On December 14, 2020 a new service stream enhancement (SSE) to zSecure 2.4 has become generally available, providing a.o. additional compliance automation, several usability enhancements, and a number of new report types.
Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities.
IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The IBM Security zSecure Adapters for SIEM provide a functional subset to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Admin boosts productivity for RACF administrators. The Access Monitor component of zSecure Admin can also see security events that are not being logged and summarize all access requests.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).
The SSE for zSecure 2.4 released in December 2020 provides
- more STIG control automation (for all external security managers, but with a focus on RACF)
- support for STIG release 6.47
- a new compliance configuration setup that eliminates the need to re-run the CKAZCUST job to create new configuration members on future upgrades
- capability to work with long compliant configuration values, for example for working with trusted digital certificates
- various new report types dealing with digital certificates, JES2 devices and remote work stations, inetd and OpenSSH daemon configurations, and IBM CL/SuperSession and BMC INCONTROL IOA environments
- a usability enhancement to zSecure Alert that allows improved annotation of events with job information
- support for SMF relocate section 443 and ID token extensions
- SIEM feed enhancements based on extended support for z/VM RACF events in class VMXEVENT
- capability in the UI to run reports in the background for additional Access Monitor and RACF reports options
- enhancements to ACF2_SENSDSN_ACCESS for linking logonids to started tasks
- the ability to run CKXLOGID (the TSO command to specify ticket information for the Command Logging function) authorized
- better parameter member parsing
- and other improvements and fixes
A technote has been made available to describe the details.
These enhancements primarily apply to zSecure Audit, and secondarily to zSecure Admin, zSecure Alert, and zSecure Adapters for SIEM.
To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.4, or one of the zSecure Compliance solutions
* PTFs UJ04501 and UJ04557 for APARs OA60419 and OA60420 (this updates code shared among most zSecure components)
* PTF UJ04502 for APAR OA60459 (this updates code specific to the ACF2 features)
When installing UJ04501, be sure to adjust the installation job provided in the PTF cover letter and the ++HOLD ACTION and run it, otherwise the SMP/E installation will fail.
Create a site CKACUSV data set and add a reference to relevant zSecure configurations (for example, C2R$PARM). Note that this PTF will introduce new SCKACUST and SCKACUSV libraries. Be sure to read up on the general changes around CKACUST and CKACUSV and consider educating your end users about it.
If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.
Editorial note: Added reference to the ++HOLD ACTION. The text inside the technote was enhanced for this also.