IBM® Security zSecure™ Manager for RACF z/VM version 1.11.2 includes new features specifically for the z/VM platform. Other new features and enhancements are a result of updates included in the IBM Security zSecure Admin and IBM Security zSecure Audit for z/OS versions 1.13.1, 2.1.0, and 2.1.1 product releases that share functionality with the z/VM version of the product.

The most notable of these features is the zSecure Audit Compliance Testing Framework, introduced in zSecure 1.13.1, together with the extensions to the user interface and configuration options provided by zSecure 2.1.0 and 2.1.1. The framework allows you to define your own security standard and report on compliance with it.

New enhancements to IBM Security zSecure Manager for RACF z/VM version 1.11.2 are described briefly here. See the specified topics in the library for more information.

- Compliance, auditing, and monitoring:
  - The compliance framework has been extended for automation and coverage for compliance verification.
  - Provides the capability to improve results through a comprehensive, automated audit referencing a built-in knowledge base.
  - Reduces the manual processes for gathering data to support activities for compliance.
  - Coverage for Security Technical Implementation Guide (STIG) for z/VM, and the ability to extend beyond STIG or define your own standard.
- Enhanced comparison processing:
  - The ISPF user interface is enhanced to help you compare your security settings against an approved version or against other systems and databases.
- Enhanced multi-system support:
  - New concept: collection, a group of sets of input files.
  - The D line command on profiles is now allowed on summaries to issue cross-complex deletions.
- CARLa enhancements:
  - DEFINE...PARSE(field,[begin sep][,end sep]): The begin separator specification and the end separator presence are now optional. This allows unwanted suffixes to be ignored.
  - New parameter for the REPORT SCOPE statement: Use the extra parameter RACLIST_MERGE to switch from reporting individual profiles (GXFACILI/XFACILIT) to merged profiles ("XFACILIT").
  - New parameters for the SHOW command:
    - CKFIN: The SHOW CKFIN command causes a message CKR2218 to be issued for each CKFREEZE data set with the CKFCOLL input parameters that limit or extend the information collected into the CKFREEZE snapshot data set.
    - CKFMSG: The SHOW CKFMSG command causes a message CKR2219 to be issued for each CKFREEZE data set with the error and warning messages issued by CKFCOLL during creation of the CKFREEZE snapshot data set.
- New CARLa report types and fields:
  - New fields for NEWLIST TYPE=DASDVOL:
    - FORMAT: Reflects the format of the disk volume (CP, AIX, LINUX, NOVTOC, or VTOCTRK0).
    - MINIDISK: This flag field is true if the disk volume is a nondedicated VM minidisk. It is part of the system repeat group.
    - READ_ONLY: This flag field is true if the volume is linked in read-only mode to the virtual machine that is running the operating system image.
    - VMLINK: This flag is true if the device is accessed through VM.
  - New: NEWLIST TYPE=ID: This report type shows attributes for ID in the current RACF source. This report type is not yet implemented in the user interface.
  - New field for NEWLIST TYPE=RACF:
    - VOLSER_KEY, VOLUME_KEY: For non-VSAM data set profiles and tape profiles, this field contains the first volume serial of the volume serial list. This value is the same as the value used on the VOLUME and FVOLUME parameters of the RACF ADDSD and ALTSD commands.
  - New: NEWLIST TYPE=RESOURCE: RESOURCE reports on the protection of users or groups collected from several subsystems. It shows the profiles and, optionally, the resources to which a user or group has direct or indirect access.
  - New fields for NEWLIST TYPE=SYSTEM and NEWLIST TYPE=SETROPTS:
    - PWD_MIN_LEN: This field returns the minimum user password length as a decimal number; the default output width is 2 digits. If no password length rule has been defined, the default returned value is 1.
    - RACF_PWD_ALGORITHM: This field shows the password algorithm in effect.
    - RACF_PWD_SPECIAL_CHAR: This flag field indicates whether special characters are allowed in passwords.
- Usability enhancements:
  - Profiles can be selected without specific ACL entry
  - OVM segment handling during copy user or group
  - Look up in the base segment from an application segment
  - SMF Event reporting based on Connected-to-Group
  - SMF Event reporting about superuser activity
  - Search for userid by name in restricted context
  - Tailor action commands per class and segment
- z/VM exploitation:
  - Exploitation of z/VM 6.3; for example, the ability to obtain SMF settings for RACF server.
  - The UI panels now support the Open Extensions OVM segment for the USER and GROUP classes.
- z/VM exploitation and toleration support for z/VM 6.3 PTFs:
  - Exploitation: VM65498: NEW FUNCTION - ADDITIONAL INFORMATION FROM DIAGNOSE X'A0' SUBCODE X'50'
  - Toleration: VM65322: D/T2107 VM SUPPORT FOR SOFT FENCE AND QUERY HOST ACCESS
- Documentation:
  - The chapters on the CARLa command language and the NEWLIST fields have been split off from the User Reference Manuals into a separate, licensed book: IBM Security zSecure CARLa Command Reference, LC27-6548-00. This book combines the information about CARLa commands and NEWLIST fields for zSecure Manager for RACF® z/VM® and zSecure for RACF, ACF2, and Top Secret.