What's new for zSecure V2.4.0

zSecure V2.4.0 enhances mainframe security intelligence and automated compliance auditing.

This topic lists what is new for zSecure V2.4.0 (September 2019) and for the zSecure V2.4.0 Service Stream Enhancement (December 2019) for administration, compliance automation, and event management.

For information about the documentation, see zSecure V2.4.0 documentation.

For information about installation considerations like system requirements, incompatibility warnings, and known limitations, see Release notes for V2.4.0.

zSecure V2.4.0 (September 2019)

IBM Security zSecure V2.4.0 (announcement ENUS219-370) includes the following new features and enhancements:

  • Command and Ticket Logging:
    • zSecure Admin and zSecure Command Verifier can send command logging requests to CKXLOG with an optional ticket ID defined in the new ISPF user interface fields. The CKXLOG started task writes to a system-wide or sysplex-wide CKXLOG log stream. It is possible to define a ticket's description as required by auditors.
    • In batch TSO command streams or home-grown applications, the CKXLOGID command can be used to show the ticket ID. When zSecure Admin generates commands for different systems or for queued execution, it also generates CKXLOGID SET commands.
    • CKXLOG input: SETUP FILES can select the active command log stream (last 24 hours), a specific log stream, or an offloaded or unloaded data set. In CARLa, the files are allocated with ALLOC TYPE=CKXLOG.
    • Command Review (CR): This new option enables you to run members with RACF commands (CR.1) or review and run commands in the CKXLOG command log (CR.2).
    • Command Log records: Pre-execution command detail shows the submitter (where the command originated) and the ticket number. Commands and parameters are normalized to ease searching. Post-execution command detail (zSecure Command Verifier) shows the command return code and the original ticket number.
    • Line command R allows reissuing the command to the same or different systems according to SETUP CONFIRM.
    • In CR.2, you can recreate commands. The Suppress pre-exec ESM cmds option prevents generating commands twice (if you have zSecure Command Verifier). Pressing END on the display allows you to edit the command file.
  • File Integrity Monitoring in zSecure Collect:
    • zSecure Collect uses CHECK= to select critical data sets and CHECK_ALGORITHM= to select the algorithm. zSecure Collect is backward compatible using the old algorithm, and also supports the SHA2-512 and SHA3-512 algorithms.
    • zSecure Collect computes two types:
      • FINGERPRINT based on the content of a data set or library to identify duplicates.
      • ANTI_TAMPER_DIGEST based on the content and the metadata (for example, names, IDR/ZAP data, and APF AC=1) for anti-malware protection.
    • Use RE.F.M to report on which members changed. The UI uses the new newlist type DSN_MEMBER; it is similar to DSN but reports on members of libraries instead of on libraries. It is possible to do a lookup to DSN, for example, to gather RACF information. Use the C command in SETUP FILES to designate the oldest CKFREEZE or UNLOAD file as the baseline. Do not include SMF, ACCESS, or CKXLOG types in the base set that you use to show differences.
    • Use RE.F.D to report on which data sets changed. Omit BASE and SAME to see only the data sets for which the anti-tamper digest, fingerprint, sensitivity type, or attributes changed.
    • Migration considerations:
      • The default algorithm to compute checksums has changed. zSecure Collect now uses SHA3-512 on machines where that algorithm is supported in hardware (z14 or newer), SHA2-512 on machines like z12 or z13, and the old (CRC32) algorithm on hardware that does not directly support either.
      • Use CHECK_ALGORITHM=OLD to ensure using the old algorithm when installing V2.4.0. In future, when installing a new hardware level that supplies stronger encryption, you can use, for example, CHECK_ALGORITHM=SHA2-512 to ensure using the prior algorithm.
      • When migrating from one algorithm to another, create CKFREEZEs with both the old and new algorithms at the same point in time, so that prior CKFREEZEs can be compared with the old result and newer CKFREEZEs with the new result.
      • The Library Audit application shows all members as changed when the algorithm is changed. It provides function to explicitly select a compatible algorithm, or to ignore all changes when the algorithm changes.
      • The default length of the CRC and CHECKSUM fields has changed from 8 to 128.
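To make the two checksum types and the migration boundary concrete, here is an added Python illustration (not zSecure's own code or algorithm): a content-only fingerprint beside a content-plus-metadata anti-tamper digest, selectable as OLD (CRC32), SHA2-512, or SHA3-512, a dual snapshot for the migration step, and a comparison that refuses to cross an algorithm boundary. The member contents and the metadata keys are constructed stand-ins, not zSecure field names.

```python
import hashlib
import zlib
# Constructed sample library members: name -> (content, metadata). The metadata
# keys are hypothetical stand-ins for the attributes the page names (APF AC=1,
# IDR/ZAP); they are not zSecure field names.
BASELINE = {
    "IEFBR14": (b"IEFBR14 program text", {"ac": 1, "zap": ""}),
    "MYUTIL": (b"utility program text", {"ac": 0, "zap": ""}),
}
CURRENT = {
    "IEFBR14": (b"IEFBR14 program text", {"ac": 1, "zap": "ZAP001"}),  # metadata only
    "MYUTIL": (b"utility program text!", {"ac": 0, "zap": ""}),  # content changed
}
ALGORITHMS = {"SHA2-512": "sha512", "SHA3-512": "sha3_512"}

def digest(algorithm, data):
    """Hash with the selected algorithm; OLD stands in for the legacy CRC32."""
    if algorithm == "OLD":
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"  # 8 hex digits
    return hashlib.new(ALGORITHMS[algorithm], data).hexdigest()  # 128 hex digits

def fingerprint(algorithm, content):
    """Content only, so identical members in different libraries match."""
    return digest(algorithm, content)

def anti_tamper_digest(algorithm, content, meta):
    """Content plus metadata, so a ZAP or AC change alters the digest too."""
    tail = "|".join(f"{k}={meta[k]}" for k in sorted(meta)).encode()
    return digest(algorithm, content + b"\x00" + tail)

def snapshot(algorithm, members):
    """One CKFREEZE-like snapshot: per member, (fingerprint, anti-tamper digest)."""
    return {n: (fingerprint(algorithm, c), anti_tamper_digest(algorithm, c, m))
            for n, (c, m) in members.items()}

def dual_snapshot(members, old_alg, new_alg):
    """Migration step: capture both algorithms at the same point in time."""
    return {old_alg: snapshot(old_alg, members), new_alg: snapshot(new_alg, members)}

def compare(base, base_alg, cur, cur_alg):
    """Changed members and why. Refuses to cross an algorithm boundary, since
    then every digest differs and every member would be reported as changed."""
    if base_alg != cur_alg:
        raise ValueError(f"algorithm boundary: {base_alg} baseline vs {cur_alg} current")
    changed = {}
    for name, (fp, atd) in cur.items():
        bfp, batd = base.get(name, (None, None))
        if (bfp, batd) != (fp, atd):
            changed[name] = "content" if bfp != fp else "metadata"
    return changed
```

With a dual snapshot taken at migration time, older baselines are compared against its OLD half and newer snapshots against its SHA3-512 half, which is the pattern the migration consideration above describes.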
  • Integrated Cryptographic Service Facility (ICSF) support:
    • AU.S: SYSTEM - ICSF enforcement and configuration options
    • EV.U: LOGSTRX support for ICSF CICSAUDIT
    • SMF 82-18 support: New TYPE=SMF fields:
      • Crypto Coprocessor: CC_STATUS, CC_COMPLIANCE_MODE, CC_ACCELERATOR, CC_CCA_PROCESSOR, CCPKCS11, CC_NUMBER, CC_SERIAL, CC_TYPE
      • PCI HSM compliance: PCI_HSM_COMPLIANCE_MODE, PCI_HSM_COMPL_MIGR_MODE, PCI_HSM_2016_COMPL_MODE
    • RE.K.S: Symmetric Key Protection - resource name prefixing
      • Crypto audit: secured sign on or pass ticket enhancements (new fields SSKEY_KEYLABEL, SSKEY_CMDPARM)
      • Db2 Pervasive Encryption is at data set level; Db2 passes the desired key label when allocating:
        • System level (ZPRM): the default for the Db2 catalog, directories, and archive logs.
        • Tables / table spaces: the key label will be the default when (re)creating a table.
        • Storage groups: the key label for table and index spaces in this storage group.
    • RE.K.T: Token Key Data Set - new columns for KDSR: encryption algorithm and strength, KDSR start and end of validity, secure key, more KDSR fields (archived/recalled/used while archived/prohibit archive).
  • z/OS V2.4 support:
    • RACF V2.4 new general resource and DATASET profile segments:
      • Select on presence, absence, display of three new general resource segment types:
        • CSDATA (general resource and DATASET profiles): stores custom-defined profile fields; to add new fields to user profiles, use the RACF CFIELD class to define the new fields and the labels that you want to use for them.
        • IDTPARMS (general resource only): used only for profiles in the IDTDATA resource class. It describes how the information in the Identity Token must be signed and when the information can be used to authenticate users.
        • JES (general resource only): specifies the encryption key that is used for the job's spool data (for future use).
    • Restricted Use CSA: New RUCSA and ERUCSA areas in TYPE=VSM
    • SMF: Success logging includes CRITERIA:
      • Field RECORDDESC extended: RACF ACCESS success for CRMBJU1: (READ,READ) with criteria SMS=DSENCRYPTION on CSFKEYS ZSECKEY8
      • New TYPE=SMF field CRITERIA shown with default prefix header: Criteria condition satisfied SMS=DSENCRYPTION
      • Identity token status and service return code
      • More ICSF record detail
      • SMF 83-7 MFA record: New TYPE=SMF fields MFA_FACTOR, MFA_POLICY. Aside from these two new fields, five fields that did not have a value before for these SMF records now do have a value.
    • Privilege Escalation Detection:
      • Detects ACEE updates not done by RACF
      • New class ACEECHK
      • New alert 1123 upon detection
      • New audit concern if software installed but class inactive
  • Compliance framework enhancements:
    • UNIX file protection check symlink support:
      • Selection of a UNIX path name can resolve symlink and variables
      • New field MOUNTED_OVER to suppress original directory of mount point
      • More automation for ZUSS category of STIG controls, for example about '/etc/hosts'
    • New sensitivities and subsystems added:
      • New subsystem type: ZCX - z/OS Container Extensions
      • IN.S shows all the sensitivity types, including the following new ones:
        TSS secfile
        BypAlCluChk
        Ichblp
        IMS OTMA
        J2Submit
        JES2 plcylb
        JES2 sublib
        PrivTCPport
        PrivUDPport
        PwPrTCPport
        PwPrUDPport
        SetGRSRNLxx
    • Privileges configured in the Db2 parms member (default DSNZPARM) are now merged into the existing reports of Db2 authorizations; for example, from Db2 GRANTs or from access to appropriate profiles.
      • Add to DB2_ACCESS for compliance checks
      • Add to DB2_ACL displays
      • Add to RACF_DB2_ACL for modifiers EXPLODE, RESOLVE, and EFFECTIVE
      • Columns H and L set to Z, Grantor is fixed field name, LastGranted is empty
    • IMS Region clarification OA56639:
      • Two new fields: ODBMSECURE effect, sign on is forced by other options
      • NRESTART fields are missing if not applicable
      • Help panel clarifications
    • IMS Region Open Transaction Manager Access (OTMA) support:
      • New repeat group in TYPE=IMS_REGION.
      • If OTMA is active in the region, repeat group fields are available at the bottom of the reports.
      • Show default and client RACF setting
      • Resource added: IMSXCF.group.mem
  • ACF2 resource access compliance:
    • New NEWLIST TYPE=ACF2_SENSRESOURCE_ACCESS (similar to ACF2_SENSDSN_ACCESS) for writing compliance rules for general resources in ACF2.
  • TYPE=COMPLIANCE* newlists have been enhanced to support comparisons:
    • Rule set compliance summary provides a management summary, comparing percentages, and indications of direction of changes.
    • Compliance test reports provides details of changes (like adding test-objects).
  • Miscellaneous:
    • CO.L enables easier access to the last CARLa query.
    • RA.Q quick admin display is extended with new password-related and passphrase-related fields.
    • SE.T Diagnostic trace: Four new options were added and one option was extended.
    • VERSION=BASE is automatically added if FUNCTION=BASE and no VERSION is defined.
    • L line command for a CKFREEZE data set entry in SETUP FILES (SE.1) and in INFORMATION DATA (IN.D) output shows space usage for each record type and subtype.
  • Other products:
    • zSecure CICS Toolkit: API support for pass phrases (OA57272) and support for CSDATA fields in DATASET and GENERAL profiles; control is similar to the existing USRDATA support.
    • zSecure Visual V2.4.0:
      • CSDATA segment DATASET and GENERAL
      • IDTPARMS segment
      • JES segment
  • Migration and coexistence considerations:
    • AU.C (‘Change Track’) has been removed - use compliance assertion framework instead (AU.R) or other displays with ‘Show differences’.
    • Possible migration action: If you specifically called CKR4Z or CKR8Z196, you must now call CKR4Z196 or CKR8Z12. You might then also need to verify Program Access to Data Sets requirements (PADS). In general, call CKRCARLA instead; it dynamically selects the appropriate module for your environment.
    • More type 80 SMF records can be written from CKFCOLL 2.4 using trusted instead of privileged because of privilege escalation detection.
    • Migration checksum boundary: Consider the implications of changing the checksum algorithm. See Migration considerations.
    • Toleration/coexistence for earlier zSecure releases: To work with newer RACF templates on earlier zSecure releases, refer to APAR OA57892.
    • Coexistence: CKNSERVE can communicate with older versions on different nodes, but new functionality will be ignored on these nodes.

zSecure V2.4.0 Service Stream Enhancement for administration, compliance automation, and event management (December 2019)

This Service Stream Enhancement (SSE) includes enhancements for administration, compliance automation, and event management and consists of the following APARs:
  • PTF UJ01660 for APAR OA58802: this updates code specific to zSecure CICS Toolkit.
  • PTF UJ01661 for APAR OA58804: this updates code specific to zSecure Command Verifier.
  • PTF UJ01655 for APAR OA58799: this updates code shared among zSecure Admin, zSecure Audit, zSecure Command Verifier, zSecure Alert, and zSecure Adapters for SIEM.
  • PTF UJ01656 for APAR OA58801: this updates code specific to the ACF2 features of zSecure Audit, zSecure Alert, and zSecure Adapters for SIEM.
The SSE includes the following enhancements:
  • New CARLa functions SMF_SECTION_INDEX and SMF_SECTION12_INDEX for use with the DEFINE command, providing more options to process SMF data.
  • Support for SMF record type 123 subtype 1 (z/OS Connect) and type 119 subtypes 94-98 (ssh).
  • Enhancements to the event feed towards SIEM solutions:
    • Send z/OS Connect and ssh events.
    • Add OWNER information (owner= tag) whenever a RACF profile is implied.
  • fromWhereTERMINAL and fromWhereSRCIP information in all alerts based on SMF records that contain TERMINAL or ACF2_SOURCE data, in the email, QRadar UNIX syslog (LEEF), ArcSight CEF, and SNMP alert formats.
  • fromWhereUSER and fromWhereSYSTEM information in alerts based on SMF records that contain UTOKEN_SUSER, UTOKEN_SNODE, or ACF2_SUBMITTER data (same formats); this provides direct access to, for example, SURROGAT source information.
  • New zSecure Command Verifier policies to trigger a command when UID(0) or OWNER is assigned.
  • Enhancements to the Command Audit Trail to track CLAUTH, AUDIT, and GAUDIT changes.
  • Custom data support in zSecure CICS Toolkit.

For details about the updated documentation for this SSE, see the technote; the updates themselves are included in the zSecure V2.4.0 documentation.

zSecure V2.4.0 documentation

For information about the documentation, see zSecure documentation. The IBM Security zSecure Suite Library Version 2.4.0 includes PDF files for the unlicensed publications as well as the zSecure licensed publications: zSecure (Admin and) Audit User Reference Manual for RACF, ACF2, or Top Secret, and zSecure CARLa Command Reference. If you participated in the zSecure V2.4.0 Early Support Program (ESP) and your IBM ID is registered, you have access to the zSecure licensed publications. If you do not see the licensed publications, you are either not signed in or your IBM ID is not yet registered. Send an email to zDoc@nl.ibm.com; include your organization's customer number and your IBM ID. If you do not have an IBM ID, see Create an IBM account.