IBM Security Z Security


zSecure alerts during IPL

  • 1.  zSecure alerts during IPL

    Posted Thu October 07, 2021 07:05 AM
    Hi All,
    We are using zSecure Alerts extensively. However, we are finding there is a lot of noise from some alerts when there is an IPL. One in particular is C2P1603 SVC Definition Changed.

    Is there any way of 'suspending' this alert during IPL?

    Thanks and regards,
    Anji

    ------------------------------
    Anji Stephens
    ------------------------------


  • 2.  RE: zSecure alerts during IPL

    Posted Fri October 08, 2021 08:16 AM

    No, there is no supported way to suspend alert generation. These alerts are probably generated because your SVCs are loaded on a different address during the IPL process. Most of the time, they are at the same location, but if you changed something in your system configuration, they might land on a different spot.

    The way to temporarily disable all ExtMon alerts is to manually delete the current baseset. The next time, zSecure Alert will tell you that the baseset is gone, and suspend for one environment interval. But this is not a supported approach. Or you could ensure that your IPL process takes longer than the CKFREEZE retention period :-) 

    For 1603 in particular, it might be possible to tweak it such that it doesn't trigger right after an IPL. That might not be possible for other alerts.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: zSecure alerts during IPL

    Posted Fri October 08, 2021 10:36 AM
    Thank you for your reply Guus.

    When you say it may be possible to tweak 1603, please can you expand on how that could be done?

    Thanks,
    Anji

    ------------------------------
    Anji Stephens
    ------------------------------



  • 4.  RE: zSecure alerts during IPL

    Posted Tue October 12, 2021 04:35 AM
    Edited by Rob van Hoboken Tue October 12, 2021 09:22 AM
    As Guus points out, it makes no sense for alert 1603 (and possibly other COMPAREOPT based alerts) to complain about a change of the entry point address after IPL. In essence, the IPLDATE (lookup?) value from the snapshot CKFREEZE should be a COMPAREOPT BY= field, at least for the SHOW=CHG function. I am not sure if COMPAREOPT supports lookup specifications, but that's what seems to be necessary to fix these incorrect alerts.

    Automatically deleting snapshot CKFREEZE data sets after an IPL, as Guus suggests, is a workaround that the customer could build, though it nixes the design purpose of these data sets: why else keep a configurable number of these at hand, other than for forensic, after the (alert) fact analysis.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 5.  RE: zSecure alerts during IPL

    Posted Tue October 12, 2021 11:23 AM

    We have this issue too... after every IPL we get alerts saying that most or all SVCs have been changed, which is not helpful at all. If there is an RFE or something I would be happy to concur/vote for it.

    Dan

    Dan W Little | Senior Director, Mainframe Operating Systems | Mainframe & Midrange Hosting Services | Tech Infrastructure | Tech & Ops | RBC |

     

    _______________________________________________________________________

    If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.

    Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future.






  • 6.  RE: zSecure alerts during IPL

    Posted Tue October 12, 2021 02:29 PM

    Hmmm, that's not exactly what I said. A change in the address indicates that something has changed in your IPL process. And as such it's not completely useless. The only SVC that normally jumps around is the one for ICSF, because it's installed dynamically, and is dependent on the timing of the ICSF start command.

    I'm not in favor of simply discarding all extended monitoring alerts if it's the first compare after the IPL. Suppose that somebody inserts a new SVC, you'd definitely want an alert about that.

    The minor change that I was thinking about, and that I needed to test was a change of the compare fields. For example, change the alert to compare not the address, but the first 256 bytes of the code. That might also trigger on an address change, but is less likely, and at least will continue to trigger on all significant changes, even across an IPL. I'll suggest to change the code accordingly.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 7.  RE: zSecure alerts during IPL

    Posted Fri October 15, 2021 12:53 PM
    Guus, when you say a change to the code, is that something we can do with a customised alert, or are you talking about a PTF? If a PTF, do you have any idea when it would be available please?

    Thanks,
    Anji

    ------------------------------
    Anji Stephens
    ------------------------------



  • 8.  RE: zSecure alerts during IPL

    Posted Mon October 18, 2021 03:33 AM

    Yes, a custom alert will do: in the compareopt, change curr_address into curr_contents (one line).

    An actual product change might be FIN.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 9.  RE: zSecure alerts during IPL

    Posted Mon October 18, 2021 04:33 AM
    Thank you Guus. I will try that and get back to you.

    Regards,

    ------------------------------
    Anji Stephens
    ------------------------------



  • 10.  RE: zSecure alerts during IPL

    Posted Tue October 19, 2021 04:04 AM
    Hi Guus,
    I have tried your suggestion, but unfortunately there are still the same number of alerts being generated.
    Just to confirm, I am using:

    COMPARE=(curr_contents,curr_apf)

    Is this correct?

    Thanks and regards,

    ------------------------------
    Anji Stephens
    ------------------------------



  • 11.  RE: zSecure alerts during IPL

    Posted Tue October 19, 2021 04:52 AM

    Yes, that's what I used in my testing, and it helped me get rid of some "false positives", especially the one for ICSF.

    I guess it now goes beyond discussion in a public forum to determine what causes the alerts. For example, I would like to see which SVCs trigger the alerts, and the contents of the variables. That involves running some extra CARLa scripts using the temporary EM-CKFREEZE files (the one from before the IPL, and the first one after it).

    One of the reasons that the alert still triggers might be that the SVC code has relocatable constants (addresses) in the beginning of the code.



    ------------------------------
    Guus Bonnes
    ------------------------------
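The discussion above (posts 6, 8 and 11) comes down to which fields a snapshot-to-snapshot compare looks at: comparing the SVC entry point address fires for every routine that simply loaded elsewhere after an IPL, comparing the first bytes of the code fires only for routines whose code actually differs, and a relocatable address constant near the start of a routine makes even the contents compare fire. The Python below is an added illustration of that logic and is not zSecure code or a CARLa alert: the SVC numbers, addresses, APF flags and "code" bytes are constructed, the field names curr_address, curr_apf and curr_contents are borrowed from the thread, and the final relocation-aware compare is an assumption about how one could investigate Guus's relocatable-constant hypothesis offline, not a product option.

```python
"""Constructed model of an extended-monitoring compare on SVC table entries.

Two snapshots are built: one from before an IPL and one from the first
CKFREEZE after it.  After the IPL every routine loads 0x100 bytes higher,
SVC 233 has really been modified, SVC 244 is newly inserted, and SVC 200
(standing in for the dynamically installed ICSF SVC) carries a relocatable
address constant in its first word.
"""
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class SvcEntry:
    svc: int          # SVC number
    address: int      # entry point address   (thread: curr_address)
    apf: bool         # APF-authorized flag   (thread: curr_apf)
    contents: bytes   # first bytes of code   (thread: curr_contents)


def make_routine(load_addr: int, has_reloc_constant: bool, body: bytes) -> bytes:
    """Constructed 'code': an optional 4-byte constant pointing into the
    routine itself (so it changes with the load address), then the body."""
    const = struct.pack(">I", load_addr + 0x40) if has_reloc_constant else b"\x00" * 4
    return const + body


def build_snapshot(addrs: dict, bodies: dict, apf: dict, reloc: set) -> dict:
    return {n: SvcEntry(n, addrs[n], apf[n], make_routine(addrs[n], n in reloc, bodies[n]))
            for n in addrs}


# Constructed sample data (not from any real system).
APF = {20: False, 110: True, 200: True, 233: True, 244: True}
RELOC = {200}
PRE_ADDRS = {20: 0x00F01000, 110: 0x00F02000, 200: 0x00F03000, 233: 0x00F04000}
PRE_BODIES = {20: b"\x18\x2f\x07\xfe", 110: b"\x58\x10\xd0\x08",
              200: b"\x41\x10\x00\x04", 233: b"\x1b\x11\x07\xfe"}
POST_ADDRS = {n: a + 0x100 for n, a in PRE_ADDRS.items()}
POST_ADDRS[244] = 0x00F05100                      # newly inserted SVC
POST_BODIES = dict(PRE_BODIES)
POST_BODIES[233] = b"\x05\xef\x07\xfe"            # genuinely modified code
POST_BODIES[244] = b"\x0a\x0d\x07\xfe"

PRE = build_snapshot(PRE_ADDRS, PRE_BODIES, APF, RELOC)
POST = build_snapshot(POST_ADDRS, POST_BODIES, APF, RELOC)


def field_value(e: SvcEntry, field: str):
    return {"curr_address": e.address, "curr_apf": e.apf, "curr_contents": e.contents}[field]


def changed_svcs(base: dict, current: dict, compare: tuple) -> list:
    """SVC numbers that are new, gone, or differ in any of the compare fields."""
    out = []
    for n in sorted(set(base) | set(current)):
        if n not in base or n not in current:
            out.append(n)
        elif any(field_value(base[n], f) != field_value(current[n], f) for f in compare):
            out.append(n)
    return out


def contents_equal_modulo_relocation(old: SvcEntry, new: SvcEntry) -> bool:
    """Treat a 4-byte word as unchanged when it moved by exactly the load
    delta (assumed relocation-aware check; a real change that happens to
    differ by the same delta would be masked, which is its known blind spot)."""
    if len(old.contents) != len(new.contents):
        return False
    delta = new.address - old.address
    for i in range(0, len(old.contents) - 3, 4):
        a = struct.unpack(">I", old.contents[i:i + 4])[0]
        b = struct.unpack(">I", new.contents[i:i + 4])[0]
        if a != b and b - a != delta:
            return False
    tail = len(old.contents) - len(old.contents) % 4
    return old.contents[tail:] == new.contents[tail:]


def changed_svcs_reloc_aware(base: dict, current: dict) -> list:
    out = []
    for n in sorted(set(base) | set(current)):
        if n not in base or n not in current:
            out.append(n)
        elif base[n].apf != current[n].apf or not contents_equal_modulo_relocation(base[n], current[n]):
            out.append(n)
    return out


if __name__ == "__main__":
    print("address compare :", changed_svcs(PRE, POST, ("curr_address", "curr_apf")))
    print("contents compare:", changed_svcs(PRE, POST, ("curr_contents", "curr_apf")))
    print("reloc-aware     :", changed_svcs_reloc_aware(PRE, POST))
```

The address compare lists every SVC (pure IPL noise plus the two real events), the contents compare drops the relocated-but-unchanged routines yet still flags SVC 200 because of its embedded address constant, and the relocation-aware pass is left with only the modified SVC 233 and the inserted SVC 244, which is the outcome post 6 argues an alert after an IPL should still produce.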



  • 12.  RE: zSecure alerts during IPL

    Posted Fri October 22, 2021 07:35 AM
    Thank you Guus. Are you suggesting we should open a case? Can you tell me which scripts you need me to run please?

    Thanks,
    Anji

    ------------------------------
    Anji Stephens
    ------------------------------