IBM Security Z Security

 View Only

IBM Security zSecure Manager for RACF z/VM 2.5.1

By Jeroen Tiggelman posted Tue June 14, 2022 03:15 PM

IBM Security zSecure Manager for RACF z/VM 2.5.1 was announced on June 14, 2022 with a planned availability date of June 17, 2022. This release is based on IBM Security zSecure Suite 2.5.0 (for z/OS) and introduces a near real-time feed of RACF for z/VM SMF events to Security Information and Event Management (SIEM) solutions


IBM Z continues to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z and RACF to enhance Z security capabilities. The z/VM operating system is a hypervisor; z/OS instances can run under z/VM. RACF for z/VM and IBM Security zSecure Manager for RACF z/VM provide security capabilities for z/VM to help you secure the entire software stack.

A Security Information and Event Management (SIEM) solution is one that deals with both Security Event Management (SEM)--that is, real-time monitoring, correlation of events, notifications, and console views--and Security Information Management (SIM)--that is, the longer term storage, analysis and reporting of those (basic and collated) events. IBM Security QRadar SIEM consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network. Splunk is another SIEM solution that is able to process data in QRadar's Log Event Extended Format (LEEF).

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).


The most notable new feature in IBM Security zSecure Manager for RACF z/VM 2.5.1 is the near real-time feed of RACF events into QRadar. From a functional point of view, this is very similar to the existing near real-time feed that zSecure Adapters for SIEM and zSecure Audit provide on z/OS. In essence, the subset of the events available on z/OS that are also available under z/VM are sent to the existing z/OS and RACF Device Support Modules in IBM Security QRadar SIEM. From an architectural point of view, less so. As a part of this, a new cache server is provided that can hold a day's worth of RACF SMF data, which can also be queried outside of the real-time context.

IBM Security zSecure Manager for RACF z/VM 2.5.1 is based on IBM Security zSecure Suite 2.5.0 (for z/OS), thus providing enhancements that were made for zSecure for z/OS 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, and 2.5.0 that apply to the z/VM environment. This includes
- support for VMXEVENT RACF SMF events (menu option EV.V)
- productivity enhancements to the ISPF user interface including selection on audit settings and application data, scanning for substrings in profile keys, and primary commands to easily exclude and find lines in a table and to start a recursive query for a user or group via a PF key
- various CARLa enhancements, including for more easily generating LEEF, converting time stamps,  and extending the Compliance Testing Framework
- scope processing enhancements for system-wide attributes

Additionally, the release provides new support specific to the z/VM environment, such as
- for IBM Z Multi-Factor Authentication
- for RACF Security Server for z/VM  enhancements
- for RACF databases on SCSI devices
- for reading OpenEdition BFS files
- for configuring ISPF from within the user interface


To fully benefit from these enhancements the following is required:
* z/VM 7.2 and RACF Security Server for z/VM with PTF UV99386 for APAR VM66459 (this enables near real-time capturing of RACF events)

Note that the new release is supported on z/VM 7.1 as well.

It is recommended to install the fix for APAR VM66579 (PTF UM35971 for z/VM 7.1, or PTF UM35972 for z/VM 7.2).

Edit: It is recommended to install "Fix pack 1" for zSecure Manager for RACF z/VM 2.5.1: APAR VM66617 / PTF UV99413.


Note that the events sent by zSecure Manager for RACF z/VM 2.5.1 will show up in QRadar as "2.5.1" events. Events from z/OS show up as "2.3", "2.4", or "2.5".

Be sure to IPL ZCMS rather than IPL CMS for running this release.

Please verify the incompatibility warnings in the Release notes.


Data collected on z/VM by IBM Security zSecure Manager for RACF z/VM can be processed on z/OS by IBM Security zSecure Admin and Audit. The z/OS products are instrumented to help you view the z/VM data and reports and support combined analysis.

If you do use the z/OS products to look at the z/VM data, be aware of the "Show OS-specific options" setting in SETUP VIEW (SE.5). If you do not tag z/VM there, you might not see options such as EV.V.

If you have any questions, please ask them here or on the zSecure support forum. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.



Tue June 21, 2022 05:34 AM

Thanks for explaining the general policy, Rob.

In this case, the new CKVLEEFL script is essentially a subset of the CKQLEEFL one (no layout changes in the CARLa), but all events are marked as "2.5.1". Since they are handled by the same z/OS and RACF Device Support Modules in QRadar you can use this at the present time to see that these events were sent by the z/VM script. That might help explain why you are not seeing certain other events that you might expect in context. FWIW.

Tue June 21, 2022 04:31 AM

To explain the Migration note:

Release numbers included in the header of LEEF events refer to the zSecure release that (last) changed the layout (or significant data interpretation) of the LEEF record.  This allows the SIEM to decide on interpretation of the data, when it deems layout changes relevant.
Contrary to assumptions from users, it has no bearing on the z/OS or z/VM release in use.  In this case, zSecure Manager 2.5.1 is the first release to emit these (VM specific) events.