What's new for zSecure 2.5.0
zSecure 2.5.0 enhances mainframe security intelligence and automated compliance auditing.
- General availability zSecure 2.5.0 (September 2021)
- Enhancements that are made for the zSecure 2.5.0 Service Stream Enhancement (June 2022)
- Enhancements that are made for the zSecure 2.5.0 Service Stream Enhancement (February 2023)
Starting with the SSE of February 2023, the entire zSecure library is available at IBM® Documentation for IBM Security zSecure Suite. This includes the former licensed documentation; that is, the zSecure (Admin and) Audit User Reference Manuals for IBM RACF®, CA ACF2 and CA Top Secret. and the zSecure CARLa Command Reference. For more information about the zSecure documentation, see zSecure Suite Documentation.
For information about installation considerations like system requirements, incompatibility warnings, and known limitations, see Release notes for zSecure 2.5.0.
zSecure 2.5.0 (September 2021)
IBM Security zSecure 2.5.0 (announcement) includes the following new features and enhancements:
- zSecure 2.5.0 introduces the following new report types:
- A record in the TYPE=CERTIFICATE report type describes a digital certificate as it is present on a particular system.
- The IOAENV report type shows the security settings of active BMC INCONTROL IOA environments, and it includes information on the IOA, Control-D, Control-M, and Control-O products.
- The IP_INETD report type shows configuration of network services that the inetd daemon manages.
- The JES_DEVICE report shows the available JES2 devices and the information that is used to secure them.
- The JES_REMOTE report shows the available remote JES2 workstations, and the information that is used to secure them.
- The MQ_AUTHINFO report shows the MQ authentication information objects that have been defined for your MQ regions.
- The MQ_CHLAUTH report shows the MQ channel authentication records that have been defined for your MQ regions.
- The SSH_DAEMON report shows the configuration of the z/OS® OpenSSH SSH daemons that run in the UNIX address spaces in the system.
- The SUPSESS_REGION_CP newlist type can be used to report about IBM CL/SuperSession. Each record in the TYPE=SUPSESS_REGION_CP report describes a Network Access Manager Control Point.
- Several of the new report types are also available in the ISPF User Interface (UI). For example:
- RE.J: Security information of JES2 devices and remote workstations
- RE.K: Integrated Cryptographic Service Facility (ICSF) Master key information
- RA.5: Search on Certificate Label
- RE.Q: MQ channel authentication information objects and channel authentication records
- RE.N: IBM CL/SuperSession security settings
- RE.I: Configuration of network services managed by the inetd daemon
- MQ auditing:
- The MQ_REGION reports show the following:
- Authentication information object for user ID and password authentication.
- Certificates that the queue manager and queue sharing group use.
- Presence of various switch profiles.
- The MQ_CHANNEL report type identifies the security exit and the user data that is passed to it, as well as the channel's certification label.
- The disposition of inbound transmissions has been added to the MQ_INIT reports.
- The MQ_REGION reports show the following:
- Compliance and STIG controls:
- Automation of more STIG controls for IBM
RACF , and some for CA ACF2 and CA Top Secret. In particular:
- Multiple additional DISA STIG RACF compliance controls; several of these apply also to ACF2 and Top Secret.
- Additional rules have been added to STIG controls to ensure that a result is displayed when no objects are evaluated.
- Equivalents of STIG controls RACF0570 and RACF0580 that allow for password phrases in addition to passwords are provided in the zSecure Extra standard.
- General improvements for checking general access and logging requirements.
- Enhancements for parsing parameter members.
- Upgrade to STIG version 6.50.
- New library: SCKACUST
In previous zSecure versions, following a PTF, clients had to run job CKAZCUST to create new CKACUST members in the client's Site and User CKACUST data sets.
Starting with zSecure 2.5.0, the new SCKACUST library is added to the concatenation for DDname CKACUST. New CKACUST members that are introduced in compliance controls are now automatically provided in SCKACUST. Following specification of the relevant zSecure configuration information, these new members are automatically copied from SCKACUST to the client's Site or User CKACUST data sets.
