What's new for zSecure 3.1.0

Service Stream Enhancement (SSE) to zSecure 3.1 (January 2025)

• WebUI:
  • Multi-system support via CKNSERVE was added.
  • New option: CR.2 Command Review CKXLOG
• Support added for IBM Threat Detection for z/OS (TDz):
  • Support new SMF record types 83, subtype 8 and record type 98, subtypes 5-8.
  • Alert is enhanced to alert on anomalies detected by TDz (alerts 1807 and 2807).
  • SMF record type 83, subtype 8 (Anomaly detected) is passed to ArcSight and QRadar SIEM.
  • zSecure UI support (EV.A.T).
• Compliance: Further automation was added for the following CIS IBM z/OS RACF Benchmark and CIS IBM Db2 z/OS Benchmark controls:

  CIS ID	CARLa member	Description
  CIS IBM z/OS RACF Benchmark
  CIS-OS-5.2	CKAHR52	Ensure that a very limited number of users can use the Tape Bypass Label Processing (BLP)
  CIS-OS-9.4	CKAHR94	Ensure that RESTRICTED users cannot access UNIX files to which they are not explicitly permitted
  CIS-OS-9.14	CKAHR9E	Ensure that z/OS UNIX permission bits and audit bits are configured to audit sensitive file access
  CIS-OS-9.31	CKAHR9U	Ensure that file systems are mounted read-only wherever possible.
  CIS-OS-9.32	CKAHR9V	Ensure that file systems are mounted with set-id files disabled wherever possible.
  CIS-OS-9.33	CKAHR9X	Ensure that no file systems are mounted with security disabled.
  CIS IBM DB2 for z/OS Benchmark
  CIS-DB2-3.1.1	CKCHD311	Ensure that audit tracing is enabled during Db2 startup
  CIS-DB2-3.1.2	CKCHD312	Ensure that critical audit traces are always enabled
  CIS-DB2-3.1.4	CKCHD314	Enable audit policies to audit installation system administrator and system operator access

• CICS Toolkit: Added NOPASSWORD and NOPHRASE support and password and passphrase interval on ALTER USER and ADD USER.
• New and updated report types:
  • New report DB2_AUDITPOLICY enables you to audit the requirements of your security policies and to monitor data access by applications and individual users (UI: resource report RE.D.AP).
  • DB2_REGION new fields ACTIVE_AUDIT_IFCID_SMF and ANY_ACTIVE_AUDIT_POLICY report on audit policies that are applicable for the region.
  • New fields in IP_FTP_REGION (TLSCERTCROSSCHECK) and SUPSESS_REGION_CP (SECURITY_INTERFACE).
• CKGRACF and bigger counter support for RACF-Offline REPORT.
• Allow the use of system symbols in the SETUP Files dialog; for example, to use a single entry for a CKFREEZE file in a sysplex with many LPAR members and a CKFREEZE file per LPAR.

Service Stream Enhancement (SSE) to zSecure 3.1.0 (October 2024)

• Introducing the WebUI interface for zSecure Admin.
• A new primary command SHOWLOG displays the content of the CARLa SYSPRINT listing. If a high severity message is issued in the ISPF User Interface, it will be displayed automatically.
• zSecure Compliance enhancements:
  • PCI-DSS v4 support AU.R: Previously supported PCI-DSS 3.2 controls are converted to PCI-DSS v4 variant. All PCI-DSS v4 controls use multi-standard syntax.
  • Added CIS IBM Db2 for z/OS Benchmark v1.0.0 standard. This standard is only available with a Z Security and Compliance Center licence.
  • Further automation of RACF CIS IBM z/OS RACF Benchmark standard. Automation for the following controls is added:

