IBM Security Z Security

 View Only

IBM Security zSecure 3.1

By Jeroen Tiggelman posted Sat October 21, 2023 06:44 AM


IBM Security zSecure Suite 3.1 was announced on August 8, 2023 and became available on September 29, 2023. You can read the announcement letter here. This release provides support for compliance standards DISA-STIG 8.12 and CIS IBM z/OS with RACF benchmark 1.0, reporting on connections between CICS and Db2, enhanced IMS reporting, ID-centric audit reports, the capability to deliver report output in JSON format, additional reporting on SMF 1154 (z/OS compliance evidence) records, enhanced access monitoring capabilities, currency for z/OS 3.1, and more.  


IBM Z hosts mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities and application-level resiliency. z/OS 3.1 continues to strengthen the security, integrity, and privacy of data, while enabling innovative development to support hybrid cloud and AI. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. CA ACF2 and CA Top Secret are alternative external security managers. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations, and reduce costs. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, MQ, and z/OS UNIX.

IBM Security zSecure Admin boosts productivity for RACF administrators and provides further security capabilities on top of RACF. IBM Security zSecure Audit helps review the security of the system in various ways, e.g. by formatting event log records from the System Management Facilities (SMF) and by displaying global RACF security settings (SETROPTS configurations). IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. IBM Security zSecure CICS Toolkit helps with RACF administration from a Customer Information Control System (CICS) environment. IBM Security zSecure Visual provides a user interface for RACF administration from Windows. IBM Security zSecure Alert is a real-time monitor for security events. The IBM Security zSecure Adapters for SIEM send enriched SMF information to security information and event management (SIEM) solutions such as IBM QRadar SIEM.

IBM Z Security and Compliance Center 1.2 is designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that run on the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is included in this product.

IBM Z Multi-Factor Authentication (IBM Z MFA) helps security administrators enforce a policy that requires authentication with multiple factors during the logon process; it is designed to centralize the information of valid factors within RACF to help clients create a layered defense, accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.

The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and the Center for Internet Security (CIS) IBM z/OS with RACF benchmark.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).


IBM Security zSecure 3.1 provides
* support for enhanced security and data protection in connection with enhancements in RACF as provided with z/OS 3.1; this includes support for the password phrase interval
* support for CIS IBM z/OS with RACF benchmark 1.0
* support for STIG 8.12
* a new compliance STANDARD syntax that enhances the capabilities such as for having controls in multiple standards
* a new APPLY_CONTROL command to easily adapt a control from an existing standard to a user-defined one
* additional STIG compliance control automation
* formatting capabilities for additional compliance evidence event records (SMF record type 1154 subtypes)
* support for ICSF 82-49 (master key ceremony) events, including a new alert; also for the feeds to SIEM solutions
* a new menu option AU.I with ID centric reports; AU.I.I shows a general cross-reference of ID use, while AU.I.M gives an overview for MFA
* enhancements for MFA, including reporting on Db2 subsystem parameter MFA_AUTHCACHE_UNUSED_TIME and modify support for factor tag values
* reporting for the IMS Connect and IMS Operations Manager sub-systems (ISPF menu options RE.M.C and RE.M.O)
* reporting on CICS Db2 entries and CICS Db2 transactions
* a new menu option IN.A, which describes the audit concerns for a number of report types that have many
* several new out-of-the-box alerts
* Command Verifier policy enhancements
* CARLa features that allow delivering a report in JavaScript Object Notation (JSON) format
* support for CICS 6.1 and z/VM 7.3
* and several other enhancements, including several for the Access Monitor user interface


Note that zSecure 3.1 participated in the z/OS 3.1 Release Beta Program. The base FMIDs were cut in March 2023. It is strongly recommended that you ensure that you have all PTFs cut before September 29 applied, so that you have all new function as described in the zSecure publications at general availability.

zSecure 3.1 ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

zSecure 3.1 supports DISA-STIG standard z/OS RACF/ACF2 8.12 and z/OS TSS 8.10. These z/OS STIG standards are now separate from the z/OS Products STIGs. The current version for these z/OS Product STIGs is still 6, and the release levels vary. To do an evaluation similar to what was provided as z/OS STIG 6.50 in the previous zSecure release, you must select both the z/OS STIG and the z/OS Products STIG, and the reported standard levels will vary. Note that there was dual support for z/OS STIG versions 6 and 8 in an earlier service stream enhancement to 2.5. In zSecure 3.1 the z/OS STIG version 6 standard is no longer included in the user interface; the CARLa members with the compliance controls are still available in the SCKRCARL data set.

zSecure 3.1 provides support for CIS IBM z/OS with RACF benchmark 1.0. This replaces support for the old GSD331/ISeC standard, which is no longer included in the user interface; the CARLa members with the compliance controls are still available in the SCKRCARL data set. A table explaining which CIS controls relate to which GSD controls can be found in the Release Notes.

The evaluation for BMC INCONTROL IOA has been automated. As a result SIMULATE SUBSYS configurations for this environment are now ignored.

Be aware that zSecure 3.1 has different PIDs from zSecure 2.x. If you specifically disable certain features in IFAPRDxx, you might have to revise those statements. (Note: by default the features are available if they are installed, specific enablement is not required.)

If you install the IBM Z Security and Compliance Center 1.2 product into the same SMP/E zone as zSecure Audit 3.1 (or zSecure Adapters for SIEM)--and you do not specifically disable the product--then the zSecure engine will register to product registration services that the IBM Z Security and Compliance Center is running instead of (not: in addition to) the zSecure Audit features. This same mechanism already held true for zSecure Audit over zSecure Adapters for SIEM.

Note that IBM Z Security and Compliance Center does not have separate RACF, ACF2, and Top Secret features, but all external security managers (ESMs) are enabled. Which ESMs are enabled influences the default mask type used in evaluating CARLa select statements that could apply to multiple ESMs. In particular, if you have a zSecure Audit for ACF2 only installation and you add RACF enablement to that installation, you might see in places that ACF2 style masking changes to RACF Enhanced Generic Naming. You might want to control these via an OPTION MASKTYPE=ACF2 statement. (Note: the zSecure Compliance and Auditing solutions have all ESMs enabled by default, so if you have those and use the default settings, you should not see any changes.)

If you install the IBM Z Security and Compliance Center product into the same SMP/E zone as zSecure components that use the ISPF user interface (zSecure Admin, zSecure Audit, zSecure Alert, and zSecure Visual), the user interface will identify itself in panel titles as "zSecure Suite". If you install IBM Z Security and Compliance Center into its own SMP/E zone, the user interface will show "Z Security Compliance Center". Note that the message issued when the user interface starts will list all relevant entitlements by listing the program identifiers (PIDs) (with the understanding that for the zSecure Compliance solutions the PIDs for the individual "point products" contained will be listed instead of the solution PID).

To make sure that the newly supported SMF events make it to your SIEM solution, verify that you log those SMF records.

The CC_SERIAL field in the SMF report type has become a repeated field. This means that it will by default now be shown on the detail display. If you use this in your own queries, you can use a BOTH, MORE, or NODETAIL modifier if that is not what you want.

The CKGRACF component now supports managing USRDATA for discrete profiles. This has a resulted in a command syntax change: a GENERIC keyword must now be used with fully qualified generic profiles.

Additional migration considerations and details can be found in the Release Notes.

Further reading

Additional details can be found in What's New.

All zSecure documentation is available in IBM Documentation. Note that the formerly licensed publications have been added to this collection.

If you have any questions, please post them here. The current zSecure for z/VM release is 2.5.1.
The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.