Configuring parameters


Configure the product at startup by using parameters defined in one or more members of the partitioned data set that is defined on the RSSPARM data definition. Sample configuration members are provided in the samples library that is created during product installation.

The configuration members define the values required to start the product, such as:

  • Product key
  • IP address
  • Port number
  • Protocol for the browser interface
  • Message level


Where the products require additional configuration parameters, you can add these parameters to the existing BMC AMI Resident Security Server (RSS) configuration parameters. This section describes all the configuration parameters supported by the product. Many of the parameters are optional and most implementations use only a subset.

Configuration parameter syntax

The parameters in the configuration data set conform to the following rules:

  • Enter only one parameter on each line. A parameter can start in any position on that line.
  • Specify parameters in full. They are not case sensitive except for HFS path names.
  • Add an asterisk (*) in the first position to make it a comment.
  • Use standard z/OS system-defined static system symbols, such as &SYSNAME.

Configuring SCOPE parameter

You can share parameters in the configuration data set between multiple address spaces and multiple LPARs.

The SCOPE parameter controls which address spaces, and optionally on which LPAR, process each block of parameters in the configuration data set. Place the SCOPE keyword before a block of one or more configuration parameters to indicate that the block is processed only by address spaces started with that scope. The scope of each address space is set by the SCOPE= parameter in the EXEC PARM of its JCL procedure. Parameters that precede the first SCOPE keyword are processed by every address space.

You can qualify the SCOPE keyword with the SYSID (for example, Scope BASPM.SYS1) so that different parameter blocks are processed depending on the system on which SPM is started.

The following example displays different uses of the SCOPE parameter:

*
*  Following parameters will be processed by every
*  Address Space
*
Parameter Value
Parameter Value
*
*  Following parameters will be processed by every
*  Address Space started with Scope=Server
*
Scope Server
Parameter Value
Parameter Value
*
*  Following parameters will be processed by all
*  Address Spaces started with Scope=BASPM
*
Scope BASPM
Parameter Value
Parameter Value
*
*  Following parameters will be processed by Address
*  Spaces started with Scope=BASPM on system SYS1
*
Scope BASPM.SYS1
Parameter Value
Parameter Value

Multiple configuration parameter members

You can split the BMC AMI Security Policy Manager configuration parameters across multiple members for simplification, ease of administration, or to share commonly used blocks of parameters across multiple address spaces.

You can include other members in the parameters using the INCLUDE keyword, as displayed in the following example:

*
* SPM Global Parameters
*
Parameter Value
Parameter Value
*
* SPM Server Parameters
*
Scope Server
         Include member1                         
         Include member2

Configuration parameter groups

Except for the global configuration parameters, BMC AMI Security Policy Manager configuration parameters are organized in groups, with a group header and group trailer parameter.

This enables similar parameter keywords, such as PORT or IPAddress, to be placed inside different groups without conflict. The typical format of a parameter group is displayed in the following example:

GroupType
          Group Parameters
          Group Parameters
          Group Parameters
EndGroupType

Do not split parameter groups across different configuration data set members.
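The SCOPE, INCLUDE and parameter group rules above, combined in one resolver. This is an added example written for this page, not BMC's own parser: the member contents are constructed, the group keywords are the ones named on this page, and it assumes that an included member is processed under the scope that was active at the INCLUDE. It also applies the CustomDsnType rules described under SPM parameters (types of at most four characters, at most 64 of them, and any type named on a DatasetFilters line must be defined) to the parameters it resolves.

```python
# Added example for this page, not BMC's parser. Resolves which parameters one
# address space processes under the rules above: asterisk in column 1 = comment;
# one parameter per line, any column; keywords are not case sensitive; SCOPE
# blocks select by scope with an optional .SYSID qualifier; INCLUDE pulls in a
# member; a group opens with its header keyword and closes with End<keyword>.
# ASSUMPTION: an INCLUDEd member runs under the scope active at the INCLUDE.

# Group header keywords named on this page.
GROUPS = {"HTTPSERVER", "EVENTTARGET", "SPMPARMS", "DATASETFILTERS", "JOBNAMEFILTERS"}

# Constructed sample members; the dict stands in for the RSSPARM PDS.
MEMBERS = {
    "MAIN": """\
* Global parameters: processed by every address space
ClassName        FACILITY
MessageLevel     Error Info
Scope Server
   Include       SRVLIST
Scope BASPM
   Include       ZDT
Scope BASPM.SYS1
DatasetFilters
   SYS1.PARMLIB
   PAY.PAYROLL.DATA  PAYR
EndDatasetFilters
""",
    "SRVLIST": """\
HTTPServer
   Protocol      HTTP
   Port          8181
EndHTTPServer
""",
    "ZDT": """\
SPMParms
   SQLPath       /u/BASPM
   CustomDsnType Payr Cust
EndSPMParms
""",
    # Deliberately wrong: the group opened here is not closed in this member.
    "BADGRP": """\
HTTPServer
   Port          8282
""",
}


def resolve(members, member, scope, sysid, _depth=0):
    """Return [(group, KEYWORD, value), ...] in effect for one address space.

    scope is the SCOPE= value from the EXEC PARM; sysid is the LPAR's SYSID.
    Raises ValueError if a group is not closed in the member that opened it.
    """
    if _depth > 16:
        raise ValueError("INCLUDE nesting too deep; is there an INCLUDE loop?")
    active = True      # lines before the first SCOPE keyword are global
    stack = []         # parameter groups currently open in this member
    out = []
    for raw in members[member].splitlines():
        if raw[:1] == "*" or not raw.strip():         # comment or blank line
            continue
        parts = raw.split(None, 1)                    # keyword, rest of line
        kw = parts[0].upper()                         # keywords: case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""   # values as typed
        if kw == "SCOPE":
            name, _, sysq = value.upper().partition(".")
            active = name == scope.upper() and sysq in ("", sysid.upper())
            continue
        if not active:
            continue
        if kw == "INCLUDE":
            out.extend(resolve(members, value.upper(), scope, sysid, _depth + 1))
        elif kw in GROUPS:
            stack.append(kw)
        elif kw.startswith("END") and stack and stack[-1] == kw[3:]:
            stack.pop()
        else:
            out.append((stack[-1] if stack else None, kw, value))
    if stack:
        raise ValueError(f"group {stack[-1]} opened in member {member} is not closed there")
    return out


def check_dsn_types(params):
    """Apply the CustomDsnType rules: each type at most four characters, at most
    64 types, and a type used on a DatasetFilters line must be defined (a line
    with no type gets the built-in type USER). Returns a list of problems."""
    types = set()
    for group, kw, value in params:
        if group == "SPMPARMS" and kw == "CUSTOMDSNTYPE":
            types.update(t.upper() for t in value.split())
    problems = [f"type {t} is longer than 4 characters" for t in sorted(types) if len(t) > 4]
    if len(types) > 64:
        problems.append(f"{len(types)} custom types defined, maximum is 64")
    for group, dsn, value in params:
        if group == "DATASETFILTERS":
            dsn_type = value.upper() or "USER"
            if dsn_type != "USER" and dsn_type not in types:
                problems.append(f"{dsn}: type {dsn_type} is not a CustomDsnType")
    return problems
```

resolve(MEMBERS, "MAIN", "BASPM", "SYS1") returns the global parameters, the SPMParms group from the included ZDT member, and the DatasetFilters block; the same call with "SYS2" omits the DatasetFilters block, and "Server" sees only the globals and the HTTPServer group. Resolving BADGRP raises, which is the check to run before shipping a member that splits a group across members.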

Global configuration parameters

The global configuration parameters are applicable to every BMC AMI Security Policy Manager address space. Global configuration parameters are not defined within a parameter group.

They can be placed inside a SCOPE block to define different values for different address spaces. 

The following global configuration parameters are required unless otherwise specified.

Parameter

Description

ClassName FACILITY | class

Class in which the RACF or Top Secret resources are defined

By default, the SPM RACF or Top Secret resources are defined in the FACILITY class. If you placed the resources in a different class during product installation, specify it here.

ExpiryWarning 31 | nnn

Number of days to send an alert before the SPM software key expires

The Alert message is in the following format:
License expires in nnn days

The default value is 31.

InternalTrace size

Number of entries in the RSS internal trace table

The internal trace content can be output by a command or automatically formatted in the event of an abend.

Specifying a value of 0 disables internal tracing.

The default value is 4096.

CommandSecurity On | Off

Whether RSS should implement an additional layer of security for commands issued from the console of the administration facility

Activating this feature requires an additional RACF or Top Secret profile for each RSS command and subcommand, defined in the class given by ClassName; a user must be permitted to the matching resource before the command is accepted.

The RACF or Top Secret profile is:

RSM.RSSCMD.command

RSM.RSSCMD.command.subcommand

For example, you can use this facility to restrict which users can activate RSS traces with the RSM.RSSCMD.SETMSG profile.

RecoveryMax

Number of times within a calendar day that the RSS High Level Task Manager (HLM) recycles SPM if an abend occurs during normal processing. The HLM automatically performs a cleanup and restarts SPM to ensure availability.

Valid values are 1 through 12, and the default value is 3.

MessageLevel type type type

Type of messages to be output

You can specify as many MessageLevel parameters as required, or specify multiple types on a single line. The following table lists the available types:

Type

Description

AppTrace

Turns on specific tracing for SPM

BufTrace

Traces data in all traced exchanges as well as protocol information

Error

Output error messages

Info

Output information messages

HTTPTrace

Traces HTTP traffic generated by user interactions with the SPM browser interface

RACFTrace

Traces all RACF or Top Secret commands and their output responses

TCPTrace

Traces all TCP communications including SSL exchanges when using HTTPS protocol

XCFTrace

Traces data sent and received across XCF communications

DLLTrace

Traces DLL calls

SQLTrace

Traces SQL calls

JSONTrace

Traces JSON streams over the REST API

DSTrace

Traces RSS dataspace activity

DataTrace

Traces detailed data buffers during communication

Use this trace with care: the buffers can contain sensitive data, so protect the trace output and turn DataTrace off again once the problem is diagnosed.

MutexTrace

Traces mutex operations

The recommended settings for normal use are Error and Info.

Activate component

Component to be activated during SPM initialization

For all systems on which SPM runs, specify Activate ZDETECT. If the HTTP server is also defined or required on a system, add Activate SERVER for that system.

For more information, see SPM parameters later in this topic.

SyslogId ID

ID used in the name field of any syslogD record written by this instance of SPM

The default value is enterpriseConnector.

HTTP server configuration

Use the following parameters if the HTTP server is used to support browser-based connections to the SPM implementations.

Best practice
The server supports both unsecured and secured connections. For security reasons, we recommend securing the connection with the IBM AT-TLS component of TCP/IP.

In either case, set the Protocol parameter to HTTP. TLS is then applied transparently by the AT-TLS policy rules that you define for the server port; SPM itself does not negotiate TLS.

Important

If you are using a secure connection, use the https:// prefix to access the web server in a browser. If you are using the HTTP server, an Activate Server statement must be coded in the global configuration parameters.

The HTTP server parameters must be defined within an HTTPServer group:

Parameter

Description

HTTPServer

Heads a block of HTTP server definitions

Protocol HTTP

Whether SPM uses secure or non-secure exchanges between logged-on users and the SPM server on z/OS

Always set the protocol to HTTP. To secure the connection, you must use IBM AT-TLS; an AT-TLS rule for the server port then encrypts the traffic without any change to this parameter.

Port portNumber

Port on which the SPM server listens for incoming browser connections

You can use any valid port number that is not already in use on the system; if the port is taken, the server cannot listen and users cannot log on. If you secure the server with AT-TLS, make sure the AT-TLS rule selects this same port.

Buffersize bufferSize

Override of the default maximum buffer size (4096 bytes) for receiving HTTP header data

EndHTTPServer

Termination of the block of HTTP server definitions

Event targets configuration

Event target parameters are used to specify the details of external systems to receive events generated by BMC AMI Security Policy Manager. Every event generated is assigned a severity. Multiple target systems can be defined to receive events that are filtered by severity.

SPM also supports routing events to the MVS console and the local syslog daemon, as well as external SIEM systems.

The target systems must be defined within an EventTarget block. One EventTarget block is required for each target system:

Parameter

Description

EventTarget

Heads a block of definitions for a single target system

Name targetName

Name of this target system

This name is used only for reference purposes and does not have to match any name on the target system.

There are two reserved names for use by SPM:

  • Console—Events that are written to the MVS console
  • Syslog—Events that are written to the syslog daemon

Severity severity severity severity

One or more event severity filters for events forwarded to this target system. Only events whose severity is listed are sent; the list is not a threshold, so name every severity you want the target to receive.

The severity is set by SPM when generating the event or alert. The severity names follow the severity values defined for syslog (RFC 5424 is supported).

The following list contains valid severity names:

  • Emergency
  • Critical
  • Alert—Summary compliance messages are sent to the target system
  • Error
  • Warning
  • Notice
  • Info—Detail compliance records are sent to the target system
  • Debug

Format Console | Syslog | JSON | XML | RFC3164 | RFC5424

Format in which the event is forwarded to the target system

Important

Both syslog message formats, RFC 3164 and RFC 5424, are supported and are selected with Format RFCnnnn (for example, Format RFC5424). For more information, see:

https://tools.ietf.org/html/rfc5424

https://tools.ietf.org/html/rfc3164

Host Local | IPAddress

IP address of the target system to which the event is to be sent

Local should be specified (with Format Syslog) to write the event to the z/OS SyslogD daemon.

Port portNumber

Port on the target system to which the event is sent

Protocol UDP | TCP

Transport protocol on which the event is sent to the target system

UDP gives no delivery guarantee, so events can be lost silently when the network or the SIEM is busy; prefer TCP where the target accepts it.

Encoding ASCII | EBCDIC

Character encoding in which the event text is sent to the target system

SPM converts the event text between EBCDIC and ASCII as required before sending it. An off-platform SIEM normally expects ASCII, as in the sample Splunk target later in this topic; a target that receives EBCDIC when it expects ASCII sees unreadable records.

EndEventTarget

Terminates a block of definitions for a single target system

SPM and SIEM systems

SPM sends alerts to SIEM systems from the following sources:

  • SMF 14—File closed after reading
  • SMF 15—File closed after writing
  • SMF 42—PDS activity
  • SMF 80—RACF or Top Secret events and audited events
  • SMF 230 (variable)—ACF2 events
  • z/OS commands—Commands entered on the console, including RACF or Top Secret commands; any RACF-related command is recognized
  • z/OS console messages—All messages are checked and analyzed
  • SYSLOGD events—These events are analyzed, and if deemed of interest, they are sent to SIEMs or dashboards and stored in the database.

Because the code intercepts all SMF records before sending them to SIEMs, SPM can intercept any SMF record type, not only the types listed previously. With minor changes, SPM can process other SMF records and send them to a SIEM system, or forward the entire record to the SIEM after sanitizing binary fields. Similarly, with console messages and commands, SPM can forward all commands.

For example, SPM can receive a specific console message (such as one from TPX) and send the result directly to the SIEM for further processing. This takes a few dozen lines of code and could be activated by a configuration change.

When a SIEM is configured and defined to SPM, you can specify which of the following levels (as defined by RFC5424) is sent:

  • EVENT_EMERGENCY
  • EVENT_ALERT
  • EVENT_CRITICAL
  • EVENT_ERROR
  • EVENT_WARNING
  • EVENT_NOTICE
  • EVENT_INFO
  • EVENT_DEBUG

The following events are also used within SPM:

  • EVENT_SUMMARY—Send to dashboard only
  • EVENT_DASHBOARD—Send to SIEM only

The levels are as follows:

Level

Description

Emergency

A user is unloading the RACF or Top Secret database, updating a sensitive data set, updating a user-monitored data set

Alert

Suspicious activity, such as a user given the SPECIAL attribute in RACF or Top Secret, a sensitive data set updated due to WARN on RACF profile, a misconfigured sensitive data set profile

Error

Sensitive data set does not have a fully-qualified generic profile or the audit settings are wrong

Warning

RACF or Top Secret command entered, RVARY issued, compliance query failures

Notice

Password violations, login violations, a monitored job has started or ended, a monitored command was entered, there was a potential ACEE modification, or multiple violations from same IP address

Info

Unused

Debug

Unused

Summary

Send compliance summary to dashboard only

Dashboard

Used in conjunction with the previous codes to send to a dashboard and to SIEM
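The EventTarget Severity, Format and Encoding parameters above, together with the severity levels of this section, worked through as an added example (not BMC's code). The targets and the event are constructed; the syslog facility (local0) and the EBCDIC default for a target that has no Encoding parameter are assumptions, because the page states neither.

```python
# Added example for this page (not BMC's code): what an EventTarget's Severity
# filter, Format Syslog and Encoding do to an SPM event on its way to a SIEM.
# ASSUMPTIONS: syslog facility local0; a target without Encoding sends EBCDIC.

# RFC 5424 numeric severities behind the names accepted by Severity.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
FACILITY = 16                                   # local0 (assumption)
CODEC = {"ASCII": "ascii", "EBCDIC": "cp037"}   # cp037 is EBCDIC (US) in Python

# Constructed EventTarget blocks, mirroring the sample event targets member
# later in this topic, plus one hypothetical Notice-only target.
TARGETS = [
    {"Name": "Syslog", "Host": "Local", "Format": "Syslog",
     "Severity": {"Emergency", "Critical", "Alert", "Error", "Warning"}},
    {"Name": "Splunk", "Host": "192.168.10.60", "Port": 8100, "Protocol": "UDP",
     "Format": "Syslog", "Encoding": "ASCII",
     "Severity": {"Emergency", "Critical", "Alert", "Error", "Warning"}},
    {"Name": "Notices", "Host": "10.0.0.9", "Port": 514, "Protocol": "TCP",
     "Format": "Syslog", "Encoding": "EBCDIC", "Severity": {"Notice"}},
]

# Constructed event of the kind the Alert level covers on this page.
EVENT = {"severity": "Alert", "timestamp": "2024-05-01T12:00:00Z",
         "hostname": "SYS1", "msgid": "SPECIAL",
         "text": "User JSMITH was given the SPECIAL attribute"}


def rfc5424_line(severity, timestamp, hostname, appname, msgid, text):
    """Build an RFC 5424 record: PRI is facility*8 + severity, then VERSION 1,
    TIMESTAMP, HOSTNAME, APP-NAME, PROCID (-), MSGID, STRUCTURED-DATA (-), MSG."""
    pri = FACILITY * 8 + SEVERITY[severity]
    return f"<{pri}>1 {timestamp} {hostname} {appname} - {msgid} - {text}"


def decode_pri(line):
    """Split a received record's PRI back into (facility, severity)."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def route(event, targets):
    """Return {target Name: bytes on the wire} for every target whose Severity
    filter names this event's severity. The filter is a set of names, not a
    threshold: a target listing only Warning receives Warning events only."""
    delivered = {}
    for t in targets:
        if event["severity"] not in t["Severity"]:
            continue
        line = rfc5424_line(event["severity"], event["timestamp"],
                            event["hostname"], "SPM", event["msgid"], event["text"])
        # Encoding decides the byte form. Send EBCDIC to a Linux SIEM and its
        # parser sees garbage, so this is the first thing to check when records
        # arrive unreadable. The EBCDIC default is an assumption.
        delivered[t["Name"]] = line.encode(CODEC[t.get("Encoding", "EBCDIC")])
    return delivered
```

route(EVENT, TARGETS) delivers the Alert to the Syslog and Splunk targets only; the Splunk bytes start with <129> (16*8+1) and are plain ASCII, while the local syslogd copy is the same text in EBCDIC. Changing the event's severity to Notice reaches only the Notices target, because neither sample target lists Notice.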

SPM parameters

Some additional configuration parameters are required for BMC AMI Security Policy Manager.

To start SPM, you must set an Activate ZDETECT configuration statement in the global configuration parameters.

You can use the RECONFIG command to change some parameters later. For more information, see Reconfiguring-parameters.

Parameter

Description

SPMParms

Heads a block of SPM definitions

AlertLog  severity1 severity2 …. severityN

(Optional) One or more of the following alert severity filters for alerts written to server logs:

  • Emergency
  • Critical
  • Alert
  • Error
  • Warning
  • Notice
  • Info
  • Debug

Example: AlertLog emergency critical error

Applid vtamAppID

(Optional) VTAM application ID

Checkpointname checkPointDSN

(Optional) Name of the checkpoint data set

Example: Checkpointname hlq.ZDTV21.CHKPNT

For more information about the checkpoint data set, see Defining a checkpoint data set.

Classified Yes | No

(Optional) Whether the system is designated as a DISA STIG classified system

The default value is No.

Compliance Yes | No

(Optional) Whether to run compliance

The default value is Yes.

ComplianceLog Yes | No

(Optional) Whether compliance results, including failures, should be logged to the dynamically allocated server SYSOUT ZDTCOMP

The default value is No.

Warning

The parameter is disabled by default because the logged results show which controls fail and could assist an attacker in footprinting (gathering information about) the system. If you enable the parameter, ensure the output from BMC AMI Datastream is protected by RACF.

CommandTimeoutSeconds or CMDTimeout nnnnn

(SPE2407)

Security Policy Manager issues various z/OS commands to obtain monitored configuration information. These commands are expected to respond promptly to extract the necessary data.

You can use the CommandTimeoutSeconds or CMDTimeout nnnnn parameter to specify the number of seconds that Security Policy Manager waits for the response to a command. Valid values are 3 through 43200 seconds.

The default value is 15 seconds. If you specify a value outside this range, the default is used.

The lower the value, the more likely a command response times out and the data it would have supplied is missing from compliance analysis.

The higher the value, the longer a slow command response can delay compliance analysis.

CustomDsnType dsnType dsnType dsnType...

(Optional) Define custom DSN types for the sens (sensitive data sets) table. Use the custom DSN types to categorize data sets specified in the DatasetFilters section.

Each type can be up to four characters long and you can define up to 64 custom types.

Use the following CustomDsnType values with specified DISA STIGs:

DISA STIG

CustomDsnType

Description

V-223680

SMPE

SMP/E product installation libraries

V-223670

DASD

DASD backup files

V-223826

BTCP

Data sets containing base TCP/IP components—that is, SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA

V-29952

JCLL

JCL libraries or open access libraries or datasets for FTP

V-29952

FTPC

Data sets containing FTP control cards

V-223815

DFSM

Load libraries to determine program resource definitions.
If the installation moves these modules to another load library, the installation-defined load library should be used. Else, use SYS1.DGTLLIB, SYS1.DFQLLIB

V-223846

UNIX

Specify the z/OS UNIX data sets that should be restricted for update by system programmers only. The default data set name masks for the UNIX data sets are as follows:

  • SYS1.ABPX*
  • SYS1.AFOM*
  • SYS1.BPA.ABPA*
  • SYS1.CMX.ACMX*
  • SYS1.SBPX*
  • SYS1.SFOM*
  • SYS1.CMX.SCMX*

You must validate these names with your system programmer.

V-223849

USTP

The /etc/steplib system directory, created by using the OSTEPLIB /etc/steplib operator command, with the APF-authorized PDSs or STEPLIBs specified. The data set is captured as type USTP in the sensitive data set table.

V-223671

TRAC

SYS1.TRACE. Specify SYS1.TRACE TRAC under the data set filters; the data set is captured as type TRAC in the sensitive data set table.

Example

SPMParms
  parameterA
  CustomDSNType    JCLL FTPC
  parameterB
EndSPMParms
Scope zDetect.RSM2
DatasetFilters
  TSGCW.JCL.CNTL1  FTPC
  TSGCW.JCL.CNTL1  JCLL
  PDSnameA
EndDatasetFilters

DatastreamInstance instanceName

(Optional, deprecated; use DatastreamSSID) Name of the BMC AMI Datastream instance to which all messages are sent. If both DatastreamInstance and DatastreamSSID are specified, DatastreamInstance is ignored.

Example: DatastreamInstance v610.B3405

DatastreamSSID ssid

(Optional) Subsystem identifier (SSID) of the BMC AMI Datastream writer to which all messages are sent

To use the parameter, make sure that the started task ID under which SPM runs has write access to the BMC AMI Datastream Subsystem Writer. For more information, see Using z/OS SAF in the BMC AMI Datastream technical documentation.

ForwardSmf80 Yes | No

(Optional) Whether SMF 80 records should be forwarded to the target systems defined with the EventTarget parameters

The default value is No.

ForwardSyslog Yes | No

(Optional) Whether syslog records should be forwarded to the target SIEM systems defined with the DatastreamSSID parameter (or the deprecated DatastreamInstance parameter)

The default value is No.

GroupName xcfGroupName

Name of the XCF group for this instance

Use GroupName to run multiple SPM instances on one system.

Example: GroupName SPMGRP

ImportDataset dataSetName


(Optional) Name of the data set with the required SQL data to import

Use more than one ImportDataset parameter to import more than one data set.

Example:

ImportDataset hlq.IMPORT.SQL1
ImportDataset hlq.IMPORT.SQL2

For more information, see Adding-custom-tables and Commands.

Inactivate component

(Optional) Inactivates one of the following components of the SPM server:

  • DB2
  • DCOLLECT
  • CICS
  • IMS
  • MQ

Example:

Inactivate DB2
Inactivate IMS

KnowledgeBase dataSetName

Name of the knowledge base data set

Example: KnowledgeBase hlq.ZDTV21.KNOWBASE

ESMAnalysis Yes | No
ACF2Analysis Yes | No 
RACFAnalysis Yes | No
TSSAnalysis Yes | No

(Optional) Whether to analyze the ESM database

For each LPAR that needs to analyze the ESM database, you must set this parameter, even if the databases are shared by all the LPARs.

You can set the parameter for a specific ESM, or use the ESMAnalysis parameter, which enables analysis for any ESM on the LPAR.

The default value is No for all the parameters.

RulesDataset dataSetName

Name of the compliance rules data set that you want to update

Example: RulesDataset hlq.ZDTV21.RULES

To have a custom rules data set take precedence over the supplied rules data set, concatenate the custom data set first in the JCL:

//COMPRULE DD DISP=SHR,DSN=custom.dataset
// DD DISP=SHR,DSN=supplied.rule.dataset

To update the queries from the browser, specify the custom rules data set in the config RulesDataset.

If you use a concatenation for the rules data sets, the INDEX member is read from only the first data set that it's found in.

SQLPath path

z/OS UNIX (OMVS) path where SPM stores the events and alerts that must be kept between sessions

A database is also created in virtual storage to hold transient data required during the life of SPM. This parameter defines the path to the permanent database, which SPM maintains itself and which needs no manual maintenance. Because it holds security events and alerts, restrict access to the path to the SPM started task user ID.

The path can be a standard USS path, or you can define a new zFS aggregate that can be automounted.

Example: SQLPath /u/spm/spmdb

Subnetmask mask

(Optional) Subnet mask to use

The default value is 255.255.255.255.

Example: Subnetmask 255.255.0.0

TCPIPStacks stack1 stack2 … stackN

(Optional) Name of one or more TCP/IP stacks whose profile is to be monitored by SPM

If this parameter is omitted, no TCP/IP monitoring is performed.

Example: TCPIPStacks TCPIP

TsscfileDataset dataSetName

(Top Secret only) Top secret TSSCFILE data set name

Example: TsscfileDataset hlq.TSSDATA

TssparmsDataset dataSetName(member)

(Top Secret only) Data set and member name containing the Top Secret initialization parameters

Security Policy Manager uses this to determine whether the TSS configuration changed since system startup.

Example: TssparmsDataset hlq.PARMLIB(TSSPARM0)

RACFDBUnload unloadOption syncLevel

Whether to unload the RACF database into SQLite tables, and if so, whether to synchronize the database during unload

To unload the RACF database into SQLite tables, set the unload option to YES. The unload process uses the IBM RACF database unload utility, IRRDBU00.

If you set the unload option to YES, set the synchronization level:

  • LOCKINPUT synchronizes the RACF database unload.
  • NOLOCKINPUT prevents synchronization.

The LOCKINPUT option prevents access to the RACF database during the unload process. LOCKINPUT impacts overall system performance. However, it makes sure that the SPM tables are fully synchronized with the RACF database.

For information about the unloaded tables, see RACF-database-unload-tables.

The default value for the unload option is NO.

REPORTRESynctime hh:mm

Local time (24-hour clock) at which all active rules are refreshed

Valid values are 00:00 through 23:59.

Examples:

  • REPORTRESynctime 00:00 refreshes the report data daily at midnight.
  • REPORTRESynctime 05:30 refreshes the report data daily at 5:30 A.M.
  • REPORTRESynctime 17:30 refreshes the report data daily at 5:30 P.M.

The default value is 07:00.

EndSPMParms

Terminates a block of SPM definitions

DatasetFilters dataSetName dataSetName


Heads a block of data set definitions

This list contains data set names to be monitored in addition to the standard sensitive data set names. If any of the listed data sets are updated, an alert is generated. After the DatasetFilters command, specify one data set per line, and terminate the list with an EndDatasetFilters command.

(Optional) For each data set, you can specify one of the DSN types defined with the CustomDsnType parameter. If you do not specify a type, the type value USER is applied.

To enable different data sets to be monitored on different systems, you can specify DatasetFilters blocks with a Scope BASPM.sysid preceding the block.

EndDatasetFilters

Terminates a block of data set definitions

JobnameFilters jobName jobName

Heads a block of job definitions

This list contains job names to be monitored. If any of the listed jobs start or end, an alert is generated. After the JobnameFilters command, specify one job per line, and terminate the list with an EndJobnameFilters command.

To enable different job names to be monitored on different systems, you can specify JobnameFilters blocks with a Scope BASPM.sysid preceding the block.

EndJobnameFilters

Terminates a block of job definitions

USSIntervalMins minutes

Frequency in minutes at which the USS cycle collects statistics for USS processes and threads running for use in Security Policy Manager

Valid values are from 1 to 1440 minutes (one day).

You can change the value depending on the size and volume of your USS processing needs:

  • Setting the value too low might result in excessive CPU usage.
  • Setting the value too high might result in information that is less current than you require.

The default value is 1440.

UssFileScan compact | full | disable

(SPE2501)

(Optional) Use to control the scanning of the USS File system. Valid values are as follows:

  • Disable – Disables scans of the USS file system. The DS223840 and DS223811 DISA STIG reports are then not accurate.
  • Full – Scans the whole USS file system. SPM records information about all identified directories and certificate files in the ussfile table.
  • Compact – Scans the whole USS file system but records only the identified certificate files and the directories that other users can write to, in the ussfile table.

The default value is Compact.

Sample configuration parameters

A sample of the SPM configuration data set members using some of the parameters described earlier in this topic follows:

The sample uses different members to illustrate how multiple members are used, but all configuration parameters could be saved in a single member.

Sample Global Member

***********************************************
* Global Scope                                *
* These are RSS configuration parameters      *
***********************************************
ClassName         FACILITY                     
MessageLevel      Error Info                   
SMFRecordtype     230                          
SyslogId          xxxxxx                       
AuditLogOptions   SYSOUT Default               
Activate          Server                       
Activate          zDetect                      
*********************************************
* SPM Parameters                            *
*********************************************
Include           ZDT

*********************************************
* Server Parameters                         *
*********************************************
Scope             Server
  Include         SRVLIST
  Include         TARGETS

Sample Server Member (SRVLIST)

*********************************************
* HTTP Server Configuration                 *
*********************************************
HTTPServer
  Protocol      HTTP
  Port          8181
EndHTTPServer

Sample Event Targets Member (TARGETS)

************************************************  
* Sample Event Targets                         *  
************************************************  
EventTarget                                       
   Name     Console                               
   Severity Emergency Critical                    
EndEventTarget                                    
                                                 
EventTarget                                       
   Name     Syslog                                
   Host     Local                                 
   Format   Syslog                                
   Severity Emergency Critical Alert Error Warning
EndEventTarget                                    
                                                 
EventTarget                                       
   Name     Splunk                                
   Format   Syslog                                
   Host     192.168.10.60                         
   Port     8100                                  
   Protocol UDP                                   
   Encoding ASCII                                 
   Severity Emergency Critical Alert Error Warning
EndEventTarget   

Sample SPM Member (ZDT)

*********************************************
* SPM Configuration                         *
*********************************************
SPMParms
  SQLPath        /u/BASPM  
  RulesDataset   hlq.RSSRULE
  TCPIPStacks    TCPIP
  RACFAnalysis   Yes
  CustomDsnType  Payr Cust
  RACFDBUnload   NO  NOLOCKINPUT
EndSPMParms

DatasetFilters
  PAY.PAYROLL.DATA  PAYR
  SYS1.PARMLIB
EndDatasetFilters

Scope zDetect.SYS1
JobNameFilters
  SYSLOGD
  INETD1
  TCPIP
  VTAM
  JES2
  RACF
  CICSTS51
EndJobnameFilters

Scope zDetect.SYS2
JobNameFilters
  SYSLOGD
  INETD1 RSSTAM
  C2POLICE
  TCPIP
  VTAM
  JES2
  RACF
EndJobnameFilters

Where to go from here

After you configure the product parameters, create a started task user.


 
