Overview

The BMC AMI Defender for z/OS product is an agent program that you install and run on one or more z/OS LPARs.

BMC AMI Defender performs the following activities:

  • Continuously monitors mainframe events from system management facilities (SMF) and collects SMF records.

    SMF is a z/OS component that collects system activity data. SMF is typically used for accounting, security, and performance monitoring.

  • Operates by installing the following z/OS exits on each LPAR on where you run BMC AMI Defender:
    • IEFU83
    • IEFU84
    • IEFU85
  • Reformats the SMF records that you specify as standard syslog messages.
  • Sends the reformatted messages using UDP/IP, TCP/IP, or encrypted TCP/IP (IPv4 or IPv6) to a specified syslog console or server (such as the BMC Defender Server).

Notes

  • In the documentation for this product, syslog refers to message streams traditionally produced by UNIX systems and routers, as documented in IETF RFC 3164 and subsequent RFCs.
  • To use BMC AMI Defender, you do not need to install it on the BMC Defender Server, or on any other computer or console.

 Support for security products

BMC AMI Defender supports SMF records from the following products:

  • Resource Access Control Facility (RACF)
  • CA ACF2
  • CA Top Secret

CZASEND

You can use the CZASEND program to send text as custom syslog messages to a specified syslog console or server. 

The CZASEND parameter file, CZAPSEND, contains parameters such as the IP address of the syslog console. Modify the parameter file to specify configuration options such as the target server IP address. For more information, see Parameter-file-statements

BMC AMI Defender sends messages that are compliant with the syslog standard, RFC 3164. There are several security information and event management (SIEM)-vendor proprietary or semi-standard enhancements that are layered on top of the syslog standard. BMC AMI Defender supports all of the common format extensions. For more information, see Proprietary-syslog-format-extensions.

Supplementary programs

You can operate the following supplementary programs as part of BMC AMI Defender:

  • CZAJOBLG streams the JES-spooled output of one or more running z/OS jobs, started tasks, or both, to any SIEM in real-time. The streaming of JES SYSOUT is commonly referred to as Job Log support. CZAJOBLG is installed automatically as part of the installation of BMC AMI Defender. For information about using the CZAJOBLG program, see Using-the-CZAJOBLG-program.
  • CZALDFIL transmits a file from BMC AMI Defender to a configured SIEM, reformatted as indicated by BMC AMI Defender field definitions. For information about using the CZALDFIL program, see Using-the-CZALDFIL-program.
  • CZALSPAC transmits a series of space-utilization messages for one or more DASD volumes fromBMC AMI Defender to  a SIEM. For information about using the CZALSPAC program, see Using-the-CZALSPAC-program
  • CZASEND sends a single message to a SIEM. For information about using the CZASEND program, see Using-the-CZASEND-program.

The supplementary programs are not required for normal installation, configuration, usage, and maintenance of the BMC AMI Defender mainframe agent program.

The supplementary programs do not apply to the BMC AMI Defender for Db2 product.


BMC AMI Defender for Db2

BMC AMI Defender for Db2 is a configuration alternative to BMC AMI Defender for z/OS. You can use BMC AMI Defender for Db2 to help you comply with the following regulatory standards:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley Act 2002 (SOX)
  • Health Information Portability and Accountability Act 1996 (HIPAA)
  • Gramm-Leach-Bliley Act 1999
  • IRS Publication 1075
  • Federal Homeland Security Modernization Act 2014 (FISMA)

BMC AMI Defender for Db2 performs the following activities:

  • Automatically captures IBM Db2 events
  • Audits file and database access
  • Monitors database activity
  • Monitors file integrity

BMC AMI Defender for Db2 supports IBM Db2 for z/OS Versions 11 and 12.1 (64 bit).

You can configure the BMC AMI Defender package as a McAfee Database Activity Monitor (DAM) or as a SIEM agent that captures z/OS system and subsystem session, transaction, security and statement activity.

The following table lists the SMF records applicable to various compliance activities. For more information about the SMF records referenced in the table, see Parameter-file-statements.

Activity

SMF records (IFCID)

Early IPL record support

00—IPL (SMF initialization)

08—I/O configuration

22—Device configuration

43—JES2 or JES3 startup

81—RACF initialization

Privileged user monitoring

361

Invalid logical access attempts

80, 140

Creation and deletion of system level objects

97

Data access

80 EVENT(.0), 143, 144, and 145

For the appropriate RACF data set profiles, specify AUDIT(ALL).

File integrity

42 and 80 EVENT(.0)

SMF 42 can notify you of changes to system libraries. For the appropriate RACF data set profiles, specify AUDIT(ALL(UPDATE)).

Backup and recovery

24 and 25

Architecture of the BMC AMI Defender for z/OS environment 

The following figure illustrates the relationship between various parts of the BMC AMI Defender environment:

BMC_AMI_Defender_architecture.png


Related topics

SMF-Db2-statement
Monitoring-data-access-using-Db2-traces

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*