zsecure New features and functions

Transcription

1 zsecure New features and functions Rob van Hoboken zsecure architect IBM Corporation

2 Disclaimer 2 IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

3 zsecure Products New releases for z/os products 5655-N25 IBM Security zsecure Compliance and Administration N23 IBM Security zsecure Administration N16 IBM Security zsecure Admin N20 IBM Security zsecure Visual N24 IBM Security zsecure Compliance and Auditing N17 IBM Security zsecure Audit N21 IBM Security zsecure Alert N19 IBM Security zsecure Command Verifier N18 IBM Security zsecure CICS Toolkit AD8 IBM Security zsecure Adapters for QRadar SIEM z/vm offering 5655-T13 IBM Security zsecure Manager for RACF z/vm 3

4 zsecure Products zsecure level >= z/os level zsecure 2.1 and zsecure 1.13 and Support z/os 1.10, 1.11, 1.12 and 1.13 zsecure Support z/os 1.12, 1.13 and 2.1 End of support September 30, 2015

5 Agenda zsecure Alert zsecure Audit 5 Compliance framework New data for automating controls Intelligent fields for SMF records DB2 zsecure Admin Customizable alerts Digital Certificate support Access Monitor QRadar

6 zsecure Alert Customizable alerts specify critical resource users that are allowed to access them Application specific alerts 6

7 New Customization options SE.A.P and SE.A.S New options P and S on SE.A After selecting PCI/Sensitive select which data set All Alert configuration members are from same library Use C2PCUST if you want alerts for separate set of resources or users, for example also alerts for Compliant and/or Authorized users 7

8 Customization members PCI-DSS related alerts (SE.A.P): Members CLASSIFY, PCIPAN, PCIPANCL, PCIAUTH Used for alerts: 1209, 1210, 1211 Sensitive resource related alerts (SE.A.S): Members SENSRSRC, SENSMEMB, SENSREAD, SENSUPDT, SENSAPFU Used for alerts: {1212,1213}, 1214, 1212, 1213, and

9 Customization members (Classify/SensRsrc) Use SIMULATE CLASS with PCI-AUTH, PCI-PAN, PCI-PAN-clr! 9 Or with Site-Dsn-R, Site-Dsn-U PCI/Site sensitivity only used when resource does not yet have sensitivity. Cannot override existing sensitivity, e.g. RACF back STC proclib Success auditing must be active for the resource!

10 Customization members (Authorized Users/Groups) 10 List of users and groups that can access certain resources without alert Separate members SENSREAD SENSUPDT, SENSAPFU

11 zsecure Audit Compliance Framework New data sources DB2 Integration to Guardium 11

12 Older zsecure versions drawbacks with compliance testing Builtin standards (C1 / C2 / B1) were inflexible Need to adapt more quickly to external standard updates Audit concern principle misses the positive confirmation that it is OK Audit concerns not customizable (exceptions / mitigating controls) Customers created ad-hoc reporting, partly 2-pass queries Need something less ad-hoc and easier to customize Need something that works almost out of the box Need to combine information from many report types Need to customize / define who is considered authorized Scope of external standards is increasing Need to collect more settings from more subsystems. 12

13 More flexibility please! The zsecure Compliance Testing Framework Support newer external standards DISA STIG for z/os RACF DISA STIG for z/os ACF2 PCI DSS IBM outsourcing GSD331/iSec Eliminate need for 2-pass queries * STIG: Security Technical Implementation Guide; Guidelines from US Defense Information Systems Agency (DISA) ** GSD331: IBM's primary information security controls documentation for Strategic Outsourcing customers * PCI DSS: Payment Card Industry Data Security Standard for retail payments Show positive compliance, not just non-compliance Summaries showing progress in compliance efforts Support in-standard customization Members with authorized (compliant) IDs (using STIG naming) Allow rule override (suppression) with reason visible in reporting Allow creation and seamless integration of site standards Extend data collection CICS, IMS, DB2, MQ, IP, FTP, TELNET, some UNIX 13

14 Compliance reporting Simple user interface Available in menu option AU.R - run all available STIG rules/tests - run all available GSD331 rules/tests - run all available PCI-DSS rules/tests - run individual rule Choose results to include in report (none=all) 14

