You are previewing IBM z/OS Mainframe Security and Audit Management Using the IBM Security zSecure Suite.
O'Reilly logo
IBM z/OS Mainframe Security and Audit Management Using the IBM Security zSecure Suite

Book Description

Every organization has a core set of mission-critical data that must be protected. Security lapses and failures are not simply disruptions—they can be catastrophic events, and the consequences can be felt across the entire organization. As a result, security administrators face serious challenges in protecting the company’s sensitive data. IT staff are challenged to provide detailed audit and controls documentation at a time when they are already facing increasing demands on their time, due to events such as mergers, reorganizations, and other changes. Many organizations do not have enough experienced mainframe security administrators to meet these objectives, and expanding employee skillsets with low-level mainframe security technologies can be time-consuming.

The IBM® Security zSecure suite consists of multiple components designed to help you administer your mainframe security server, monitor for threats, audit usage and configurations, and enforce policy compliance. Administration, provisioning, and management components can significantly reduce administration, contributing to improved productivity, faster response time, and reduced training time needed for new administrators.

This IBM Redbooks® publication is a valuable resource for security officers, administrators, and architects who wish to better understand their mainframe security solutions.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team who wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. August 2011, Second Edition
  5. Part 1 Architecture and design
  6. Chapter 1. Business context
    1. 1.1 Today’s challenges
    2. 1.2 Risk management, IT governance, and compliance
      1. 1.2.1 Risk management
      2. 1.2.2 IT governance
      3. 1.2.3 Regulatory compliance
    3. 1.3 Business enablement
      1. 1.3.1 IT Service Management and IT Infrastructure Library
      2. 1.3.2 System z and IBM Security
    4. 1.4 Conclusion
  7. Chapter 2. IBM Security zSecure component structure
    1. 2.1 zSecure at a glance
      1. 2.1.1 Operating systems supported
      2. 2.1.2 Security systems supported
    2. 2.2 zSecure Admin
    3. 2.3 zSecure Visual
    4. 2.4 zSecure CICS Toolkit
      1. 2.4.1 Command interface
      2. 2.4.2 Application programming interface
    5. 2.5 zSecure Audit
    6. 2.6 zSecure Alert
    7. 2.7 zSecure Command Verifier
    8. 2.8 zSecure Manager for RACF z/VM
    9. 2.9 IBM Security zSecure Compliance Insight Manager Enabler for z/OS
    10. 2.10 Conclusion
  8. Chapter 3. IBM Security zSecure Admin
    1. 3.1 An easy to use RACF administration interface
      1. 3.1.1 Initial setup
      2. 3.1.2 An easy to use display of RACF profiles
      3. 3.1.3 Adding a new general resource profile
    2. 3.2 Automating and simplifying routine administration tasks
      1. 3.2.1 Mass changes to RACF and block command support
      2. 3.2.2 RACF Offline
      3. 3.2.3 Timed actions
      4. 3.2.4 Single action to perform an access check
      5. 3.2.5 Complete access report
      6. 3.2.6 Automated verification and cleanup
      7. 3.2.7 Access Monitor for additional cleanup
      8. 3.2.8 Automated reporting using CARLa
      9. 3.2.9 Recovering from administrator errors
    3. 3.3 Delegating RACF administration tasks
    4. 3.4 Preventing and identifying problems to minimize threats
      1. 3.4.1 Using reports provided by zSecure Admin
      2. 3.4.2 Customizing your own report display
      3. 3.4.3 Integration with zSecure Audit
    5. 3.5 Other enhancements for RACF administration
      1. 3.5.1 Storing user data and installation data in RACF
      2. 3.5.2 Access list display modes
      3. 3.5.3 RACF database merge processing
    6. 3.6 Conclusion
  9. Chapter 4. IBM Security zSecure Alert
    1. 4.1 Product positioning and features
    2. 4.2 zSecure Alert architecture and processing
      1. 4.2.1 zSecure Alert data flow
      2. 4.2.2 zSecure Alert components
      3. 4.2.3 Address space and data collection mechanism
    3. 4.3 Implementation suggestions