- New library: SCKACUSV
The CKACUST data set has records that are limited to 80 characters. The CKACUSV data set allows specifying longer values; for example, the issuer name of a digital certificate. Your zSecure configuration (by default, C2R$PARM) must define which data set is to be used as the CKACUSV data set, or it must be set up manually through option Setup Command files (SE.8).
- Many STIG controls for RACF, ACF2, and Top Secret now include rule captions and domain descriptions.
- Support for tape data set sensitivities (TYPE=DSN and TYPE=SENSDSN new fields: DEVICE_CLASS, FIRST_VOLSER, FSEQN, IS_SCRATCH)
- Automatic sensitivities are added, for example, for inaccessible LPA or linklist libraries.
- New fields FALLBACK_DATASET and FALLBACK_DATASET_VOLSER are added to the SENSDSN report type to identify secondary, duplex, or backup RACF data sets.
- New ACF2_SENSDSN_ACCESS fields link logonids with started task to better determine their authorization.
- Performance improvements for ACF2 TRUSTED processing and to Sensitive Dataset processing. These also have a direct impact on the performance of Compliance reporting.
- General performance improvements for zSecure support for ACF2, such as reduced CPU and storage requirements for ACF2 STIG data set compliance evaluations.
- Automation of more STIG controls for IBM RACF , and some for CA ACF2 and CA Top Secret. In particular:
- Access Monitor enhancements:
- Program access events can now be collected. This can be activated through the
CAPTUREPROGRAMSkeyword on the OPTION statement. Suboptions specify for which programs data is collected. Event data does not have any success or failure information, and access simulation is not available. Program access events are reported in existing AM dialogs.
- Data for non-global RACLISTed resource classes can now be collected. This can be activated
CAPTURELOCALRACLISTkeyword on the OPTION statement.
- UNIX ﬁle/directory access events can now be captured. UNIX Syscall exits are called for all UNIX callable services; these must be activated per callable service. There are a
new Access record type and new fields for identification, event, and new value. this can be
activated through the
CAPTUREUSSEVENTSkeyword on the OPTION statement. UNIX file/directory access events are reported through the new AM.U dialog.
- All events now show if the user has the AUDITOR or ROAUDIT attribute.
- New DIAGNOSE option for operators show the status of UNIX Syscall Exits and hex dump of contents of UNIX Exit Table.
- IDIDMAP profiles names (UTF8) are now properly displayed.
- AM8 (remove) and AM.9 (cleanup) can now also be run as a batch job in the background.
- Job name collection can now be activated by specifying a prefix.
- PortOfEntry collection is activated also when the class is missing.
- Line length of ACCESS files was increased to 2123 to accommodate UNIX path information.
- Use of command=no no longer excludes FASTAUTH events.
- More DEFINE events are now recognized as command-related.
- Program access events can now be collected. This can be activated through the
- zSecure Alert enhancements:
- New alerts:
RACF ACF2 1124 2124 Logon from a not allowed IP address 1125 2125 Password spraying attack 1217 2217 Data set added to APF list using SETPROG (SMF based) 1218 2218 Data set removed from APF list using SETPROG (SMF based)
- zSecure Alert provides an option to exploit a CKRCARLA internal restart to refresh environment
information while retaining job information:
- The Keepalive option prevents dropping a TCPIP connection.
- Recovery for disconnected TCPIP sessions has been improved; this results in less frequent reconnect and reduced number of error messages.
- Batch jobs are now provided to ease upgrade, maintenance, test, and roll-out of zSecure Alert configuration changes.
- Ability to use longer messages and descriptions in alerts
- The maximum length of alert message strings was increased from 450 to approx. 15,000 characters and messages were improved for unrecognized PARMLIB statements.
- Some enhancements to the Alert configuration ISPF user interface: Copy of the configuration also copies the alert selection criteria and parameters and Alert destinations can be consistently managed by configuration, category, or Alert.
- New alerts:
- Command Verifier enhancements:
- Various enhancements have been made to the Command Audit Trail.
- Multiple commands can now be specified in a pre-command or post-command policy profile.
