IBM Security zSecure 2.2
JeroenTiggelman 27000186A5 Visits (14209)
IBM Security zSecure suite can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system. The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure.
IBM Security zSecure helps protect various mainframe sub-systems, including DB2, CICS, IMS, and MQ.
The zSecure Audit Compliance Testing Framework was added in zSecure 1.13.1 (2012). A user interface was first provided in zSecure 2.1.0 (2013). The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Pa
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for QRadar SIEM is called the CARLa Auditing and Reporting Language (CARLa).
IBM Security zSecure 2.2.0 provides currency with
* z/OS V2R2, announced on July 28, 2015 with a planned availability date of September 30, 2015;
* Information Management System (IMS) V14, announced on October 5, 2015 with a planned availability date of October 30, 2015; and
* CICS Transaction Server V5R3, announced on October 5, 2015 with a planned availability date of December 11, 2015.
* Windows 10--for the zSecure Visual client.
Notable features include
* Support for more tightly controlled audit access to z/OS UNIX--through the new system-wide ROAUDITOR (read-only auditor) user attribute in the Resource Access Control Facility (RACF) release shipped with z/OS V2R2 (unlike AUDITOR, does not allow changing audit settings); the new UNIXPRIV SUPE
* Support for the new TSO PASSWORDPREPROMPT option for LOGON;
* Support for new System Management Facilities (SMF) log event types 42-27 (VTOC updates) and 90-37 (APF list changes);
* More extensive support for SMF 82 (Integrated Cryptographic Services Facility);
* Support for pass phrases in zSecure Visual client;
* User interface improvements for Rule-based compliance auditing (menu option AU.R), including more selective reporting capabilities;
* New and updated compliance checks.
The STIG standard version level has been upgraded to 6.24 and the PCI-DSS level to 3.1.
Information from newly supported SMF record types is passed towards IBM Security QRadar SIEM.
The forthcoming integration with IBM Security Identity Governance will be described in more detail in a later article.
Function provided for zSecure 2.1.1 in service stream enhancements is of course included also, such as for stro
Statement of direction
The announcement letter for zSecure 2.2.0 furthermore expressed IBM's intent for zSecure to provide 64-bit addressing support in future. This support has been provided on June 25, 2016 in a Serv
The former CKRCARLA program (the CARLa engine) has come to exist in two variants called CKR4Z (for 31-bit addressing) and CKR8Z196 (for 64-bit addressing), which can be called by a new CKRCARLA stub program depending on the environment (e.g. hardware level)--but the release provided in the service stream maintained the 31-bit variant as the default.
In zSecure 2.2.0, the CARLa engine is called CKR4Z. If you have Program Access to Data Sets (RACF) controls or program pathing (ACF2) in place based on the name CKRCARLA you might want to make adjustments for this to enable calling the program directly. The CKRCARLA program provided in zSecure 2.2 is a stub that always calls CKR4Z (so you generally do not need to change your JCL etc., nor make any changes to PADS or program pathing at this time). Also note the Migration section in the announcement of the 64-bit SSE.
Edit: If you share your RACF database with LPARs that run older zSecure releases, take a look at thes
If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community. The current zSecure for z/VM release is 1.11.2. The I
- Reworded PADS and program pathing observations. Removed reference to z/OS 1.12.
- Adjusted the Statement of Direction and Migration sections for the availability of the 64-bit addressing support.