What's new for zSecure V2.2.1
zSecure™ V2.2.1 enhances mainframe security intelligence and automated compliance auditing.
For information about installation considerations like system requirements, incompatibility warning, and known limitations, see Release notes.
IBM Security zSecure
V2.2.1
(announcement) includes the following new features and enhancements:
- Improved scalability for big data systems:
- Exploit storage above the 2 Gigabyte boundary ("The bar") to enable processing more data. Note that the ability to use more virtual memory can have implications for paging and real storage needs.
- Frees up storage below the bar for other programs.
- If your hardware allows it (z196 or higher), 64-bit addressing is activated automatically.
However, there are options to revert back to 31-bit addressing. In the ISPF UI you can select the
program to run on the second panel of menu option SE.0 (SETUP RUN).
The CARLa program consists of the following modules:
- CKR4Z: 31-bit mode program, requires z800 or higher.
- CKR8Z196: 64-bit mode program, exploits newer z196 instructions and thus requires z196 or higher.
- CKRCARLA: Auto-switching module, invokes CKR4Z or CKR8Z196 dependent on hardware.
This module structure already existed in zSecure 2.2.0 and was enabled by a Service Stream Enhancement (APAR OA50694) shipped in June 2016. zSecure 2.2.0 continues to run in 31-bit mode by default; 64-bit mode has to be enabled explicitly.
If you disable 64-bit mode explicitly in zSecure 2.2.1 by calling CKR4Z directly, it might be necessary to set up Program Access to Data Sets (PADS) access for CKR4Z.
- SETUP OUTPUT (SE.7) allows you to allocate larger output files for the ISPF UI.
- Ability to specify larger alert buffers in the zSecure Alert UI (in Megabytes).
- New integration with QRadar SIEM provides live general SMF event streaming using the UNIX Syslog
protocol (both UDP and TCP):
- This is an alternative to the existing integrations from zSecure Audit and zSecure Adapters for QRadar SIEM that use FTP polling.
- This is in addition to the existing integration from zSecure Alert which uses the UNIX Syslog protocol to send alerts in near real- time.
- The new near real-time interface uses the new z/OS SMF in-memory (INMEM) resource feature and the SMF real-time interface provided by APAR OA49263 (September 2016) for z/OS V2R1 and higher. Note that this interface requires the use of SMF log streams.
- Besides using a direct INMEM connection through an ALLOC TYPE=SMF
INMEM=resourcename statement, zSecure also provides an option to connect
to the System Data Engine (SDE) component of the IBM Common Data Provider for z Systems (CDP; program number
5698-ABJ) through an ALLOC TYPE=SMF CDP statement.
zSecure Audit and zSecure Adapters for QRadar SIEM ship with the code (FMID HHBO11E) for the SDE and a limited-scope entitlement to use the SDE for this purpose. Before you begin, take note of CDP HiPer APAR OA51414.
- The QRadar SIEM Device Support Modules (DSMs) for z/OS, RACF, ACF2, Top Secret, DB2, and CICS to which you send events must be configured to accept the UNIX Syslog protocol.
- Using the UNIX Syslog protocol provides better time stamps for the events in QRadar SIEM. On the other hand, the FTP polling protocol can run in off-peak hours and is able to further enrich information based on events that occurred later.
- Using the UNIX Syslog protocol over TCP (instead of UDP) provides a better guarantee for event delivery to QRadar.
- The main CARLa script for the new integration is CKQLEEFL. This can be used from the new started task CKQRADAR. The CARLa program now responds to operator commands STOP and MODIFY (STOP/ATTN/CANCEL/DISPLAY/RESTART).
- zSecure Alert configuration can now suppress CKR1481 ("Sending syslog alert n to addr port port on sockdesc n, namesourcesyslog_line").
- Alerts can now be sent to a UNIX Syslog destination with a Debug severity.
- zSecure Alert now assumes Write To Operator (WTO) messages issued using the NOTIME parameter to be timed at the last SMF or WTO record.
- Specific access events captured by zSecure Admin Access Monitor can now be forwarded to zSecure
Alert to be used in alerting:
- RACF often only writes SMF records if requested. The default is only for failures, or if the application requests logging. For example, TSO does not request logging for successful logons. The zSecure Access Monitor captures all RACF VERIFY events, even if not logged, and can send them to zSecure Alert.
- New predefined alert 1122 has been provided for when a user ID that is designated as sensitive logs on to the system.
- Compliance Testing Framework enhancements:
- Additional automated controls have been implemented, including 21 for RACF STIG, 17 for ACF2 STIG, and 17 for TSS STIG.
- New configuration members for FTP controls.
- New DOMAIN statement keyword CONFIG to specify a configuration member from within the standard itself.
