News
Abstract
This zSecure Service Stream Enhancement (SSE) includes IBM Security zSecure Admin 3.1.1 and other updates in the zSecure 3.1.0 service stream. The zSecure 3.1.0 documentation was refreshed with all the updates related to these enhancements.
Content
- Introducing the WebUI interface for zSecure Admin.
- A new primary command SHOWLOG displays the content of the CARLa SYSPRINT listing. If a high-severity message is issued in the ISPF User Interface, it will be displayed automatically.
- zSecure Compliance enhancements:
- PCI-DSS v4 support in AU.R: Previously supported PCI-DSS 3.2 controls are converted to their PCI-DSS v4 variant. All PCI-DSS v4 controls use multi-standard syntax.
- Added CIS IBM Db2 for z/OS Benchmark v1.0.0 standard. This standard is only available with a Z Security and Compliance Center license.
- Further automation of RACF CIS IBM z/OS RACF Benchmark standard. Automation for the following controls is added:

| CIS ID | CARLa member | Control Description |
|--------|--------------|---------------------|
| 2.1.4 | CKAHR214 | Ensure that the ICHDSM00 program is protected |
| 2.1.9 | CKAHR219 | Ensure the RACF remote sharing facility files are protected |
| 2.1.11 | CKAHR21B | Ensure that RACF remote sharing connections use the TCP/IP |
| 2.4.10 | CKAHR24A | Ensure that MCS consoles access is protected through CONSOLE class profile |
| 2.4.5 | CKAHR245 | Ensure that started tasks requiring exceptional access rights use the TRUSTED attribute |
| 6.2.10 | CKAHR62A | Ensure FTP Control cards are stored in a secure PDS file |
| 6.2.2 | CKAHR622 | Ensure startup parameters for the FTP daemon do not allow ANONYMOUS or INACTIVE keywords |
| 6.6.4 | CKAHR664 | Ensure AT-TLS protection is enabled for the TN3270 Telnet server |
| 7.1.4 | CKAHR714 | Ensure ICSF is configured to start during IPL |
| 7.2.4 | CKAHR724 | Ensure ICSF Key Data Sets have a system backup |
| 7.2.5 | CKAHR725 | Ensure ICSF Master Keys have a backup procedure |
| 7.3.5 | CKAHR735 | Ensure ICSF Key Store Policy controls are enabled |
| 7.3.6 | CKAHR736 | Ensure ICSF Key Datasets are protected |
| 7.3.8 | CKAHR738 | Ensure ICSF operator commands are protected |
| 8.4.1 | CKAHR841 | Ensure that data sets on SPOOL are encrypted as required |
| 9.17 | CKAHR9H | Ensure that security commands in /etc/rc are safe |

- Added IBM Security zSecure for ACF2 v1.1 standard.
- Updated list of DISA STIG and CIS IBM z/OS with RACF Benchmark compliance standards available in zSecure 3.1.0.
- Newlist types:
- The new ACF2_DB2_RULE and ACF2_DB2_RULELINE newlists are used for the processing of ACF2 Option for DB2 rules. *)
- The new DB2_COLUMN newlist type reports on table columns, which enables auditing the Db2 columns. *)
- New fields for ACF2_LID.
- New fields for SMF 1154 records, subtype 49 and SMF 42-6 records.
- New field ACCESS_IS_OWNER for ACCESS newlist type.
- Improved serialization when reading the live RACF database; exclusively enqueue the RACF database to ensure an unload has no structural errors caused by concurrent updates.
- User Interface enhancements:
- Db2 Access control (RE.D.AC).
- Db2 Permission/Mask (RE.D.CT).
- Db2 Table columns (RE.D.TC). *)
- zSecure Command Verifier enhancements:
- New policy profile for NOCSDATA parameter for User, Dataset, Group, and General Resource profiles.
- Additional validation for policy profile C4R.*.ACL./GROUP.*.**
- Command Verifier to invoke REXX or CLIST via =PSTCMD profiles.
- Enhanced Audit Trail data insert.
- Allows self-grant where user ID is HLQ of profile.
- zSecure Alert includes report on SMF record statistics.
- Miscellaneous user interface enhancements:
- AU.R support for PCI-DSS v4.
- Monitoring End-to-End access in EV; this allows reporting of all SMF records with the same UnitOfWorkId or TrackingToken across multiple environments.
- Additional values for certificate signing algorithm and ICSF key attributes.
*) This function is available only if your organization has a license for Z Security and Compliance Center.
The zSecure 3.1.0 documentation was updated for this Service Stream Enhancement (SSE). Each zSecure main topic includes a PDF file and HTML pages. If you would rather receive a single zip file with all the PDF files, you can download the following zip file: zSecure 310 doc SSE-Oct2024.zip
Related Information
OA66990 (HCKR310) - zSecure 3.1.0 SSE (October 2024) - Base
OA67129 (HCKR310): zSecure 3.1.0 SSE (October 2024) - Base
OA66991 (JC2A310) - zSecure for ACF2
OA66992 (JCKC310) - IBM Z Security and Compliance Center (ZSCC)
OA66993 (HC4R310): zSecure Command Verifier (base)
OA66994 (JC4R310): zSecure Command Verifier
zSecure Compliance Standards (OA66990 - RACF/Top Secret, OA66991- ACF2, OA66992…
Announcement: IBM Security zSecure Admin 3.1.1 adds graphical interface
Blog by Jeroen Tiggelman, IBM Security zSecure Release Manager
Document Information
Modified date: 03 February 2025
UID: ibm17173741