Auditing z/OS data set encryption
This chapter focuses on the various system management facilities (SMF)1 records that can aid in monitoring the z/OS data set encryption environment.
Brief descriptions and references are provided to demonstrate specific uses and tasks that are related to auditing the z/OS data set encryption environment. If a reporting process or workflow for auditing purposes is not yet established, another option to create reports is IBM Security zSecure (for more information, see 2.3.6, “IBM Security zSecure Suite” on page 31).
This chapter includes the following topics:
6.1, “Auditing encrypted sequential data sets and PDSEs”
6.2, “Auditing encrypted VSAM data sets”
6.3, “Auditing crypto hardware activity”
6.4, “Auditing security authorization attempts”
6.5, “Auditing crypto engine, service, and algorithm usage”
6.6, “Auditing key lifecycle transitions”
6.7, “Auditing key usage operations”
6.8, “Formatting SMF Type 82 records”
6.9, “Auditing key management in EKMF”
6.1 Auditing encrypted sequential data sets and PDSEs
The z/OS Data Facility Storage Management Subsystem (DFSMS) creates SMF Type 14 and Type 15 records to audit data set activity for sequential data sets and PDSEs.
SMF Type 14 and SMF Type 15 records carry a DASD Data Set Encryption Information section (section type 9). It indicates the following information:
Whether the data set is encrypted
The data set encryption type
The data set encryption key label
For more information, see DASD Data Set Encryption Information (Type 9) in the SMF Type 14 and Type 15 record descriptions.
6.2 Auditing encrypted VSAM data sets
z/OS DFSMS creates SMF Type 62 records to audit data set activity for VSAM data sets.
SMF Type 62 records indicate the following information about data set encryption:
Encryption type
Key label
6.3 Auditing crypto hardware activity
The Resource Measurement Facility (RMF) writes SMF Type 70, Subtype 2 records, which show cryptographic coprocessor and accelerator usage, including the following data:
Cryptographic CCA Coprocessor data
Cryptographic Accelerator data
ICSF Services data
Cryptographic PKCS 11 Coprocessor data
In addition, overview criteria are provided for the Postprocessor in the Postprocessor Workload Activity Report - Goal Mode (WLMGL) report. For more information, see the following publications:
z/OS RMF User's Guide (SC34-2664)
z/OS RMF Report Analysis (SC34-2665)
6.4 Auditing security authorization attempts
The Resource Access Control Facility (RACF) writes SMF Type 80 records for events such as the following examples:
Authorized or unauthorized attempts to access RACF-protected resources.
Authorized or unauthorized attempts to modify profiles on a RACF database.
SMF Type 80 records can be examined to determine which users attempted to access the following resources:
Key labels that are protected by the CSFKEYS class
Data sets that are protected by the DATASET class
Crypto services that are protected by the CSFSERV class
For more information about SMF Type 80 records, see Record type 80: RACF processing record.
For processing RACF SMF records, the RACF SMF Unload Utility (IRRADU00) is a good choice because it turns the variable-layout Type 80 records into fixed, flat records. Sample ICETOOL reports against the unloaded records are available in SYS1.SAMPLIB(IRRICE).
Post-processing of the output can be done by using DFSORT. For examples, see the IBM Systems and Technology Group presentation, As Cool as Ice: Analyzing Your RACF Data Using DFSORT and ICETOOL.
6.5 Auditing crypto engine, service, and algorithm usage
The z/OS Integrated Cryptographic Services Facility (ICSF) provides a means for security administrators and capacity planners to monitor the use of cryptographic resources with Crypto Usage Statistics. ICSF writes SMF Type 82, Subtype 31 records when cryptographic usage tracking is enabled.
 
Note: This feature is optional with ICSF FMID HCR77C1 and usage tracking algorithms can be turned on or off, depending on your needs. For more information about enabling crypto usage tracking, see 4.3.3, “CSFPRMxx and installation options” on page 83.
Crypto usage tracking helps users determine the following information:
Which jobs or tasks use the various crypto engines
Which crypto card types are receiving the most requests
Whether any crypto requests are being handled in software
The peak periods of crypto usage
ICSF services that are started by other z/OS components
Which jobs or tasks use out-of-date algorithms or key sizes
Cryptographic usage statistics are recorded in SMF data sets. Statistics are recorded for each SMF recording interval. The usage and interval recording allows you to determine usage over various time periods. For more information, see 4.4.2, “Configuring SMF recording options in SMFPRMxx” on page 106.
Each ICSF instance can track the usage of cryptographic engines (ENG), cryptographic services (SRV), and cryptographic algorithms (ALG) for the LPAR in which it runs.
SMF Type 82 Subtype 31 contains information about the cryptographic user’s HOME address space job ID, SECONDARY address space job name, HOME address space user ID, HOME task level user ID, and ASID.
By using Crypto Usage Statistics, you can assess your cryptographic usage and determine any areas that might need attention. By determining which applications are using which cryptographic engines, services, and algorithms, you can ensure that you are operating in the most secure manner. The use of Crypto Usage Statistics can also help you tune your systems for optimal performance.
For more information about a sample
6.6 Auditing key lifecycle transitions
Some regulations, such as PCI-DSS, require that specific key management activities are performed regularly. ICSF provides the capability for auditing the lifecycle of keys.
For z/OS data set encryption, which uses Common Cryptographic Architecture (CCA) symmetric data keys, ICSF writes SMF Type 82, Subtype 40 records to track key lifecycle transitions.
 
Note: This feature is optional with ICSF and key lifecycle tracking can be turned on or off, depending on your needs. For more information about enabling key lifecycle tracking, see 4.3.3, “CSFPRMxx and installation options” on page 83.
A subset of the SMF Type 82, Subtype 40 fields include the following information:
Key event, such as the key token that is:
 – Added to KDS
 – Updated in KDS
 – Deleted from KDS
 – Archived
 – Restored
 – Metadata changed
 – Pre-activated
 – Activated
 – Deactivated
 – Exported
 – Generated
 – Imported
Key label
Key data set
Service that is associated with the event
Key token format
Key security
Key algorithm
Key length
6.7 Auditing key usage operations
Regulations can limit which key types are allowed for use in crypto operations, or prohibit a single key type from being used for multiple crypto operations. ICSF provides key usage tracking to audit the use of keys.
Key usage data is recorded in SMF data sets. Data is recorded within key usage intervals, as defined in the CSFPRMxx member. Recording by interval allows you to analyze key usage over various time periods. For more information, see 4.3.3, “CSFPRMxx and installation options” on page 83.
 
Note: This feature is optional with ICSF and key use tracking can be turned on or off, depending on your needs. For more information about enabling key usage tracking, see 4.3.3, “CSFPRMxx and installation options” on page 83.
For z/OS data set encryption, which uses CCA symmetric data keys, ICSF writes SMF type 82, subtype 44 records to track key usage. Usage counts are accumulated during each key usage recording interval.
A subset of the SMF Type 82, Subtype 44 fields includes the following information:
Key label
Service that is associated with the event
Key token format
Key security
Key algorithm
Key length
Usage count
6.8 Formatting SMF Type 82 records
SMF Type 82 formatters for ICSF are available in SYS1.SAMPLIB members CSFSMFJ (JCL) and CSFSMFR (REXX). Consider the following points:
CSFSMFJ is the JCL to submit the job.
CSFSMFR is the REXX exec to run the report against the SMF records.
CSFSMFJ (shown in Example 6-1) reads Type 82 SMF records and formats them in a report. The first step uses IFASMFDP, which reads SMF data sets (SYS1.MANx or a copy dumped from them); if your installation records SMF to log streams, use IFASMFDL with an LSNAME statement in that step instead. The second step sorts the unloaded records by the date and time fields of the SMF record header, and the third step runs the CSFSMFR exec under TSO in batch.
Example 6-1 Sample JCL to unload type 82 SMF records
//*------------------------------------------------------------------*
//* UNLOAD SMF 82 RECORDS FROM VSAM TO VBS                           *
//* DUMPIN: POINT AT YOUR SMF DATA SET (A SYS1.MANX DATA SET OR A    *
//* COPY DUMPED FROM IT). THE OUTDD TYPE(82) FILTER KEEPS ONLY ICSF  *
//* RECORDS.                                                         *
//*------------------------------------------------------------------*
//SMFDMP EXEC PGM=IFASMFDP
//DUMPIN DD DISP=SHR,DSN=PRICHAR.SMFRECS
//DUMPOUT DD DISP=(NEW,PASS),DSN=&&VBS,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=32760,RECFM=VBS,BLKSIZE=4096)
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
INDD(DUMPIN,OPTIONS(DUMP))
OUTDD(DUMPOUT,TYPE(82))
//*
//*------------------------------------------------------------------*
//* COPY VBS TO SHORTER VB AND SORT ON DATE/TIME                     *
//* THE STEPLIB BELOW IS COMMENTED OUT (//S WAS CHANGED TO //*).     *
//* RESTORE IT ONLY IF DFSORT IS NOT IN THE LINK LIST.               *
//*------------------------------------------------------------------*
//COPYSORT EXEC PGM=SORT,REGION=6000K
//*TEPLIB DD DISP=SHR,DSN=SYS1.SORTLPA,VOL=SER=ttttt1,UNIT=3390
//* DD DISP=SHR,DSN=SYS1.SICELINK,VOL=SER=ttttt2,UNIT=3390
//SYSOUT DD SYSOUT=*
//SORTWK01 DD UNIT=3390,SPACE=(CYL,10)
//SORTIN DD DISP=(OLD,DELETE),DSN=&&VBS
//SORTOUT DD DISP=(NEW,PASS),DSN=&&VB,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=32752,RECFM=VB)
//SYSIN DD *
* SORT KEY: SMF HEADER DATE (COL 11, 4 BYTES) THEN TIME (COL 7, 4 BYTES)
  SORT FIELDS=(11,4,A,7,4,A),FORMAT=BI,SIZE=E4000
/*
//*
//*------------------------------------------------------------------*
//* FORMAT TYPE 82 RECORDS                                           *
//* CSFSMFR IS FOUND THROUGH SYSPROC; IT READS DD INDD AND WRITES    *
//* THE REPORT TO DD OUTDD.                                          *
//*------------------------------------------------------------------*
//FMT EXEC PGM=IKJEFT01,REGION=5128K,DYNAMNBR=100
//SYSPROC DD DISP=SHR,DSN=SYS1.SAMPLIB
//SYSTSPRT DD SYSOUT=*
//INDD DD DISP=(OLD,DELETE),DSN=&&VB
//OUTDD DD SYSOUT=*
//SYSTSIN DD *
%CSFSMFR
/*
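The SORT step in Example 6-1 orders records by the date and time fields of the standard SMF record header (columns 11 and 7), and the TME and DTE values that CSFSMFR prints at the top of each entry in Example 6-2 are exactly those raw header fields. The following Python example, added here and not part of the IBM CSFSMFJ or CSFSMFR samples, decodes that header from records constructed inside the script: the first carries the header values shown in Example 6-2, the others are made up for illustration. It then selects the Type 82 subtypes covered in this chapter (31, 40 and 44) and sorts them by date and time as the JCL does. The use of flag bit x'40' to detect the presence of the subtype field, and all function names, are this example's own.

```python
"""Decode the standard SMF record header and select ICSF Type 82 records.

Added example, not IBM sample code. Records are constructed below; the
first one carries the TME/DTE/SID/STY values printed in Example 6-2.
"""
import struct
from datetime import datetime, timedelta

# ICSF Type 82 subtypes discussed in this chapter.
SUBTYPE_NAMES = {31: "crypto usage statistics", 40: "key lifecycle", 44: "key usage"}
SUBTYPES_USED = 0x40  # header flag bit meaning "subtypes are used" (assumed here)


def build_record(rtype, tme_hundredths, dte_hex, sid, subtype=None, payload=b""):
    """Construct a record with the standard SMF header.

    Offsets (1-origin column in parentheses, matching the SORT FIELDS in
    Example 6-1): RDW 0-3, flag 4, record type 5, time 6-9 (col 7),
    date 10-13 (col 11), system ID 14-17; records that use subtypes add
    subsystem ID 18-21 and subtype 22-23, giving a 24-byte header.
    """
    flag = SUBTYPES_USED if subtype is not None else 0x00
    body = (
        struct.pack(">BBI", flag, rtype, tme_hundredths)  # time: 1/100 s since midnight
        + bytes.fromhex(dte_hex)                           # date: packed decimal 0cyydddF
        + sid.encode("cp037")                              # SID is stored in EBCDIC
    )
    if subtype is not None:
        body += b"\x00" * 4 + struct.pack(">H", subtype)  # SSI, STY
    body += payload
    return struct.pack(">HH", len(body) + 4, 0) + body    # RDW: length, segment


def smf_date(dte):
    """Packed decimal 0cyydddF -> date; c is the century (0 = 19xx, 1 = 20xx)."""
    h = dte.hex()
    century, year, day = int(h[0:2]), int(h[2:4]), int(h[4:7])
    return datetime(1900 + 100 * century + year, 1, 1) + timedelta(days=day - 1)


def parse_header(rec):
    length, _segment = struct.unpack(">HH", rec[:4])
    flag, rtype = rec[4], rec[5]
    tme = struct.unpack(">I", rec[6:10])[0]
    timestamp = smf_date(rec[10:14]) + timedelta(milliseconds=tme * 10)
    subtype = struct.unpack(">H", rec[22:24])[0] if flag & SUBTYPES_USED else None
    return {"len": length, "type": rtype, "subtype": subtype,
            "sid": rec[14:18].decode("cp037"), "time": timestamp}


def select_type82(records, subtypes=frozenset(SUBTYPE_NAMES)):
    """Mirror OUTDD(...,TYPE(82)) and the SORT on date then time from Example 6-1."""
    headers = [parse_header(r) for r in records]
    chosen = [h for h in headers if h["type"] == 82 and h["subtype"] in subtypes]
    return sorted(chosen, key=lambda h: h["time"])


# Constructed input: the first record uses the header values from Example 6-2.
SAMPLE = [
    build_record(82, 0x005E5858, "0117311F", "SC60", subtype=0x1F),  # Example 6-2 values
    build_record(82, 0x005E5000, "0117311F", "SC60", subtype=0x28),  # made up: subtype 40, earlier
    build_record(80, 0x005E5858, "0117311F", "SC60"),                # made up: RACF record, no subtype
    build_record(82, 0x00000100, "0117312F", "SC60", subtype=0x2C),  # made up: subtype 44, next day
]

if __name__ == "__main__":
    for h in select_type82(SAMPLE):
        print(h["sid"], h["time"], "type", h["type"], "subtype", h["subtype"],
              SUBTYPE_NAMES[h["subtype"]])
```

Decoding the first record yields 7 Nov 2017 17:10:30.00 on system SC60, the same date, time and SID that CSFSMFR prints above the TME/DTE line in Example 6-2; the Type 80 record is dropped by the type filter before any subtype is looked at.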
An excerpt of the Crypto Usage Statistics for SMF record type 82, subtype 31 is shown in Example 6-2.
Example 6-2 Excerpt from Crypto Usage Statistics
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... NET
USERID_TK.....
JOBID.........
JOBNAME....... NET
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
SRV...CSFKGN..... 12
**************************************************
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... PE08
USERID_TK.....
JOBID......... TSU05881
JOBNAME....... PE08
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
ENG...CARD...6C00/DV785304... 2
Example 6-2 on page 126 shows two usage entries; Subtype=001F is the hexadecimal form of subtype 31. The first entry is recorded for jobname=NET. It occurred on system SC60 in sysplex PLEX60 and used crypto domain 84.
The recording interval for the entry is 22:02 - 22:10 on 7 November 2017. The interval boundaries are shown in UTC, whereas the header time stamp printed above them (17:10:30) is local time, which accounts for the five-hour difference. During the interval, the CSFKGN (key generate) service was called 12 times. In the second entry, two requests were made to the cryptographic card identified as 6C00/DV785304 by jobname=PE08, a TSO user session (job ID TSU05881).
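To turn the formatted report into something that can be queried (which jobs drove which services or engines, and at what rate within an interval), the following Python example, added here and not part of the CSFSMFR exec, parses CSFSMFR-style output. Its input is the two entries of Example 6-2 embedded as a constructed string; the summary functions, their names, and the assumption that every counter line has the shape SRV|ENG|ALG...item... count are this example's own and should be checked against your own CSFSMFR output before relying on them.

```python
"""Parse CSFSMFR Crypto Usage Statistics output and summarize it per job.

Added example, not IBM sample code. REPORT is constructed from the two
subtype 31 entries shown in Example 6-2.
"""
import re
from collections import defaultdict
from datetime import datetime

REPORT = """\
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... NET
USERID_TK.....
JOBID.........
JOBNAME....... NET
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
SRV...CSFKGN..... 12
**************************************************
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... PE08
USERID_TK.....
JOBID......... TSU05881
JOBNAME....... PE08
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
ENG...CARD...6C00/DV785304... 2
"""

# Counter line: kind (SRV/ENG/ALG), item label, count. Assumed shape.
COUNTER = re.compile(r"^(SRV|ENG|ALG)\.{3}(.+?)\.{2,}\s*(\d+)\s*$")
# "KEY.... value" pairs; several may share one line (the TME/DTE/SID line).
FIELD = re.compile(r"(\w+)\.{2,}\s*((?:(?!\w+\.{2,}).)*)")
TS = "%m/%d/%Y %H:%M:%S.%f"


def parse_report(text):
    """Return one dict per 'Subtype=' entry: subtype, header fields, counters."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Subtype="):
            subtype = line.split()[0].split("=")[1]
            entries.append({"subtype": subtype, "fields": {}, "counters": []})
            continue
        if not entries:
            continue
        m = COUNTER.match(line)
        if m:
            kind, item, count = m.groups()
            entries[-1]["counters"].append((kind, item, int(count)))
            continue
        for key, value in FIELD.findall(line):
            entries[-1]["fields"][key] = value.strip()
    for e in entries:
        f = e["fields"]
        if "INTVAL_START" in f and "INTVAL_END" in f:
            e["interval"] = (datetime.strptime(f["INTVAL_START"], TS),
                             datetime.strptime(f["INTVAL_END"], TS))
    return entries


def usage_by_job(entries, subtype="001F"):
    """Sum counters per job name across all intervals, keyed by (kind, item)."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e["subtype"] != subtype:
            continue
        job = e["fields"].get("JOBNAME", "?")
        for kind, item, count in e["counters"]:
            totals[job][(kind, item)] += count
    return {job: dict(c) for job, c in totals.items()}


def jobs_calling(entries, kind, item):
    """Which jobs drove one service, engine or algorithm, e.g. ('SRV', 'CSFKGN')."""
    return {job: c[(kind, item)] for job, c in usage_by_job(entries).items()
            if (kind, item) in c}


def interval_rate(entry, kind, item):
    """Requests per minute for one counter within the entry's recording interval."""
    start, end = entry["interval"]
    count = sum(n for k, i, n in entry["counters"] if (k, i) == (kind, item))
    return count / ((end - start).total_seconds() / 60)


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print(usage_by_job(parsed))
    print("CSFKGN callers:", jobs_calling(parsed, "SRV", "CSFKGN"))
    print("CSFKGN per minute:", round(interval_rate(parsed[0], "SRV", "CSFKGN"), 2))
```

Running it over a full day's output from the FMT step lets you answer the questions listed in 6.5 directly: jobs_calling with a service such as CSFKGN shows which address spaces generate keys, the ENG counters show which cards each job reaches, and comparing interval_rate across consecutive intervals locates the peak periods.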
6.9 Auditing key management in EKMF
Having a key management system can simplify the process of showing compliance by automating the logging of actions and by ensuring and enforcing that certain procedures are followed. For example, a financial institution must use dual control and separation of privileges as specified by PCI, with which it must comply to be allowed to process payments.
The EKMF key management system provides an audit log that can be used by security administrators, key managers, and external auditors to monitor and audit the key management process.
EKMF logs all key management actions that are performed in EKMF to the EKMF audit log.
The audit log allows security administrators and key managers to determine the following information:
Key generation, including the key label for the generated key
Key state changes (activation, deactivation, marking as compromised, deletion, and so on) (see 10.3.6, “Key lifecycle” on page 225)
Key distribution to CKDS
Key removal from CKDS
Changes to the EKMF configuration
EKMF key templates are also relevant for audit purposes, as they document the type and attributes of keys as well as the systems the keys are distributed to.
For audit purposes, key templates can be used to document compliance with a process/policy with specific requirements for the keys.
For more information about EKMF logging and key templates, see Chapter 10, “IBM Enterprise Key Management Foundation Web Edition” on page 217.
 

1 For more information about a functional overview of SMF, see Abstract for MVS™ System Management Facility (SMF).