      1. 4.3.1 Initial setup
      2. 4.3.2 Selecting alerts ready for use
      3. 4.3.3 Sending alerts to their destination
      4. 4.3.4 Adding your own alerts
    4. 4.4 Integration guidelines
    5. 4.5 Conclusion
  10. Chapter 5. IBM Security zSecure Audit
    1. 5.1 zSecure Audit architecture
    2. 5.2 Initial setup of zSecure Audit
      1. 5.2.1 Input data used by zSecure Audit
      2. 5.2.2 Security controls for zSecure Audit
    3. 5.3 System environment reporting
      1. 5.3.1 Audit priorities and policies
      2. 5.3.2 Trust, profile audit concerns, and sensitive data trustees
      3. 5.3.3 Automated vulnerability analysis
      4. 5.3.4 Data sets used by System Status
    4. 5.4 Database verification and cleanup
      1. 5.4.1 Requirements for using verify reports
    5. 5.5 Event reporting
      1. 5.5.1 HTTP reporting
      2. 5.5.2 Requirements for using event and HTTP reports
    6. 5.6 Change tracking
      1. 5.6.1 Data sets used by change tracking
      2. 5.6.2 Security controls for change tracking use
    7. 5.7 Library and sequential data set audit
      1. 5.7.1 Data sets used by data set audit
      2. 5.7.2 Security controls for using library analysis
    8. 5.8 Conclusion
  11. Chapter 6. IBM Security zSecure Visual
    1. 6.1 zSecure Visual architecture and implementation
    2. 6.2 Usage scenarios
      1. 6.2.1 zSecure Visual default roles
      2. 6.2.2 RACF setup to support zSecure Visual
      3. 6.2.3 CKGRACF ID level scoping
      4. 6.2.4 CKGRACF USER and GROUP level scoping
      5. 6.2.5 Using RACF group special
      6. 6.2.6 Access level on scoping profiles
    3. 6.3 RACF scoping rules and examples
      1. 6.3.1 Local password administrator
      2. 6.3.2 Branch wide group connections administrator
      3. 6.3.3 Staff wide user administrator
      4. 6.3.4 Applications data administrator
      5. 6.3.5 Resource access list administrator
      6. 6.3.6 Multiple system support
    4. 6.4 Conclusion
  12. Chapter 7. IBM Security zSecure Command Verifier
    1. 7.1 zSecure Command Verifier architecture
    2. 7.2 Controlling RACF commands
      1. 7.2.1 Example policy profiles to control RACF changes
    3. 7.3 Replacing user exits
      1. 7.3.1 Profile locking
      2. 7.3.2 Temporary system special
    4. 7.4 Command audit trail feature
      1. 7.4.1 Activating command audit trail for profiles
      2. 7.4.2 Auditing changes failed by zSecure Command Verifier
      3. 7.4.3 Reviewing profile changes
      4. 7.4.4 Maintaining the command audit trail information
    5. 7.5 Alerting and action capabilities
    6. 7.6 Conclusion
  13. Chapter 8. IBM z/OS compliance enablers
    1. 8.1 What enablers are
    2. 8.2 Currently available Enablers for z/OS
    3. 8.3 Why you would want to use Enablers for z/OS
    4. 8.4 How Enablers for z/OS work
      1. 8.4.1 Enabler
      2. 8.4.2 Agent
      3. 8.4.3 Actuator
      4. 8.4.4 The data
      5. 8.4.5 The process
      6. 8.4.6 At a glance
    5. 8.5 Sample screen captures of Enablers for z/OS in action
    6. 8.6 Conclusion
  14. Chapter 9. IBM Security zSecure CICS Toolkit
    1. 9.1 zSecure CICS Toolkit architecture
      1. 9.1.1 Command interface architecture
      2. 9.1.2 Application programming interface architecture
    2. 9.2 Command interface usage
      1. 9.2.1 Customized panels
    3. 9.3 Application programming interface usage
      1. 9.3.1 Using the API for resource authorization checking
      2. 9.3.2 Using the API for RACF administration
    4. 9.4 Conclusion
  15. Chapter 10. Planning for deployment
    1. 10.1 Services engagement preparation
      1. 10.1.1 Implementation skills
      2. 10.1.2 Available resources
    2. 10.2 Solution descriptions
      1. 10.2.1 Audit and compliance solution
      2. 10.2.2 Administration solution
      3. 10.2.3 Monitoring solution
      4. 10.2.4 Reporting solution
    3. 10.3 Services engagement overview
      1. 10.3.1 Executive assessment
      2. 10.3.2 Demonstrating the system setup
      3. 10.3.3 Analyzing solution tasks
      4. 10.3.4 Creating a contract
      5. 10.3.5 Defining solution tasks
      6. 10.3.6 Deployment tasks
    4. 10.4 Conclusion
  16. Part 2 Customer scenario
  17. Chapter 11. Delft Transport Authority
