Configuring zsecure To Send Data to QRadar CONFIGURATION, SETUP, AND EXAMPLES Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA toll-free: 866-803-2145 USA toll: 210-795-1099 Participant passcode: 3933241 NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.
About the panelists Alan Brown, zsecure Level 2 Support Jared Franze, zsecure Level 2 Support Jeroen Tiggelman, zsecure Level 3 Manager Hans Schoone, zsecure Chief Architect Guus Bonnes, zsecure Architect and Designer Jonathan Pechta, IBM Security QRadar - Support Technical Writer 2 IBM Security
A comprehensive suite of products zsecure Audit Vulnerability analysis for the mainframe infrastructure; automatically analyze and report on security events and monitor compliance zsecure Adapters for QRadar Collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM zsecure Alert Real-time mainframe threat monitoring of intruders and alerting to identify misconfigurations that could hamper compliance zsecure Command Verifier Policy enforcement solution that helps enforce compliance to company and regulatory policies by preventing erroneous commands zsecure Manager for RACF z/vm Combined audit and administration for RACF in the VM environment including auditing Linux on System z zsecure Admin Enables more efficient and effective RACF administration, identity governance, tracking and statistics using significantly fewer resources zsecure Visual Helps reduce the need for scarce, RACF-trained expertise through a Microsoft Windows based GUI for RACF administration zsecure CICS Toolkit Provides access RACF command and APIs from a CICS environment, allowing additional administrative flexibility 3 IBM Security
A comprehensive suite of products zsecure Audit Vulnerability analysis for the mainframe infrastructure; automatically analyze and report on security events and monitor compliance zsecure Adapters for QRadar Collects, formats and sends enriched mainframe System Management Facility (SMF) audit records to IBM Security QRadar SIEM 4 IBM Security
About the presentation Focus of this presentation is on setting up zsecure to send data to QRadar Security Information and Event Management (SIEM) We will only be looking at sending SMF data as enhanced by zsecure Using zsecure Alert to send data to QRadar SIEM is planned for a later presentation We will be utilizing screenshots and documentation from zsecure 2.2.0 5 IBM Security
Functional Overview A z/os image can contain many log sources: o z/os o RACF/ACF2/TSS o DB2 o CICS To integrate these sources with QRadar, a procedure must be in place to enrich standard SMF data into something QRadar can understand Log Event Enhanced Format (LEEF). These files are created and stored as z/os Unix files, and regularly fetched by QRadar SIEM for processing. 6 IBM Security
Methods Integrated functionality with zsecure Audit Standalone zsecure Adapters for QRadar SIEM product o The Adapters product uses fewer NEWLIST types, lookups, and members. It instead relies on a number of newly introduced fields in order to maintain functionally equivalent to the product built into zsecure Audit. Near Real-time integration with zsecure Alert (to be discussed at a later date) o This method transfers Alerts via UNIX Syslog 7 IBM Security
Key Benefits Integrating with QRadar replaces manual security event analysis with an automated and trusted process for detection of security exposures. Collecting event data from multiple z/os sources creates a comprehensive view of your system. Enriching data with audit and user information results in strong, and complete reports. The ability to use the data analytics and dashboard reporting built into QRadar. 8 IBM Security
Preparation Taken from Security zsecure CARLa-Driven Components Version 2.2.0 Installation and Deployment Guide, Chapter 15 Complete installation/configuration of zsecure even if only using the Adapters Ensure the following prerequisites are performed o The SCKRLOAD library must be APF-authorized o You must setup a process to periodically refresh your CKFREEZE and UNLOAD (N/A to Top Secret) datasets o If only licensed for the Adapters, you must use the live security database instead of an unload file o We provide a sample job (C2RJPREP) to assist you in setting up the creation of your CKFREEZE and the security database UNLOAD files. o You must have an FTP or SFTP server on your z/os image in order for QRadar to be able to download the LEEF files that are created o Your zsecure configuration must be updated to contain the specific parameters required for QRadar SIEM (specifics will be described later) 9 IBM Security
SMF Records SMF processing must be turned on and the appropriate records for your shop must be created and saved o The exact SMF records required must be determined by your security staff o A list of standard records is on page 152 of the installation Guide Making the SMF records available to QRadar o Determine whether you are using SMF data from a dataset or a logstream When using an SMF logstream, ensure that your data collection for QRadar runs on a frequency to ensure that the SMF data retention period does not expire before data is collected For dataset processing, the SMF data must be prepared using your SMF offload process (e.g., IFASMFDP or a third-party utility that performs the same function) o When using SMF data from multiple z/os images The SMF data must be broken out by z/os image (examples to follow) The CKFREEZE and UNLOAD (not applicable to Top Secret or an Adapter-only license) from the SMF source images must be available 10 IBM Security
Using combined SMF data from multiple z/os images Specify an EXCLUDE statement in member CKQXES or C2EQXES in your zsecure configuration dataset o Each collection process will require its own member in its zsecure configuration dataset. o The combined SMF dataset is read multiple times when using this method Run a special CARLa job or job step that will read the combined SMF data and output separate datasets for each of the z/os images o The combined SMF dataset is read only once o Sample CARLa code snippet for one system is below alloc type=smf DD=C1SMF0 <== combined SMF input dataset newlist type=smf name=smfsel select system(ipo1) type=(0:69,80:120,230) <== SMF records to extract unload dd=smfunld <== SMF file for system IPO1 (allocated in JCL) 11 IBM Security
