IBM Security zSecure Audit: compliance extensions and ACF2 support
JeroenTiggelman 27000186A5 Visits (9919)
On December 16, 2017 a new service stream enhancement (SSE) to zSecure Audit 2.3.0 has become generally available, adding enhancements to ACF2 support (for example, for z/OS UNIX and CICS) and compliance functions (for example, multiple sensitivities and a new DB2_ACCESS report type).
Mainframes continue to be the home for mission critical information and essential business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. The IBM z14 enables the ultimate data protection of pervasive encryption – while being open and connected in the cloud to speed innovation at lower cost. z/OS V2R3 is designed to provide new policy-based encryption options that take full advantage of the improvements in the z14 platform and can help clients protect their critical business data. The new encryption capabilities and policies apply both to data at rest and to data in flight.
Resource Access Control Facility (RACF) is the foundational IBM package provided for protecting Z. IBM Security zSecure suite builds on the security support in IBM Z, z/OS and Resource Access Control Facility to enhance mainframe security capabilities. It can help you protect your enterprise, detect threats, comply with policy and regulations and reduce costs. IBM Security zSecure Audit and IBM Security zSecure Alert also support the security package CA-ACF2. IBM Security zSecure furthermore helps protect various mainframe sub-systems, including Db2, CICS, IMS, and MQ.
When an access check occurs in a resource manager (i.e., a program that must make an access decision about the use of certain resources) the application programming interface (API) known as the System Authorization Facility (SAF) is called. If the system is protected by RACF or ACF2, then SAF will forward the question to that External Security Manager (ESM) and return the answer (allowed/protection undefined/denied). ACF2 allows filtering what requests are to be forwarded from SAF on a broad level via SAFDEF records. This allows SAF to respond immediately with allowed/protection undefined/denied for categories of resources for which the answer is obvious; this can for example be used to always allow JES2 address spaces to manipulate JES2 spool data sets.
The common query language employed by zSecure Admin, zSecure Audit, zSecure Manager for RACF z/VM, zSecure Alert, and zSecure Adapters for SIEM is called the CARLa Auditing and Reporting Language (CARLa).
The Security Technical Implementation Guide (STIG) from the United States Defense Information Systems Agency (DISA) provides a framework for ensuring that security is set up properly. IBM Security zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with information security controls documentation from IBM).
Notable benefits include:
* Automatic reporting of multiple data set sensitivities in the PRIV_SENSTYPE field in the SENSDSN report type, and the SENSITIVITY field in the TRUSTED report type. (The SENSTYPE field in the SENSDSN report type continues to hold the "primary" sensitivity. ) Relevant compliance controls have been adjusted to exploit this enhanced functionality.
* New report type DB2_ACCESS with individual permissions to DB2 objects (from RACF, ACF2, and DB2). This could be used in a compliance rule to forbid GRANT permissions. A sample CARLa script CKADQDP is provided in the SCKRCARL data set.
* New report type ACF2_SAFDEF to report on ACF2 SAFDEF records. These are now shown in the AA.S (ACF2 Administration - Infostorage) menu.
* Enhanced reporting on ACF2 protection of CICS transactions. SAFELIST and PROTLIST records are now shown in AA.S. The various RE.C (Resources - CICS) menu options have also been enhanced.
* The ACF2 divisions OMVS, LANGUAGE, and WORKATTR as well as more password related fields are now shown in AA.L (Logonids). Selection capabilities are also provided.
* Automatic mapping of z/OS UNIX UIDs and GIDs to ACF2 logonids and groups. This enhances RE.U (UNIX). UID and GID overviews have been added to AU.S (Audit Status).
* The ability to show installation defined LID fields in the ACF2 logonid displays (AA.L) by specifying what is desired in SE.6 (Setup Instdata).
* Sending more encryption related data fields from SMF record 119-11 to QRadar (esp. related to TLS).
* Reporting improvements for rule-based compliance reporting (AU.R), including the format of the output.
Furthermore, this update includes fixes for the following APARs:
* OA54485 - In a multi-level summary in print format, literals will no longer be repeated across summary levels;
* OA54579 - Better ACF2 masking;
* OA54580 - Improvement to zSecure Admin Access Monitor;
* OA54581 - Fix for compliance reporting.
This update primarily applies to zSecure Audit for ACF2. zSecure Audit for RACF, zSecure Audit for Top Secret, zSecure Admin, zSecure Alert, zSecure Adapters for SIEM, and zSecure Visual are also affected.
Documentation updates have been provided in a Technote.
To fully benefit from these enhancements the following is required:
This service stream enhancement enables more menu options (for example, SE.6 for ACF2), and therefore has a different NLS table level. If you use option SE.D.N to customize menus or options for your installation, then you must run SE.D.N again with a sufficiently authorized user ID.
If you have any questions, please ask them here or on the zSecure support forum. The current zSecure for z/VM release is 1.11.2. The I
 For the SENSDSN report type the SENSTYPE field had an alias SENSITIVITY also. For ease of use, the program has been changed in this SSE so that all report types that accept either SENSTYPE or SENSITIVITY as a field name also accept the other as an alias. Likewise, the field names DSN, DATASET, and DSNAME are now accepted consistently throughout.