Configuring parameters

Configure the product at startup by using parameters defined in one or more members of the partitioned data set that is defined on the RSSPARM data definition. Sample configuration members are provided in the samples library that is created during product installation.

The configuration members define the values required to start the product, such as:

  • Product key
  • IP address
  • Port number
  • Protocol for the browser interface
  • Message level

Related topics

Installation-overview

Configuring-ESM-definitions

Defining-the-started-task-to-the-ESM

Where the products require additional configuration parameters, you can add these parameters to the existing 

BMC AMI Resident Security Server

 (

RSS

) configuration parameters.This section describes all the configuration parameters supported by the product. Many of the parameters are optional and most implementations use only a subset.

Configuration parameter syntax

The parameters in the configuration data set conform to the following rules:

  • Enter only one parameter on each line. A parameter can start in any position on that line.
  • Specify parameters in full. They are not case sensitive except for HFS path names.
  • Add an asterisk (*) in the first position to make it a comment.
  • Use standard z/OS system-defined static system symbols, such as &SYSNAME.

Configuring SCOPE parameter

You can share parameters in the configuration data set between multiple address spaces and multiple LPARs.

The SCOPE parameter controls which parameters in the configuration data set are processed by which LPAR in each address space. Use the SCOPE keyword before a block of one or more configuration parameters to indicate that the block is processed only by the address spaces that have that LPAR. The scope for each address space is defined on the SCOPE= parameter in the EXEC PARM in the JCL procedure.

You can qualify the SCOPE keyword with the SYSID, allowing different parameter blocks to be processed depending on the system that Security Policy Manager is started on.

The following example displays different uses of the SCOPE parameter:

*
*  Following parameters will be processed by every
*  Address Space
*
Parameter Value
Parameter Value
*
*  Following parameters will be processed by every
*  Address Space started with Scope=Server
*
Scope Server
Parameter Value
Parameter Value
*
*  Following parameters will be processed by all
*  Address Spaces started with Scope=BASPM
*
Scope BASPM
Parameter Value
Parameter Value
*
*  Following parameters will be processed by Address
*  Spaces started with Scope=BASPM on system SYS1
*
Scope BASPM.SYS1
Parameter Value
Parameter Value

Multiple configuration parameter members

You can split the BMC AMI Security Policy Manager configuration parameters across multiple members for simplification, ease of administration, or to share commonly used blocks of parameters across multiple address spaces.

You can include other members in the parameters using the INCLUDE keyword, as displayed in the following example:

*
* SPM Global Parameters
*
Parameter Value
Parameter Value
*
* SPM Server Parameters
*
Scope Server
         Include member1                         
         Include member2

Configuration parameter groups

Except for the global configuration parameters , BMC AMI Security Policy Manager c onfiguration parameters are organized in groups, with a group header and group trailer parameter.

This enables similar parameter keywords, such as PORT or IPAddress, to be placed inside different groups without conflict. The typical format of a parameter group is displayed in the following example:

GroupType
          Group Parameters
          Group Parameters
          Group Parameters
EndGroupType

Do not split parameter groups across different configuration data set members.

Global configuration parameters

The global configuration parameters are applicable to every BMC AMI Security Policy Manager address space. Global configuration parameters are not defined within a parameter group.

They can be placed inside a SCOPE block to define different values for different address spaces. 

The following list of global configuration parameters are required unless otherwise specified.

With SPE2107 applied, support for ACF2 is available.

Parameter

Description

ClassName FACILITY | class

Class in which the RACF or Top Secret resources are defined

By default, the Security Policy Manager RACF or Top Secret resources are defined in the FACILITY class. If you placed the resources in a different class during product installation, specify it here.

ExpiryWarning 31 | nnn

Number of days to send an alert before the Security Policy Manager software key expires

The Alert message is in the following format:
License expires in nnn days

The default value is 31.

InternalTrace size

Number of entries in the RSS internal trace table

The internal trace content can be output by a command or  automatically formatted in the event of an abend.

Specifying a value of 0 disables internal tracing.

The default value is 4096.

CommandSecurity On | Off

Whether RSS should implement an additional layer of security for commands issued from the console of the administration facility

Activating this feature requires additional RACF or Top Secret profiles to be defined for each RSS subcommand and users permitted to that resource in order to issue the commands.

The RACF or Top Secret profile is:

RSM.RSSCMD. command

RSM.RSSCMD. command .subcommand

For example, you can use this facility to restrict which users can activate RSS traces with the RSM.RSSCMD.SETMSG profile.

