Configuring Broadcom CA ACF2 to integrate with IBM QRadar by using audit scripts

IBM QRadar collects audit events from Broadcom CA ACF2 installations by using scripts that run on the mainframe; the output file that the scripts produce is retrieved by using the log file protocol.

Procedure

  1. From the IBM® support website (http://www.ibm.com/support), download the following compressed file:

    qexacf2_bundled.tar.gz

  2. On a Linux® operating system, extract the file:

    tar -zxvf qexacf2_bundled.tar.gz

    The following files are contained in the archive:
    • QexACF2.JCL.txt - Job Control Language file
    • QexACF2.load.trs - Compressed program library (requires IBM TRSMAIN)
    • trsmain sample JCL.txt - Job Control Language for TRSMAIN to decompress the .trs file
  3. Load the files onto the IBM mainframe by using the following methods:

    Upload the sample QexACF2_trsmain_JCL.txt and QexACF2.JCL.txt files by using a TEXT (ASCII) mode transfer.

  4. Upload the QexACF2.load.trs file by using a BINARY mode transfer and append it to a preallocated data set. The QexACF2.load.trs file is a tersed file that contains the executable file (the mainframe program QexACF2). Before you upload the .trs file from a workstation, preallocate a data set on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be binary mode, not text.
    Note: QexACF2 is a small C mainframe program that reads the output of the TSSUTIL (EARLOUT data) line by line. QexACF2 adds a header to each record that contains event information, for example, the record descriptor, date, and time. The program places each field into the output record, suppresses trailing blank characters, and delimits each field with the pipe character. This output file is formatted for QRadar, and the blank suppression reduces network traffic to QRadar. This program does not consume CPU or I/O disk resources.
  5. Customize the trsmain sample_JCL.txt file according to your installation-specific parameters.
    Example: job card, data set naming conventions, output destinations, retention periods, and space requirements.

    The trsmain sample_JCL.txt file uses the IBM utility TRSMAIN to extract the program that is stored in the QexACF2.load.trs file.

    An example of the QexACF2_trsmain_JCL.txt file includes the following information:

    //TRSMAIN JOB (yourvalidjobcard),Q1labs,
    // MSGCLASS=V
    //DEL EXEC PGM=IEFBR14
    //D1 DD DISP=(MOD,DELETE),DSN=<yourhlq>.QEXACF2.LOAD.TRS
    // UNIT=SYSDA,
    // SPACE=(CYL,(10,10))
    //TRSMAIN EXEC PGM=TRSMAIN,PARM='UNPACK'
    //SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
    //INFILE DD DISP=SHR,DSN=<yourhlq>.QEXACF2.LOAD.TRS
    //OUTFILE DD DISP=(NEW,CATLG,DELETE),
    // DSN=<yourhlq>.LOAD,
    // SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
    //

    The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN. When extracted, this tersed file creates a PDS link library with the QexACF2 program as a member.

  6. You can STEPLIB to this library or move the program to one of the LINKLIBs that are in LINKLST. The program does not require APF authorization.
  7. After the upload, copy the program to an existing link-listed library, or add a STEPLIB DD statement with the correct data set name of the library that contains the program.
  8. The QexACF2_jcl.txt file is a text file that contains a sample JCL. You must modify the job card to match your installation.

    The QexACF2_jcl.txt sample file includes:

    //QEXACF2 JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
    // MSGCLASS=P,
    // REGION=0M
    //*
    //*QEXACF2 JCL VERSION 1.0 OCTOBER, 2010
    //* 
    //************************************************************
    //* Change below dataset names to sites specific datasets names*
    //************************************************************
    //SET1 SET SMFIN='MVS1.SMF.RECORDS(0)',
    // QEXOUT='Q1JACK.QEXACF2.OUTPUT',
    // SMFOUT='Q1JACK.ACF2.DATA'
    //************************************************************
    //* Delete old datasets *
    //************************************************************
    //DEL EXEC PGM=IEFBR14
    //DD1 DD DISP=(MOD,DELETE),DSN=&SMFOUT,
    // UNIT=SYSDA,
    // SPACE=(CYL,(10,10)),
    // DCB=(RECFM=FB,LRECL=80)
    //DD2 DD DISP=(MOD,DELETE),DSN=&QEXOUT,
    // UNIT=SYSDA,
    // SPACE=(CYL,(10,10)),
    // DCB=(RECFM=FB,LRECL=80)
    //*************************************************************
    //* Allocate new dataset *
    //*************************************************************
    //ALLOC EXEC PGM=IEFBR14
    //DD1 DD DISP=(NEW,CATLG),DSN=&QEXOUT,
    // SPACE=(CYL,(100,100)),
    // DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
    //*************************************************************
    //* Execute ACFRPTPP (Report Preprocessor GRO) to extract ACF2*
    //* SMF records *
    //*************************************************************
    //PRESCAN EXEC PGM=ACFRPTPP
    //SYSPRINT DD SYSOUT=*
    //SYSUDUMP DD SYSOUT=*
    //RECMAN1 DD DISP=SHR,DSN=&SMFIN
    //SMFFLT DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
    // DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
    // UNIT=SYSALLDA
    //************************************************************
    //* execute QEXACF2 *
    //************************************************************
    //EXTRACT EXEC PGM=QEXACF2,DYNAMNBR=10,
    // TIME=1440
    //STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
    //SYSTSIN DD DUMMY
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //CFG DD DUMMY
    //ACFIN DD DISP=SHR,DSN=&SMFOUT
    //ACFOUT DD DISP=SHR,DSN=&QEXOUT
    //************************************************************
    //FTP EXEC PGM=FTP,REGION=3800K
    //INPUT DD *
    <IPADDR>
    <USER>
    <PASSWORD>
    PUT '<ACFOUT>' EARL_<THEIPOFTHEMAINFRAMEDEVICE>/<ACFOUT>
    QUIT
    //OUTPUT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //*
  9. After the output file is created, schedule a job to transfer the output file to an interim FTP server.

    You must configure the following parameters in the sample JCL to successfully forward the output to an interim FTP server. Because the FTP user name and password appear in clear text in the in-stream INPUT data, restrict read access to the JCL and to the job output.

    Example:
    //FTP EXEC PGM=FTP,REGION=3800K
    //INPUT DD *
    <IPADDR>
    <USER>
    <PASSWORD>
    PUT '<ACFOUT>' EARL_<THEIPOFTHEMAINFRAMEDEVICE>/<ACFOUT>
    QUIT
    //OUTPUT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*

    Where:

    <IPADDR> is the IP address or host name of the interim FTP server to receive the output file.

    <USER> is the user name that is needed to access the interim FTP server.

    <PASSWORD> is the password that is needed to access the interim FTP server.

    <THEIPOFTHEMAINFRAMEDEVICE> is the destination of the mainframe or interim FTP server that receives the output.

    Example:
    PUT 'xxxxxx.xxxxxxx.OUTPUT.C320' /<IP_address>/ACF2/QEXACF2.OUTPUT.C320

    <QEXOUTDSN> is the name of the output file that is saved to the interim FTP server.

    You are now ready to configure the Log File protocol.

  10. Schedule QRadar to retrieve the output file from CA ACF2.

    If the z/OS platform is configured to serve files through FTP or SFTP, or to allow SCP, then no interim FTP server is needed and QRadar can pull the output file directly from the mainframe. In that case, the following text must be commented out by using //* or deleted from the QexACF2_jcl.txt file:

    //FTP EXEC PGM=FTP,REGION=3800K
    //INPUT DD *
    <IPADDR>
    <USER>
    <PASSWORD>
    PUT '<ACFOUT>' EARL_<THEIPOFTHEMAINFRAMEDEVICE>/<ACFOUT>
    QUIT
    //OUTPUT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
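The workstation side of steps 2 and 4, as an added example that is not part of the IBM procedure: it unpacks the bundle, checks that the three listed members are present, and generates the FTP client subcommands that preallocate the target data set with the required DCB attributes and upload the tersed file in binary mode. The host name and data set name are placeholders; the z/OS FTP server's SITE subcommand is assumed to be available for setting allocation attributes.

```shell
#!/bin/sh
# Added example (not from the IBM procedure): the workstation side of
# steps 2 and 4. extract_bundle unpacks qexacf2_bundled.tar.gz and checks
# that the three members the procedure lists are present; ftp_commands
# emits the FTP client subcommands that preallocate the target data set
# with the required DCB attributes (RECFM=FB, LRECL=1024, BLKSIZE=6144)
# and upload the tersed file in binary mode. The z/OS FTP server accepts
# those attributes through its SITE subcommand. The host and data set
# name in the usage lines are placeholders.
set -e

# Unpack the bundle into $2 and verify the expected members exist and are
# non-empty; a truncated download would otherwise surface only as a
# TRSMAIN failure on the mainframe.
extract_bundle() {
    bundle=$1; dest=$2
    mkdir -p "$dest"
    tar -zxf "$bundle" -C "$dest"
    for f in 'QexACF2.JCL.txt' 'QexACF2.load.trs' 'trsmain sample JCL.txt'; do
        [ -s "$dest/$f" ] || { echo "bundle is missing '$f'" >&2; return 1; }
    done
}

# Print the FTP subcommands that upload the .trs file $1 to the
# fully qualified data set $2. Credentials are deliberately not embedded;
# supply them through ~/.netrc or interactively, not in a script.
ftp_commands() {
    trs=$1; dsn=$2
    case $trs in
        *.trs) ;;
        *) echo "expected a .trs file, got '$trs'" >&2; return 1 ;;
    esac
    cat <<EOF
binary
site recfm=fb lrecl=1024 blksize=6144
site cylinders primary=10 secondary=10
put $trs '$dsn'
quit
EOF
}

# Usage with placeholder values (the ftp client reads the login from ~/.netrc):
#   extract_bundle qexacf2_bundled.tar.gz ./qexacf2
#   ftp_commands ./qexacf2/QexACF2.load.trs 'YOURHLQ.QEXACF2.LOAD.TRS' | ftp mainframe.example
```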

What to do next

You are now ready to configure the log source in QRadar.