IBM Security Z Security

IBM Security zSecure 2.4: MQ auditing, Command Audit Trail, compliance automation, and other enhancements

By Jeroen Tiggelman posted Fri July 17, 2020 07:01 AM

On July 16, 2020 a new service stream enhancement (SSE) to zSecure 2.4 has become generally available, providing additional auditing capabilities for the MQ subsystem, additional compliance control automation, Command Verifier enhancements--particularly for the Command Audit Trail--and other improvements.


Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities.

IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The IBM Security zSecure Adapters for SIEM provide a functional subset to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM.

IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. The Command Audit Trail stores changes to profiles in the RACF database, so you can easily discover when a change to a profile was made and which administrator issued a particular command. IBM Security zSecure Admin boosts productivity for RACF administrators. 


The SSE for zSecure 2.4 released in July 2020 provides
- new menu options RE.Q.AI and RE.Q.CA for MQ authentication information objects and channel authentication records;
- extensions to other MQ reports (about regions, channels, and initiators);
- several extensions to the zSecure Command Audit Trail;
- the capability to run multiple pre- or post-commands from zSecure Command Verifier policy profiles;
- a serviceability improvement for more easily finding missing definitions that prevent the use of Controlled Special (=CTLSPEC);
- selection capabilities on audit and global audit settings in the RA.D and RA.R (RACF data sets and resources) menu options.
- automation of 17 additional DISA STIG RACF compliance controls (8 of which also apply to ACF2 and Top Secret);
- alternative controls for STIG rules RACF0570 and RACF0580 that allow pass phrases in addition to passwords;
- improvements to the compliance framework for checking general access and logging requirements;
- automatic recognition of additional sensitive resources;
- performance enhancements for the processing of ACF2 trust relationships;
- additional ICSF characteristics on the IPL parameters report;
- additional Db2 events (about system security parameters) for SIEM solutions; and
- assorted bug fixes and other small enhancements.

A technote has been made available to describe the details.

These enhancements primarily apply to zSecure Audit and zSecure Command Verifier, and secondarily to zSecure Admin and zSecure Adapters for SIEM.


To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.4, or one of the zSecure Compliance solutions
* PTF UJ03469 for APAR OA59861 (this updates code shared between zSecure Command Verifier and other components)
* PTF UJ03468 for APAR OA59862 (this updates code specific to zSecure Command Verifier)
* PTF UJ03462 for APAR OA59823 (this updates code specific to the ACF2 features)
* PTF UJ03649 for APAR OA59995 (this updates code shared among most zSecure components, correcting the earlier PTF UJ03461 for APAR OA59807)


Re-run the CKAZCUST job to add new compliance framework configuration members to your CKACUST data set.

This SSE ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

If you call the STIG controls for rules AAMV0410 or AAMV0420 directly, you must adjust the member names to benefit from the latest enhancements (see the incompatibility warnings in the technote).

If you use your own translations (CARLa LANGUAGE statement) with Double-Byte Character Set (DBCS) characters, review the incompatibility warning for changes in the interpretation of literal strings containing DBCS that cross line boundaries.

Verify that you log SMF record type 102 IFCid 106 to ensure it can be sent to your SIEM solution.

Before you can effectively use the control for STIG rule ITNT0030 you must follow the set-up instructions in the zSecure Audit System Audit Guide updates in the technote (allocate a PDS(E) member with relevant warning strings and adjust the C2RG@IDF configuration member with appropriate ALLOCATE and OPTION statements).

Note that PTF UJ03461 contained an error. If you fetched and applied it right after release, be sure to supersede it with PTF UJ03649 to correct the service.

If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

Editorial note: Added note on ITNT0030.
Editorial note: Updated information for corrective service to PTF UJ03461, which was in error.




Mon October 05, 2020 08:52 PM

Muito bom parabéns Jeroen

Fri July 17, 2020 08:40 AM

Excellent blog, very comprehensive!!