On April 30, 2021, a new service stream enhancement (SSE) to zSecure 2.4 became generally available, providing additional compliance automation, tape data set, and event correlation enhancements, and more.
Background
Mainframes continue to be the home for mission-critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z.
IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities.
IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM.
IBM Security zSecure Alert is a real-time monitor for security events.
IBM Security zSecure Admin boosts productivity for RACF administrators. The Access Monitor component of zSecure Admin can also see security events that are not being logged and summarize all access requests.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).
Benefits
The SSE for zSecure 2.4 released in April 2021 provides:
- end-to-end event correlation between IBM z/OS Connect, CICS and Db2 events
- new out-of-the-box alerts for logons to TSO from IP addresses that have not been allow-listed
- greatly extended support for tape data sets, including recognition of sensitive tape data sets
- more STIG control automation (for all external security managers, but with a slight focus on CA ACF2)
- ability to use a Site Security Plan approach to manage started tasks for STIG compliance purposes (for RACF)
- additional reporting about Integrated Cryptographic Service Facility (ICSF) settings in the system settings report
- performance improvements for CA ACF2 reporting
- and other small enhancements and fixes
A technote has been made available to describe the details.
These enhancements primarily apply to zSecure Audit and zSecure Alert, and secondarily to zSecure Admin and zSecure Adapters for SIEM.
Prerequisites
To fully benefit from these enhancements the following is required:
* IBM Security zSecure 2.4, or one of the zSecure Compliance solutions
* PTF UJ05461 for APAR OA61058 (this updates code shared among most zSecure components)
* PTF UJ05462 for APAR OA61059 (this updates code specific to the ACF2 features)
Migration
There are no special considerations for migrating to this code level. If you are upgrading to this level from a code level older than the previous one from December 2020, also review the migration considerations for the other steps you are taking.
If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.