IBM Security zSecure 2.4: SIEM, compliance, and administration enhancements

By Jeroen Tiggelman posted Sat December 21, 2019 10:09 AM

  
On December 19, 2019 a new service stream enhancement (SSE) to zSecure 2.4 became generally available. It provides additional compliance policies, functional and usability enhancements for security administration, more compliance control automation, and enhancements to security information and event management (SIEM) feeds.


Background
Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. CA ACF2 is an alternative to RACF; several zSecure components also work with this external security manager.

IBM Security zSecure Admin boosts productivity for RACF administrators. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Command Verifier checks RACF commands against additional security policies before they are allowed to execute. IBM Z Multi-Factor Authentication (MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process.

IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to SIEM solutions such as IBM QRadar SIEM.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).


Benefits
The 2019Q4 SSE for zSecure 2.4 provides:
- support for SMF record type 123 subtype 1 (z/OS Connect) and type 119 subtypes 94-98  (ssh);
- extended selection capabilities in menu EV (events) for the new ssh event types;
- enhancements to the event feed towards SIEM solutions (send over z/OS Connect and ssh events; add OWNER information (owner= tag) whenever a RACF profile is implied);
- fromWhereTERMINAL and fromWhereSRCIP information in all alerts based on SMF records that contain TERMINAL or ACF2_SOURCE data, in the e-mail, QRadar UNIX syslog (LEEF), ArcSight CEF, and SNMP alert formats;
- fromWhereUSER and fromWhereSYSTEM information in alerts based on SMF records that contain UTOKEN_SUSER, UTOKEN_SNODE, or ACF2_SUBMITTER data (same formats); this provides direct access to, for example, SURROGAT source information;
- new zSecure Command Verifier policies to trigger a command when UID(0) or OWNER is assigned;
- enhancements to the Command Audit Trail to track CLAUTH, AUDIT, and GAUDIT changes;
- custom data support in zSecure CICS Toolkit;
- further automation of STIG compliance controls (ZCICR021, ZCA1R020, ZCA1R021, ITCP0050) and assorted other STIG-related improvements;
- enhancements to RECREATE to restore MFA related information;
- enhancements for managing digital certificates more easily;
- more extensive troubleshooting documentation to help determine how to limit the size of CKFREEZE data sets (a new Appendix G in the Installation and Deployment Guide) in connection with the L(ist) command in SETUP FILES (SE.1) that was added in zSecure 2.4;
- new CARLa functions SMF_SECTION_INDEX and SMF_SECTION12_INDEX for use with the DEFINE command, providing more options to process SMF data;
- extensions to the CONVERT function of the DEFINE command, providing more options to convert and print time stamps; and more.
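As an added example (not code from this announcement, from zSecure, or from QRadar), the following Python parser reads LEEF-formatted alert lines the way a SIEM-side consumer would and pulls out the fromWhereTERMINAL, fromWhereSRCIP, fromWhereUSER, and fromWhereSYSTEM fields listed above, then flags alerts where the submitting user differs from the user the event is about (the SURROGAT case). The sample lines are constructed for illustration; the vendor, product, version and event-id header values and the usrName attribute are assumptions, and the parser also accepts LEEF 2.0 headers with an explicit attribute delimiter, which goes beyond what the announcement states about the alert formats.

```python
"""Parse LEEF alert lines and surface the fromWhere* origin fields.

Added, stand-alone example: the sample lines below are constructed and are
not real zSecure Alert output; the vendor, product and event-id header values
are placeholders, and usrName is an assumed attribute name.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample alerts. The first three use LEEF 1.0 (tab-delimited
# attributes); the fourth uses LEEF 2.0 with an explicit '^' delimiter.
SAMPLE_ALERTS: List[str] = [
    "LEEF:1.0|IBM|zSecure Alert|2.4|LOGON_TSO|"
    "usrName=ADM01\tfromWhereTERMINAL=TCP00021\tfromWhereSRCIP=10.0.5.17\tsev=3",
    "LEEF:1.0|IBM|zSecure Alert|2.4|SURROGAT_SUBMIT|"
    "usrName=BATCHPRD\tfromWhereUSER=OPR42\tfromWhereSYSTEM=SYS1\tsev=5",
    "LEEF:1.0|IBM|zSecure Alert|2.4|RACF_CMD|usrName=ADM01\tsev=2",
    "LEEF:2.0|IBM|zSecure Alert|2.4|LOGON_TSO|^|"
    "usrName=OPR42^fromWhereTERMINAL=TCP00044^fromWhereSRCIP=192.0.2.9^sev=3",
]

# Attribute names from the announcement, mapped to short keys for reporting.
FROM_WHERE_FIELDS = {
    "fromWhereTERMINAL": "terminal",
    "fromWhereSRCIP": "srcip",
    "fromWhereUSER": "user",
    "fromWhereSYSTEM": "system",
}


def _leef_delimiter(spec: str) -> str:
    """Resolve a LEEF 2.0 delimiter field: a literal character or 'xHH' hex."""
    if len(spec) > 1 and spec[0] in "xX":
        return chr(int(spec[1:], 16))
    return spec


def parse_leef(line: str) -> Dict[str, Any]:
    """Split a LEEF 1.0 or 2.0 line into header fields and an attribute dict."""
    if line.startswith("LEEF:2.0|"):
        parts = line.split("|", 6)  # version, vendor, product, ver, id, delim, attrs
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        delim = _leef_delimiter(parts[5])
        attr_text = parts[6]
    elif line.startswith("LEEF:1.0|"):
        parts = line.split("|", 5)  # version, vendor, product, ver, id, attrs
        if len(parts) != 6:
            raise ValueError("malformed LEEF 1.0 header")
        delim = "\t"
        attr_text = parts[5]
    else:
        raise ValueError("not a LEEF line")
    attrs: Dict[str, str] = {}
    for item in attr_text.split(delim):
        if "=" in item:
            key, _, value = item.partition("=")
            attrs[key.strip()] = value.strip()
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "event_id": parts[4], "attrs": attrs}


def from_where(attrs: Dict[str, str]) -> Dict[str, str]:
    """Return whichever origin fields the alert carries, keyed by short name."""
    return {short: attrs[name] for name, short in FROM_WHERE_FIELDS.items() if name in attrs}


def submitted_by_other_user(attrs: Dict[str, str]) -> bool:
    """True when the alert names a submitting user different from the event's user."""
    origin_user = attrs.get("fromWhereUSER")
    return origin_user is not None and origin_user != attrs.get("usrName")


def summarize(lines: List[str]) -> List[Tuple[str, str, Dict[str, str], bool]]:
    """(event_id, usrName, origin fields, submitted-by-other-user flag) per line."""
    out = []
    for line in lines:
        ev = parse_leef(line)
        attrs = ev["attrs"]
        out.append((ev["event_id"], attrs.get("usrName", ""),
                    from_where(attrs), submitted_by_other_user(attrs)))
    return out


if __name__ == "__main__":
    for event_id, user, origin, other in summarize(SAMPLE_ALERTS):
        flag = " [submitted by another user]" if other else ""
        print(f"{event_id:16} {user:10} {origin}{flag}")
```

The origin fields are only emitted when the underlying SMF record carried them, so the parser returns an empty dictionary rather than failing for alerts such as the RACF_CMD sample; a consumer should treat "no origin data" as a distinct state rather than as "local".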

Most zSecure publications have been updated for this SSE. You can find the unlicensed ones in the IBM Knowledge Center for zSecure Suite V2.4.0, which has been refreshed. Note that the CARLa Command Reference and the User Reference Manuals (for RACF, ACF2, and Top Secret) for zSecure Admin and Audit are licensed publications. 

All zSecure documentation is available in the IBM Security zSecure library Version 2.4.0. If you do not have access to (or see) the licensed publications, send an email to zDoc@nl.ibm.com; be sure to include your IBM customer number.

A technote has been made available to highlight which sections have been updated in the various publications.

Prerequisites

To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.4, or one of the zSecure Administration, Auditing and Compliance solutions
* PTF UJ01655 for APAR OA58799 (this updates code shared among zSecure Admin, zSecure Audit, zSecure Command Verifier, zSecure Alert, and zSecure Adapters for SIEM)
* PTF UJ01656 for APAR OA58801 (this updates code specific to the ACF2 features of zSecure Audit, zSecure Alert, and zSecure Adapters for SIEM)
* PTF UJ01660 for APAR OA58802 (this updates code specific to zSecure CICS Toolkit)
* PTF UJ01661 for APAR OA58804 (this updates code specific to zSecure Command Verifier)


Migration
No special actions are needed for this SSE, but if you are installing the fix for APAR OA58648 (PTF UJ01604) at the same time, re-run the CKAZCUST job to add new compliance framework configuration member MQCOUSER to your CKACUST data set.


If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.