IBM Security zSecure suite 2.2.1 was announced on October 25, 2016 with a planned availability date of December 9, 2016. You can read the US announcement letter here. This release provides live SMF event streaming to IBM QRadar SIEM, enhanced alerting capability in zSecure Alert based on specific access events captured by zSecure Admin Access Monitor, improved scalability through exploitation of 64-bit addressing mode, new policies in zSecure Command Verifier including the ability to link denial of access to an external security rule, zSecure Audit Compliance Testing Framework enhancements, and currency for DISA-STIG 6.29, PCI-DSS 3.2, CA-ACF2 16, CA-Top Secret 16, MQ 9, Windows Server 2016, RACF Multi-Factor Authentication, and Integrated Cryptographic Services Facility HCR77B1.
IBM Security zSecure suite can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. Most of the products run on the z/OS operating system. The zSecure for z/OS release numbers follow those of z/OS. For complete support of a z/OS release, you generally need the same release of zSecure. IBM Security zSecure helps protect various mainframe sub-systems, including DB2, CICS, IMS, and MQ. zSecure Command Verifier intercepts RACF commands before they are issued and helps enforce compliance by preventing erroneous commands. zSecure Access Monitor intercepts access requests and can record them even when they are not being written to the System Management Facilities (SMF) event log. zSecure Alert listens to SMF records and Write To Operator (WTO) console messages as they are being written and sends out security alerts in real-time.
IBM QRadar SIEM consolidates log source event data from thousands of devices, endpoints, and applications distributed throughout a network. IBM Security zSecure allows sending z/OS, RACF, ACF2, Top Secret, DB2, and CICS events from the System Management Facilities (SMF) log to QRadar SIEM, enriched with information from the security database and system snapshot (CKFREEZE) information. This support was first provided in a Service Stream Enhancement (SSE) to zSecure 1.13 (2012), using a batched approach that collected event files using FTP polling. Real-time support for alerts sent out by zSecure Alert was provided later that same year.
The zSecure Audit Compliance Testing Framework was added in zSecure 1.13.1 (2012). A user interface was first provided in zSecure 2.1.0 (2013). The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with security controls documentation from IBM).
IBM Multi-Factor Authentication for z/OS helps security administrators enforce a policy that requires authentication with multiple factors during the logon process. It is designed to work with IBM z/OS Security Server RACF to centralize the information of valid factors within RACF to help clients accelerate deployment, simplify management with existing infrastructure, and be able to more simply achieve regulatory compliance and reduce risk to critical applications and data.
IBM Security zSecure Manager for RACF z/VM helps you protect your z/VM systems. You can feed the data collected by its zSecure Collect for z/VM (CKVCOLL) component into IBM Security zSecure Admin and zSecure Audit. This allows comprehensive analysis including both z/OS and z/VM systems.
IBM Common Data Provider for z Systems provides access to z/OS operational data in near real-time. It is a companion product to IBM Operations Analytics for z Systems.
64-bit addressing was introduced to the mainframe by z/Architecture in 2000 through the z900. Later hardware (z800, z990, z890, z9, z10, z196, z114) has added progressively more 64-bit capable machine instructions. An inherent feature of 64-bit addressing is that 8-byte addresses are required, so more memory needs to be read (and written). zSecure has chosen to provide the CKR8Z196 program so that it runs on z196 and later hardware, as the z196 introduced machine instructions that allow better performance when using 64-bit addressing than older hardware.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for QRadar SIEM is called the CARLa Auditing and Reporting Language (CARLa).
IBM Security zSecure 2.2.1 provides
* near real-time integration of enriched SMF events into QRadar SIEM via the syslog protocol (TCP or UDP) and enhancements to the syslog protocol for zSecure Alert;
* ability to send RACF VERIFY events from zSecure Access Monitor to zSecure Alert; this allows, for example, detection of TSO logons even though no SMF records are written;
* automatic recognition of configuration data sets for zSecure Alert, zSecure Access Monitor, and the QRadar feed as sensitive;
* additional automated STIG controls for RACF, ACF2, and Top Secret and extensions to the compliance testing framework (DOMAIN CONFIG, TEST ASSERT, DEFSENS, etc.);
* exploitation by default of virtual storage above "the 2GB bar" plus performance and scalability enhancements, particularly for ACF2 and DB2 processing;
* ability to configure an additional message text for a particular policy verification, for example to link to company policy;
* ability to 'lock down' users and groups to their current access levels and new policy for use of the SHARED keyword with UIDs and GIDs;
* user interface enhancements, notably including productivity enhancements for administration;
* support for RACF enhancements for Multi-Factor Authentication, including out-of-band authentication support for IBM Multi-Factor Authentication for z/OS 1.2 (November 2016) in zSecure Admin and Audit;
* support for new function in z/OS shipped in the service stream, for example security bypass authorization;
* currency support for ACF2 16 (including global password options and the ability to RETIRE logonids), Top Secret 16, MQ 9, DISA-STIG 6.29, PCI-DSS 3.2, and ICSF HCR77B1, and toleration for z/VM 6.4.
