book

IBM z/OS Mainframe Security and Audit Management Using the IBM Security zSecure Suite

by Axel Buecker, Michael Cairns, Monique Conway, Mark S. Hahn, Deborah McLemore, Jamie Pease, Lili Xie

August 2011

Intermediate to advanced

494 pages

10h 25m

English

IBM Redbooks

Read now

Unlock full access

Front cover
Notices
Trademarks
Preface
The team who wrote this bookNow you can become a published author, too!Comments welcomeStay connected to IBM Redbooks
Summary of changes
August 2011, Second Edition
Part 1 Architecture and design
Chapter 1. Business context
1.1 Todayâ€™s challenges1.2 Risk management, IT governance, and compliance1.2.1 Risk management1.2.2 IT governance1.2.3 Regulatory compliance1.3 Business enablement1.3.1 IT Service Management and IT Infrastructure Library1.3.2 System z and IBM Security1.4 Conclusion
Chapter 2. IBM Security zSecure component structure
2.1 zSecure at a glance2.1.1 Operating systems supported2.1.2 Security systems supported2.2 zSecure Admin2.3 zSecure Visual2.4 zSecure CICS Toolkit2.4.1 Command interface2.4.2 Application programming interface2.5 zSecure Audit2.6 zSecure Alert2.7 zSecure Command Verifier2.8 zSecure Manager for RACF z/VM2.9 IBM Security zSecure Compliance Insight Manager Enabler for z/OS2.10 Conclusion
Chapter 3. IBM Security zSecure Admin
3.1 An easy to use RACF administration interface3.1.1 Initial setup3.1.2 An easy to use display of RACF profiles3.1.3 Adding a new general resource profile3.2 Automating and simplifying routine administration tasks3.2.1 Mass changes to RACF and block command support3.2.2 RACF Offline3.2.3 Timed actions3.2.4 Single action to perform an access check3.2.5 Complete access report3.2.6 Automated verification and cleanup3.2.7 Access Monitor for additional cleanup3.2.8 Automated reporting using CARLa3.2.9 Recovering from administrator errors3.3 Delegating RACF administration tasks3.4 Preventing and identifying problems to minimize threats3.4.1 Using reports provided by zSecure Admin3.4.2 Customizing your own report display3.4.3 Integration with zSecure Audit3.5 Other enhancements for RACF administration3.5.1 Storing user data and installation data in RACF3.5.2 Access list display modes3.5.3 RACF database merge processing3.6 Conclusion
Chapter 4. IBM Security zSecure Alert
4.1 Product positioning and features4.2 zSecure Alert architecture and processing4.2.1 zSecure Alert data flow4.2.2 zSecure Alert components4.2.3 Address space and data collection mechanism4.3 Implementation suggestions4.3.1 Initial setup4.3.2 Selecting alerts ready for use4.3.3 Sending alerts to their destination4.3.4 Adding your own alerts4.4 Integration guidelines4.5 Conclusion
Chapter 5. IBM Security zSecure Audit
5.1 zSecure Audit architecture5.2 Initial setup of zSecure Audit5.2.1 Input data used by zSecure Audit5.2.2 Security controls for zSecure Audit5.3 System environment reporting5.3.1 Audit priorities and policies5.3.2 Trust, profile audit concerns, and sensitive data trustees5.3.3 Automated vulnerability analysis5.3.4 Data sets used by System Status5.4 Database verification and cleanup5.4.1 Requirements for using verify reports5.5 Event reporting5.5.1 HTTP reporting5.5.2 Requirements for using event and HTTP reports5.6 Change tracking5.6.1 Data sets used by change tracking5.6.2 Security controls for change tracking use5.7 Library and sequential data set audit5.7.1 Data sets used by data set audit5.7.2 Security controls for using library analysis5.8 Conclusion

