Release notes for zSecure 2.5.0

IBM Security zSecure 2.5.0 has been available since September 30, 2021. In June 2022, a Service Stream Enhancement (SSE) was published.
Read this document to find important installation information and learn about compatibility issues, limitations, and known problems.

For information about the new features for zSecure 2.5.0, see What's new for zSecure 2.5.0.

For information about the zSecure documentation, see zSecure Suite documentation. For steps to access the licensed User Reference Manuals for RACF, ACF2, and Top Secret, see Obtain licensed documentation.

If you are upgrading from a version of zSecure that is older than 2.4.0, also see the Release notes for the versions that you skipped for IBM® Security zSecure Suite.

Announcement

The zSecure 2.5.0 announcement includes information about the following topics:
  • Description
  • Technical information
  • Ordering information
  • Terms and conditions

IBM Z Security and Compliance Center 1.1

On April 5, 2022, IBM announced the Z Security and Compliance Center. This new solution provides a dashboard for compliance evidence that is based on SMF 1154 records. It includes all the functionality of IBM Security zSecure Audit and relies on the zSecure CARLa and Collect engines.

The Z Security and Compliance Center includes the z/OS Compliance Integration Manager component, which provides a started task that is required to create SMF 1154 records for the following z/OS subsystems: Console, DFSMS, InetD, IMS, IMS-Connect, IMS-OM, IBM MQ, SMF, SSHD, and z/OS UNIX System Services. Other subsystems write their own SMF 1154 records.

The Program Directory for Z Security and Compliance Center, Compliance Integration Manager Component contains information concerning the material and procedures that are associated with the installation of the z/OS Compliance Integration Manager.

System requirements

This section lists the minimum and advised processor, disk space, and memory requirements for the zSecure 2.5.0 products and solutions:
| Requirement | Minimum | Advised |
|---|---|---|
| Processor | An IBM Z® server that is capable of supporting z/OS® 2.3 or later. | Same as minimum |
| Disk space | 1 GB | 1.5 GB |
| Memory | 1 GB | 2 GB |

For the Z Security and Compliance Center requirements, see the Program Directory for IBM Z Security and Compliance Center Compliance Integration Manager Component or the Technical information section in the announcement.

For programming and space requirements for zSecure CICS® Toolkit, Command Verifier, and RACF®-Offline, see the following Program Directories:

All other components (the CARLa-driven components) of zSecure have a common Program Directory: Program Directory for IBM Security zSecure Suite: CARLa-driven components.

Supported platforms and applications

The zSecure products are supported on the following platforms and applications:
  • IBM z/OS 2.3 through z/OS 2.5
  • IBM z/VM® 7.1, 7.2, and 7.3
  • CICS Transaction Server 5.3 through 6.1
  • Db2® 12.1
  • IMS 15.1 and 15.2
  • IBM MQ 9.1 and IBM MQ 9.2
  • CA ACF2 Release 16
  • CA Top Secret Release 16
  • Microsoft Windows 10, Windows Server, in support by Microsoft
  • zSecure Visual Client requires Microsoft Windows 10
  • All currently supported versions of WebSphere® HTTP server
  • Integrated Cryptographic Services Facility (ICSF) is supported up to HCR77D2
zSecure no longer supports the following platforms and applications:
  • IBM z/OS 2.2
  • IBM z/VM 6.4
  • IMS Version 14
  • Db2 11.1
  • IBM MQ 8.0 through IBM MQ 9.0.x
  • CICS TS 4.1 and 5.2

Installing IBM Security zSecure

For a complete installation roadmap on all steps to install, configure, and deploy a new installation of zSecure or an upgrade to zSecure 2.5.0, see the zSecure CARLa-Driven Components Installation and Deployment Guide.

This unlicensed documentation is available with the product and at the IBM Documentation for IBM Security zSecure Suite 2.5.0. To obtain access to the licensed documentation, send an email to zDoc@nl.ibm.com; include your IBM ID and your organization's customer number. Following registration, you will receive a link to the IBM Security zSecure Suite Library.

Incompatibility warnings

Version changes in DISA z/OS STIG (February 2023)
z/OS STIG (Security Technical Implementation Guides) included controls that were specific to z/OS and z/OS Products. With z/OS STIG version 6, release 43 (6.43), DISA split z/OS STIG into two separate standards: z/OS Products STIG and z/OS STIG. z/OS STIG version 8 was introduced, while the z/OS Products STIGs continued to follow version 6.

With the implementation of this SSE, zSecure Audit incorporates the changes that DISA introduced into the implementation of the STIG standard. As a result of this split, the following changes are observed in zSecure:

  • The reported version in z/OS RACF/ACF2/TSS STIG version 6 drops from 6.52 to 6.43. Release 43 is the last applicable release for z/OS RACF/ACF2/TSS STIG version 6.
  • z/OS Products STIG continues to be updated under version 6. The release is now reported as LATEST, because the release number can vary among products.
  • z/OS RACF/ACF2/TSS STIG version 8 is introduced.
To run a full STIG version 6 evaluation, use both the options z/OS RACF/ACF2/TSS STIG v6 and z/OS Products STIG simultaneously.
BMC INCONTROL IOA (February 2023)
The following DISA STIG controls no longer require the use of a SIMULATE SUBSYS statement to simulate an active INCONTROL IOA environment for the BMC INCONTROL family of products. zSecure now has the capability to automatically detect INCONTROL IOA resources and assign a sensitivity. As a result, existing configurations in the C2RG@IDF customization member are no longer needed and will be ignored when the controls are evaluated.
ZCTDA020
ZCTDR020
ZCTMA020
ZCTMR020
ZCTOA020
ZCTOR020
ZIOAA020
ZIOAR020
CSSMTP_TS_TYPE default output length increased (February 2023)
The default output length of the SMF newlist field CSSMTP_TS_TYPE has been increased from 6 to 7 characters.
LIST USER statements (July 2022)
The LIST USER TAG field U-PASSINT now shows NONE (instead of 255) for non-protected users that have no password interval. The output of LIST USER commands without a TAG option has a changed layout (and can show more information than before). The layout is not intended to be a programming interface.
CKGRACF (June 2022)
When manipulating USRDATA through CKGRACF for fully qualified generic dataset profiles, it is now required to explicitly mark the profile as a GENERIC profile. Previously, all profiles that were not explicitly marked as either generic or discrete were assumed to be generic. Discrete profiles were not supported. With this update, discrete profiles are supported, but generic profiles without generic characters must be marked explicitly as generic.
SMF field CC_SERIAL is a repeated field (June 2022)
The NEWLIST TYPE=SMF field CC_SERIAL has become a repeated field. This implies that the field is shown on the detail display by default.
Support dropped for configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
zSecure Audit now supports automatic determination of the data set names that belong to the started tasks of the BMC Integrated Operations Architecture (IOA) and BMC MainView products. As a consequence, the support for the configurable sensitivity types BMCMVSTC_ (used in rule set ZMVZR001) and BMCIOASTC_ (used in rule set ZIOAR001) was dropped. Be aware that these configurable assertions are now silently ignored in the compliance evaluation of the rule sets ZMVZR001 and ZIOAR001. If BMCMVSTC_ and BMCIOASTC_ configurations were specified in the past, these specifications will still be reported from the assertion history log (option AU.R.H).
The following changes apply:
  • Users are no longer required to specify the started task data set names for the configurable sensitivity types BMCMVSTC_ and BMCIOASTC_
  • The zSecure user interface no longer produces the CONFIGS and CONFIGX reports for controls CKAGOA01 and CKAGMV01 to enable configuration of sensitivity types BMCMVSTC_ and BMCIOASTC_
  • Remaining SIMULATE statements for sensitivity types BMCMVSTC_ and BMCIOASTC_ in member ACPCNFG can be removed; these are ignored.
Generated output no longer held in spool
Sample procedures for the zSecure started tasks have been changed to no longer generate HELD output. If you require output to be HELD, modify the sample procedures to specify a different output class, or add the HOLD=YES specification to the SYSOUT file.
TN3270 Telnet SMF records sent to SIEM
In the representations of TN3270 Telnet server and client SMF records (record type 118 with subtypes 4, 20, 21, 200, and 201, and record type 119 with subtypes 20, 21, 22, and 23) that are sent to SIEM applications (for example, IBM QRadar® SIEM) using CARLa scripts CKQLEEF and CKQLEEFL, the cmd field was replaced with the action field.
action field replaces cmd field

| Previous situation: cmd field values | Current situation: action field values |
|---|---|
| LGON, LOGN | LOGON |
| LGOF, LOGF | LOGOFF |
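
SIEM parsers and detection rules that key on the cmd field stop matching these events once the action field replaces it. The following Python example is added here and is not part of zSecure or the IBM documentation; it normalizes both representations to the action values. Only the cmd and action field names and their values come from the table above; the LEEF header values, the usrName attribute, and the function names are assumptions.

```python
# Added example: value mapping from the "action field replaces cmd field" table.
CMD_TO_ACTION = {"LGON": "LOGON", "LOGN": "LOGON",
                 "LGOF": "LOGOFF", "LOGF": "LOGOFF"}
KNOWN_ACTIONS = set(CMD_TO_ACTION.values())

def parse_leef(line):
    """Return the attribute dict of a LEEF 1.0 line (assumed layout: five
    pipe-delimited header fields, then tab-separated key=value pairs)."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    attrs = {}
    for pair in parts[5].split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def tn3270_action(attrs):
    """Return (action, source); source names the field that supplied it."""
    if "action" in attrs:                  # current representation
        action, source = attrs["action"].upper(), "action"
    elif "cmd" in attrs:                   # representation before the change
        action, source = CMD_TO_ACTION.get(attrs["cmd"].upper()), "cmd"
    else:
        return None, "missing"
    if action not in KNOWN_ACTIONS:
        return None, "unrecognized"        # report it, do not drop it silently
    return action, source

def summarize(lines):
    """Count normalized actions; collect records no rule would match."""
    counts, unmatched = {}, []
    for line in lines:
        action, source = tn3270_action(parse_leef(line))
        if action is None:
            unmatched.append((source, line))
        else:
            counts[action] = counts.get(action, 0) + 1
    return counts, unmatched

# Constructed samples: header values and usrName are placeholders.
SAMPLES = [
    "LEEF:1.0|IBM|zSecure|sample|118-4|usrName=USERA\tcmd=LGON",
    "LEEF:1.0|IBM|zSecure|sample|119-21|usrName=USERA\taction=LOGOFF",
    "LEEF:1.0|IBM|zSecure|sample|118-20|usrName=USERB\tcmd=LOGN",
    "LEEF:1.0|IBM|zSecure|sample|119-20|usrName=USERB\tcmd=XXXX",
]
```

Running summarize over a mixed archive of records from before and after the upgrade gives consistent logon and logoff counts, and the unmatched list shows any record whose value a rule would otherwise miss.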

In the representations of TN3270 Telnet server and client SMF records (record type 118 with subtypes 4, 20, 21, 200, and 201, and record type 119 with subtypes 20, 21, 22, and 23) that are sent to Micro Focus ArcSight using CARLa script CKQCEFG, the information that the request field used to convey is now found in the header of a record representation.

Header information replaces request field

| type-subtype | Previous situation: request field value | Current situation: header value |
|---|---|---|
| 118-4 | LGON | logon TN3270 client |
| 118-4 | LGOF | logoff TN3270 client |
| 118-20, 119-20 | LOGN (or missing) | logon TN3270 server |
| 118-21, 119-21 | LOGF (or missing) | logoff TN3270 server |
| 119-22 | (missing) | init TN3270 client |
| 119-23 | (missing) | term TN3270 client |
PROTECTED_ZVM was removed
The PROTECTED_ZVM variable was removed from the C2RXDEF1 include member. PROTECTED_ZVM was the equivalent of the PROTECTED variable for RACF for z/VM databases. You can now use the built-in field PROTECTED for both z/VM and z/OS.
CKXLOGID changed to CKXLOG
The CKXLOGID primary command was changed to CKXLOG to avoid confusion with the CKXLOGID TSO command.
zSecure Admin RACF Access Monitor: retain jobname information
In previous versions of RACF Access Monitor, it was possible to retain jobname information for user IDs that are a proper substring of another user ID, while removing jobname information for that second user ID. For example:
  • Retain jobname information for user ID XYZZY
  • Drop jobname information for user ID XYZZYZ
The use of a user ID that is a proper substring of another user ID is generally strongly discouraged. Current versions of RACF Access Monitor do not allow retention of jobname information for the shorter ID (XYZZY) independent of that for the longer ID (XYZZYZ).
STIG members renamed
Several SCKRCARL members were renamed, either from a generic name to a member name that is specific to an External Security Manager (ESM), or from an ESM-specific member name to a general member name.
Table 1. SCKRCARL generic member names renamed for RACF, ACF2, and Top Secret systems

| Control | Original member | Renamed member (RACF) | Renamed member (ACF2) | Renamed member (Top Secret) |
|---|---|---|---|---|
| AAMV0410 | C2RGM410 | CKAGM410 | C2AGM410 | CKTGM410 |
| AAMV0420 | C2RGM420 | CKAGM420 | C2AGM420 | CKTGM420 |

Table 2. SCKRCARL member names for RACF, ACF2, and Top Secret systems renamed to generic member name

| Control | Original member (RACF) | Original member (ACF2) | Original member (Top Secret) | Renamed member |
|---|---|---|---|---|
| IUTN0020 | CKAGIU20 | C2AGIU20 | CKTGIU20 | C2RGIU20 |

STIG ID ZCICR021 was renamed to STIG ID ZCICR038 as specified in the z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide. The SCKRCARL member was renamed accordingly.

Table 3. SCKRCARL member name renamed for RACF

| Control | Original member | Renamed RACF member |
|---|---|---|
| ZCICR021 | CKAGCI21 | CKAGCI38 |

Multi-line mixed SBCS/DBCS strings
With previous versions of CARLa and CKGRACF, within a string literal crossing a line boundary, if a line ended with a shift-in character and an optional space, and if the next line started with a shift-out character, the shift-in character, optional space, and shift-out character were trimmed away by the parser. This trimming behavior has been extended as follows.

Within a string literal crossing a line boundary, if a continuation line starts with a shift-out (SO) character, optionally preceded by SBCS (Single-byte Character Set) space characters, lines immediately preceding this line are trimmed away if they entirely consist of SBCS spaces. Trailing SBCS spaces in the line before these blank lines, if any, are trimmed away as well. If the trimmed line ends with a shift-in (SI) character and the continuation line starts with an SO character, these SI and SO characters are trimmed away, too.

For more information, see Syntax rules in zSecure CARLa Command Reference.

BMC_MAINVIEW_STC removed
The BMC_MAINVIEW_STC variable in NEWLIST TYPE=REPORT_STC cannot be used anymore to specify which non-default BMC MainView started tasks are defined on a system. Instead, the CKAGMV30 and CKAGMV32 (for RACF), and C2AGMV30 (for ACF2) DISA STIG controls use the names of started tasks that are specified in a customization member.
zSecure Audit for RACF and ACF2 automatically checks the following default BMC MainView started tasks:
BBIDLOG
BBIILOG
BBMCAS
BBMPAS
MV$ALMGR
MV$LAS
MVALARM
MVALMGR
MVCAS
MVLAS
MVSPAS
MV$CAS
MV$PAS
MV$MVS
OSZ$EXEC
OSZ$INIT
OSZ$RTCS
OSZEXEC
OSZINIT
OSZRTCS

To further specify non-default BMC MainView started tasks, use the MVPROC customization member. For more information about customization members, see section Preparation for CKACUST members in the zSecure (Admin and) Audit User Reference Manual.

Sensitivity types
DspSysCfg (class SDSF, with audit concern text Can display system configuration information in SDSF) was changed to SDSFAppInfo (with audit concern text In SDSF, can display regular operation information). For more information, see Predefined sensitivity types related to newlists in zSecure CARLa Command Reference.

Migration consideration

To activate the proper auditing of various product resources, review what SIMULATE SUBSYS specifications are needed to indicate the configurations of the following products:
  • IBM Z NetView®
  • BMC INCONTROL IOA
  • BMC MainView
  • Advantage CA-Roscoe
  • Compuware Abend-AID
  • Rocket Software Catalog Solution

Limitations and known problems

At the time of publication of this Release Notes document, no problems exist.

Limitations and problems that arise after publication are documented in technotes. Therefore, regularly scan for updates on IBM Security zSecure at IBM's Search support and downloads site. A general documentation technote lists all updates to the documentation of 2.5.0 since availability.

You might also want to scan the following recommended fixes. Some of these fixes introduce new functions and features.