AbendLimit count

Maximum number of recoverable abends before RSS shuts down

For applications that implement recoverable abend handling, this parameter controls the number of recoverable abends before RSS shuts down.

MessageLevel type type type

Type of messages to be output

You can specify as many MessageLevel parameters as required, or specify multiple types on a single line. The following table lists the available types:

Type

Description

AppTrace

Turns on specific tracing for Security Policy Manager

BufTrace

Traces data in all traced exchange as well as protocol information

Error

Output error messages

Info

Output information messages

HTTPTrace

Traces HTTP traffic generated by user interactions with the Security Policy Manager browser interface

RACFTrace

Traces all RACF or Top Secret commands and their output responses

TCPTrace

Traces all TCP communications including SSL exchanges when using HTTPS protocol

XCFTrace

Traces data sent and received across XCF communications

DLLTrace

Traces DLL calls

SQLTrace

Traces SQL calls

JSONTrace

Traces JSON streams over the REST API

DSTrace

Traces RSS dataspace activity

DataTrace

Traces detailed data buffers during communication

This trace should be used with care as sensitive data could be reported.

MutexTrace

Traces mutex operations

The recommended settings for normal use are Error and Info.

Activate component

Component to be activated during Security Policy Manager initialization

For all systems on which Security Policy Manager runs, specify Activate ZDETECT . If the HTTP server is also defined or required on a system, add Activate SERVER for that system.

For more information, see Security Policy Manager parameters later in this topic.

SyslogId ID

ID used in the name field of any syslogD record written by this instance of Security Policy Manager

The default value is enterpriseConnector.

HTTP server configuration

Use the following parameters if the HTTP server is used to support browser-based connections to the Security Policy Manager implementations.

Best practice

The server supports both unsecured and secured connections, although for security reasons, we recommend the using the IBM AT-TLS component of TCP/IP.

Regardless of the connection type, set the value of the Protocol parameter to HTTP, and the appropriate AT-TLS rules setup to achieve the secure connection.

Note

If you are using a secure connection, use the https:// prefix to access the web server in a browser. If you are using the HTTP server, an activate server configuration statement must be coded in Global configuration parameters.

The HTTP server parameters must be defined within an HTTPServer group:

Parameter

Description

HTTPServer

Heads a block of HTTP server definitions

Protocol HTTP

Whether Security Policy Manager uses secure or non-secure exchanges between logged-on users and the Security Policy Manager server on z/OS

The protocol should always be set to HTTP.

For security, you must use the IBM AT-TLS option for securing connections.

Port portNumber

Port on which the Security Policy Manager server listens for incoming browser connections

You can use any available and valid port number. Select an unused port number because without it, users cannot log on and use the product.

Buffersize bufferSize

Override of the default maximum buffer size (4096 bytes) for receiving HTTP header data

EndHTTPServer

Termination of the block of HTTP server definitions

Event targets configuration

Event target parameters are used to specify the details of external systems to receive events generated by BMC AMI Security Policy Manager. Every event generated is assigned a severity. Multiple target systems can be defined to receive events that are filtered by severity.

Security Policy Manager also supports routing events to the MVS console and the local syslog daemon, as well as external SIEM systems.

The target systems must be defined within an 'EventTarget' block. One EventTarget block is required for each target system:

Parameter

Description

EventTarget

Heads a block of definitions for a single target system

Name targetName

Name of this target system

This name is only used for reference purposes and does not have to match any name on the target system.

There are two reserved names for use by Security Policy Manager:

  • Console—Events written to MVS console
  • Syslog—Events written to syslog daemon

Severity severity severity severity

One or more event severity filters for events forwarded to this target system

The severity is set by Security Policy Manager when generating the event or alert. The severity name follows the priority value defined in the Syslog. (RFC 5424 supported.)

The following list contains valid severity names:

  • Emergency
  • Critical
  • Alert—(SPE2107) Summary compliance messages are sent to the target system
  • Error
  • Warning
  • Notice
  • Info—(SPE2107) Detail compliance records are sent to the target system
  • Debug

Format Console | Syslog | JSON | XML

Format in which the event will be forwarded to the target system

Note

RFC 3164 and RFC 5424 are supported and are specified with Format RFCnnnn. For more information, see:

https://tools.ietf.org/html/rfc5424

https://tools.ietf.org/html/rfc3164

Host Local | IPAddress

IP address of the target system to which the event is to be sent

Local should be specified (with Format Syslog) to write the event to the z/OS SyslogD daemon.

