TRANSCRIPT
Vanguard Security Solutions™ Suite
v2.1
“What’s New” Webinar
Presented by
Vanguard Integrity Professionals
Copyright
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have
a limited license to view these materials for your organization’s internal
purposes. Any unauthorized reproduction, distribution, exhibition or use of these
copyrighted materials is expressly prohibited.
Trademarks
IBM, RACF, DB2, and z/OS are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. UNIX is a registered trademark of The Open Group in the United States
and other countries. Vanguard Security Solutions, Vanguard Administrator,
Vanguard Advisor, Vanguard Analyzer, Vanguard Offline, Vanguard Security
Center, Vanguard ez/Token, Vanguard ez/Signon, Vanguard Enforcer, Vanguard
Policy Manager, Vanguard Cleanup, Vanguard Configuration Manager, and
Vanguard inCompliance are trademarks of Vanguard Integrity Professionals –
Nevada.
Legal Notice
©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited
license to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. 2
VSS 2.1 Now available
• Released for General Availability in October
• Reorganized into 2 Solution groups:
• IAM (Identity and Access Management)
• GRC (Governance, Risk Management, and Compliance)
• VCM (Vanguard Configuration Manager™) now integrated into the standard install
• Single Datecode for all licensed products.
Identity and Access Management
• Vanguard Administrator™
• Vanguard Advisor™
• Vanguard Analyzer™
• Vanguard Offline™
• Vanguard Security Center™
• Vanguard ez/Token™
• Vanguard ez/Signon™
New Main Menu
Vanguard Administrator™
Compare Manager (option 21)
• The Compare Manager feature provides reporting and update functions based on Compare User, Group or Profile criteria.
Vanguard Unix Manager (VUM – Option 14)
• UNIX® Security Manager allows customers to run a number of reports on UNIX file access lists, the UNIX file system, UIDs and GIDs, as well as the profiles defined within IBM® RACF® that affect UNIX access.
Compare Manager
VUM – Vanguard UNIX Manager
A sample of the functions this new feature can perform, either live or against an Extract file:
1. Summary of files by Owner, Group or World permissions.
2. Summary of files by Owner and Group.
3. Summary of files by file attribute, file audit bits, file permissions, UID in permission list, GID in permission list.
4. Directories with the “x” bit off.
5. Broken symbolic links.
6. Files selected by user-specified masking criteria.
7. All information based on the IBM® z/OS® definitions of the UNIX file systems (BPXPARMS).
8. A list of users cross-referenced with their UID, PROGRAM, HOME and a STATUS (which indicates whether their home directory is valid and defined in UNIX).
9. A list of groups with their GID and the number of users connected to each group.
10. A list of CLASS profiles (FACILITY, UNIXPRIV, SURROGAT and OPERCMDS) that affect UNIX permissions and capabilities.
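As an added illustration (not Vanguard code) of the first five report types above, the following Python builds a constructed directory tree in a temporary location and produces a permission-triplet summary, the list of directories with the owner “x” bit off, and the broken symbolic links. It runs on any POSIX file system; pointing summarize() at a real path runs it live. The ACL, audit-bit and RACF-profile reports need z/OS-specific data and are not covered here.

```python
"""Added example: UNIX file-system summaries in the spirit of the VUM reports.
Not Vanguard code; the sample tree is constructed in a temporary directory."""
import os
import stat
import tempfile
from collections import Counter
from pathlib import Path


def perm_triplet(mode):
    """Split a st_mode into ('rwx', 'r-x', '---')-style owner/group/world strings."""
    bits = stat.filemode(mode)          # e.g. '-rw-r--r--'
    return (bits[1:4], bits[4:7], bits[7:10])


def summarize(root):
    """Walk `root` without following symlinks and collect the three reports."""
    root = Path(root)
    counts = Counter()          # (owner, group, world) -> number of entries
    dirs_no_x = []              # directories whose owner search ("x") bit is off
    broken_links = []           # symlinks whose target does not exist
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            mode = os.lstat(p).st_mode      # lstat: describe the link itself
            counts[perm_triplet(mode)] += 1
            rel = str(p.relative_to(root))
            if stat.S_ISLNK(mode) and not p.exists():   # exists() follows the link
                broken_links.append(rel)
            if stat.S_ISDIR(mode) and not mode & stat.S_IXUSR:
                dirs_no_x.append(rel)
    return counts, sorted(dirs_no_x), sorted(broken_links)


def build_sample_tree(base):
    """Create a small constructed tree (sample data, not a real system)."""
    (base / "data").mkdir()
    os.chmod(base / "data", 0o755)
    (base / "data" / "public.txt").write_text("hello\n")
    os.chmod(base / "data" / "public.txt", 0o644)
    (base / "data" / "secret.txt").write_text("s3cret\n")
    os.chmod(base / "data" / "secret.txt", 0o600)
    (base / "locked").mkdir()
    os.chmod(base / "locked", 0o600)                 # directory with the "x" bit off
    os.symlink("data/public.txt", base / "link_ok")  # valid relative link
    os.symlink("missing.txt", base / "link_bad")     # dangling link


def demo():
    """Build the sample tree, summarize it and return the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        try:
            return summarize(base)
        finally:
            os.chmod(base / "locked", 0o700)         # let cleanup remove it


if __name__ == "__main__":
    counts, dirs_no_x, broken = demo()
    for triplet, n in sorted(counts.items()):
        print("owner=%s group=%s world=%s : %d" % (*triplet, n))
    print("directories without x bit:", dirs_no_x)
    print("broken symbolic links:", broken)
```

The walk deliberately uses lstat and followlinks=False so a symlink is counted once with its own mode and never pulls an external tree into the summary; the no-search-bit directory is detected from its parent's listing, so the walker's inability to descend into it does not hide it.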
Other Vanguard Administrator™ Enhancements
Unusable Profile Summary
This report lists discrete general resource profiles that have generic characters (*, %) in their name but are defined in a class not enabled for generics (NOGENCMD or NOGENERIC).
NOTE: The NOGENERIC reporting and command generation processes require RACF V1R12 or higher.
Enhanced Digital Certificate Expiration Report
The format of this report was enhanced to make it easier to read and to include additional digital certificate data.
Generic Characters as Literals for Masking
Example: ‘SYS1.*.**’
Quickgen Enhancements
Reporting of Extract Statistics data
New keyword: SKIPALLBLANKS
DB2® V10 support added
Vanguard Advisor™
The output of an IDCAMS REPRO of a Vanguard Advisor™ Extract File can be used as input to a batch report
You can now specify the output of an IDCAMS REPRO of a Vanguard Advisor™ Extract File as input to a batch report. One or more files can be specified by using the VSRR DD statement.
Added support for new UNIX System Services masking parameters
You can now mask on nine additional fields to produce a more granular summary or detail report: Effective GID, Effective UID, Real GID, Real UID, Saved GID, Saved UID, Superuser, User Security Token, BPX.DEFAULT.USER.
Inclusion of earliest and last record in report
Includes the earliest and latest date and time of the input records at the end of a batch report when the input source is an SMF file.
Active Alert Email Enhancement
Added support to allow you to specify a unique Subject line for each type of Active Alert email. The Subject text can be 1-60 characters and can contain any symbolic defined on the system where Real-Time Notification is running, in addition to &SYSSMFID. to obtain the SMF ID.
Vanguard Advisor™
New OPTION RT added to help panel
Added a display of supported SMF record types to the help panel so that customers can easily see which SMF records are supported and which Vanguard Advisor™ report reports on which SMF record.
Unix System Services reports were enhanced
Added Event Code 67 (initACEE), event qualifiers 09 and 10, and Event Code 69 (RPKIEXPT), event qualifiers 09 and 09.
System entry reports were enhanced
Event Code 01, event qualifier 39 (No RACF user ID found for distributed identity).
Support DB2 compressed SMF records
DB2 V10 introduced compression for the SMF Type 100-102 records to reduce the amount of space needed to store those records. ADVISOR uses the SMF Type 102 record for the DB2 Summary and Detail reports, and changes were made to accommodate this new format.
Vanguard Analyzer™
PDS/E Support
AUDITSETROPTS Enhancement
During report generation the following two selections are now available:
Exceptions only ===> YES
Class Detail ===> YES
Exceptions only: specify YES to list only entries with message severity equal to or greater than that specified by the EXPTONLYLEVEL parameter in the VSAOPT00 member of the options data set.
Class detail: specify YES to list the properties and characteristics of each class in the Class Descriptor Table.
Vanguard Offline™
Vanguard Offline™ is a new offering in the Vanguard IAM suite that allows customers to test proposed changes to a RACF database in an environment that will not affect the production RACF database.
The test changes can then be checked against production accesses and access attempts to validate that the changes will have the desired effect and that no unintended consequences will arise.
This means that if we create, delete or modify a RACF profile, we can test what the effects of that change are on every user and group access that the profile change would affect.
NOTE: This product has been made available in 1.13 via maintenance.
Vanguard Offline™ – New Features
User access allowed and denied report (Vanguard Access History Report)
Reports on access by users to data sets and general resources, with masking and Quickgen capabilities. This new report can be used to gain knowledge of access allowed, access requested, access granted and access denied to resources and data sets without requiring SMF auditing.
History Master File Merge Process
Allows more flexibility in execution of the product: different systems sharing a RACF database can now have separate History Master Files (HMF) which can be merged together later for reporting.
Vanguard Offline™
Vanguard Security Center™
Added View All Support to Vanguard Security Center™
Vanguard Security Center™ has been enhanced to allow a customer to designate individuals to see data that would otherwise be outside their scope of authority.
This enhancement allows customers to view all of the data in the RACF database without conferring any extraordinary RACF privileges on that user, via the RIO$.SCOPE profile. It confers view capability only.
Support for DB2 v10.1
Vanguard ez/Token™
• Added Started Task IAMEZSTC
  • In the Vanguard version of the ICHRIX01 exit, TCPIP functions were used that were not suitable for certain address spaces. To solve this issue the TCPIP code was moved to an environment more suited to successful completion of the TCPIP functions. The ICHRIX01 exit now queues requests to the IAMEZSTC task to process.
• Network Performance Enhancement
  • In order to provide more timely responses to requests, the Vanguard ez/Token™ Started Task has been modified to track previous failures of the authentication server, or of communications with it, and switch over to an alternate authentication server.
• Support for CONSOLE Logons
  • Vanguard ez/Token™ can now be used for two-factor authentication with CONSOLE logons, thereby allowing you to better secure these logon requests.
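The failover behaviour described for the Started Task, shown as an added Python example that is not the product's code: a small server pool remembers when each authentication server last failed, skips it for a cooldown period, and falls back to the alternate. The host names, the cooldown value, the OSError-based failure signal and the FakeClock are constructed for the demonstration.

```python
"""Added example: authentication-server failover with failure tracking.
Not Vanguard code; host names and the clock are constructed."""
import time


class AuthServerPool:
    """Pick an authentication server, skipping ones that failed recently.

    Servers are tried in preference order.  A server that failed is skipped
    until `cooldown` seconds have passed, after which it is retried; a
    success clears its failure record."""

    def __init__(self, servers, cooldown=60.0, clock=time.monotonic):
        self.servers = list(servers)       # preferred server first
        self.cooldown = cooldown
        self.clock = clock                 # injectable for deterministic tests
        self.last_failure = {}             # server -> time of its last failure

    def select(self):
        """First server not inside its cooldown window; if all are, the oldest failure."""
        now = self.clock()
        for server in self.servers:
            failed_at = self.last_failure.get(server)
            if failed_at is None or now - failed_at >= self.cooldown:
                return server
        return min(self.servers, key=lambda s: self.last_failure[s])

    def record_failure(self, server):
        self.last_failure[server] = self.clock()

    def record_success(self, server):
        self.last_failure.pop(server, None)


def authenticate(pool, send):
    """Try servers until one answers; `send(server)` returns a reply or raises OSError.

    Returns (server, reply); raises RuntimeError when every server failed."""
    tried = set()
    while len(tried) < len(pool.servers):
        server = pool.select()
        if server in tried:
            break
        tried.add(server)
        try:
            reply = send(server)
        except OSError:                    # communications failure with that server
            pool.record_failure(server)
            continue
        pool.record_success(server)
        return server, reply
    raise RuntimeError("no authentication server reachable")


class FakeClock:
    """Manual clock so the failover sequence below is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Primary fails, traffic moves to the alternate, then returns after the cooldown."""
    clock = FakeClock()
    pool = AuthServerPool(["auth-primary.example", "auth-alternate.example"],
                          cooldown=60, clock=clock)
    down = {"auth-primary.example"}

    def send(server):                      # stand-in for the network call
        if server in down:
            raise OSError("connection refused")
        return "OK"

    picks = [authenticate(pool, send)[0]]  # t=0: primary down -> alternate answers
    clock.now = 30
    picks.append(authenticate(pool, send)[0])   # primary still cooling down -> alternate
    down.clear()
    clock.now = 61
    picks.append(authenticate(pool, send)[0])   # cooldown over -> primary retried, succeeds
    return picks


if __name__ == "__main__":
    print(demo())
```

The cooldown keeps every request from paying the timeout on a server already known to be down, which is the latency improvement the slide describes; the periodic retry is what lets the primary come back without operator action.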
Vanguard ez/Signon™
64-bit support added
Vanguard ez/Signon™ now supports 64-bit processing on Windows and Linux.
Revoke/resume processing
User revoke and resume notification was added so that a user ID revoked or resumed on the mainframe can now be broadcast out to other systems (AS/400 and Active Directory), centralizing user ID access removal or resumption.
Governance, Risk Management,
& Compliance
• Vanguard Enforcer™
• Vanguard Policy Manager™
• Vanguard Cleanup™
• Vanguard Configuration Manager™
• Vanguard inCompliance™
New Main Menu
Vanguard Enforcer™
Baseline Build in Batch
It is now possible to run the Baseline Build processing in batch. All of the various Baseline Builds are supported.
NOTE: the following Baseline selections are NOT supported in batch:
• Alter Installation Baselines
• All Access List Expiration Processing selections
• All Refresh Selected Baseline Security information selections
• All Miscellaneous Processing selections
Compare LEVEL Values for Data Sets and General Resources
The Vanguard Enforcer™ Sensor started task has been updated to check the General Resource and DATASET profiles for differences between the LEVEL values in the Baseline and in the Security Server database.
Enhancement to Active Alert 8
Provides for the installation to select which types of SETROPTS and RVARY command should be processed by Vanguard Enforcer™ Active Alert 8.
All Enforcer ISPF Panels are now CUA Compliant
The Vanguard Enforcer™ Baseline Build user interface (ISPF panels) is now fully ‘Point and Shoot’ compatible.
Vanguard Policy Manager™
Added Password Exit
Support has been added that allows the installation to implement various new password policies, such as requiring that a user’s password cannot:
• Contain more than two repeated characters
• Start with the user’s connect group
• Start with the user’s default group
• Start with the user’s user ID
Other policies allow the installation to require that the password contains:
• Alphanumeric characters
• Mixed case
• National characters
This new feature also allows the installation to restrict usage of words from the Vanguard dictionary (containing over 86,000 words) and/or an installation-defined dictionary.
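An added example (not the Vanguard password exit) of how these rules can be evaluated in Python. The slide does not define the rules exactly, so the interpretations used (three identical characters in a row, case-insensitive prefix checks, “alphanumeric” meaning at least one letter and one digit, and a dictionary hit being any listed word appearing anywhere in the password) are assumptions stated in the code; the national characters are the RACF set @, #, $. The sample identity and three-word dictionary are constructed.

```python
"""Added example: evaluating the password policies listed on the slide.
Not Vanguard code; rule interpretations are assumptions noted below."""
import re

NATIONAL_CHARS = set("@#$")   # the RACF "national" characters


def check_password(password, user_id, default_group, connect_groups, dictionary=()):
    """Return the names of the policies `password` violates (empty list == accepted).

    Interpretations used here (the slide does not define them precisely):
    - "more than two repeated characters": three identical characters in a row;
    - the "start with" prefixes are compared case-insensitively;
    - "alphanumeric": at least one letter and at least one digit;
    - a dictionary hit is any listed word appearing anywhere in the password."""
    violations = []
    upper = password.upper()
    if re.search(r"(.)\1\1", password):
        violations.append("REPEATED_CHARS")
    if user_id and upper.startswith(user_id.upper()):
        violations.append("STARTS_WITH_USERID")
    if default_group and upper.startswith(default_group.upper()):
        violations.append("STARTS_WITH_DFLTGRP")
    if any(g and upper.startswith(g.upper()) for g in connect_groups):
        violations.append("STARTS_WITH_CONNECT_GROUP")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("ALPHANUMERIC")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("MIXED_CASE")
    if not any(c in NATIONAL_CHARS for c in password):
        violations.append("NATIONAL_CHAR")
    if any(word.upper() in upper for word in dictionary):
        violations.append("DICTIONARY_WORD")
    return violations


# Constructed sample identity and a tiny stand-in for the 86,000-word dictionary.
SAMPLE_USER = dict(user_id="JSMITH", default_group="SYS1",
                   connect_groups=["PAYROLL", "DEVTEAM"])
SAMPLE_DICTIONARY = ["password", "summer", "welcome"]


def evaluate(password):
    """Check one candidate password for the sample user."""
    return check_password(password, dictionary=SAMPLE_DICTIONARY, **SAMPLE_USER)


if __name__ == "__main__":
    for candidate in ["Tr0ub@dor", "jsmith2024", "Summer#2024", "Paaa$1x", "Payroll$9"]:
        print(f"{candidate:12s} -> {evaluate(candidate) or 'accepted'}")
```

Returning every violated rule rather than stopping at the first one matters for the user-facing message: RACF itself only reports that the new password is invalid, so a change exit that names the failed rule is what lets help-desk staff explain rejections without lowering the policy.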
Vanguard Policy Manager™
New Check Added to Support CONNECT/REMOVE Policies
This adds an additional check to control user ID against CONNECT/REMOVE policy in the following format:
GROUP.CONNECT.group-id.ID.user-id
This format conforms to the PERMIT policy format.
Support for RACVARS in Vanguard Policy Manager™ profiles
Support has been added to allow management of profiles containing RACVARS variables. The generic character ‘&’ in a profile will be replaced with ‘?’, in addition to the existing special character replacement, before policy validation.
New Global Profile PW.EXEMPT.EXPIRED.PASSWORD added
Added the new PW.EXEMPT.EXPIRED.PASSWORD profile to dictate whether new expired (temporary) passwords will be checked against the password rules. The default is not to check the temporary password, the same as RACF does today.
Vanguard Cleanup™
A new offering that identifies unused users, groups, connects, data set and general resource profiles in the RACF database and creates the commands to remove them.
Vanguard Cleanup™ has a Started Task that installs RACF authorization exits that capture the activity against the RACF database. These captured events are then stored in a VSAM file for historical reporting purposes.
The customer runs the started task and exits in their environment for a customer-decided period of time (which should cover all processing cycles: monthly, quarterly, annual).
This is fed into an analysis tool that provides a report and commands on all unused users, groups, connects, data set and general resource profiles in the RACF database.
NOTE: This product has been made available in 1.13 via maintenance.
Vanguard Cleanup™ Enhancements
History Master File Merge Process
Allows more flexibility in execution of the product: different systems sharing a RACF database can now have separate History Master Files (HMF) which can be merged together later for reporting.
Use of &SYSNAME, &SYSSMFID and &SYSPLEX in VANOPTS
Vanguard Cleanup™ and Vanguard Offline™ were modified so that the VRO History Master File, VOF History Master File and the LOGSTREAM data set prefix can now be specified in VCLOPT00 using the static system symbols (&SYSNAME and &SYSSMFID), so that a single VCLOPT00 can be set up and used across multiple systems without collision in the names of these files.
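The &SYSSMFID. subject-line symbolic on the Advisor slide and the &SYSNAME/&SYSSMFID option-member substitution just described follow the same z/OS static system symbol syntax. The following added Python example (not the product's code) resolves symbols the way z/OS does, with a period directly after the symbol name consumed as its terminator, and checks whether a template would yield the same file name on two systems; the symbol values, the system names and the data set template are constructed.

```python
"""Added example: z/OS-style static system symbol substitution and a
collision check across systems.  Not Vanguard code; values are constructed."""
import re

# A symbol is '&' plus a name, optionally closed by one period that is consumed
# (so "&SYSNAME..HMF" resolves to "<value>.HMF").  z/OS symbol names are upper-
# case alphanumeric or national characters; the length limit is not enforced here.
SYMBOL_RE = re.compile(r"&([A-Z0-9@#$]+)\.?")


def substitute_symbols(text, symbols):
    """Resolve static system symbols in `text`; unknown symbols are left untouched."""
    def repl(match):
        name = match.group(1)
        return symbols[name] if name in symbols else match.group(0)
    return SYMBOL_RE.sub(repl, text)


def resolve_per_system(template, systems):
    """Resolve one template on every system (systems: name -> symbol table)."""
    return {name: substitute_symbols(template, table) for name, table in systems.items()}


def collides(template, systems):
    """True if two systems would resolve the template to the same name."""
    names = list(resolve_per_system(template, systems).values())
    return len(set(names)) != len(names)


# Constructed symbol tables for two systems sharing one RACF database.
SYSTEMS = {
    "SYSA": {"SYSNAME": "SYSA", "SYSSMFID": "SYSA", "SYSPLEX": "PLEX1"},
    "SYSB": {"SYSNAME": "SYSB", "SYSSMFID": "SYSB", "SYSPLEX": "PLEX1"},
}

if __name__ == "__main__":
    # History Master File name template (constructed, not the product's keyword)
    print(resolve_per_system("VAN.VCL.&SYSNAME..HMF", SYSTEMS))
    # Active Alert subject-line style
    print(substitute_symbols("SETROPTS change on &SYSSMFID.", SYSTEMS["SYSA"]))
    print("collision without symbols:", collides("VAN.VCL.HMF", SYSTEMS))
```

The double period is the detail that trips people up: the first period belongs to the symbol and disappears, so a template that needs a literal qualifier separator after the value must write two. The collides() check is the test to run before sharing one option member across systems, since two started tasks writing the same HMF name is exactly the collision the enhancement exists to avoid.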
Allow the use of exclusion members in Vanguard Cleanup™
Allows you to specify members (users, groups, data sets, general resource classes and profiles) as exempt from cleanup during the cleanup process.
Vanguard Cleanup™ Enhancements
Provide alternate VCLOPTxx members
Allows you to specify the VCLOPTxx member to use when starting the VCL started task. This lets you provide system-specific settings for each system that the Vanguard Cleanup™ started task runs on.
DLFCLASS specification
The DLFCLASS is used by RACF to check whether or not a specific resource should be placed into the Data Lookaside Facility. This new enhancement allows you to tell the Vanguard Cleanup™ STC to ignore any access records from the DLFCLASS, so that it will not generate Vanguard Cleanup™ commands for any profiles in the DLFCLASS.
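An added example (not Vanguard Cleanup's code) of the analysis step described on these slides: given a constructed inventory of what is defined, a set of captured access events, the exclusion members and the DLFCLASS rule, it lists what was never used and emits RACF REMOVE, DELUSER, DELGROUP, DELDSD and RDELETE commands for review. The event layout, the definition of “unused” (never seen in a captured event) and all names in the sample are assumptions.

```python
"""Added example: unused-entity analysis with exclusions and DLFCLASS skipping.
Not Vanguard code; the inventory, events and exclusions are constructed."""
from dataclasses import dataclass, field

# Access records in these classes are ignored and never produce commands.
IGNORED_CLASSES = {"DLFCLASS"}


@dataclass
class Inventory:
    """What is defined in the RACF database (constructed sample)."""
    users: set
    groups: set
    connects: set        # (user, group) pairs
    datasets: set        # data set profile names
    resources: set       # (class, profile) pairs


@dataclass
class Exclusions:
    """Exclusion members: entities exempt from cleanup."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    datasets: set = field(default_factory=set)
    classes: set = field(default_factory=set)
    resources: set = field(default_factory=set)


def find_unused(inv, events, excl):
    """Compare captured access events with the inventory; return unused entities.

    An event is a dict: user, class ("DATASET" or a general resource class),
    profile (the covering profile RACF used) and group (the group through which
    access was granted, or None).  "Unused" means never seen in an event."""
    used_users, used_groups, used_conn, used_ds, used_res = set(), set(), set(), set(), set()
    for ev in events:
        if ev["class"] in IGNORED_CLASSES:
            continue
        used_users.add(ev["user"])
        if ev.get("group"):
            used_groups.add(ev["group"])
            used_conn.add((ev["user"], ev["group"]))
        if ev["class"] == "DATASET":
            used_ds.add(ev["profile"])
        else:
            used_res.add((ev["class"], ev["profile"]))
    return {
        "users": sorted(inv.users - used_users - excl.users),
        "groups": sorted(inv.groups - used_groups - excl.groups),
        "connects": sorted((u, g) for u, g in inv.connects - used_conn
                           if u not in excl.users and g not in excl.groups),
        "datasets": sorted(inv.datasets - used_ds - excl.datasets),
        "resources": sorted((c, p) for c, p in inv.resources - used_res
                            if c not in IGNORED_CLASSES and c not in excl.classes
                            and (c, p) not in excl.resources),
    }


def generate_commands(unused):
    """Emit RACF commands for review, in the order connects, users, groups, profiles.

    Dependencies the product handles (default groups, subgroups, profiles still
    referenced elsewhere) are left to the reviewer of the generated list."""
    doomed_users = set(unused["users"])
    cmds = [f"REMOVE {u} GROUP({g})" for u, g in unused["connects"] if u not in doomed_users]
    cmds += [f"DELUSER {u}" for u in unused["users"]]        # DELUSER drops the user's connects
    cmds += [f"DELGROUP {g}" for g in unused["groups"]]
    for ds in unused["datasets"]:
        generic = " GENERIC" if any(ch in ds for ch in "*%") else ""   # RACF needs GENERIC here
        cmds.append(f"DELDSD '{ds}'{generic}")
    cmds += [f"RDELETE {c} {p}" for c, p in unused["resources"]]
    return cmds


# Constructed sample run.
SAMPLE_INVENTORY = Inventory(
    users={"ALICE", "BOB", "CAROL", "OLDSVC"},
    groups={"PAYROLL", "DEVTEAM", "LEGACY"},
    connects={("ALICE", "PAYROLL"), ("BOB", "DEVTEAM"), ("BOB", "LEGACY"), ("OLDSVC", "LEGACY")},
    datasets={"PAY.MASTER.**", "OLD.ARCHIVE.**"},
    resources={("FACILITY", "BPX.SUPERUSER"), ("DLFCLASS", "SOME.OBJ"),
               ("SURROGAT", "BATCH.SVC"), ("OPERCMDS", "MVS.STOP")},
)
SAMPLE_EVENTS = [
    {"user": "ALICE", "class": "DATASET", "profile": "PAY.MASTER.**", "group": "PAYROLL"},
    {"user": "BOB", "class": "FACILITY", "profile": "BPX.SUPERUSER", "group": None},
    {"user": "BOB", "class": "DLFCLASS", "profile": "SOME.OBJ", "group": "LEGACY"},  # ignored
]
SAMPLE_EXCLUSIONS = Exclusions(users={"CAROL"}, classes={"SURROGAT"})   # e.g. an emergency ID


def demo():
    """Run the analysis on the constructed sample and return (unused, commands)."""
    unused = find_unused(SAMPLE_INVENTORY, SAMPLE_EVENTS, SAMPLE_EXCLUSIONS)
    return unused, generate_commands(unused)


if __name__ == "__main__":
    unused, commands = demo()
    for kind, items in unused.items():
        print(f"unused {kind}: {items}")
    print("\n".join(commands))
```

Two points the sample is built to show: the DLFCLASS event is dropped before anything is credited from it, so BOB's LEGACY connect still shows as unused; and the collection window matters, because an identity used only in an annual cycle that the capture period did not cover would appear in this list too, which is why the slide insists the period cover every processing cycle.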
Vanguard Cleanup™ Enhancements
History Collection Detail Report improved
Previously the area for the covering profile was left blank when NO PROFILE was used by RACF to determine the access request. More information is now provided to the end user as to why this is the case. The access values are as follows:
<NO PROFILE USED>
<DISCRETE PROFILE>
<INT GENERIC PROFILE>
<GENERIC PROFILE>
<GLOBAL ACC PROFILE>
<NO PROFILE FOUND>
New VERIFY/VERIFY(X) report
Provides a report of users that authenticate via a VERIFY/VERIFYX rather than a normal user logon.
Vanguard Configuration Manager™
Supports DISA STIGs Versions 6.10 - 6.16
VCM is constantly being updated to be compliant with the latest STIG releases. This enhancement is part of the ongoing process of staying up to date with the new DISA STIG checks released every three months.
Group Synchronization to RACF for User Lists
Now, when you collect data and put a RACF group into the data collected, we will remember the group and use that group’s users for checking, rather than expanding the group and putting the users currently connected to that group in the list.
Therefore, when you put in a group, any change you make to that RACF group will be included in future data collections.
Improvement to Check ACP00340
ACP00340 was changed to become a baseline check that looks at APF, LPA and Proclibs and can now be used to find any member that has changed between executions.
Encrypt Results Data Set Enhancement
The VCM results file can now be encrypted, using an AES algorithm, such that nobody outside the product can view the data contained within it.
Vanguard Configuration Manager™
Cross Compare Enhancement
Users can now compare across multiple different or similar versions of the DISA STIG results files. This allows for comparison of checks run against different versions of the STIGs, or against the same version of the STIGs contained within a different results set.
REPORTFINDINGS/REPORTNOFINDINGS
Prior to this, a detail report would provide a dumped list of all messages produced by one or more checks. This allows you to request a more specific report based on the set of messages you want to see. Users can now get all messages, only Finding messages, or only Nofinding messages. This will help when you need to remediate findings or when you are only interested in looking at Nofinding messages.
COLLECTIONQUESTIONS
You can now get a list of all of the questions asked by the product. You run a batch report that returns a complete list of all questions and the help associated with each question.
Vanguard inCompliance™
User Interface is ADA (Section 508) Compliant
The Vanguard inCompliance™ user interface has been updated with new graphics and other cosmetic HTML changes. The UI was modified to be ADA (Section 508) compliant, as required by the US Government when sales are made to the US Government.