What's new for zSecure 2.5.0

zSecure 2.5.0 enhances mainframe security intelligence and automated compliance auditing.

This topic lists the new features for zSecure 2.5.0 (September 2021) as well as the enhancements that are made for the zSecure 2.5.0 Service Stream Enhancement (SSE) in June 2022.

For information about the documentation, see zSecure 2.5.0 documentation.

For information about installation considerations like system requirements, incompatibility warnings, and known limitations, see Release notes for zSecure 2.5.0.

zSecure 2.5.0 (September 2021)

IBM Security zSecure 2.5.0 (announcement) includes the following new features and enhancements:

  • zSecure 2.5.0 introduces the following new report types:
    • CERTIFICATE: A record in the TYPE=CERTIFICATE report type describes a digital certificate as it is present on a particular system.
    • IOAENV: The IOAENV report type shows the security settings of active BMC INCONTROL IOA environments, and it includes information on the IOA, Control-D, Control-M, and Control-O products.
    • IP_INETD: The IP_INETD report type shows the configuration of network services that the inetd daemon manages.
    • JES_DEVICE: The JES_DEVICE report shows the available JES2 devices and the information that is used to secure them.
    • JES_REMOTE: The JES_REMOTE report shows the available remote JES2 workstations and the information that is used to secure them.
    • MQ_AUTHINFO: The MQ_AUTHINFO report shows the MQ authentication information objects that have been defined for your MQ regions.
    • MQ_CHLAUTH: The MQ_CHLAUTH report shows the MQ channel authentication records that have been defined for your MQ regions.
    • SSH_DAEMON: The SSH_DAEMON report shows the configuration of the z/OS® OpenSSH SSH daemons that run in the UNIX address spaces in the system.
    • SUPSESS_REGION_CP: The SUPSESS_REGION_CP newlist type can be used to report about IBM CL/SuperSession. Each record in the TYPE=SUPSESS_REGION_CP report describes a Network Access Manager Control Point.
    For details, see the documentation updates for the zSecure CARLa Command Reference.
  • Several of the new report types are also available in the ISPF User Interface (UI). For example:
    • RE.J: Security information of JES2 devices and remote workstations
    • RE.K: Integrated Cryptographic Service Facility (ICSF) Master key information
    • RA.5: Search on Certificate Label
    • RE.Q: MQ channel authentication information objects and channel authentication records
    • RE.N: IBM CL/SuperSession security settings
    • RE.I: Configuration of network services managed by the inetd daemon
  • MQ auditing:
    • The MQ_REGION reports show the following:
      • Authentication information object for user ID and password authentication.
      • Certificates that the queue manager and queue sharing group use.
      • Presence of various switch profiles.
    • The MQ_CHANNEL report type identifies the security exit and the user data that is passed to it, as well as the channel's certification label.
    • The disposition of inbound transmissions has been added to the MQ_INIT reports.
  • Compliance and STIG controls:
    • Automation of more STIG controls for IBM RACF®, and some for CA ACF2 and CA Top Secret. In particular:
      • Multiple additional DISA STIG RACF compliance controls; several of these apply also to ACF2 and Top Secret.
      • Additional rules have been added to STIG controls to ensure that a result is displayed when no objects are evaluated.
    • Equivalents of STIG controls RACF0570 and RACF0580 that allow for password phrases in addition to passwords are provided in the zSecure Extra standard.
    • General improvements for checking general access and logging requirements.
    • Enhancements for parsing parameter members.
    • Upgrade to STIG version 6.50.
    • New library: SCKACUST
      In previous zSecure versions, following a PTF, customers had to run job CKAZCUST to create new CKACUST members in the customer's Site and User CKACUST data sets.
      Starting with zSecure 2.5.0, the new SCKACUST library is added to the concatenation for DDname CKACUST. New CKACUST members that are introduced in compliance controls are now automatically provided in SCKACUST. Following specification of the relevant zSecure configuration information, these new members are automatically copied from SCKACUST to the customer's Site or User CKACUST data sets.
    • New library: SCKACUSV
      The CKACUST data set has records that are limited to 80 characters. The CKACUSV data set allows specifying longer values; for example, the issuer name of a digital certificate. Your zSecure configuration (by default, C2R$PARM) must define which data set is to be used as the CKACUSV data set, or it must be set up manually through option Setup Command files (SE.8).
    • Many STIG controls for RACF, ACF2, and Top Secret now include rule captions and domain descriptions.
    • Support for tape data set sensitivities (new TYPE=DSN and TYPE=SENSDSN fields: DEVICE_CLASS, FIRST_VOLSER, FSEQN, IS_SCRATCH).
    • Automatic sensitivities are added, for example, for inaccessible LPA or linklist libraries.
    • New fields FALLBACK_DATASET and FALLBACK_DATASET_VOLSER are added to the SENSDSN report type to identify secondary, duplex, or backup RACF data sets.
    • New ACF2_SENSDSN_ACCESS fields link logonids with started tasks to better determine their authorization.
    • Performance improvements for ACF2 TRUSTED processing and for sensitive data set processing. These also have a direct impact on the performance of Compliance reporting.
    • General performance improvements for zSecure support for ACF2, such as reduced CPU and storage requirements for ACF2 STIG data set compliance evaluations.
  • Access Monitor enhancements:
    • Program access events can now be collected. This can be activated through the CAPTUREPROGRAMS keyword on the OPTION statement. Suboptions specify for which programs data is collected. Event data does not have any success or failure information, and access simulation is not available. Program access events are reported in existing AM dialogs.
    • Data for non-global RACLISTed resource classes can now be collected. This can be activated through the CAPTURELOCALRACLIST keyword on the OPTION statement.
