On February 25, 2023 a new service stream enhancement (SSE) to zSecure 2.5 has become generally available, providing support for STIG version 8, additional compliance automation, and other enhancements.
Background
IBM Z continues to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance Z security capabilities.
IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example to set a password back to a user-defined default password in case of a lost password. The Access Monitor component can also see security events that are not being logged and summarize all access requests. The RACF Offline component allows making updates to a RACF database that is not active, so as to be able to analyze the effective security changes after reorganizing security rules before activating them using the Access Monitor data. IBM Security zSecure Visual provides a user interface for RACF administration from Windows.
IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.
IBM Security zSecure Audit helps review the security of the system in various ways, for example by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The zSecure Collect component collects system snapshot information. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands.
IBM Z Security and Compliance Center 1.1 is a recently announced new software product designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that run on the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is available with the new product.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).
Benefits
The SSE for zSecure 2.5 released in February 2023 provides
- support for STIG version 8.10 for z/OS with RACF or ACF2
- continued (legacy) support for STIG version 6.43 for z/OS
- support for STIGs for z/OS products [as now separate from z/OS itself] at the (current) v6 level, now designated LATEST (as opposed to the prior "6.52")
- additional compliance automation for STIGs (primarily for z/OS with ACF2)
- a new compliance STANDARD syntax that enhances the capabilities such as for having controls in multiple standards
- formatting capabilities for additional compliance evidence event records (SMF record type 1154 subtypes)
- a new alert 1617 (or 2617 for ACF2) for when an Integrated Cryptographic Service Facility (ICSF) master key promotion has occurred
- support for PHRASE as a mandatory keyword for Command Verifier
- support for reading an encrypted RACF database (see RACF APAR OA62267)
- improved ACEECHK support for zSecure Collect, CKGRACF and RACF-Offline
- reporting on Db2 subsystem parameter MFA_AUTHCACHE_UNUSED_TIME
- modify support for several factor tag values via TYPE=RACF field
- a new menu option IN.A, which describes the audit concerns for a number of report types that have many
- and several other enhancements, including several for the Access Monitor user interface and for z/OS Compliance Integration Manager
The zSecure 2.5.0 documentation was refreshed. Moreover, all zSecure books are now available here (including the ones that used to be licensed).
There is a new "(February 2023)" section in What's new with additional detail.
A technote summarizes which books were updated.
These enhancements primarily apply to zSecure Audit and Z Security and Compliance Center, and secondarily to zSecure Admin, zSecure Alert, zSecure Command Verifier, zSecure Visual, and zSecure Adapters for SIEM.
Prerequisites
To fully benefit from these enhancements the following is required:
Migration
This SSE ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
To get a STIG evaluation comparable to how it was before applying this SSE, you should select both a z/OS STIG v6 and the z/OS Products STIG in menu option AU.R.E. The output will report releases 6.43 for z/OS and LATEST for the products, where before this was 6.52 (for both).
The evaluation for BMC INCONTROL IOA has been automated. As a result SIMULATE SUBSYS configurations for this environment are now ignored.
For more details, you can look at the Release notes.
If you are upgrading from a level older than the previous service stream enhancement of May 2022, you might want to read the migration section in this earlier blog entry.
If you have any questions, please ask them here. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.