Integrate Broadcom CA ACF2 with IBM QRadar by using audit scripts

The Broadcom CA Access Control Facility (ACF2) DSM collects events and audit transactions on the IBM® mainframe with the Log File protocol.

QexACF2.load.trs is a TERSED file that contains a PDS loadlib with the QEXACF2 program. A TERSED file is similar to a zip file and requires you to use the TRSMAIN program to decompress the contents. The TRSMAIN program is available from IBM Support (www.ibm.com/support).

To upload a TRS file from a workstation, you must preallocate a file with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL= 1024, BLKSIZE=6144. The file transfer type must be BINARY APPEND. If the transfer type is TEXT or TEXT APPEND, then the file cannot decompress properly.

After you upload the file to the mainframe into the allocated dataset, the TERSED file can be UNPACKED with the TRSMAIN utility by using the sample JCL also included in the tar package. A return code of 0008 from the TRSMAIN utility indicates that the dataset is not recognized as a valid TERSED file. This code (0008) error might be the result of the file not being uploaded to the mainframe with the correct DCB attributes, or because the transfer was not performed with the BINARY APPEND transfer mechanism.

After you have successfully UNPACKED the loadlib file, you can run the QEXACF2 program with the sample JCL file. The sample JCL file is contained in the tar collection. To run the QEXACF2 program, you must modify the JCL to your local naming conventions and JOB card requirements. You might also need to use the STEPLIB DD if the program is not placed in a LINKLISTED library.

To integrate CA ACF2 events into IBM QRadar:

  1. The IBM mainframe records all security events as Service Management Framework (SMF) records in a live repository.
  2. The CA ACF2 data is extracted from the live repository with the SMF dump utility. The SMF file contains all of the events and fields from the previous day in raw SMF format.
  3. The QexACF2.load.trs program pulls data from the SMF formatted file. The QexACF2.load.trs program pulls only the relevant events and fields for QRadar and writes that information in a compressed format for compatibility. The information is saved in a location accessible by QRadar.
  4. QRadar uses the Log File protocol source to retrieve the output file information on a scheduled basis. QRadar then imports and processes this file.