Chapter 6. IBM Security zSecure Visual
6.1 zSecure Visual architecture and implementation6.2 Usage scenarios6.2.1 zSecure Visual default roles6.2.2 RACF setup to support zSecure Visual6.2.3 CKGRACF ID level scoping6.2.4 CKGRACF USER and GROUP level scoping6.2.5 Using RACF group special6.2.6 Access level on scoping profiles6.3 RACF scoping rules and examples6.3.1 Local password administrator6.3.2 Branch wide group connections administrator6.3.3 Staff wide user administrator6.3.4 Applications data administrator6.3.5 Resource access list administrator6.3.6 Multiple system support6.4 Conclusion
Chapter 7. IBM Security zSecure Command Verifier
7.1 zSecure Command Verifier architecture7.2 Controlling RACF commands7.2.1 Example policy profiles to control RACF changes7.3 Replacing user exits7.3.1 Profile locking7.3.2 Temporary system special7.4 Command audit trail feature7.4.1 Activating command audit trail for profiles7.4.2 Auditing changes failed by zSecure Command Verifier7.4.3 Reviewing profile changes7.4.4 Maintaining the command audit trail information7.5 Alerting and action capabilities7.6 Conclusion
Chapter 8. IBM z/OS compliance enablers
8.1 What enablers are8.2 Currently available Enablers for z/OS8.3 Why you would want to use Enablers for z/OS8.4 How Enablers for z/OS work8.4.1 Enabler8.4.2 Agent8.4.3 Actuator8.4.4 The data8.4.5 The process8.4.6 At a glance8.5 Sample screen captures of Enablers for z/OS in action8.6 Conclusion
Chapter 9. IBM Security zSecure CICS Toolkit
9.1 zSecure CICS Toolkit architecture9.1.1 Command interface architecture9.1.2 Application programming interface architecture9.2 Command interface usage9.2.1 Customized panels9.3 Application programming interface usage9.3.1 Using the API for resource authorization checking9.3.2 Using the API for RACF administration9.4 Conclusion
Chapter 10. Planning for deployment
10.1 Services engagement preparation10.1.1 Implementation skills10.1.2 Available resources10.2 Solution descriptions10.2.1 Audit and compliance solution10.2.2 Administration solution10.2.3 Monitoring solution10.2.4 Reporting solution10.3 Services engagement overview10.3.1 Executive assessment10.3.2 Demonstrating the system setup10.3.3 Analyzing solution tasks10.3.4 Creating a contract10.3.5 Defining solution tasks10.3.6 Deployment tasks10.4 Conclusion
Part 2 Customer scenario
Chapter 11. Delft Transport Authority
11.1 Delft Transport company profile11.2 Delft Transport IT security architecture11.3 Corporate business vision and objectives11.4 Acquisition project11.5 Conclusion
Chapter 12. Project requirements and design
12.1 Business requirements12.2 Functional requirements12.3 Design approach12.4 Implementation approach12.5 Conclusion
Chapter 13. Implementation phase I
13.1 Post systems programmer installation setup13.2 CKFREEZE, Signature, and UNLOAD generation data groups13.3 RACF security for IBM zSecure13.3.1 Program Access to Datasets13.3.2 Conclusion for RACF security13.4 Running initial analysis reports13.4.1 Status audit reports13.4.2 Reviewing the current RACF group tree13.5 Implementing initial improvements in system security posture13.5.1 Implementing SETROPTS improvements13.5.2 Cleaning up badly defined data set profiles13.5.3 Implementing an improved RACF group tree structure13.5.4 Planning for PROTECTALL implementation13.6 Post implementation verification reports13.6.1 Reducing trust levels13.6.2 RACF group structure13.7 Conclusion
Chapter 14. Implementation phase II
14.1 Audit reporting14.1.1 Using supplied reports14.1.2 Sensitive data set analysis14.1.3 XML format audit reporting using CARLa14.2 Ongoing monitoring14.2.1 Using the change tracking feature14.2.2 Delta reporting: Comparing profiles and databases14.2.3 SYSLOG trapping in zSecure Alert14.2.4 Sending SNMP data14.2.5 Monitoring specific resources14.2.6 Monitoring for critical system events14.2.7 Monitoring RACF OPERATIONS attribute use14.3 Conclusion
Chapter 15. Implementation phase III
15.1 Delegated RACF administration15.1.1 Implementing zSecure Admin scoping15.2 Ensuring system integrity15.2.1 Enforcing standards15.2.2 Preventing unwanted SETROPTS changes15.2.3 No profiles in WARNING mode15.2.4 No high UACC15.2.5 Preventing or allowing elevation of authority15.2.6 Lockdown profiles for segregation of responsibilities15.2.7 Additional controls required for group special users15.2.8 Assigning mandatory values15.3 Processes for managing authorization15.3.1 Timed (queued) commands15.3.2 Temporary (queued) commands15.3.3 Workflow for RACF commands15.3.4 Access re-validation reporting15.4 Reporting processes15.4.1 Advanced use of CARLa for email bundle reporting15.5 Joiners, leavers, and movers processing15.5.1 Flagging users for revocation, revoking them, and changing ownership of those users15.5.2 Reporting on deleted user IDs15.5.3 Leavers processing15.5.4 Joiners processing15.5.5 Movers processing15.6 Segregation of duties15.6.1 Separating administrators by specialized function15.6.2 Conflict detection in permits/roles15.6.3 Mutually exclusive access reporting15.7 Conclusion
Part 3 Appendixes
Appendix A. Troubleshooting
Installation challengesHow to get help from zSecure SupportConclusion
Appendix B. An introduction to CARLa
About CARLaData sourcesWriting a CARLa programBasic CARLa to get you startedWhere to store your CARLa programs for reuseUseful primary commandsAdditional examples of CARLaConclusion
Appendix C. User roles for IBM Security zSecure Visual
RACF commands to generate zSecure Visual user roles
Appendix D. A look at the Consul to IBM Tivoli transformation
Information for users migrating from previous releasesConsul and zSecure historyA personal note from Jamie PeaseA personal note from Mike Cairns
Related publications
IBM RedbooksOther publicationsHow to get RedbooksHelp from IBM
Back cover

Content preview from IBM z/OS Mainframe Security and Audit Management Using the IBM Security zSecure Suite

Project requirements and design

In this chapter, we give an overview of the RACF Security Improvement Project in place at TRA as a result of their acquisition by Delft Transport.

The project is divided into three phases, each concerned with specific areas of functional improvement in security and audit management to make the TRA systems comply with Delft Transport security policy.

This chapter covers the following topics:

•Business requirements

•Functional requirements

•Design approach

•Implementation approach

•Conclusion

12.1 Business requirements ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

ABCs of IBM z/OS System Programming Volume 2

Publisher Resources

ISBN: 0738435880Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

IBM z/OS Mainframe Security and Audit Management Using the IBM Security zSecure Suite

by Axel Buecker, Michael Cairns, Monique Conway, Mark S. Hahn, Deborah McLemore, Jamie Pease, Lili Xie

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.