What's new for IBM Security zSecure Manager for RACF z/VM V1.11.2

IBM® Security zSecure™ Manager for RACF z/VM version 1.11.2 includes new features specifically for the z/VM platform. Other new features and enhancements are a result of updates included in the IBM Security zSecure Admin and IBM Security zSecure Audit for z/OS version 1.13.1, 2.1.0, and 2.1.1 product releases that share functionality with the z/VM version of the product.

The most notable of these features is the zSecure Audit Compliance Testing Framework introduced in zSecure 1.13.1 with the extensions to the user interface and configuration options provided by zSecure 2.1.0 and 2.1.1, allowing you to define your own security standard and report on compliance with it.

New enhancements to IBM Security zSecure Manager for RACF z/VM version 1.11.2 are described briefly here. See the specified topics in the library for more information.

• Compliance, auditing, and monitoring:
  • The compliance framework has been extended for automation and coverage for compliance verification.
    • Provides the capability to improve results through a comprehensive, automated audit referencing a built-in knowledge base.
    • Reduces the manual processes for gathering data to support activities for compliance.
    • Coverage for Security Technical Implementation Guide (STIG) for z/VM, and the ability to extend beyond STIG or define your own standard.
• Enhanced comparison processing:
  • ISPF user interface is enhanced to help you compare your security settings against an approved version or against other systems and databases.
• Enhanced multi-system support:
  • New concept: collection a group of sets of input files.
  • The D line command on profiles is now allowed on summaries to issue cross-complex deletions.
• CARLa enhancements:
  • DEFINE...PARSE(field,[begin sep][,end sep]):
    The begin separator specification and the end separator presence are now optional. This allows unwanted suffixes to be ignored.
  • New parameter for the REPORT SCOPE statement:
    Use extra parameter RACLIST_MERGE to switch from reporting individual profiles (GXFACILI/XFACILIT) to merged profiles ("XFACILIT").
  • New parameters for SHOW command:

    CKFIN

    The SHOW CKFIN command causes a message CKR2218 to be issued for each CKFREEZE data set with the CKFCOLL input parameters that limit or extend the information collected into the CKFREEZE snapshot data set.

    CKFMSG

    The SHOW CKFMSG command causes a message CKR2219 to be issued for each CKFREEZE data set with the error and warning messages issued by CKFCOLL during creation of the CKFREEZE snapshot data set.

• New CARLa report types and fields:
  • New fields for NEWLIST TYPE=DASDVOL:

    FORMAT

    Reflects the format of the disk volume (CP, AIX, LINUX, NOVTOC, or VTOCTRK0).

    MINIDISK

    This flag field is true if the disk volume is a nondedicated VM minidisk. It is part of the system repeat group.

    READ_ONLY

    This flag field is true if the volume is linked in read-only mode to the virtual machine that is running the operating system image.

    VMLINK

    This flag is true if the device is accessed through VM.

  • New: NEWLIST TYPE=ID:
    This report type shows attributes for ID in the current RACF source. This report type is not yet implemented in the user interface.
  • New field for NEWLIST TYPE=RACF:

    VOLSER_KEY, VOLUME_KEY

    For non-VSAM data set profiles and tape profiles, this field contains the first volume serial of the volume serial list. This value is the same as the value used on the VOLUME and FVOLUME parameters of the RACF ADDSD and ALTSD commands.

  • New: NEWLIST TYPE=RESOURCE:
    RESOURCE reports on the protection of users or groups collected from several subsystems. It shows the profiles and, optionally, the resources to which a user or group has direct or indirect access.
  • New fields for NEWLIST TYPE=SYSTEM and NEWLIST TYPE=SETROPTS:

    PWD_MIN_LEN

    This field returns the minimum user password length as a decimal number; the default output width is 2 digits. If no password length rule has been defined, the default returned value is 1.

    RACF_PWD_ALGORITHM

    This field shows the password algorithm in effect.

    RACF_PWD_SPECIAL_CHAR

    This flag field indicates whether special characters are allowed in passwords.

• Usability enhancements:
  • Profiles can be selected without specific ACL entry
  • OVM segment handling during copy user or group
  • Look up in the base segment from an application segment
  • SMF Event reporting based on Connected-to-Group
  • SMF Event reporting about superuser activity
  • Search for userid by name in restricted context
  • Tailor action commands per class and segment
• z/VM exploitation:
  • Exploitation of z/VM 6.3; for example, the ability to obtain SMF settings for RACF server.
  • The UI panels now support the Open Extensions OVM segment for the USER and GROUP classes.
  • z/VM exploitation and toleration support for z/VM 6.3 PTFs:
    • Exploitation: VM65498: NEW FUNCTION - ADDITIONAL INFORMATION FROM DIAGNOSE X'A0' SUBCODE X'50'
    • Toleration: VM65322: D/T2107 VM SUPPORT FOR SOFT FENCE AND QUERY HOST ACCESS
• Documentation:

  The chapters on the CARLa command language and the NEWLIST fields have been split off from the User Reference Manuals into a separate, licensed, book: IBM Security zSecure CARLa Command Reference, LC27-6548-00. This book combines the information about CARLa commands and NEWLIST fields for zSecure Manager for RACF® z/VM® and zSecure for RACF, ACF2, and Top Secret.