IBM Security Z Security

 View Only

IBM Security zSecure 3.1: Db2 secure row and column protection audit, and other enhancements

By Jeroen Tiggelman posted Fri April 12, 2024 11:27 AM


On April 5, 2024 a new service stream enhancement (SSE) to zSecure 3.1 has become generally available, providing compliance enhancements including a number of compliance controls for Center for Internet Security IBM Db2 13 for z/OS Benchmark v1.0.0, the ability to start started tasks before JES2 is available,  and other enhancements.


IBM Z continues to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and RACF to enhance Z security capabilities.

IBM Security zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example to set a password back to a user-defined default password in case of a lost password. The Access Monitor component can see security events that are not being logged and summarize all access requests. The RACF Offline component allows making updates to a RACF database that is not active, so as to be able to analyze the effective security changes after reorganizing security rules before activating them using the Access Monitor data. 

IBM Security zSecure Audit helps review the security of the system in various ways, for example by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The zSecure Collect component collects system snapshot information. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM Security zSecure Alert is a real-time monitor for security events. IBM Security zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands. 

IBM Z Security and Compliance Center 1.2 is a software product designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that can run under IBM z/OS Container Extensions (zCX) or the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is available with this product.

The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).


The SSE for zSecure 3.1 released in April 2024 provides

  • a new report type DB2_CONTROL and a few compliance controls for Center for Internet Security (CIS) IBM Db2 13 for z/OS benchmark 1.0.0
  • support for CIS IBM z/OS with RACF benchmark 1.1.0
  • the ability to run the zSecure Admin Access Monitor, zSecure Alert, and zSecure SMF extractor started tasks under the MSTR subsystem to allow data collection to begin before JES2 is up
  • a NOPROPAGATE keyword on CKGRACF commands in order to only make an update on the local RRSF node
  • a new policy in zSecure Command Verifier for controlling the use of display commands
  • extended key usage information in digital certificate displays
  • a new menu item to show information about general resources and their protection (RE.R)
  • and several other enhancements, including many to the user interface

The zSecure 3.1 documentation was refreshed. There is a new "(April 2024)" section in What's new with additional detail.

These enhancements primarily apply to zSecure Admin, zSecure Audit, zSecure Alert and zSecure Command Verifier, and secondarily to Z Security and Compliance Center, and zSecure Adapters for SIEM.


To fully benefit from these enhancements the following is required:


This SSE ships with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.

Please note that changes are required for the setup of the started tasks that can now run under the MSTR subsystem.

For more details, you can look at the Release notes.

If you have any questions, please ask them here. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.

1 comment



Sun April 14, 2024 11:31 AM

Awesome Blog Post about shipment of the zSecure 3.1 SSE "2024 Q1". Thank you, @Jeroen Tiggelman!