I've been spending some time with my favourite software, IBM Tivoli zSecure. I'm actually on the beta test programme for release 1.12 but that release is embargoed so I'll stick to the new features in the current GA release. Version 1.11 comes with additional Detective controls in zSecure Audit, and today I'll look at PDS member auditing.
To quote from the zSecure Newsletter #2, 2010: "For many years, customers have been asking for the ability to be able to log and report when a member within a dataset has been initialised, deleted, added, changed, replaced or renamed. Well the good news is that from z/OS V1.11 this is now finally possible. SMF record type 42 now records this information and providing your system programmer has not disabled this record type in your SMFPRMxx member, member level changes will be recorded. Even more good news, using zSecure Audit or Alert V1.11, you can report and alert on this record type."
I'm going to try this out, with a PROCLIB library called USER.PROCLIB. Because it is in the proclib concatenation in the JES2 started task, is considered sensitive. If someone was to update a member in here, they could change, augment or adversely affect running processes. They could do this accidentally, where the effect most likely would be to prevent a started task from starting correctly thus impacting availability of service, or deliberately. Deliberate attacks on a JES2 proclib might include addition of a job step to copy data, escalate user privileges or start a second privileged process. As many started tasks run either PRIVILEGED, TRUSTED or with a highly-privileged user account, this is quite a fruitful attack vector if not closed down.
So let's have a look at auditing for PROCLIB changes action. I'm going to edit "USER.PROCLIB" and change a started task, then see what zSecure knows about this. Here I am editing USER.PROCLIB member ITIAGNT (incidentally this is the ITIM agent for RACF which I installed recently):-
Now I'm going to change something. If I was an attacker I could add some JCL "payload" here, but I'm just going to add a comment instead for this demonstration.
I've saved this now, so in theory a new SMF record type 42 has been cut for my actions, because we're running z/OS 1.11 here. So what does zSecure think? Let's go into zSecure and select the Events, Data Set options EV.D
In the resulting panel, we can fill in USER.PROCLIB and see the events that have been logged against that dataset.
Now I hit Enter and see the results of this query, and we can see that with my UserID "PIREAN1" I replaced the member ITIAGNT today.
This is the new functionality, only available with z/OS 1.11 and zSecure 1.11 or later, and assuming your sysprogs have not suppressed the new SMF record type 42.
Don't forget, preventive controls always trump detective ones so make sure you operate Least Privilege access control (and zSecure Admin will help, while zSecure Command Verifier will prevent drift) but you may want to Audit the small group of privileged users who have sensitive library access, and this is a new tool in the box. Have fun with it!
Matching: zsecure X
I've uploaded my white paper on "Achieving PCI-DSS with zSecure" here for ease of reference. If you're considering a mainframe PCI compliance project then you may find this helpful.
For a more detailed exploration of PCI DSS and the mainframe you can read this document from independent consultants Atsec.
For a general discussion of mainframe security in 2011 and the security journey don't forget my z/Journal article here.
I'm attending this next month:-
System z Security Event for Today and Tomorrow...
Note the dates have changed but the website still shows the old dates (in a GIF which is messy to edit, there's a lesson there for all webmasters!)
New dates are Tue 28th Sep to Fri 1st Oct 2010.
If you use LinkedIN then I've added the event here - please update if you're attending and maybe we can meet up.
Topics for the 4-day conference are
alan.harrison 270002QUNN Tags:  z11 blog zfuture znext racf zsecure zenterprise system_z 1 Comment 3,176 Views
Greetings and welcome to zSecurity, my blog about all things System z with a focus on Enterprise Security. Here you will find out what I'm up to in the field including things like the zSecure beta program, Tivoli Security software for z/OS and for Linux on z, and of course all things RACF. You may know me from my Blogger output, notably my Practically Secure blog on the wider security landscape. Or you may have come here from LinkedIn, where I participate in Security and System z groups.
I'll be contributing my System z and IBM-related work to this blog on developerWorks, while continuing to write about InfoSec matters on Practically Secure. You can subscribe to either blog by RSS or you can follow me, @alanjharrison on Twitter to receive a tweet when my blogs are updated, and also to keep in touch. I try to follow the System z and InfoSec worlds and regularly tweet about what I'm reading and my own thoughts on the matter.
Thanks for coming and I hope you stay!
Alan Harrison, CISSP, System z Technical Specialist, System z Software "Top Gun".
Pirean Ltd, IBM Premier Business Partners.
Just time before Montpellier to tell you there is some new System z related content at http://www.pirean.com/Systemz.htm including now four PDFs for download. These are
I continue to be amazed at the worrying stories of PCIDSS non-compliance in UK organisations, many of which are certain to have System z at the heart of their payment operations.
To that end I am writing a paper on how zSecure can help you achieve compliance with the PCIDSS (Payment Card Industry Data Security Standard) - which becomes mandatory for Level 1 merchants in the Visa and Mastercard schemes from next month. That will be available on Pirean.com soon but here are some highlights. The numbered list is the "Digital Dozen" - the twelve basic requirements of the PCIDSS, and the bullets describe briefly how zSecure can help you deliver against that requirement cost effectively.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
I'll let you know when the full doc is available, meantime check out my thoughts on compliance for System z in my earlier white paper here.
As promised, here is my analysis of how IBM Tivoli zSecure can help you achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of twelve requirements designed to secure and protect customer payment data. As of September 2010 the revised standard is mandatory for members of the Visa and MasterCard schemes, with fines for violations running into hundreds of thousands of pounds.
If you have zSecure then this document might help you on your way. If not, read this to see how it can help you achieve PCI compliance, implement your security policy goals and reduce the overall cost of security administration and compliance activity.
As usual, this quarter's zSecure newsletter is a good read. Topics include:
The good news is that the inaugural European zSecure Conference was a success and will be repeated next year. On that subject, I will blog my highlights soon, as well as the RACF "Template" and "Role" discussion, watch this space!
IBM z Business Partners can join Destination z and attend the regular conference calls with IBM and other BPs. I'm presenting on our solutions for System z on 22 September including details of our security offerings. Here's a sneak preview of one of my slides, showing Pirean's Extended System z Adapter (PEZA) for IBM Tivoli Identity Manager. Full details can be downloaded from Pirean.com here.
The big break in my blogging habit was because - as those who know me IRL (in real life) will understand - I've changed jobs and there was a heck of a lot to do when I arrived in my new post! The good news is that I am working almost exclusively on RACF and zSecure and will be able to share experiences with zSecure 1.12 and beyond, including zSecure Visual and Access Monitor, two features I've not previously played with.
Meantime, I'll be catching up by blogging some bits and pieces relating to IBM Security zSecure and RACF in the coming days.
Firstly, here is the zSecure Newsletter - Issue 1, 2011. Out in April, this includes the following topics:
To get on the mailing list for this Newsletter, please send an e-mail to
I've just spotted this article by Mike Cairns on zSecure in April's ibmsystemsmag, thanks to Mike posting it on LinkedIn last month. It's a good summary of the more recent features of the product including RACF Offline and Access Monitor.