15 Compliance reporting Sample output RACF Priority Work! RULE_SET names and percentage compliant state 15

16 Compliance reporting Sample output ACF2 Percentage compliant 16

17 Compliance reporting Zoom in to test level Test names contain clear test numbers 17

18 Compliance reporting Zoom in to detail level 18

19 Compliance reporting detail level Scroll down to see 19

20 PCI-DSS rule set example 20

21 Populate PCI-DSS definitions Data set with members to populate New members for PCI-DSS: 21 CLASSIFY Sensitive data sets PCIAUTH Users authorized for Authentication data PCIPAN Users authorized for Primary Account Numbers PCIPANCL Users authorized for Cleartext Primary Account Numbers

22 Build your own STANDARD simplest structure STANDARD mystandard VER(version) DOMAIN mydomain SELECT(type) RULE myrule DOMAIN(mydomain) TEST mytest type(field=value) ENDRULE ENDSTANDARD 22

23 Sample RACF STIG multi-test rule member For instance member CKAGR244 for rule RACF0244: DOMAIN FACILITY_class, SELECT(class(class=FACILITY)) RULE RACF0244 domain(facility_class), DESC("FACILITY resource class is inactive") TEST facility_active class(active=yes), DESCRIPTION("FACILTY class is active") TEST facility_generic class(generic=yes), DESCRIPTION("Generic is active") TEST facility_gencmd class(gencmd=yes), DESCRIPTION("GENCMD is enabled for FACILITY class") TEST facility_racl class(raclist=yes), DESCRIPTION("FACILITY class is RACLISTed") ENDRULE 23

24 Simple example - ACF2 STIG rule ACF0760 Member C2AGA760 for rule ACF0760 DOMAIN LID_SECURITY, SELECT(ACF2_LID(Security=yes)) RULE ACF0760 DOMAIN(LID_SECURITY), DESC( All LOGONIDs with the SECURITY attribute have the RULEVLD and RSRCVLD attributes specified") TEST Rulevld_Specified ACF2_LID(Rulevld=yes), DESC("All logonids with Security attribute have RULEVLD specified") TEST Rsrcvld_Specified ACF2_LID(Rsrcvld=yes), DESC("All logonids with Security attribute have RSRCVLD specified") ENDRULE 24

25 New Data for Automating controls Needed to test for rules or rule applicability 25

26 RE new options N and Q (Network / Message Queue) 26

27 New RE.N option VTAM Application nodes - selection No authentication 27

28 New RE.N option for VTAM Major APPL nodes 28

29 New RE.N option for VTAM Minor APPL nodes Partner verification 29

30 RE.N - TYPE=VTAMAPPL Access list display 30 Detail display (Access Lists) ACF2_ACL and ACF2_RULE_ENTRY also supported/shown

31 New MQ_* newlist types with in total > 200 fields 31 MQ_REGION MQ_CHANNEL MQ_CONNECT MQ_INIT MQ_NAMELIST MQ_PROCESS MQ_QUEUE MQ_TOPIC 62 fields 21 fields 22 fields 12 fields 23 fields 24 fields 31 fields 24 fields

32 RE.Q.R - MQ region overview display 32

33 RE.Q.R - MQ Region details Empty for non-qsg region Startup Parameter module Use MQ/MX classes: Uppercase profiles 33

34 New TYPE=AS Show Address Space attributes Not yet in standard UI, only used in compliance controls Recognize subsystems needed for controls 34

35 New TYPE=AS_DD Show Address Space DDnames Not yet in standard UI, only used in compliance controls. Find parameter file 35

36 New TYPE=UNIX_PS UNIX Process Status UNIX process program names and program arguments Not yet in standard UI, only used in compliance controls 36

37 TYPE=SENSDSN new fields easing security analysis Sensitive data set ACL, RACF profiles and ACF2 rule entries RACF_CLASS, RACF_PROFILE, RACF_UACC, RACF_IDSTAR_ACCESS, RACF_WARN_ONLY, RACF_AUDITF, RACF_AUDITS SAF_VOLSER 37 VOLSER filled for VSAM with data component volume Not yet in standard UI, only used in compliance controls