- New zSecure Command Verifier policies trigger a command when UID(0) or OWNER is assigned.
- CICS® Toolkit: Custom data support has been added for all RACF profile types and classes.
- RACF Custom Field names that are defined in the CFIELD class can now be used as a lookup target:
- Explicit lookup of USER and GROUP custom field names.
- Implicit lookup of custom field names for all RACF entity types.
- More ICSF settings are now reported, including IPL parameters.
- Selection on audit and global audit settings are added to the RA.D and RA.R menu options.
- The following (newly supported) record types are now (also) sent to IBM
QRadar® SIEM and Micro Focus ArcSight:
- Db2® 102 IFCid 92 (AMS start), 104 (DSID lookup), 105 (DBID/OBID lookup), 106 (Security parameters at start-up/reload), and 107 (Open/Close table space).
- Support for SMF record type 123, subtype 1 (z/OS Connect).
- Support for SSH-related SMF records (119 subtypes 94, 95, 96, 97, and 98).
- Additional general IMS settings are reported on the region level.
- Other enhancements for the data feed to SIEM:
- Extended support for z/VM RACF events in class VMXEVENT.
- OWNER information is included whenever a RACF profile is implied.
- A new WTO message in the CKQRADAR started task to highlight the start of real-time event security monitoring.
- Ability to specify a fall-back address for TCP traffic (DESTINATION)
- SSH-related SMF records (119 subtypes 94, 95, 96, 97, and 98) are shown in various EV reports in the UI.
- End-to-end event correlation between IBM z/OS Connect, CICS, and Db2 events.
- Support for SMF relocate section 443 and ID token extensions.
- Audit concern for UACC or ID(*) access of ALTER to discrete profiles
- Support for certificate fingerprints has been provided:
- Field CERTIFICATE_FINGERPRINT provided in the RACF and CERTIFICATE report types for matching with certificate fingerprints. (These fingerprints are shown in RA.5.)
- Field KEY_FINGERPRINT provided in the ICSF_PUBKEY, ICSF_SYMKEY, and ICSF_TOKEN report types.
- Fields FINGERPRINT provided in the DSN, DSN_MEMBER, MEMBER, REPORT_AC1, REPORT_PADS, REPORT_PROGRAM, and SENSDSN report types.
- Fields CERT_FP_ISSUER, CERT_FP_SUBJECT, and CERT_FP_SUBJECT_OLD provided in the SMF report type.
- Format FINGERPRINT to report hexadecimal data with colons between the bytes.
- The ability to run CKXLOGID authorized.
- Background run capabilities for RA.3.2, AM.8, and AM.9.
- Ability to use CARLa literals for sorting only (NONDISPLAY)
- Ability to sort command output from RECREATE by profile
- Ability to show OPERROUT in exploded format
Current® software support:
In support of new functionality that is provided in IBM z/OS 2.5, Security zSecure Suite 2.5.0 delivers the following:
- IBM z/OS 2.5
- IBM z/VM® 7.2
- CICS Transaction Server 5.6
- Support for enhanced security and data protection. These enhancements are designed to improve management of access and privileges in RACF 2.5 and IBM Integrated Cryptographic Service Facility (ICSF) HCR77D2. This includes support for the new RACF option to store its database in a Virtual Storage Access Method (VSAM) linear data set.
- Support for new general resource names protected in RACF and ACF2.
- Support for new ICSF policy settings and master key age.
- Support for new audit trail data in SMF; for instance, certificate fingerprints, new operator command, and more ICSF events.
zSecure 2.5.0 Service Stream Enhancement (June 2022)
On April 5, 2022, IBM announced the Z Security and Compliance Center. This new product provides a dashboard for compliance evidence that is based on SMF 1154 records. It includes all the functionality of IBM Security zSecure Audit and relies on the zSecure CARLa and Collect engines. The Z Security and Compliance Center includes the z/OS Compliance Integration Manager component that provides zSecure started task CKCS1154. This started task exploits new function in CKRCARLA to generate the SMF 1154 records for the following z/OS subsystems: Console, DFSMS, InetD, IMS, IMS-Connect, IMS-OM, IBM MQ, SMF, SSHD, and z/OS UNIX System Services. Other subsystems write their own SMF 1154 records.