Port portNumber

Port on the target system to which the event is sent

Protocol UDP | TCP

Protocol on which the event is sent to the target system

You can use TCP or UDP protocol

Encoding ASCII | EBCDIC

Encoding from which the event text is converted before sending to the target system

Before sending event text to the target system, convert the text from ASCII or EBCDIC.

EndEventTarget

Terminates a block of definitions for a single target system

Security Policy Manager and SIEM systems

Security Policy Manager sends alerts to SIEM systems from the following sources:

  • SMF 14—File closed after reading
  • SMF 15—File closed after writing
  • SMF 42—PDS activity
  • SMF 80—RACF or Top Secret events and audited events
  • SMF 230 (variable)—ACF2 events
  • z/OS commands—Commands entered on the console RACF or Top Secret commands. Any RACF-related command is valid.
  • z/OS console messages—All messages are checked and analyzed
  • SYSLOGD events—These events are analyzed, and if deemed of interest, they are sent to SIEMs or dashboards and stored in the database.

However, because the code is in place to intercept all SMF records and send to SIEMs, Security Policy Manager can intercept any SMF record type except for the types listed previously (SMF 14, 15, 42, and 80). With minor changes, Security Policy Manager can process them and send them to a SIEM system, or just forward the entire record to the SIEM (after sanitizing binary fields). Similarly, with Console Messages and Commands, Security Policy Manager can forward all commands.

For example, Security Policy Manager can receive a specific console message (such as from TPX), and send the result directly to the SIEM for further processing. This consists of a few dozen lines of code, and could be activated by a configuration change.

When a SIEM is configured and defined to Security Policy Manager, you can specify which of the following levels (as defined by RFC5424) is sent:

  • EVENT_EMERGENCY
  • EVENT_ALERT
  • EVENT_CRITICAL
  • EVENT_ERROR
  • EVENT_WARNING
  • EVENT_NOTICE
  • EVENT_INFO
  • EVENT_DEBUG

The following events are also used within Security Policy Manager:

  • EVENT_SUMMARY—Send to dashboard only
  • EVENT_DASHBOARD—Send to SIEM only

The levels are as follows:

Level

Description

Emergency

User is unloading the RACF or Top Secret database, sensitive data set is updated, user-monitored data set is updated

Alert

Suspicious activity, for example, a user given RACF or Top Secret special, sensitive data set updated due to WARN on RACF profile, misconfigured sensitive data set profile

Error

Sensitive data set does not have a fully-qualified generic profile, or audit settings are wrong

Warning

RACF or Top Secret command entered, RVARY issued, Compliance query failures

Notice

Password violations, Login violations, Monitored job started/ended, Monitored command entered. Potential ACEE modification. Multiple violations from same IP address

Info

Unused

Debug

Unused

Summary

Send compliance summary to dashboard only

Dashboard

Used in conjunction with the previous codes to send to a dashboard and to SIEM

Security Policy Manager parameters

Some additional configuration parameters are required for BMC AMI Security Policy Manager.

To start Security Policy Manager, you must set an Activate ZDETECT configuration statement in the global configuration parameters.

(SPE2107) You can use the RECONFIG command to configure some parameters later. For more information, see Reconfiguring-parameters.

Parameter

Description

SPMParms

Heads a block of Security Policy Manager definitions

AlertLog  severity1 severity2 …. severityN

(Optional) One or more of the following alert severity filters for alerts written to server logs:

  • Emergency
  • Critical
  • Alert
  • Error
  • Warning
  • Notice
  • Info
  • Debug

Example: AlertLog emergency critical error

Applid vtamAppID

(Optional) VTAM application ID

Checkpointname checkPointDSN

(Optional) Name of the checkpoint data set

Example: Checkpointname hlq.ZDTV21.CHKPNT

For more information about the checkpoint data set, see Defining-the-checkpoint-data-set.

Classified Yes | No

(Optional) Whether the system is designated as a DISA STIG classified system

The default value is No.

Compliance Yes | No

(Optional) Whether to run compliance

The default value is Yes.

ComplianceLog Yes | No

(SPE2107)

(Optional) Whether compliance results, including failures, should be logged to the dynamically allocated server SYSOUT ZDTCOMP

The default value is No.

Warning

The parameter is disabled because the sensitive information could assist a hacker in footprinting (gathering information about) the system. If you enable the parameter, ensure the output from BMC AMI Datastream is protected by RACF.