    • UNIX file/directory access events can now be captured. UNIX Syscall exits are called for all UNIX callable services; these must be activated per callable service. There is a new Access record type, and new fields for identification, event, and new value. This can be activated through the CAPTUREUSSEVENTS keyword on the OPTION statement. UNIX file/directory access events are reported through the new AM.U dialog.
    • All events now show whether the user has the AUDITOR or ROAUDIT attribute.
    • A new DIAGNOSE option for operators shows the status of the UNIX Syscall Exits and a hex dump of the contents of the UNIX Exit Table.
    • IDIDMAP profile names (UTF8) are now properly displayed.
    • AM.8 (remove) and AM.9 (cleanup) can now also be run as a batch job in the background.
    • Job name collection can now be activated by specifying a prefix.
    • PortOfEntry collection is activated also when the class is missing.
    • Line length of ACCESS files was increased to 2123 to accommodate UNIX path information.
    • Use of command=no no longer excludes FASTAUTH events.
    • More DEFINE events are now recognized as command-related.
  • zSecure Alert enhancements:
    • New alerts (RACF alert ID / ACF2 alert ID):
      • 1124 / 2124: Logon from a not allowed IP address
      • 1125 / 2125: Password spraying attack
      • 1217 / 2217: Data set added to APF list using SETPROG (SMF based)
      • 1218 / 2218: Data set removed from APF list using SETPROG (SMF based)
    • zSecure Alert provides an option to exploit a CKRCARLA internal restart to refresh environment information while retaining job information: RefreshMode(External|Internal)
    • The Keepalive option prevents dropping a TCPIP connection.
    • Recovery for disconnected TCPIP sessions has been improved; this results in fewer reconnects and fewer error messages.
    • Batch jobs are now provided to ease upgrade, maintenance, test, and roll-out of zSecure Alert configuration changes.
    • Ability to use longer messages and descriptions in alerts.
    • The maximum length of alert message strings was increased from 450 to approximately 15,000 characters, and messages for unrecognized PARMLIB statements were improved.
    • Enhancements to the Alert configuration ISPF user interface: copying a configuration now also copies the alert selection criteria and parameters, and alert destinations can be managed consistently by configuration, by category, or by individual alert.
  • Command Verifier enhancements:
    • Various enhancements have been made to the Command Audit Trail.
    • Multiple commands can now be specified in a pre-command or post-command policy profile.
    • New zSecure Command Verifier policies trigger a command when UID(0) or OWNER is assigned.
  • CICS® Toolkit: Custom data support has been added for all RACF profile types and classes.
  • RACF Custom Field names that are defined in the CFIELD class can now be used as a lookup target:
    • Explicit lookup of USER and GROUP custom field names.
    • Implicit lookup of custom field names for all RACF entity types.
  • More ICSF settings are now reported, including IPL parameters.
  • Selection on audit and global audit settings is added to the RA.D and RA.R menu options.
  • The following newly supported record types are now also sent to IBM QRadar® SIEM and Micro Focus ArcSight:
    • Db2® 102 IFCid 92 (AMS start), 104 (DSID lookup), 105 (DBID/OBID lookup), 106 (Security parameters at start-up/reload), and 107 (Open/Close table space).
    • Support for SMF record type 123, subtype 1 (z/OS Connect).
    • Support for SSH-related SMF records (119 subtypes 94, 95, 96, 97, and 98).
    • Additional general IMS settings are reported on the region level.
  • Other enhancements for the data feed to SIEM:
    • Extended support for z/VM RACF events in class VMXEVENT.
    • OWNER information is included whenever a RACF profile is implied.
  • A new WTO message in the CKQRADAR started task highlights the start of real-time security event monitoring.
  • Ability to specify a fall-back address for TCP traffic (DESTINATION).
  • SSH-related SMF records (119 subtypes 94, 95, 96, 97, and 98) are shown in various EV reports in the UI.
  • End-to-end event correlation between IBM z/OS Connect, CICS, and Db2 events.
  • Support for SMF relocate section 443 and ID token extensions.
  • A new audit concern flags UACC or ID(*) access of ALTER to discrete profiles.
  • Support for certificate fingerprints has been provided:
    • Field CERTIFICATE_FINGERPRINT is provided in the RACF and CERTIFICATE report types for matching with certificate fingerprints. (These fingerprints are shown in RA.5.)
    • Field KEY_FINGERPRINT is provided in the ICSF_PUBKEY, ICSF_SYMKEY, and ICSF_TOKEN report types.
    • Field FINGERPRINT is provided in the DSN, DSN_MEMBER, MEMBER, REPORT_AC1, REPORT_PADS, REPORT_PROGRAM, and SENSDSN report types.
    • Fields CERT_FP_ISSUER, CERT_FP_SUBJECT, and CERT_FP_SUBJECT_OLD are provided in the SMF report type.
    • Output format FINGERPRINT reports hexadecimal data with colons between the bytes.
  • The ability to run CKXLOGID authorized.
  • Background run capabilities for RA.3.2, AM.8, and AM.9.
  • Ability to use CARLa literals for sorting only (NONDISPLAY).
  • Ability to sort command output from RECREATE by profile.
  • Ability to show OPERROUT in exploded format.
  • Current software support:
    • IBM z/OS 2.5
    • IBM z/VM® 7.2
    • CICS Transaction Server 5.6
    In support of new functionality that is provided in IBM z/OS 2.5, Security zSecure Suite 2.5.0 delivers the following:
    • Support for enhanced security and data protection. These enhancements are designed to improve management of access and privileges in RACF 2.5 and IBM Integrated Cryptographic Service Facility (ICSF) HCR77D2. This includes support for the new RACF option to store its database in a Virtual Storage Access Method (VSAM) linear data set.
    • Support for new general resource names protected in RACF and ACF2.
    • Support for new ICSF policy settings and master key age.
    • Support for new audit trail data in SMF; for instance, certificate fingerprints, new operator commands, and more ICSF events.

