if you specified FUNCTION=BASE on a security source but not on the CKFREEZE matched to it, the CKFREEZE may no longer be matched, because VERSION is only set to "BASE" for the security source. (You can see the match-ups in message CKR0615.) A possible symptom is message CKR0617 ("Missing security database") for the now "orphaned" CKFREEZE.

The program names for the 31-bit and 64-bit CARLa engines have changed from CKR4Z and CKR8Z196 to CKR4Z196 and CKR8Z12. This reflects, for example, that the 64-bit (8-byte addressing) memory model now has a z12 as the technical minimum. If you were calling either program directly, you might need to adjust your JCL, and you might also need to review your Program Access to Data Sets (PADS) definitions, since they name the program. If you use the default of calling the router module CKRCARLA, you should not be affected by this change.

z/OS 2.4 provides privilege escalation detection. zSecure Collect for z/OS 2.4 has been adapted to use the TRUSTED attribute instead of PRIVILEGED. Both attributes let a started task bypass most RACF access checks, but accesses by a TRUSTED address space can be logged to SMF when auditing requests it, whereas PRIVILEGED accesses are never logged. You might therefore see more SMF (access check) records cut as a result of this change.

zSecure 2.4 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

Run the CKAZCUST job to add new compliance framework configuration members to your CKACUST data set.

See the Release notes for additional detail, and a list of links to the release notes for prior releases in case you skipped some.


Further reading
What's new in zSecure 2.4

The zSecure unlicensed documentation is available in the IBM Knowledge Center for zSecure Suite V2.4.0. Note that the CARLa Command Reference and the User Reference Manuals (for RACF, ACF2, and Top Secret) for zSecure Admin and Audit are licensed publications.

All zSecure documentation is available in the IBM Security zSecure library Version 2.4.0. If you do not have access to (or see) the licensed publications, send an email to zDoc@nl.ibm.com; be sure to include your IBM customer number. (If you participate in the zSecure 2.4 Early Support Program (ESP) and your IBM ID is registered, you should already have access to these licensed publications.)


If you have any questions, please post them here or on the zSecure support forum. The current zSecure for z/VM release is 1.11.2. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.