38 TYPE=RESOURCE sensitivity knowledge base New repeat group added to show risks per access level PRIV_PRIO, PRIV_SENSTYPE, PRIV_CONCERN, PRIV_CONDITION, PRIV_ACCESS Not yet in standard UI, only used in compliance controls Extra values for general resource sensitivity (previously resource ) Enables easy selectivity from compliance controls Currently around 150 values (11 characters) ActParmTSO, AddSiteCert, AddSiteCrt2, AddUserCert, AddUserCrt2, AllowAll, AltSiteCert, AltSiteCrt2, AltUserCert, AltUserCrt2, AnyDirUpd, AnyFileRead, AnyFileUpd, AnyTapeRdWr... CSVDYNL, DaemonACEE, DaemonSuid, Dflt ID map, DittoFullpk, DmsFiles, DssCopyAny, DssDumpAny... TestAuthTSO, ThreadACEE, TrustedDisk, TrustedFile, TrustedHome, UnscopedSec, UNIXdebugAP 38

39 AU.S RACF RESOURCE SENSITIVE TRUST 39

40 TYPE=SMF enhancements New fields SENSTYPE Sensitivity of data set USER_GROUP connects of the USER field in current security DB PRIV_USER_GROUP subset of USER_GROUP PRIVILEGES character summary of userid privileges 40 defined by SIMULATE PRIV_USER_GROUP important to installation RACF: special operations auditor grpspec grpoper grpaudit superuser ACF2: Acc (ACCOUNT) "Mnt MAINT "ncn" (NONCNCL) "Sec SECURITY STC (STC) RECORD_DECOMPRESSED Compressed CICS records are now processed New field enables error diagnosis by inspecting decompressed image Processing of compressed CICS records is transparent

41 DB2 reporting Automated collection of security parameters from running DB2 zsecure : Minimal region and classes support zsecure : Regions, Tables, Packages and Plans Limited ACL support (ACL NORMAL) zsecure 2.1.0: Databases, Tablespaces, Stored procedures, User functions, JARs, Storage groups, Sequences Full ACL support (ACL EXPLODE / RESOLVE / EFFECTIVE) zsecure 2.1.1: Buffer pools, Collections, Variables, Schemas, User data types 41

42 DB2_ACL internal authority display formats Can be set using ACL primary command Or using format specification in CARLa ACL ORIGIN NOORIGIN toggles individual GRANT lines versus one line per grantee where date and grantor show most recent change. Only applies to NORMAL mode of DB2_ACL Has no effect on other ACLs 42

43 DB2 Reporting RACF_DB2_ACL Shows access in RACF, in combination with DB2 internal security Exit uses SAF resources: Object-Specific resources (allow / deny / undecided) Database-Specific resources (ACL RESOLVE or EFFECTIVE) - allow Region-Specific resources (ACL RESOLVE or EFFECTIVE) - allow If no access and no Object-Specific profile, fallback to DB2 internal security (ACL EFFECTIVE) RACF_DB2_ACL also incorporates Different rules for user-tables versus non-user-tables Effect of SEPARATE_SECURITY Owning authid for DB2 objects (for certain object types) RACF profile OWNER CLAUTH in resource class 43

44 DB2 Reporting RACF_DB2_ACL Multiple formats supported. Can be set using ACL command NORMAL EXPLODE RESOLVE EFFECTIVE TRUST Standard format. Groups are exploded into connected user Ids. Default activation of SCOPE. Show one merged line per RACF user ID. Include effect of warning mode, UACC, ID(*). Include database and system authorizations. Include information about fallback to DB2 Internal security. Include DB2 Owner of object of applicable. Include information about administrative scope (separate output line). Also options to include All users in UNIVERSAL groups. Object within admin SCOPE over any contributing profile. 44

45 DB2 resources and DB2 ACL example 45

46 Guardium Vulnerability Assessment integration zsecure Audit job loads DB2 with CKADBVA tables Date and time of zsecure extract for each DB2 region User, Group and Connect information Pass RACF_DB2_ACL for all supported object types, in 2 forms: ACL NORMAL ACL EFFECTIVE (access control matrix) Guardium VA inside Guardium appliance picks up tables if new information applies policy creates exception and entitlement reports 46