In addition, the following enhancements were made for zSecure 2.5.0:
- To collect compliance-relevant data from configuration files, zSecure Collect now supports a PARM=YES option to collect information from such files, even when UNIX=NO or VTOC=NO is specified. zSecure Collect now also issues progress messages about the type of data being collected.
- CKRCARLA now includes the following new reports:
- CICS Db2 entry definition
- CICS Db2 transaction definition
- IMS Connect subsystem
- IMS Operations Manager subsystem
- The new IMS-related reports are also available in the ISPF user interface.
- Existing reports have been enhanced to provide information about the following topics:
- SMF options, including a new list of the status of security-relevant SMF record types
- SSL and coupling facility structure names for IBM MQ
- CICS fields in support of Db2 connections
- Installation data in CKDS/PKDS
- Definition of Quantum Safe Dlithium keys
- SMF event reporting was enhanced with improved or new formatting of SMF records for ICSF.
- Support was added to process and format several of the new SMF 1154 records.
- The started tasks running Access Monitor, Alert, and the SMF-Collector now run, by default, in the WLM SYSSTC service class.
- Recovery for failing TCP/IP connections was improved for zSecure Alert and SIEM data providers like CKQRADAR.
- Several alerts have been added or improved; for example, for inactivation of SMF records and changes to SVC routines. zSecure Alert now also supports automatic staggering of the Collect start time across a sysplex.
- The zSecure Server (CKNSERVE) is enhanced to support remote access to CKXLOG files. If allocation of any remote file fails, the application immediately terminates and returns control to the user.
- Several enhancements were made for STIG, including the following:
- 69 new ACF2 STIG controls were added. zSecure now supports 325 out of the 359 ACF2 STIG controls published by DISA.
- All RACF and ACF2 STIG controls now produce only output that is applicable to the involved (or interrogated) external security manager (ESM).
- zSecure can now automatically detect active and installed NCPASS subsystems; custom definitions for reporting on these are no longer needed.
- Product STIGs were updated to version 6.52.
- zSecure now supports CICS 6.1. Several new fields were added, including the new CICS region tag information.
- Access Monitor was enhanced to allow collecting data into multiple daily collection files (one per global SMF interval), and to use a temporary data set for the active collecting data set. The data set that is used for collecting events during the day uses X000000.X0000 for the date and time qualifiers. It is renamed later using the creation date and time.
zSecure 2.5.0 Service Stream Enhancement (February 2023)
This Service Stream Enhancement (SSE) contains changes in the following areas of zSecure 2.5.0:
- The most important enhancement is support for compliance standard STIG version 8.10. To enable
organizations to gradually convert to the new standard, several changes were made:
- The compliance standard framework now supports multiple versions of a security standard and multiple standards.
- STIG version 8.10 compliance controls, covering both RACF and ACF2.
- STIG version 6: additional automation is provided for ACF2.
- The following enhancements apply to the user interface of the compliance standards:
- The user interface supports working with multiple standards and versions.
- It is now possible to enter assertions or overrides for all systems or all complexes zSCC and related functions.
- Support for additional SMF 1154 subtypes (from zSCC) is provided in the ISPF interface.
- Support is provided for reading an encrypted RACF database (APAR OA62267).
- Several client requests for minor enhancements have been implemented, including the following
update for RACF Access Monitor:
- It is now possible to select on additional user attributes in AM.1 and AM.2 in the ISPF interface.
- A new zSecure alert is provided for an ICSF Master key switch or activation.
- Several Reliability, Availability, and Serviceability (RAS) items:
- Additional verification of control block version indicators ensures that mixed levels of code cannot be used.
- Performance improvement of resolving path names in Access Monitor Unix data collection.
- Improvement of handling privilege escalation in various components.
- Change in Access Monitor buffer handling to reduce contention.
- A new Command Verifier policy is provided to facilitate Phrase-only IDs.
- Some small MFA-related updates were made.