    CIS ID	CARLa member	Control Description
    2.1.4	CKAHR214	Ensure that the ICHDSM00 program is protected
    2.1.9	CKAHR219	Ensure the RACF remote sharing facility files are protected
    2.1.11	CKAHR21B	Ensure that RACF remote sharing connections use the TCP/IP
    2.4.10	CKAHR24A	Ensure that MCS consoles access is protected through CONSOLE class profile
    2.4.5	CKAHR245	Ensure that started tasks requiring exceptional access rights use the TRUSTED attribute
    6.2.10	CKAHR62A	Ensure FTP Control cards are stored in a secure PDS file
    6.2.2	CKAHR622	Ensure startup parameters for the FTP daemon do not allow ANONYMOUS or INACTIVE keywords
    6.6.4	CKAHR664	Ensure AT-TLS protection is enabled for the TN3270 Telnet server
    7.1.4	CKAHR714	Ensure ICSF is configured to start during IPL
    7.2.4	CKAHR724	Ensure ICSF Key Data Sets have a system backup
    7.2.5	CKAHR725	Ensure ICSF Master Keys have a backup procedure
    7.3.5	CKAHR735	Ensure ICSF Key Store Policy controls are enabled
    7.3.6	CKAHR736	Ensure ICSF Key Datasets are protected
    7.3.8	CKAHR738	Ensure ICSF operator commands are protected
    8.4.1	CKAHR841	Ensure that data sets on SPOOL are encrypted as required
    9.17	CKAHR9H	Ensure that security commands in /etc/rc are safe

  • Added IBM Security zSecure for ACF2 v1.1 standard.
  • Updated list of DISA STIG and CIS IBM z/OS with RACF Benchmark compliance standards available in zSecure 3.1.0.
• Newlist types:
  • The new ACF2_DB2_RULE and ACF2_DB2_RULELINE newlists are used for the processing of ACF2 Option for DB2 rules. *)
  • The new DB2_COLUMN newlist type reports on table columns, which enables auditing the Db2 columns. *)
  • New fields for ACF2_LID.
  • New fields for SMF 1154 records, subtype 49 and SMF 42-6 records (ICN 1900).
  • New field ACCESS_IS_OWNER for ACCESS newlist type.
• Improved serialization when reading the live RACF database; exclusively enqueue the RACF database to ensure an unload has no structural errors caused by concurrent updates.
• User Interface enhancements:
  • Db2 Access control (RE.D.AC).
  • Db2 Permission/Mask (RE.D.CT).
  • Db2 Table columns (RE.D.TC). *)
• zSecure Command Verifier enhancements:
  • New policy profile for NOCSDATA parameter for User, Dataset, Group, and General Resource profiles.
  • Additional validation for policy profile C4R.*.ACL./GROUP.*.**
  • Command Verifier to invoke REXX or CLIST via =PSTCMD profiles.
  • Enhanced Audit Trail data insert.
  • Allows self-grant where user ID is HLQ of profile.
• zSecure Alert includes report on SMF record statistics.
• Miscellaneous user interface enhancements:
  • AU.R support for PCI-DSS v4.
  • Monitoring End-to-End access in EV; this allows reporting of all SMF records with the same UnitOfWorkId or TrackingToken across multiple environments.
  • Additional values for certificate signing algorithm and ICSF key attributes.

*) This function is available only if your organization has a license for Z Security and Compliance Center.

Service Stream Enhancement (SSE) to zSecure 3.1.0 (April 2024)

• Support for updated and additional compliance standards:
  • CIS IBM z/OS V2R5 with RACF Benchmark v1.1.0.
  • CIS IBM Db2 13 for z/OS Benchmark v1.0.0 (partial implementation).
  • Multiple small updates and fixes have been incorporated for the STIG standard.
  Two technotes are available separately, that will be updated on a regular basis:
  • zSecure 3.1.0 compliance-related updates.
  • List of DISA STIG and CIS IBM z/OS with RACF Benchmark compliance standards available in zSecure 3.1.0.
• Several minor enhancements and fixes are implemented for the Compliance Standard framework. For example, configuration assertions can now truly be expired.
• The ISPF User Interface for Compliance Standards has been enhanced:
  • An option was added to remove previous Configuration Assertions.
  • All sensitivity types can now contain a description text.
• zSecure Access Monitor, zSecure Alert, and the zSecure SMF Collector are changed to allow starting the started task directly under the MSTR subsystem instead of under JES. This enables earlier start of data collection. Reporting and alerting on the collected events is done after JES (and TCPIP for zSecure Alert) is active.
• zSecure Admin and Audit and the ISPF User Interface have been enhanced:
  • Display the extended key usage information for digital certificates.
  • zSecure Admin: The CKGRACF command has a NOPROPAGATE option to stop RRSF propagation of the RACF database updates, and sorting in Report Scope now works as intended.
  • zSecure Audit: A new menu item RE.R has been added to show information about general resources and their protection. The resources can be used by operating system components or by subsystems and applications.
• zSecure Audit for ACF2 now shows the conditional access through the WHEN(CRITERIA) option.
• The zSecure Command Verifier product has been enhanced with a policy to control the authority to display profiles and profile names when using the RACF LISTDSD, RLIST, and SEARCH commands.
• Additional enhancements and bug fixes are applied:
  • Message CKF0546 now has additional debug information.
  • Message CKF1024 is now suppressed in zSecure Alert.
  • ISPF option RA.5.0 now has support for Show differences and Customize Title.
  • ISPF option RA.U/P now suppresses phrase validation when requested.
  • zSecure Alert extended monitoring data sets can be deleted more quickly.
  • ISPF options specified on SE.T are also used for recursive queries.
  • Print format output is now consistent with interactive reports and uses specified selection criteria.
  • LEEF format data sent to QRadar now uses SYSTEM name when full JobTag information is not available.
  • Active SMF record subtype information shows accurate information.