zSecure 2.5.0 Service Stream Enhancement (June 2022)

On April 5, 2022, IBM announced the Z Security and Compliance Center. This new solution provides a dashboard for compliance evidence that is based on SMF 1154 records. It includes all the functionality of IBM Security zSecure Audit and relies on the zSecure CARLa and Collect engines. The Z Security and Compliance Center includes the z/OS Compliance Integration Manager component that provides zSecure started task CKCS1154. This started task exploits new function in CKRCARLA to generate the SMF 1154 records for the following z/OS subsystems: Console, DFSMS, InetD, IMS, IMS-Connect, IMS-OM, IBM MQ, SMF, SSHD, and z/OS UNIX System Services. Other subsystems write their own SMF 1154 records.

In addition, the following enhancements were made for zSecure 2.5.0:

  • To collect compliance-relevant data from configuration files, zSecure Collect now supports a PARM=YES option to collect information from such files, even when UNIX=NO or VTOC=NO is specified. zSecure Collect now also issues progress messages about the type of data being collected.
  • CKRCARLA now includes the following new reports:
    • CICS Db2 entry definition
    • CICS Db2 transaction definition
    • IMS Connect subsystem
    • IMS Operations Manager subsystem
  • The new IMS-related reports are also available in the ISPF user interface.
  • Existing reports have been enhanced to provide information about the following topics:
    • SMF options, including a new list of the status of security-relevant SMF record types
    • SSL and coupling facility structure names for IBM MQ
    • CICS fields in support of Db2 connections
    • Installation data in CKDS/PKDS
    • Definition of Quantum Safe Dilithium keys
  • SMF event reporting was enhanced with improved or new formatting of SMF records for ICSF.
  • Support was added to process and format several of the new SMF 1154 records.
  • The started tasks running Access Monitor, Alert, and the SMF-Collector now run, by default, in the WLM SYSSTC service class.
  • Recovery for failing TCP/IP connections was improved for zSecure Alert and SIEM data providers like CKQRADAR.
  • Several alerts have been added or improved; for example, for inactivation of SMF records and changes to SVC routines. zSecure Alert now also supports automatic staggering of the Collect start time across a sysplex.
  • The zSecure Server (CKNSERVE) is enhanced to support remote access to CKXLOG files. If allocation of any remote file fails, the application immediately terminates and returns control to the user.
  • Several enhancements were made for STIG, including the following:
    • 69 new ACF2 STIG controls were added. zSecure now supports 325 out of the 359 ACF2 STIG controls published by DISA.
    • All RACF and ACF2 STIG controls now produce only output that is applicable to the involved (or interrogated) external security manager (ESM).
    • zSecure can now automatically detect active and installed NCPASS subsystems; custom definitions for reporting on these are no longer needed.
    • Product STIGs were updated to version 6.52.
  • zSecure now supports CICS 6.1. Several new fields were added, including the new CICS region tag information.

zSecure 2.5.0 documentation

For information about the documentation, see zSecure documentation. The unlicensed documentation is publicly available at IBM Documentation for IBM Security zSecure Suite. The licensed documentation is available to zSecure clients only: zSecure (Admin and) Audit User Reference Manual for RACF, ACF2, or Top Secret, and zSecure CARLa Command Reference.

To obtain access to the licensed documentation, send an email to zDoc@nl.ibm.com. Provide your organization's client name and number, as well as your own name and IBM ID and the version (2.5.0). Following registration, you will receive a link to the IBM Security zSecure Suite Library, where you can find PDF files of all zSecure publications, as well as documentation updates for 2.5.0 Service Stream Enhancements. If you do not have an IBM ID, see Create an IBM account.