47 47

48 zsecure Admin Digital Certificate management Access Monitor 48

49 Digital certificate management zsecure support New Digital Certificate interface Using standard zsecure interface: select-display-action Selection panel with main options Also options to directly create new objects Action via line commands and overtyping Options for follow-on commands (workflow) Most parameters verified before execution Last specified parameters are retained for easy correction Use of templates to specify values (site / user) Allow forcing value or just default Commands can be routed using zsecure server Contrary to RRSF 49

50 Digital certificate management the RA.5 menu New main certificate menu RA.5 Work with items use selection interface for existing profiles Other items allow adding/importing/creating new objects 50

51 New template setup menu SE.9 Use F column to force the value entered 51

52 Digital certificate management Line commands Issue / line command to get popup with list 52

53 Access Monitor enhancements RACINIT reporting support New intercept routine (ICHRIX02), installed automatically. New fields in newlist type=access New newlist type=racf_access_id Counts are based on RACINIT events Dates are based on any recorded event STATUS=ACCESS request bit added (explains ALTER access) New field SIM_VIA_GROUPS List of all connect groups that would allow access New SIMULATE SETROPTS CLASSACT GENERIC GENCMD RACLIST 53

54 New options on AM AM.V for reporting about recorded events AM.I for reporting usage of IDs in RACF database 54

55 AM.V selection on new flags 55

56 Access Monitor SIM_VIA and SIM_VIA_GROUPS 56

57 IBM Security zsecure helps address mainframe security challenges Vulnerability analysis for the mainframe infrastructure. Automatically analyze and report on security events & detect security exposures Combined audit and administration for RACF in the VM environment including auditing Linux on System z Collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM Enables more efficient and effective RACF administration, using significantly fewer resources Real-time mainframe threat monitoring permits you to monitor intruders and identify misconfigurations that could hamper your compliance efforts Helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows based GUI for RACF administration Policy enforcement solution that helps enforce compliance to company and regulatory policies by preventing erroneous commands Provides access RACF command & APIs from a CICS environment, allowing additional administrative flexibility * Supports RACF, CA ACF2 and CA Top Secret ** Supports RACFand CA ACF2 ACF2 and Top Secret are either registered trademarks or trademarks of CA, Inc. or one of its subsidiaries. 57

58 Security Monitoring - zsecure integration with QRadar SIEM Event sources from System z... z/os 58 RACF CA ACF2 CA Top Secret CICS DB2

59 Use QRadar to monitor security events from System z zsecure integration with QRadar can be used to monitor user behaviour - verify if users are complying with policy and standards 59 Event data collected by zsecure Audit

60 Using QRadar to monitor those privileged users on your mainframe Highly sensitive resource keys to the kingdom! 60 Could be used to circumvent system security

61 QRadar Drilling into events collected from the mainframe Drill down 61

62 Security is a process Monitor, analyze audit records and create compliance reports Collect information, assess, and establish security policy Security Security Intelligence Intelligence Automatically and continuously enforce security policy Automate corrective actions by updating access controls IBM Security zsecure Compliance and Admin 62

63 Security is a process, zsecure is the toolbox zsecure Audit: compliance reports zsecure Audit: automated vulnerability finder QRadar SIEM Security Security Intelligence Intelligence zsecure Audit reports zsecure Alert zsecure Admin: Access Monitor RACF Offline zsecure Command Verifier IBM Security zsecure Compliance and Admin 63

64 zsecure Products New releases for z/os products 5655-N16 IBM Security zsecure Admin N20 IBM Security zsecure Visual N17 IBM Security zsecure Audit N21 IBM Security zsecure Alert N19 IBM Security zsecure Command Verifier N18 IBM Security zsecure CICS Toolkit AD8 IBM Security zsecure Adapters for QRadar SIEM z/vm offering 5655-T13 IBM Security zsecure Manager for RACF z/vm zsecure solution sets 5655-N25 IBM Security zsecure Compliance and Administration N24 IBM Security zsecure Compliance and Auditing N23 IBM Security zsecure Administration

65 IBM Security zsecure Suite knowledge center 65

66 Questions 66 66

67 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. ibm.com/security 67 Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.