zSecure 3.1.0 new features and enhancements (General availability September 2023)

• Support for updated compliance standard STIG versions for RACF and ACF2 (8.12), and Top Secret (8.10).
  • Separate definitions for z/OS Products standards using the new STANDARD syntax.
  • z/OS STIG version 6.43 and single standard syntax z/OS Product STIGs are no longer included in the User Interface. However, you can still use the members with AU.R.T.
  • Partial support has been added for the CIS Benchmark.
  • Support for the GSD standard is no longer provided.
• New support has been added to Z Security and Compliance Center to run a Compliance Assessment from the Z Security and Compliance Center dashboard, and present the results in the dashboard. To provide this support, zSecure now has the capability to generate reports in JSON format.
• New fields have been added to several existing reports:
  • Additional Quantum Safe Algorithms (QSA) are shown in ICSF and SMF reports.
  • SMF support for Boot Validation.
  • Support for reporting on additional SMF 1154 Compliance Evidence records.
  • The PROTALLOWED option for generating Identity Tokens.
  • The ACEE field in the CFDEF segment to cache CSDATA field of USER in storage.
  • Support for the OPTAUDIT resource class.
  • The existing SYSTEM and SETROPTS reports have been enhanced to provide information about the following topics:
    • Applaudit for UNIX status.
    • Automatic revoke of SPECIAL users on password or password phrase (passphrase) violation for at least one APPLID.
    • Status of DIAGxx option to prevent instruction execution of parm data storage.
• The ISPF User Interface has been updated to provide new and updated reports:
  • RE.C.R Region now includes information about the active Db2 Connections (DB2CONN definitions).
  • RE.C.D DB2TRAN allows selection and reporting using the CICS_DB2TRAN newlist.
  • RE.C.E DB2ENTRY allows selection and reporting using the CICS_DB2ENTRY newlist.
  • RE.C.T Transactions allows selection on Db2 Connection attributes.
  • New option AU.I IDs has two new reports:
    • AU.I.I shows information from the ID newlist. It has information about attributes and where the ID is used.
    • AU.I.M shows information about unique MFA-capable IDs across all complexes that are present in the zSecure input sources.
  • Overtyping of MFA factor tag values.
• Several user requests for new functions were implemented:
  • Provide an option to delete relevant members in the C2PCUST data set when deleting an Alert configuration.
  • Add symbolic support to DSNPREF.
  • In the Access Monitor report selection (AM.1 and AM.2), it is now possible to select on the Profile Owner for Dataset or Resource Profiles.
  • CKNSERVE supports remote Access Monitor data sets.
  • CKFCOLL no longer blocks ICSF access to the Key Data Sets (KDS).
• RACF®-Offline now uses IEFU86 to manage SMF records.
• Sample jobs for Guardium VA integration now use UTS Table Spaces.
• Support for IBM Db2 V13R1M501.

Documentation

The zSecure Suite 3.1.0 documentation includes the former licensed documentation:

• zSecure (Admin and) Audit User Reference Manual for RACF, ACF2, and Top Secret
• zSecure CARLa Command Reference

See also Documentation in Release notes.