On October 25, 2024, the new release zSecure Admin 3.1.1 became generally available, introducing a web interface via a z/OSMF plug-in. It shipped as an update in the zSecure 3.1 service stream alongside other enhancements to zSecure Admin, zSecure Audit, zSecure Alert, and zSecure Command Verifier. On November 15, 2024, support for STIG release 9.2 was added.
Background
IBM Z continues to be the home for mission-critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. The IBM zSecure portfolio builds on the security support in IBM Z, z/OS and RACF to enhance Z security capabilities.
IBM zSecure Admin boosts productivity for RACF administrators. While it usually generates RACF commands to make updates, the CKGRACF component can also directly update the RACF database; for example, to set a password back to a user-defined default password in case of a lost password. The Access Monitor component can see security events that are not being logged and summarize all access requests. The RACF Offline component allows making updates to a RACF database that is not active, so that, after reorganizing security rules, you can use the Access Monitor data to analyze the effective security changes before activating them. A plug-in to IBM z/OS Management Facility (z/OSMF) provides a web interface.
IBM zSecure Audit helps review the security of the system in various ways, for example by formatting event log records from the System Management Facilities (SMF) and by running evaluations against compliance standards such as the Security Technical Implementation Guides (STIGs) from the United States Defense Information Systems Agency (DISA). zSecure Audit also supports CA ACF2 and CA Top Secret, two alternatives to RACF. The zSecure Collect component collects system snapshot information. The IBM Security zSecure Adapters for SIEM provide a functional subset of zSecure Audit to send enriched SMF information to Security Information and Event Management (SIEM) solutions such as IBM QRadar SIEM. IBM zSecure Alert is a real-time monitor for security events. IBM zSecure Command Verifier allows you to define granular policies as to which users can make certain changes through RACF commands.
IBM Z Security and Compliance Center is a software product designed to help simplify and streamline compliance tasks. It contains a dashboard and an integrated set of micro-services that can run under IBM z/OS Container Extensions (zCX) or the OpenShift Container Platform on Linux on Z. z/OS compliance data is obtained from participating IBM components with the help of z/OSMF and the IBM Z Common Data Provider component. Some participating components delegate the actual data compilation to the z/OS Compliance Integration Manager component, which integrates with zSecure. All zSecure Audit functionality is available with this product.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, zSecure Adapters for SIEM, and the z/OS Compliance Integration Manager component of IBM Z Security and Compliance Center is called the CARLa Auditing and Reporting Language (CARLa).
Benefits
The updates recently shipped in the zSecure 3.1 service stream provide the following enhancements:
- A z/OSMF plug-in for zSecure Admin that allows doing some of the administration functions from a web user interface.
This plug-in identifies itself as release 3.1.1 (whereas all pre-existing components continue to identify themselves as 3.1.0).
This plug-in includes open source software; zSecure Admin 3.1.1 comes with a new license information file declaring this.
A ++HOLD is provided with the update to highlight this.
- As part of the support for this in the CARLa engine, SYSPRINT messages are captured during the run.
These have been made accessible in the ISPF user interface via the new SHOWLOG primary command.
When a high severity message is issued under ISPF, this message display is brought up automatically.
- A STIG Product standard has been added for zSecure for ACF2, release 1.1.
The z/OS RACF and ACF2 STIG standards are now at release 9.2.
The PCI-DSS controls have been upgraded from 3.2.1 to 4.0 and are now in multi-standard syntax and available via menu option AU.R.
More controls have been added to the Center for Internet Security (CIS) IBM z/OS RACF Benchmark.
More controls have been added to the CIS IBM Db2 for z/OS Benchmark, which is only available with an IBM Z Security and Compliance Center entitlement. Without this entitlement, the standard is not offered in the ISPF user interface.
The underlying new report types DB2_COLUMN, ACF2_DB2_RULE, and ACF2_DB2_RULELINE also require this entitlement.
- New DB2 options have been added under RE.D:
  - AC Db2 Access control
  - CT Db2 Permission/Mask
  - TC Db2 Table columns (requires entitlement to IBM Z Security and Compliance Center)
- zSecure Command Verifier enhancements:
  - new policy to further protect CSDATA fields
  - new policy profiles for the NOCSDATA parameter
  - additional validation that an ACL ID exists
  - ability to invoke REXX or CLIST as post-command
  - ability to self-grant where user ID is HLQ of profile
  - enhanced Command Audit Trail data insert
- In EV, selection on UOWID (Unit-of-Work ID) is available for CICS, Db2, and z/OS Connect records; for CICS records, selection on TRACKING_TOKEN is also available.
- New CARLa fields in report types SMF (for record types 42-6, 1154-49 and 1154-96), ACF2_LID, and ACCESS
- Improved serialization when reading the live RACF database
- Show parameter for digital certificates with RSASSA-PSS signing algorithm
- SMF record statistic reporting in zSecure Alert
The zSecure 3.1 documentation was refreshed. There is a new "(October 2024)" section in What's new with additional detail.
Edit: Each zSecure main topic contains a PDF file and HTML pages. A ZIP file with all the PDFs can be downloaded from the technote that explains the changes.
The latest compliance standard overview is here.
These enhancements primarily apply to zSecure Admin, zSecure Audit, zSecure Command Verifier, and Z Security and Compliance Center, and secondarily to zSecure Alert and zSecure Adapters for SIEM.
Prerequisites
To fully benefit from these enhancements the following is required:
Migration
This October 2024 service stream enhancement comes with new menu options. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
For more details, you can look at the Release notes.
If you have any questions, please ask them here. The IBM Security zSecure today article serves as a starting point to reach all the latest zSecure announcements.