The new near real-time integration with QRadar SIEM requires the following:
* zSecure Audit, zSecure Adapters for QRadar SIEM, or one of the zSecure Administration, Auditing, and Compliance solutions that includes zSecure Audit as a component
* QRadar SIEM, including (some of) the Device Support Modules (DSMs) for z/OS, RACF, ACF2, Top Secret, DB2, and CICS events
* z/OS V2R1 or newer, plus the z/OS SMF in-memory (INMEM) resource feature and SMF real-time interface provided through z/OS APAR OA49263 (September 2016)
* Optionally IBM Common Data Provider for z Systems V1.1, plus the enhancements provided through CDP APAR OA51414 (December 2016)
Edit: A zSecure 2.3.0 Service Stream Enhancement delivered in May 2018 provides a new way of doing real-time integration, which does not require the INMEM feature and does not require SMF log streams.
Edit: zSecure 2.3.1 no longer supports CDP.
Exploitation of virtual storage above the bar requires z196 or newer hardware.
For Multi-Factor Authentication for z/OS 1.2 support, note the following:
* RACF APAR OA50930 (December 2016) and SAF APAR OA50931 and the documentation updates provided in this technote by the RACF team for MFA V3.
* zSecure 2.2.1 provides some initial support for this brand-new function in zSecure Admin and zSecure Audit 2.2.1
* zSecure Command Verifier does not tolerate use of the new command keywords yet; see APAR OA51719
* Additional updates will be provided for zSecure Admin and Audit through APAR OA51723
If you install the RACF-offline component of zSecure Admin 2.2.1 over a 2.1.1 or older release, please follow the instructions in this technote.
Note that the CARLa engine of zSecure 2.2.1 uses 64-bit addressing by default. If you run on a z196 or newer, CKRCARLA will invoke the CKR8Z196 program (instead of CKR4Z).
Note that the CKR4Z program was first shipped with the original zSecure 2.2.0 release; it is not present in older zSecure releases. Note that the CKRCARLA 2.2.0 program always calls CKR4Z.
Note that the CKR8Z196 program is only enabled at the zSecure 2.2.0 level if you installed the 64-bit SSE.
If you want to fall back to using the 31-bit engine, you can do one of the following:
* In the ISPF UI under SETUP RUN (SE.0), second panel, option "Select program to run", choose option 2 to call CKR4Z directly
* You can call the CKRCARLA program with the command ALLOC PROGRAM=CKR4Z on the parameter string, but for batch programs the preferred method is a direct call to PGM=CKR4Z
* To the zSecure Alert engine (C2POLICE) and zSecure Access Monitor (C2PACMON) you can specify DEBUG CKRCARLA('ALLOC PROGRAM=CKR4Z;')
* To the zSecure Server (CKNSERVE) you can specify OPTION CKRCARLA('ALLOC PROGRAM=CKR4Z;')
* For the zSecure Visual server (C2RSERVE) you can change the external link so that it points to CKR4Z instead of CKRCARLA
Note that calling CKR4Z directly might mean that you need to set up Program Access to Data Sets (PADS) or program pathing for that program.
For the near real-time integration with QRadar SIEM you need to do the following:
* SMF must be configured to use SMF log streams (as opposed to data sets). This is a prerequisite for the SMF in-memory resource feature.
Edit: A zSecure 2.3.0 Service Stream Enhancement (SSE) delivered in May 2018 provides a new way of doing real-time integration, which does not require SMF log streams.
* You must be running the 64-bit CARLa engine.
* Next, you need to choose between two ways of connecting to the SMF in-memory resource feature:
- directly from the CARLa engine to the SMF real-time interface
- through the System Data Engine (SDE) component of the IBM Common Data Provider for z Systems (CDP)
Edit: A zSecure 2.3.0 SSE provides a third way, using the CKQEXSMF program. zSecure 2.3.1 no longer supports CDP.
These options are functionally equivalent, but have different set-up requirements.
Note that the second option is available even if you do not have the CDP product, because zSecure ships the SDE (FMID HHB011E) as a "supporting program", that is to say, you are allowed to use it for the purposes of this near real-time integration with QRadar SIEM.
As far as the CARLa configuration (CKQSPECL) is concerned, this is just another keyword on the ALLOCATE statement for the SMF data source (INMEM=resourcename vs. CDP).
* Note that CKQSPECL is provided in SCKRCARL. You probably want to copy it to your CKRPARM data set. The easiest way to do this might be to modify the CKRZPOST post-installation job in SCKRSAMP before you run it: locate the line with "S M=CKQSPEC" and make sure there is a line "S M=CKQSPECL" behind it.
* CKR8Z196 can be brought up as a started task using the sample procedure CKQRADAR in SCKRPROC, which references CKQSPECL and the main CARLa script CKQLEEFL. This script is functionally equivalent to the CKQLEEF script for use with FTP and includes the same exit points, so your event selections and custom events can be carried over automatically.
Note that the CARLa engine will periodically restart itself automatically and now also listens to operator commands (such as MODIFY,RESTART).
* You must configure the QRadar SIEM DSMs to accept the syslog protocol. (If your DSMs have not been automatically defined to allow that, shell commands can be run to enable the selection.)
What's new in zSecure 2.2.1
If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community. The current zSecure for z/VM release is 1.11.2. The IBM Security zSecure today developerWorks article serves as a starting point to reach all the latest zSecure announcements.