What's new for zSecure 3.1.0

zSecure 3.1.0 new features and enhancements (General availability September 2023)

• Support for updated compliance standard STIG versions for RACF and ACF2 (8.12), and Top Secret (8.10).
  • Separate definitions for z/OS Products standards using the new STANDARD syntax.
  • z/OS STIG version 6.43 and single standard syntax z/OS Product STIGs are no longer included in the User Interface. However, you can still use the members with AU.R.T.
  • Partial support has been added for the CIS Benchmark.
  • Support for the GSD standard is no longer provided.
• New support has been added to Z Security and Compliance Center to run a Compliance Assessment from the Z Security and Compliance Center dashboard, and present the results in the dashboard. To provide this support, zSecure now has the capability to generate reports in JSON format.
• New fields have been added to several existing reports:
  • Additional Quantum Safe Algorithms (QSA) are shown in ICSF and SMF reports.
  • SMF support for Boot Validation.
  • Support for reporting on additional SMF 1154 Compliance Evidence records.
  • The PROTALLOWED option for generating Identity Tokens.
  • The ACEE field in the CFDEF segment to cache CSDATA field of USER in storage.
  • Support for the OPTAUDIT resource class.
  • The existing SYSTEM and SETROPTS reports have been enhanced to provide information about the following topics:
    • Applaudit for UNIX status.
    • Automatic revoke of SPECIAL users on password or password phrase (passphrase) violation for at least one APPLID.
    • Status of DIAGxx option to prevent instruction execution of parm data storage.
• The ISPF User Interface has been updated to provide new and updated reports:
  • RE.C.R Region now includes information about the active Db2 Connections (DB2CONN definitions).
  • RE.C.D DB2TRAN allows selection and reporting using the CICS_DB2TRAN newlist.
  • RE.C.E DB2ENTRY allows selection and reporting using the CICS_DB2ENTRY newlist.
  • RE.C.T Transactions allows selection on Db2 Connection attributes.
  • New option AU.I IDs has two new reports:
    • AU.I.I shows information from the ID newlist. It has information about attributes and where the ID is used.
    • AU.I.M shows information about unique MFA-capable IDs across all complexes that are present in the zSecure input sources.
  • Overtyping of MFA factor tag values.
• Several user requests for new functions were implemented:
  • Provide an option to delete relevant members in the C2PCUST data set when deleting an Alert configuration.
  • Add symbolic support to DSNPREF.
  • In the Access Monitor report selection (AM.1 and AM.2), it is now possible to select on the Profile Owner for Dataset or Resource Profiles.
  • CKNSERVE supports remote Access Monitor data sets.
  • CKFCOLL no longer blocks ICSF access to the Key Data Sets (KDS).
• RACF®-Offline now uses IEFU86 to manage SMF records.
• Sample jobs for Guardium VA integration now use UTS Table Spaces.
• Support for IBM Db2 V13R1M501.

Service Stream Enhancement (SSE) to zSecure 3.1.0 (April 2024)

• Support for updated and additional compliance standards:
  • CIS IBM z/OS V2R5 with RACF Benchmark v1.1.0.
  • CIS IBM Db2 13 for z/OS Benchmark v1.0.0 (partial implementation).
  • Multiple small updates and fixes have been incorporated for the STIG standard.
  Two technotes are available separately, that will be updated on a regular basis:
  • zSecure 3.1.0 compliance-related updates.
  • List of DISA STIG and CIS IBM z/OS with RACF Benchmark compliance standards available in zSecure 3.1.0.
• Several minor enhancements and fixes are implemented for the Compliance Standard framework. For example, configuration assertions can now truly be expired.
• The ISPF User Interface for Compliance Standards has been enhanced:
  • An option was added to remove previous Configuration Assertions.
  • All sensitivity types can now contain a description text.
• zSecure Access Monitor, zSecure Alert, and the zSecure SMF Collector are changed to allow starting the started task directly under the MSTR subsystem instead of under JES. This enables earlier start of data collection. Reporting and alerting on the collected events is done after JES (and TCPIP for zSecure Alert) is active.
• zSecure Admin and Audit and the ISPF User Interface have been enhanced:
  • Display the extended key usage information for digital certificates.
  • zSecure Admin: The CKGRACF command has a NOPROPAGATE option to stop RRSF propagation of the RACF database updates, and sorting in Report Scope now works as intended.
  • zSecure Audit: A new menu item RE.R has been added to show information about general resources and their protection. The resources can be used by operating system components or by subsystems and applications.
• zSecure Audit for ACF2 now shows the conditional access through the WHEN(CRITERIA) option.
• The zSecure Command Verifier product has been enhanced with a policy to control the authority to display profiles and profile names when using the RACF LISTDSD, RLIST, and SEARCH commands.
• Additional enhancements and bug fixes are applied:
  • Message CKF0546 now has additional debug information.
  • Message CKF1024 is now suppressed in zSecure Alert.
  • ISPF option RA.5.0 now has support for Show differences and Customize Title.
  • ISPF option RA.U/P now suppresses phrase validation when requested.
  • zSecure Alert extended monitoring data sets can be deleted more quickly.
  • ISPF options specified on SE.T are also used for recursive queries.
  • Print format output is now consistent with interactive reports and uses specified selection criteria.
  • LEEF format data sent to QRadar now uses SYSTEM name when full JobTag information is not available.
  • Active SMF record subtype information shows accurate information.

Documentation

The zSecure Suite 3.1.0 documentation includes the former licensed documentation:

• zSecure (Admin and) Audit User Reference Manual for RACF, ACF2, and Top Secret
• zSecure CARLa Command Reference

See also Documentation in Release notes.