Getting started

The BMC AMI Security Policy Manager product is a security policy manager engine that gathers real-time data and reports events that do not match your company's security and compliance policies. This topic introduces some of the key concepts.

Compliance testing

The core of the BMC AMI Security Policy Manager product is the collection of key events and data detected within the z/OS operating system and related subsystems, such as RACF, CICS, and IMS. Potential issues are detected, often in real time, and reported to the Security Policy Manager dashboard or off-host SIEM systems.

Compliance testing is the periodic analysis of an organization's system and security settings against a published set of rules, to confirm that the system complies with enterprise policy. Security Policy Manager supplies many such rules, but organizations typically also need rules of their own, or the same checks evaluated against different expected settings from those Security Policy Manager tests by default.

With the Security Policy Manager compliance testing feature, your organization can define a set of rules to be evaluated at frequencies you choose. The resulting reports, which can optionally be forwarded to a SIEM, highlight where the system complies with the rule set and where it deviates from it.

You can configure the product to execute rules automatically when specific system events occur that require one or more rules to be re-evaluated. You can also run rules manually by command or from the Security Policy Manager interface. For more information about rules, see Compliance testing.

Rules

Rules are members of a partitioned data set (PDS) or partitioned data set extended (PDSE).

An INDEX member lists each rule, its execution frequency, and its description. Each rule can also be given an ID that can be cross-referenced to standards documents.

The INDEX member defines the member name for each rule. A rule member generally contains SQL statements that search the BMC AMI Security Policy Manager database for entries that violate the rule. Alternatively, the rule member can name a REXX procedure to be executed. This REXX procedure can perform any function permitted to a normal TSO REXX procedure, such as issuing system commands, issuing RACF commands, and reading files. Specific REXX extension functions are provided to return compliance result messages to the Security Policy Manager report.

Each rule can be assigned a category, and multiple rules can share a single category. When a system event occurs or a manual command is issued, all rules in the specified category can be executed together rather than one rule at a time.

The rules dataset is defined by the RuleDataset keyword in the Security Policy Manager configuration.
Rules can be executed by several different methods:

  • Automatically at Security Policy Manager start-up
  • Automatically at user defined timer intervals
  • Automatically when Security Policy Manager receives specific system events
  • By operator (or automated operations) command
  • Manually via a browser interface

For more information about rules, see the Security policy rule configuration section in the Compliance testing topic.
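The following is an added illustration, not BMC's product code, of the rule model described above: an INDEX that lists rule ID, member name, frequency, category and description; rule members that are queries returning the rows that violate the rule; and execution of every rule in a category at once, as a category-triggered event or command would do. The INDEX layout, the table schema, the rule IDs, and the sample profiles are all hypothetical. The checks themselves are real mainframe hardening controls: APF-authorized libraries should have UACC NONE and be updatable only by systems programming groups, because anyone who can update them can run authorized code.

```python
"""Toy index-driven compliance rule engine (illustration only; the INDEX
layout, schema and rule IDs are hypothetical, not the product's own)."""
import sqlite3
from dataclasses import dataclass

# Constructed INDEX text: RULE_ID MEMBER FREQUENCY CATEGORY DESCRIPTION.
# The real INDEX member layout is product-specific; this layout is made up.
INDEX_TEXT = """\
ORG-APF-001 APFUACC  DAILY   APF     APF library with UACC above NONE
ORG-APF-002 APFALTER DAILY   APF     APF library updatable by a non-sysprog group
ORG-PWD-001 PWDINT   WEEKLY  RACF    Password change interval above 90 days
"""

# Constructed rule members: each query returns the violating rows, so a rule
# is compliant exactly when its query returns nothing.
RULE_MEMBERS = {
    "APFUACC": "SELECT dsn, uacc FROM dataset_profile "
               "WHERE apf = 1 AND uacc <> 'NONE'",
    "APFALTER": "SELECT p.dsn, a.grp FROM dataset_profile p "
                "JOIN access_list a ON a.dsn = p.dsn "
                "WHERE p.apf = 1 AND a.auth IN ('UPDATE', 'ALTER') "
                "AND a.grp NOT IN ('SYSPROG')",
    "PWDINT": "SELECT name, value FROM setropts "
              "WHERE name = 'PASSWORD_INTERVAL' AND CAST(value AS INTEGER) > 90",
}


@dataclass
class Rule:
    rule_id: str      # cross-reference to the organization's standards document
    member: str       # name of the member holding the rule body
    frequency: str
    category: str
    description: str


def parse_index(text):
    """Parse the INDEX text into Rule records; '*' lines are comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):
            continue
        rule_id, member, freq, cat, desc = line.split(None, 4)
        rules.append(Rule(rule_id, member, freq, cat, desc))
    return rules


def build_sample_db():
    """Constructed snapshot of dataset profiles, access lists and SETROPTS
    values standing in for the product's collected data (schema is made up)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE dataset_profile (dsn TEXT, apf INTEGER, uacc TEXT);
        CREATE TABLE access_list (dsn TEXT, grp TEXT, auth TEXT);
        CREATE TABLE setropts (name TEXT, value TEXT);
        INSERT INTO dataset_profile VALUES
            ('SYS1.LINKLIB', 1, 'NONE'),
            ('SYS1.LPALIB', 1, 'NONE'),
            ('VENDOR.APF.LOAD', 1, 'READ'),
            ('PROD.APPL.LOAD', 0, 'READ');
        INSERT INTO access_list VALUES
            ('SYS1.LINKLIB', 'SYSPROG', 'ALTER'),
            ('VENDOR.APF.LOAD', 'SYSPROG', 'ALTER'),
            ('VENDOR.APF.LOAD', 'APPDEV', 'UPDATE');
        INSERT INTO setropts VALUES ('PASSWORD_INTERVAL', '90');
    """)
    return con


def run_rules(con, rules, category=None):
    """Run every rule, or only those in one category, and return
    {rule_id: [violating rows]}; an empty list means compliant."""
    results = {}
    for rule in rules:
        if category and rule.category != category:
            continue
        results[rule.rule_id] = con.execute(RULE_MEMBERS[rule.member]).fetchall()
    return results


def report_lines(rules, results):
    """Render results as report lines: one status line per rule plus one
    indented line per violating row."""
    by_id = {r.rule_id: r for r in rules}
    lines = []
    for rule_id, rows in results.items():
        status = "COMPLIANT" if not rows else f"NON-COMPLIANT ({len(rows)} hit(s))"
        lines.append(f"{rule_id} {status}: {by_id[rule_id].description}")
        lines.extend("    " + " ".join(str(v) for v in row) for row in rows)
    return lines


if __name__ == "__main__":
    rules = parse_index(INDEX_TEXT)
    con = build_sample_db()
    # Simulate an event that triggers only the APF category.
    for line in report_lines(rules, run_rules(con, rules, category="APF")):
        print(line)
```

Running it evaluates only the two APF rules and flags VENDOR.APF.LOAD twice, once for UACC READ and once for the APPDEV group's UPDATE access, while SYS1.LINKLIB passes both. Keeping the rule ID in the INDEX rather than in the rule body is what lets the report be read against the standards document without opening each member.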

Sensitive data set discovery

External security manager (ESM) software, such as IBM RACF, CA Top Secret, and CA ACF2 (with SPE2107), helps prevent unauthorized access to sensitive data. Monitoring these controls and the accesses they mediate can reveal suspected or suspicious behavior. For more information, see Creating ESM resources.

On startup, BMC AMI Security Policy Manager enters a discovery phase, where it locates APF, LINKLIST, PROCLIB, and PARMLIB libraries.

Security Policy Manager locates the following from storage:

  • RACF databases
  • TSS databases
  • ACF2 databases
  • SPM libraries, for example, loadlibs and rules
  • ACS (SMS) data sets
  • CSF data sets
  • Dump data sets
  • Mounted HFS/ZFS files
  • IODF
  • IPL
  • JES2
  • LPA
  • MCAT
  • PAGE
  • PARM
  • SMF
  • SMS
  • TFS
  • UADS
  • UCAT
  • VIO

To monitor additional data sets, specify the data set names with the DatasetFilters entry of the configuration member.

Tools feature

From the browser, you can execute commands and reload rules without having to restart BMC AMI Security Policy Manager on z/OS. For more information, see Administering.