CustomDsnType dsnType dsnType dsnType...

(SPE2110)

(Optional) Define custom DSN types for the sens (sensitive data sets) table. Use the custom DSN types to categorize data sets specified in the DatasetFilterssection.

Each type can be up to four characters long and  you can define up to 64 custom types.

Use the following CustomDsnType values with specified DISA STIGs:

DISA STIG

CustomDsnType

Description

V-120

SMPE

SMP/E product installation libraries

V-126

DASD

DASD backup files

V-3221

BTCP

Data set containing base TCP/IP components—that is, SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP. SEZA

V-29952

JCLL

JCL libraries or open access libraries or datasets for FTP

V-29952

FTPC

Data sets containing FTP control cards

V-6933
V-223815

DFSM

Load libraries to determine program resource definitions.
If the installation moves these modules to another load library, the installation-defined load library should be used. Else, use SYS1.DGTLLIB, SYS1.DFQLLIB

DatastreamInstance instanceName
(SPE2204)

(before SPE2204) DefenderInstance instanceName

(Optional) Name of the BMC AMI Datastream instance to which all messages are sent

Example: DatastreamInstance v610.B3405

(SPE2207) Deprecated (see DatastreamSSID). If both DatastreamInstance and DatastreamSSID are used, then DatastreamInstance is ignored.

DatastreamSSID ssid
(SPE2207)

(Optional) Subsystem identifier (SSID) of the BMC AMI Datastream writer to which all messages are sent

To use the parameter, make sure that the started task ID under which Security Policy Manager runs has write access to the BMC AMI Datastream Subsystem Writer. For more information, see Using z/OS SAF in the BMC AMI Datastream technical documentation.

ForwardSmf80 Yes | No

(Optional) Whether smf80 records should be forwarded to target systems defined using the EventTarget parameters

The default value is No.

ForwardSyslog Yes | No

(Optional) Whether syslog records should be forwarded to target SIEM systems defined using the Security Policy Manager DatastreamInstance parameter

The default value is No.

GroupName xcfGroupName

Name of the XCF group for this instance

Use GroupName to run multiple Security Policy Manager instances on one system.

Example: GroupName SPMGRP

ImportDataset dataSetName

(SPE2107)


(Optional) Name of the data set with the required SQL data to import

Use more than one ImportDataset parameter to import more than one data set.

Example:

    • ImportDataset hlq.IMPORT.SQL1
      ImportDataset hlq.IMPORT.SQL2

For more information, see Adding-custom-tables and Commands.

Inactivate component

(Optional) Inactivates one of the following components of the Security Policy Manager server:

Example:

    • Inactivate DB2
      Inactivate IMS

KnowledgeBase dataSetName

Name of the knowledge base data set

Example: KnowledgeBase hlq.ZDTV21.KNOWBASE

ESMAnalysis Yes | No
ACF2Analysis Yes | No (SPE2210)
RACFAnalysis Yes | No
TSSAnalysis Yes | No

(Optional) Whether to analyze the ESM database

For each LPAR that needs to analyze the ESM database, you must set this parameter, even if the databases are shared by all the LPARs.

You can set the parameter for a specific ESM, or use the ESMAnalysis parameter, which enables analysis for any ESM on the LPAR.

The default value is No for all the parameters.

RulesDataset dataSetName

Name of the compliance rules data set that you want to update

Example: RulesDataset hlq.ZDTV21.RULES

(SPE2110) To update a custom rules data set before the supplied rules data set, specify the custom rules data set in the JCL:

//COMPRULE DD DISP=SHR,DSN=custom.dataset
// DD DISP=SHR,DSN=supplied.rule.dataset

To update the queries from the browser, specify the custom rules data set in the config RulesDataset.

If you use a concatenation for the rules data sets, the INDEX member is read from only the first data set that it's found in.

SQLPath path

Location of z/OS OMVS where Security Policy Manager stores the events and alerts that are required to be saved between sessions

A database is also created in virtual storage to hold transient data required during the life of Security Policy Manager. This parameter defines the path to the location of the permanent database. The database is maintained by Security Policy Manager and does not require maintenance.

The path can be a standard USS path, or you can define a new aggregate ZFS file that can be automounted.

Example: SQLPath /u/spm/spmdb

Subnetmask mask

(Optional) Subnet mask to use

The default value is 255.255.255.255.

Example: Subnetmask 255.255.0.0

TCPIPStacks stack1 stack2 … stackN

(Optional) Name of one or more TCP/IP stacks whose profile is to be monitored by Security Policy Manager

If this parameter is omitted, no TCP/IP monitoring is performed.