Setup of the collection process HEADER CONTENT 1 HEADER CONTENT 2 Two sets of members are provided o The C2E prefixed members are only for zsecure Audit o The CKQ prefixed members are for zsecure Audit and zsecure Adapters for QRadar SIEM o New installations should use CKQ prefixed members and are what we use in this presentation Decide how the collection process should be run o Batch using a job scheduling system o Started task Customize the JCL and point to the zsecure configuration member (default is C2R$PARM) o Store configuration member where it can be accessed For a started task, this is the JES procedure library For batch, use the JCLLIB statement o Customize C2EQCUST/CKQCUST and C2EQPATH/CKQPATH 12 IBM Security
Setup of the collection process - continued HEADER CONTENT 1 HEADER CONTENT 2 Assigning a user ID for the collection process and creating a z/os Unix directory for the LEEF data o Use supplied jobs as described on page 155 for your specific security subsystem C2EQAUSA/CKQAUSA for ACF2 C2EQAUSR/CKQAUSR for RACF C2EQAUST/CKQAUST for Top Secret o We will use CKQAUSR for our RACF system Preparing the LEEF directory Customize the configuration members Start the job or started task 13 IBM Security
WALKTHROUGH Configuration examples
Customize CKQCLEEF Proc HEADER CONTENT 1 HEADER CONTENT 2 Source: Title, Published date, author, company 15 IBM Security
zsecure Configuration Member 16 IBM Security
Assigning a userid and preparing a directory to store the LEEF data 17 IBM Security
Assigning a userid and preparing a directory to store the LEEF data 18 IBM Security
Assigning a userid and preparing a directory to store the LEEF data 19 IBM Security
Assigning a userid and preparing a directory to store the LEEF data 20 IBM Security
Configuring environment - CKQSPEC 21 IBM Security
LEEF Files and maxdate file 22 IBM Security
Resources HEADER CONTENT 1 HEADER CONTENT 2 Documentation on IBM Knowledge Center http://www.ibm.com/support/knowledgecenter/ss2rws_2.2.0/kc_gen/toc_kc_master220-gen1.html zsecure Forum on developerworks https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000- 000000001255 zsecure Wiki on developerworks https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/wa6857722838e_491e_ 9968_c8157c8cf491 zsecure Q&A on dw Answers https://developer.ibm.com/answers/topics/zsecure/ and https://developer.ibm.com/answers/search.html?f=&type=question&redirect=search%2fsearch&sort=r elevance&q=zsecure Technotes - QRadar Processing large amounts of SMF data http://www.ibm.com/support/docview.wss?uid=swg21688548 Loading CARLa EXCLUDES for zsecure QRadar http://www.ibm.com/support/docview.wss?uid=swg21967519 User group 23 IBM Security
Questions HEADER CONTENT 1 HEADER CONTENT 2? 24 IBM Security
Appendix Complete job log for splitting an SMF file by system name (1 of 4) //SMFEXT JOB (),'Alan Brown', MSGCLASS=X,MSGLEVEL=(1,1), // NOTIFY=&SYSUID //CKRCARLA EXEC PGM=CKRCARLA,REGION=64M,PARM='I DD=CKRSPROF' //********************************************************************* //* Change ZSEC220 to the location your zsecure installation * //********************************************************************* //STEPLIB DD DISP=SHR,DSN=ZSEC220.SCKRLOAD //CKRCARLA DD DISP=SHR,DSN=ZSEC220.SCKRCARL //********************************************************************* //SYSPRINT DD SYSOUT=* //CKREPORT DD SYSOUT=* //CKRCMD DD SYSOUT=* //CKR2PASS DD SYSOUT 25 IBM Security
Appendix Complete job log for splitting an SMF file by system name (2 of 4) //****************************************************************** //* Replace the following DSN with the DSN of your SMF unload file * //****************************************************************** //C1SMF0 DD DSN=CRMA.X.TVT8010.SMF.DAY, DISP=SHR //****************************************************************** //* //************************************************************** //* Replace the DSN with the name of your new system-specific * //* and SMF-filtered SMF unload file. * //* Replace space parameter as needed to accommodate the size * //* of your output SMF unload file. * //* If you reuse this file, change DISP to OLD after first run * //************************************************************** //SMFUNLD DD DISP=(NEW,CATLG), DSN=CRMBAB1.P01395.IPO1.SMF, // SPACE=(27998,(300,300),RLSE,,ROUND), // DCB=(LRECL=32760,BLKSIZE=27998,RECFM=VBS) //************************************************************** //* 26 IBM Security
Appendix Complete job log for splitting an SMF file by system name (3 of 4) //* //************************************ //* Standard CARLa environment setup * //************************************ //CKRCMD01 DD SYSOUT=* //* Standard profile for zsecure Suite run //CKRSPROF DD DATA,DLM='\/' PRINT DD=CKREPORT SUP CONNECTOWNER; IMBED MEMBER=CKRXDEF1 NOLIST \/ 27 IBM Security
Appendix Complete job log for splitting an SMF file by system name (4 of 4) //**************************************************** //* CARLA code to extract SMF records that //* meet the following criteria: * * //* 1. System is IPO1 * //* 2. SMF records are equal to the following ranges * //* A. 0-69 * //* B. 80-120 * //* C. 230 * //* Input is from DD C1SMF0 * //* Output is to DD SMFUNLD * //**************************************************** /SYSIN DD DATA,DLM='\/' /* Daily SMF dump */ alloc type=smf DD=C1SMF0 alloc type=ckrcmd DD=CKRCMD01 suppress CKFREEZE newlist type=smf name=smfsel select system(ipo1) type=(0:69,80:120,230) unload dd=smfunld include member=ckalfsum \/ /* 28 IBM Security
THANK YOU FOLLOW US ON: ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.