Overview

The BMC AMI Defender for z/OS product is an agent program that you install and run on one or more z/OS LPARs.

BMC AMI Defender performs the following activities:

  • Continuously monitors mainframe events from system management facilities (SMF) and collects SMF records.

    SMF is a z/OS component that collects system activity data. SMF is typically used for accounting, security, and performance monitoring.

  • Operates by installing the following z/OS exits on each LPAR where you run BMC AMI Defender:
    • IEFU83
    • IEFU84
    • IEFU85
  • Reformats the SMF records that you specify into standard syslog messages.
  • Sends the reformatted messages using UDP/IP, TCP/IP, or encrypted TCP/IP (IPv4 or IPv6) to a specified syslog console or server (such as the BMC Defender Server).

Notes

  • In the documentation for this product, syslog refers to message streams traditionally produced by UNIX systems and routers, as documented in IETF RFC 3164 and subsequent RFCs. For more information, see CZ messages.

  • To use BMC AMI Defender, you do not need to install it on the BMC Defender Server, or on any other computer or console.

Support for other products

BMC AMI Defender supports the following products:

  • Resource Access Control Facility (RACF).
  • CA ACF2.
  • CA Top Secret.

CZASEND

BMC AMI Defender includes a program for z/OS called CZASEND. You can use CZASEND, typically in a batch (JCL) job, to send text as custom syslog messages to a specified syslog console or server.

The CZASEND parameter file, CZAPSEND, contains parameters such as the IP address of the syslog console. Modify the parameter file to specify configuration options such as the target server IP address. For more information, see Parameter-file-statements.

BMC AMI Defender sends messages that are compliant with the syslog standard, RFC 3164. Several security information and event management (SIEM) vendors layer proprietary or semi-standard enhancements on top of the syslog standard. BMC AMI Defender supports all of the common format extensions. For more information, see Proprietary-syslog-format-extensions.
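A receiver-side decoder for the RFC 3164 header described above, added here as an example and not code from the product: it splits PRI, timestamp, host and message, and counts lines that are not valid syslog so a SIEM can alert on a degraded feed. The sample lines and the host name MVSA are constructed; the message text is illustrative and not the product's actual CZ message format.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Wire format: <PRI>TIMESTAMP HOSTNAME MSG, with TIMESTAMP as "Mmm dd hh:mm:ss"
# and the day space-padded ("Oct  5"), as RFC 3164 section 4.1 lays it out.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

def parse_rfc3164(line: str, year: int) -> dict:
    """Decode one RFC 3164 line; raise ValueError on a malformed header."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest PRI the standard allows
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    # The year is not on the wire, so the receiver has to supply it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": ts, "host": m.group("host"), "msg": m.group("msg")}

# Constructed sample lines in the RFC 3164 shape; the message text is
# illustrative only, not the product's actual CZ message format.
SAMPLE_LINES = [
    "<86>Oct  5 14:03:12 MVSA CZ: constructed sample, SMF type 80 event",
    "<13>Oct  5 14:03:13 MVSA CZ: constructed sample, SMF type 42 event",
    "no header at all, so it must be counted as rejected",
]

def triage(lines, year: int):
    """Parse a batch; return (decoded records, count of rejected lines)."""
    # Counting rejects instead of dropping them lets a receiver alert when the
    # feed from an LPAR stops being valid syslog.
    decoded, rejected = [], 0
    for line in lines:
        try:
            decoded.append(parse_rfc3164(line, year))
        except ValueError:
            rejected += 1
    return decoded, rejected
```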

Supplementary programs

You can operate the following supplementary programs as part of BMC AMI Defender:

  • CZAJOBLG, a program that streams the JES-spooled output of one or more running z/OS jobs, started tasks, or both, to any SIEM in real time. The streaming of JES SYSOUT is commonly referred to as Job Log support. CZAJOBLG is installed automatically as part of the installation of BMC AMI Defender. For information about using the CZAJOBLG program, see Using-the-CZAJOBLG-program.
  • CZALDFIL, a program that calls BMC AMI Defender to transmit a file to a configured SIEM, reformatted as indicated by BMC AMI Defender field definitions. For information about using the CZALDFIL program, see Using-the-CZALDFIL-program.
  • CZALSPAC, a program that uses BMC AMI Defender to transmit to a SIEM a series of space utilization messages for one or more DASD volumes. For information about using the CZALSPAC program, see Using-the-CZALSPAC-program.
  • CZASEND, a batch program for sending a single message to a SIEM. For information about using the CZASEND program, see Using-the-CZASEND-program.

The supplementary programs are not required for normal installation, configuration, usage and maintenance of the mainframe agent program (BMC AMI Defender).

The supplementary programs do not apply to the BMC AMI Defender for Db2 program.

BMC AMI Defender for Db2

BMC AMI Defender for Db2 is a configuration alternative to BMC AMI Defender for z/OS. You can use BMC AMI Defender for Db2 to help you comply with the following regulatory standards:

  • Payment Card Industry Data Security Standard (PCI DSS).
  • Sarbanes-Oxley Act 2002 (SOX).
  • Health Information Portability and Accountability Act 1996 (HIPAA).
  • Gramm-Leach-Bliley Act 1999.
  • IRS Publication 1075.
  • Federal Homeland Security Modernization Act 2014 (FISMA).

BMC AMI Defender for Db2 performs the following activities:

  • Automatically captures IBM Db2 events.
  • Audits file and database access.
  • Monitors database activity.
  • Monitors file integrity.

BMC AMI Defender for Db2 supports IBM Db2 Versions 9.1, 10, 11, and 12.

You can configure the BMC AMI Defender package as a McAfee Database Activity Monitor (DAM) or as a SIEM agent that captures z/OS system and subsystem session, transaction, security and statement activity.

Warning

To avoid the potential of losing your customization changes due to maintenance, BMC recommends that you copy any member you need to modify to your own system procedure or user library and modify it there.

You can concatenate your user library in front of the CZAPARMS DD statements in the CZAJOBLG, CZASEND or CZAGENT JCL processes.

The following list shows the SMF records (IFCID) applicable to various compliance activities. For more information about the SMF records referenced in the list, see Parameter-file-statements.

  • Privileged user monitoring: 361.
  • Invalid logical access attempts: 80, 140.
  • Creation and deletion of system level objects: 97.
  • Data access: 80 EVENT(.0), 143, 144, and 145. For the appropriate RACF data set profiles, specify AUDIT(ALL).
  • File integrity: 42 and 80 EVENT(.0). SMF 42 can notify you of changes to system libraries. For the appropriate RACF data set profiles, specify AUDIT(ALL(UPDATE)).
  • Backup and recovery: 24 and 25.

Architecture of the BMC AMI Defender for z/OS environment

The following figure illustrates the relationship between various parts of the BMC AMI Defender environment:

Figure: BMC_AMI_Defender_architecture.png