Example: TCPIPStacks TCPIP

TsscfileDataset dataSetName

(Top Secret only) The Top secret TSSCFILE data set name

Example: TsscfileDataset hlq.TSSDATA

TssparmsDataset  dataSsetName(member)

(Top Secret only) Data set and member name containing the Top Secret initialization parameter

Security Policy Manager uses this to determine whether the TSS configuration changed since system startup.

Example: TssparmsDataset hlq.PARMLIB(TSSPARM0)

EndSPMParms

Terminates a block of Security Policy Manager definitions

DatasetFilters dataSetName dataSetName


Heads a block of data set definitions

This list contains data set names to be monitored in addition to the standard sensitive data set names. If any of the listed data sets are updated, an alert is generated. After the DatasetFilters command, specify one data set per line, and terminate the list with an EndDatasetFilters command.

(SPE2110) (Optional) For each data set, you can specify one of the DSN types defined with the CustomDsnType parameter. If you do not specify a type, the type value USER is applied.

To enable different data sets to be monitored on different systems, you can specify DatasetFilters blocks with a Scope BASPM.sysid preceding the block.

EndDatasetFilters

Terminates a block of data set definitions

JobnameFilters jobName jobName

Heads a block of job definitions

This list contains job names to be monitored. If any of the listed jobs start or end, an alert is generated. After the JobnameFilters command, specify one job per line, and terminate the list with an EndJobnameFilters command.

To enable different job names to be monitored on different systems, you can specify JobnameFilters blocks with a Scope BASPM.sysid preceding the block.

EndJobnameFilters

Terminates a block of job definitions

Sample configuration parameters

A sample of the Security Policy Manager c onfiguration data set members using some of the parameters described earlier in this topic follows:

The sample uses different members to illustrate how multiple members are used, but all configuration parameters could be saved in a single member.

Sample Global Member

***********************************************
* Global Scope                                *
* These are RSS configuration parameters      *
***********************************************
ClassName         FACILITY                     
MessageLevel      Error Info                   
SMFRecordtype     230                          
SyslogId          xxxxxx                       
AuditLogOptions   SYSOUT Default               
Activate          Server                       
Activate          zDetect                      
*********************************************
* SPM Parameters                            *
*********************************************
Include           ZDT

*********************************************
* Server Parameters                         *
*********************************************
Scope             Server
  Include         SRVLIST
  Include         TARGETS

Sample Server Member(SRVSYS1)

*********************************************
* HTTP Server Configuration                 *
*********************************************
HTTPServer
  Protocol      HTTP
  Port          8181
EndHTTPServer

Sample Event Targets Member (TARGET)

************************************************  
* RSM Security Server V2.1                     *  
*                                              *  
* Sample Event Targets                         *  
*                                              *  
* (c) RSM Partners Ltd. 2017                   *  
************************************************  
EventTarget                                       
   Name     Console                               
   Severity Emergency Critical                    
EndEventTarget                                    
                                                 
EventTarget                                       
   Name     Syslog                                
   Host     Local                                 
   Format   Syslog                                
   Severity Emergency Critical Alert Error Warning
EndEventTarget                                    
                                                 
EventTarget                                       
   Name     Splunk                                
   Format   Syslog                                
   Host     192.168.10.60                         
   Port     8100                                  
   Protocol UDP                                   
   Encoding ASCII                                 
   Severity Emergency Critical Alert Error Warning
EndEventTarget   

Sample SPM Member (ZDT)

*********************************************
* SPM Configuration                         *
*********************************************
SPMParms
  SQLPath        /u/BASPM  
  RulesDataset   hlq.RSMRULE
  TCPIPStacks    TCPIP
  RACFAnalysis   Yes
  CustomDsnType  Payr Cust
EndSPMParms

DatasetFilters
  PAY.PAYROLL.DATA  RAYR
  SYS1.PARMLIB
EndDatasetFilters

Scope zDetect.SYS1
JobNameFilters
  SYSLOGD
  INETD1
  TCPIP
  VTAM
  JES2
  RACF
  CICSTS51
EndJobnameFilters

Scope zDetect.SYS2
JobNameFilters
  SYSLOGD
  INETD1 RSSTAM
  C2POLICE
  TCPIP
  VTAM
  JES2
  RACF
EndJobnameFilters

Where to go from here

After you configure the product parameters, create a started task user.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*