    1. 11.1 Delft Transport company profile
    2. 11.2 Delft Transport IT security architecture
    3. 11.3 Corporate business vision and objectives
    4. 11.4 Acquisition project
    5. 11.5 Conclusion
  18. Chapter 12. Project requirements and design
    1. 12.1 Business requirements
    2. 12.2 Functional requirements
    3. 12.3 Design approach
    4. 12.4 Implementation approach
    5. 12.5 Conclusion
  19. Chapter 13. Implementation phase I
    1. 13.1 Post systems programmer installation setup
    2. 13.2 CKFREEZE, Signature, and UNLOAD generation data groups
    3. 13.3 RACF security for IBM zSecure
      1. 13.3.1 Program Access to Datasets
      2. 13.3.2 Conclusion for RACF security
    4. 13.4 Running initial analysis reports
      1. 13.4.1 Status audit reports
      2. 13.4.2 Reviewing the current RACF group tree
    5. 13.5 Implementing initial improvements in system security posture
      1. 13.5.1 Implementing SETROPTS improvements
      2. 13.5.2 Cleaning up badly defined data set profiles
      3. 13.5.3 Implementing an improved RACF group tree structure
      4. 13.5.4 Planning for PROTECTALL implementation
    6. 13.6 Post implementation verification reports
      1. 13.6.1 Reducing trust levels
      2. 13.6.2 RACF group structure
    7. 13.7 Conclusion
  20. Chapter 14. Implementation phase II
    1. 14.1 Audit reporting
      1. 14.1.1 Using supplied reports
      2. 14.1.2 Sensitive data set analysis
      3. 14.1.3 XML format audit reporting using CARLa
    2. 14.2 Ongoing monitoring
      1. 14.2.1 Using the change tracking feature
      2. 14.2.2 Delta reporting: Comparing profiles and databases
      3. 14.2.3 SYSLOG trapping in zSecure Alert
      4. 14.2.4 Sending SNMP data
      5. 14.2.5 Monitoring specific resources
      6. 14.2.6 Monitoring for critical system events
      7. 14.2.7 Monitoring RACF OPERATIONS attribute use
    3. 14.3 Conclusion
  21. Chapter 15. Implementation phase III
    1. 15.1 Delegated RACF administration
      1. 15.1.1 Implementing zSecure Admin scoping
    2. 15.2 Ensuring system integrity
      1. 15.2.1 Enforcing standards
      2. 15.2.2 Preventing unwanted SETROPTS changes
      3. 15.2.3 No profiles in WARNING mode
      4. 15.2.4 No high UACC
      5. 15.2.5 Preventing or allowing elevation of authority
      6. 15.2.6 Lockdown profiles for segregation of responsibilities
      7. 15.2.7 Additional controls required for group special users
      8. 15.2.8 Assigning mandatory values
    3. 15.3 Processes for managing authorization
      1. 15.3.1 Timed (queued) commands
      2. 15.3.2 Temporary (queued) commands
      3. 15.3.3 Workflow for RACF commands
      4. 15.3.4 Access re-validation reporting
    4. 15.4 Reporting processes
      1. 15.4.1 Advanced use of CARLa for email bundle reporting
    5. 15.5 Joiners, leavers, and movers processing
      1. 15.5.1 Flagging users for revocation, revoking them, and changing ownership of those users
      2. 15.5.2 Reporting on deleted user IDs
      3. 15.5.3 Leavers processing
      4. 15.5.4 Joiners processing
      5. 15.5.5 Movers processing
    6. 15.6 Segregation of duties
      1. 15.6.1 Separating administrators by specialized function
      2. 15.6.2 Conflict detection in permits/roles
      3. 15.6.3 Mutually exclusive access reporting
    7. 15.7 Conclusion
  22. Part 3 Appendixes
  23. Appendix A. Troubleshooting
    1. Installation challenges
    2. How to get help from zSecure Support
    3. Conclusion
  24. Appendix B. An introduction to CARLa
    1. About CARLa
    2. Data sources
    3. Writing a CARLa program
    4. Basic CARLa to get you started
    5. Where to store your CARLa programs for reuse
    6. Useful primary commands
    7. Additional examples of CARLa
    8. Conclusion
  25. Appendix C. User roles for IBM Security zSecure Visual
    1. RACF commands to generate zSecure Visual user roles
  26. Appendix D. A look at the Consul to IBM Tivoli transformation
    1. Information for users migrating from previous releases
    2. Consul and zSecure history
    3. A personal note from Jamie Pease
    4. A personal note from Mike Cairns
  27. Related publications
    1. IBM Redbooks
    2. Other publications
    3. How to get Redbooks
    4. Help from IBM
  28. Back cover