IBM Security zSecure, Version 2.2.1

Introduction

IBM® Security zSecure™ Alert is a real-time monitor for z/OS systems protected with the Security Server (RACF) or CA-ACF2. zSecure Alert issues alerts for important events relevant to the security of the system at the time they occur. It is part of the IBM Security zSecure suite and builds on zSecure Audit. This chapter explains the functionality of zSecure Alert in terms of its relationship to basic z/OS components and other auditing, automation, and monitoring software.

The main audit log of a z/OS system is the System Management Facilities (SMF) log. This log records events from the Data Facility Storage Management Subsystem (DFSMS), for example opening a data set; from z/OS® UNIX System Services; from network functions (VTAM, TCP/IP); from RMF (performance data); from JES2/JES3 (job activity, TSO sessions, started task activity, SYSIN/SYSOUT/NJE processing); from the external security manager (RACF, ACF2, TSS); and from other applications. Post-processing the SMF log extracts data for many different purposes, and commercial software exists for accounting and billing based on resource use, performance analysis, capacity management, and security monitoring. zSecure Audit analyzes z/OS system security for RACF or ACF2 systems, using the SMF log as the primary source of information for its event audit reports.

Traditional post-processing of SMF records has one major drawback: the time that elapses between the event and the post-processing can often be up to a day. That delay is acceptable for billing and capacity management, but it is a problem for security. If a real intrusion attempt is in progress, you must respond to it right away, and zSecure Alert is designed for that job. You can deactivate part of your application or network, or collect data on the location and identity of the intruder while the trail is still hot. You are also told when a global security setting is changed to turn off SMF logging for certain events.

zSecure Alert is active in your system, capturing SMF data before it is written to the SMF log. It can notify you in seconds to minutes about suspicious events. In addition, zSecure Alert also captures WTOs so that you can, for example, be notified the instant the SMF log becomes full. Notifications can be sent in the following forms:

zSecure Alert also supports Extended Monitoring alerts. Unlike the event-based alerts triggered by SMF and WTO events, Extended Monitoring alerts are status-based. They are triggered by changes in the status of the system and security settings. These types of alerts are based on comparing a snapshot of the current system and security settings to a snapshot of previous system and security settings. The snapshots are taken at regular, user-specified intervals. The data is compared each time a new snapshot is taken. Whenever something significant changes, an alert can be generated. This alert type can notify you of changes that occur in the system, even when those changes do not generate an SMF or WTO event.
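The snapshot-comparison mechanism described above is easy to misread as a simple "print the diff"; the points that matter are that the first snapshot is only a baseline, that a setting which disappears from a snapshot must still count as a change, and that list-valued settings (such as a library list) are compared as sets so reordering does not raise a false alert. The following is an added illustration of that logic in Python; it is not zSecure Alert's code and not CARLa, and the setting names, values, severities and the three sample snapshots are constructed for the example (the keys are loosely modelled on RACF SETROPTS options but are not a real zSecure snapshot format).

```python
"""Status-based (snapshot-comparison) alerting, as an added illustration only.

Not zSecure Alert's implementation and not CARLa. Setting names, values and
severities below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Value = Union[str, List[str]]
Snapshot = Dict[str, Value]

# Which settings count as "significant", and how severe a change to them is.
# Constructed for the example; a real deployment defines this per site.
SIGNIFICANT: Dict[str, str] = {
    "SETROPTS.PROTECTALL": "high",
    "SETROPTS.SAUDIT": "high",
    "SMF.RECORDING.TYPE80": "high",   # loss of security-event logging
    "APF.LIBRARIES": "medium",        # list-valued: report added/removed entries
}


@dataclass(frozen=True)
class Alert:
    setting: str
    severity: str
    old: Optional[Value]
    new: Optional[Value]

    def describe(self) -> str:
        """Human-readable one-liner; list values are reported as added/removed."""
        if isinstance(self.old, list) or isinstance(self.new, list):
            before, after = set(self.old or []), set(self.new or [])
            added, removed = sorted(after - before), sorted(before - after)
            return f"[{self.severity}] {self.setting}: added={added} removed={removed}"
        return f"[{self.severity}] {self.setting}: {self.old!r} -> {self.new!r}"


def compare_snapshots(previous: Snapshot, current: Snapshot) -> List[Alert]:
    """Return one Alert per significant setting whose value differs.

    A setting missing from one snapshot is treated as a change too, so a
    snapshot that silently drops a setting is not mistaken for 'no change'.
    List-valued settings are compared as sets (order is not significant).
    """
    alerts: List[Alert] = []
    for setting, severity in SIGNIFICANT.items():
        old, new = previous.get(setting), current.get(setting)
        if isinstance(old, list) and isinstance(new, list):
            changed = set(old) != set(new)
        else:
            changed = old != new
        if changed:
            alerts.append(Alert(setting, severity, old, new))
    return alerts


class ExtendedMonitor:
    """Keeps the most recent snapshot and diffs each new one against it.

    The first snapshot is the baseline and produces no alerts, matching the
    'compare to the previous snapshot' behaviour the text describes.
    """

    def __init__(self) -> None:
        self.previous: Optional[Snapshot] = None

    def ingest(self, snapshot: Snapshot) -> List[Alert]:
        alerts = [] if self.previous is None else compare_snapshots(self.previous, snapshot)
        self.previous = snapshot
        return alerts


# Constructed sample: three consecutive interval snapshots.
SAMPLE_SNAPSHOTS: List[Snapshot] = [
    {"SETROPTS.PROTECTALL": "FAILURES", "SETROPTS.SAUDIT": "ACTIVE",
     "SMF.RECORDING.TYPE80": "ON", "APF.LIBRARIES": ["SYS1.LINKLIB", "SYS1.LPALIB"]},
    # Interval 2: same settings, library list merely reordered -> no alert.
    {"SETROPTS.PROTECTALL": "FAILURES", "SETROPTS.SAUDIT": "ACTIVE",
     "SMF.RECORDING.TYPE80": "ON", "APF.LIBRARIES": ["SYS1.LPALIB", "SYS1.LINKLIB"]},
    # Interval 3: SPECIAL-user auditing switched off and a library added -> two alerts.
    {"SETROPTS.PROTECTALL": "FAILURES", "SETROPTS.SAUDIT": "INACTIVE",
     "SMF.RECORDING.TYPE80": "ON", "APF.LIBRARIES": ["SYS1.LINKLIB", "SYS1.LPALIB", "USER.LOAD"]},
]


def run_sample() -> List[List[Alert]]:
    """Feed the sample snapshots through the monitor; returns the alerts per interval."""
    monitor = ExtendedMonitor()
    return [monitor.ingest(s) for s in SAMPLE_SNAPSHOTS]


if __name__ == "__main__":
    for interval, alerts in enumerate(run_sample(), start=1):
        for alert in alerts:
            print(f"interval {interval}: {alert.describe()}")
```

Running the block prints nothing for the first two intervals and two lines for the third: a high-severity alert for the auditing setting and a medium one listing `USER.LOAD` as the added library. The missing-setting rule in `compare_snapshots` is the one most often forgotten in home-grown drift monitors, and it is the case that matters when the collector itself is degraded.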

zSecure Alert consists of two components:
  • A long-living address space (a started task) that does the actual capturing, correlation, and alert generation.
  • An ISPF interface that you can use to specify which events are to be reported, and in what format.

zSecure Alert comes with a set of predefined alerts described in Predefined alerts. You can also specify your own alerts. For information about the full power of the CARLa Auditing and Reporting Language (CARLa) and its great flexibility in selecting events and applying thresholds, see the User Reference Manual for your zSecure product and the IBM Security zSecure: CARLa Command Reference. You can also use CARLa to customize alerts by including installation-specific data such as user data or parts of the installation data held in the security database, and key-based lookups in general.

The following figure presents the zSecure Alert architecture.

Figure 1. zSecure Alert architecture (diagram not reproduced in this text)