- New ASSERT keyword on the TEST statement to allow assertion of compliance for controls that cannot be automated.
- New report type ORGANIZATION introduces the concept of asserting compliance for a particular organization (for multi-tenancy).
- New DEFSENS statement to more easily specify site-specific sensitive resource types.
- New report type ACF2_SENSDSN_ACCESS to show the access of logonids to sensitive data sets.
- More predefined sensitivities, including for guarding the integrity of the setups for zSecure Alert, zSecure Access Monitor, and the QRadar feed.
- Currency with STIG 6.29 and PCI-DSS 3.2.
- zSecure Command Verifier enhancements:
- Facility to show an additional site message when a policy profile denies access to link to an external security rule (for example, company policy).
- Policy to declare users or groups as "locked".
- New policy tested when SHARED keyword is used for OMVS UID/GID.
- Allow removal of PROTECTED status if ID has never been used.
- ISPF User Interface enhancements:
- RA.Q enhancement: TSO and OMVS information shown on RA.Q options 3 and 4, activated through SE.5 (view options).
- New primary commands RA.U and RA.G: pick up word at cursor position and start a recursive query with that word as a user ID or group. Can be assigned to PF keys.
- X and XF primary commands for profile lists, exclude all lines with specified string or exclude all lines except those with the specified string. The column to match against can be specified by name or position. Can be used as preparation for the FORALL command.
- RA.R search on *string* to find all profiles where the string occurs in profile key, across all resource classes.
- ''Show differences'' no longer requires a CKFREEZE for a database compare, and no longer requires a security database for comparing system information.
- Extended Monitoring alerts no longer require update of the C2PSGLOB skeleton to specify a COMPAREOPT statement.
- RACLIST merge support option for REPORT SCOPE (RA.3.4).
- Scope processing now handles system-wide attributes (SPECIAL, AUDITOR).
- RECREATE now uses the new (scoped) CKGRACF RECREATE command instead of the (globally authorized) CKGRACF FIELD command.
- When WRAP is used on a character field on a SUMMARY, the value is now wrapped instead of truncated.
- SMTP atsign support for national language.
- Currency support for ACF2 16:
- New privileges and attributes for the RETIRE feature.
- New global security options for password encryption and password reserved words.
- Support for new resource class ACF2PVIO to exempt logon IDs from password violation processing.
- Support for the &LID variable in access rules.
- Support for resource rules resident above the bar.
- Support for Multi-Factor Authentication:
- New fields in profile displays and selections for MFA data.
- Availability indicator in SETROPTS report.
- SMF reporting and Access Monitor updated to report the authentication method used.
- New Command Verifier policies (and recognition of the command keywords).
- RACF-Offline disables all interaction with the MFA server when working with an offline database.
- Currency support for Integrated Cryptographic Services Faciliy HCR77B1:
- New SMF 82 subtype 43 (Regional cryptographic server information) including new fields RCS_GEO and RCS_STATUS.
- SMF field PROFILE is now also filled in for subtypes 9, 13 and 23.
- ICSF level indicator is added to the list of software levels in the SYSTEM report in AU.S - MVS tables.
- Support for reporting the use of Bypass Authorization as provided by z/OS
APAR OA48124 from SMF 14 and 15:
- New SMF fields BYPASS, BYPASS_REQUEST and CALLER_APF (only filled in when DCBE Bypass Authorization support is installed).
- The field RECORDDESC has been adapted to show this new data.
- Currency support for MQ 9:
- New MQ_REGION fields OPMODE, OPMODE_FUNCLEVEL, and OPMODE_COMPLEVEL for Operation mode.
- Currency support for Top Secret 16 and Windows Server 2016; and toleration for z/VM 6.4.
- Performance, scalability and serviceability improvements:
- IMBED has a new LIST keyword in addition to NOLIST. Previous LIST/NOLIST setting is restored when returning from imbed.
- DB2 Performance Collections no longer retain all PACKAGE information for COLLECTION report.
- More DB2 objectid lookups to CKFREEZE data are now also done if DBID cannot be resolved through SMF.
- ACF2 storage area restructure allows the processing of more logonids.
- ACF2 performance improvements for resolving data ownership and resource access and for processing XROL definitions.
- zSecure Server starts self-connect at startup.
- zSecure Server issues an extra message CKN227I when system date changes.
- ZSECSYS=* specification will now include the local system.
- Performance enhancement in zSecure Access Monitor for fragmented ECSA storage.
- Heartbeat message shows statistics about captured events with new OPTION SHOWSTATISTICS (C2P8000I-C2P8002I).
- New SIM_VIA value SPOOLRCVR for when the Spool Display and Search Facility (SDSF) tells RACF to bypass JESSPOOL resources, and new flag REQ_SPOOLRCVR.