Vanguard Security Solutions™ Suite v2.1 “What’s New” Webinar Presented by Vanguard Integrity Professionals

Upload: dangtram

Post on 26-Jun-2018


TRANSCRIPT

Vanguard Security Solutions™ Suite

v2.1

“What’s New” Webinar

Presented by

Vanguard Integrity Professionals

Copyright

©2013 Vanguard Integrity Professionals - Nevada. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

IBM, RACF, DB2, and z/OS are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Vanguard Security Solutions, Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard Offline, Vanguard Security Center, Vanguard ez/Token, Vanguard ez/Signon, Vanguard Enforcer, Vanguard Policy Manager, Vanguard Cleanup, Vanguard Configuration Manager, and Vanguard inCompliance are trademarks of Vanguard Integrity Professionals – Nevada.


VSS 2.1 Now Available

• Released for General Availability in October

• Reorganized into 2 solution groups:

  • IAM (Identity and Access Management)

  • GRC (Governance, Risk Management, and Compliance)

• VCM (Vanguard Configuration Manager™) is now integrated into the standard install

• Single date code for all licensed products


Identity and Access Management

• Vanguard Administrator™

• Vanguard Advisor™

• Vanguard Analyzer™

• Vanguard Offline™

• Vanguard Security Center™

• Vanguard ez/Token™

• Vanguard ez/Signon™


New Main Menu


Vanguard Administrator™

Compare Manager (option 21)

• The Compare Manager feature provides reporting and update functions based on Compare User, Group or Profile criteria.

Vanguard UNIX Manager (VUM, option 14)

• UNIX® Security Manager lets customers run a number of reports on UNIX file access lists, the UNIX file system, UIDs and GIDs, and the IBM® RACF® profiles that govern UNIX access.


Compare Manager


VUM – Vanguard UNIX Manager

A sample of the functions this new component can perform, either live or against an extract file:

1. Summary of files by owner, group or world permissions.

2. Summary of files by owner and group.

3. Summary of files by file attribute, file audit bits, file permissions, UID in permission list, GID in permission list.

4. Directories with the “x” (search) bit off.

5. Broken symbolic links.

6. Files matching user-specified masking criteria.

7. All information based on the IBM® z/OS® UNIX file system definitions (the BPXPRMxx parmlib members).

8. A list of users cross-referenced with their UID, PROGRAM, HOME and a STATUS indicating whether the home directory is valid and defined in UNIX.

9. A list of groups with their GID and the number of users connected to each group.

10. A list of class profiles (FACILITY, UNIXPRIV, SURROGAT and OPERCMDS) that affect UNIX permissions and capabilities.
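The checks in items 1, 4 and 5 are easy to reason about in code. The following Python script is an added example, not part of VUM or of the webinar: it builds a constructed directory tree under a temporary path, then reports world-writable entries, directories whose owner search (x) bit is off, dangling symbolic links, setuid/setgid entries, and a count of entries by world permission. The reading of “x bit off” as the owner’s search bit, and the sample tree itself, are assumptions. A z/OS UNIX run would also want the file audit bits, UID/GID ownership and the RACF profiles that VUM correlates, which this script does not cover.

```python
import os
import shutil
import stat
import tempfile
from collections import Counter


def rwx(bits):
    """Render a 3-bit permission triple (e.g. 0o6) as 'rw-'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def audit_tree(root):
    """Walk `root` without following links and collect VUM-style findings.

    Returns (findings, world_summary): findings maps a check name to the
    sorted list of paths (relative to root) that trip it; world_summary
    counts non-link entries by their 'other' permission triple.
    """
    findings = {
        "world_writable": [],    # anyone on the system can modify the entry
        "dir_owner_x_off": [],   # directory its owner cannot search (assumed reading of "x bit off")
        "broken_symlinks": [],   # link whose target does not resolve
        "setuid_setgid": [],     # privilege-carrying bits worth a second look
    }
    world_summary = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode            # lstat: inspect the link itself
            if stat.S_ISLNK(mode):
                if not os.path.exists(path):         # exists() follows the link
                    findings["broken_symlinks"].append(rel)
                continue
            world_summary[rwx(mode & 0o7)] += 1
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            if stat.S_ISDIR(mode) and not mode & stat.S_IXUSR:
                findings["dir_owner_x_off"].append(rel)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid_setgid"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings, dict(world_summary)


def build_sample_tree():
    """Create a constructed tree that trips each check; returns its root."""
    root = tempfile.mkdtemp(prefix="vum_demo_")
    os.mkdir(os.path.join(root, "bin"))
    os.chmod(os.path.join(root, "bin"), 0o755)
    with open(os.path.join(root, "bin", "ok.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(os.path.join(root, "bin", "ok.sh"), 0o755)
    with open(os.path.join(root, "world.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(os.path.join(root, "world.sh"), 0o666)     # world-writable script
    os.mkdir(os.path.join(root, "noexec"))
    os.chmod(os.path.join(root, "noexec"), 0o600)       # directory with every x bit off
    os.symlink("missing-target", os.path.join(root, "dangling"))
    os.symlink("world.sh", os.path.join(root, "alias"))
    return root


def remove_sample_tree(root):
    """Restore the search bit so the tree can be deleted, then delete it."""
    os.chmod(os.path.join(root, "noexec"), 0o700)
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = build_sample_tree()
    try:
        for check, paths in audit_tree(demo)[0].items():
            print(f"{check:16} {paths}")
    finally:
        remove_sample_tree(demo)
```

Pass any directory to audit_tree() to run it on a real tree. The walk uses lstat throughout, so links are reported rather than followed, and a directory the caller cannot search is listed as a finding without the script trying to descend into it.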


VUM – UNIX Manager (Main Menu)

Screen annotations: “Same as before” / “All new options”

VUM – UNIX Security Manager (option 1)

VUM – UNIX File System (option 2)

VUM – FACILITY class profiles (option 5)

VUM – SURROGAT class profiles (option 7)

Other Vanguard Administrator™ Enhancements

Unusable Profile Summary

This report lists discrete general resource profiles that have generic characters (*, %) in their name but are defined in a class not enabled for generics (NOGENCMD or NOGENERIC).

NOTE: The NOGENERIC reporting and command generation processes require RACF V1R12 or higher.

Enhanced Digital Certificate Expiration Report

The format of this report was enhanced to make it easier to read and to include additional digital certificate data.

Generic Characters as Literals for Masking

Example: ‘SYS1.*.**’

Quickgen Enhancements

Reporting of extract statistics data. New keyword: SKIPALLBLANKS.

DB2® V10 support added.


Vanguard Advisor™

IDCAMS REPRO output of an Extract File as batch report input

You can now specify the output of an IDCAMS REPRO of a Vanguard Advisor™ Extract File as input to a batch report. One or more files can be specified using the VSRR DD statement.

Added support for new UNIX System Services masking parameters

You can now mask on nine additional fields to produce a more granular summary or detail report: Effective GID, Effective UID, Real GID, Real UID, Saved GID, Saved UID, Superuser, User Security Token, BPX.DEFAULT.USER.

Earliest and latest record included in report

When the input source is an SMF file, the earliest and latest date and time of the input records are printed at the end of a batch report.

Active Alert email enhancement

You can now specify a unique Subject line for each type of Active Alert email. The Subject text can be 1-60 characters and can contain any symbolic defined on the system where Real-Time Notification is running, in addition to &SYSSMFID. to obtain the SMF ID.


Vanguard Advisor™

New OPTION RT added to help panel

The help panel now displays the supported SMF record types, so customers can easily see which SMF records are supported and which Vanguard Advisor™ report covers which SMF record.

UNIX System Services reports enhanced

Added event code 67 (INITACEE), event qualifiers 09 and 10, and event code 69 (RPKIEXPT), event qualifiers 09 and 09.

System entry reports enhanced

Added event code 01, event qualifier 39 (No RACF user ID found for distributed identity).

Support for DB2 compressed SMF records

DB2 V10 introduced compression for SMF type 100-102 records to reduce the space needed to store them. Advisor uses the SMF type 102 record for the DB2 summary and detail reports, and changes were made to accommodate the new format.


Vanguard Analyzer™

PDSE support

AUDITSETROPTS enhancement

During report generation the following two selections are now available:

Exceptions only ===> YES

Class Detail ===> YES

Exceptions only: specify YES to list only entries with message severity equal to or greater than that specified by the EXPTONLYLEVEL parameter in the VSAOPT00 member of the options data set.

Class detail: specify YES to list the properties and characteristics of each class in the Class Descriptor Table.


Vanguard Offline™

Vanguard Offline™ is a new offering in the Vanguard IAM suite that lets customers test proposed changes to a RACF database in an environment that does not affect the production RACF database.

The proposed changes are then tested against recorded production accesses and access attempts to validate that they have the desired effect and that no unintended consequences arise. If we create, delete or modify a RACF profile, we can see the effect of that change on every user and group access the profile change would touch.

NOTE: This product has been made available in 1.13 via maintenance.


Vanguard Offline™ – New Features

User access allowed and denied report (Vanguard Access History Report)

Reports on user access to datasets and general resources, with masking and Quickgen capabilities. This new report can be used to learn what access was allowed, requested, granted and denied to resources and datasets without requiring SMF auditing.

History Master File merge process

Allows more flexibility in running the product: different systems sharing a RACF database can now have separate History Master Files (HMF), which can be merged later for reporting.


Vanguard OfflineTM


Vanguard Security Center™

Added View All support to Vanguard Security Center™

Vanguard Security Center™ has been enhanced to allow a customer to designate individuals who may see data that would otherwise be outside their scope of authority.

This lets a designated user view all of the data in the RACF database without conferring any extraordinary RACF privileges on that user. The capability is granted through the RIO$.SCOPE profile and confers view capability only.

Support for DB2 v10.1


Vanguard ez/Token™

• Added Started Task IAMEZSTC

In the Vanguard version of the ICHRIX01 exit, TCP/IP functions were used that are not suitable for certain address spaces. To solve this, the TCP/IP code was moved to an environment better suited to completing those functions: the ICHRIX01 exit now queues requests to the IAMEZSTC task for processing.

• Network performance enhancement

To provide more timely responses, the Vanguard ez/Token™ started task now tracks previous failures of the authentication server, or of communications with it, and switches over to an alternate authentication server.

• Support for CONSOLE logons

Vanguard ez/Token™ can now be used for two-factor authentication of CONSOLE logons, allowing you to better secure these logon requests.


Vanguard ez/Signon™

64-bit support added

Vanguard ez/Signon™ now supports 64-bit processing on Windows and Linux.

Revoke/resume processing

User revoke and resume notification was added, so that a user ID revoked or resumed on the mainframe can be broadcast to other systems (AS/400 and Active Directory) and user ID access removal or resumption can be centralized.


Governance, Risk Management, & Compliance

• Vanguard Enforcer™

• Vanguard Policy Manager™

• Vanguard Cleanup™

• Vanguard Configuration Manager™

• Vanguard inCompliance™


New Main Menu


Vanguard Enforcer™

Baseline Build in batch

It is now possible to run Baseline Build processing in batch. All of the various Baseline Builds are supported.

NOTE: the following Baseline selections are NOT supported in batch:

• Alter Installation Baselines

• All Access List Expiration Processing selections

• All Refresh Selected Baseline Security Information selections

• All Miscellaneous Processing selections

Compare LEVEL values for data sets and general resources

The Vanguard Enforcer™ Sensor started task has been updated to check general resource and DATASET profiles for differences between the LEVEL values in the Baseline and in the Security Server database.

Enhancement to Active Alert 8

Lets the installation select which types of SETROPTS and RVARY commands should be processed by Vanguard Enforcer™ Active Alert 8.

All Enforcer ISPF panels are now CUA compliant

The Vanguard Enforcer™ Baseline Build user interface (ISPF panels) is now fully ‘point and shoot’ compatible.


Vanguard Policy Manager™

Added Password Exit

Support has been added that allows the installation to implement various new password policies, such as: a user’s password cannot

• contain more than two repeated characters

• start with the user’s connect group

• start with the user’s default group

• start with the user’s user ID

Other policies allow the installation to require that the password contains:

• alphanumeric characters

• mixed case

• national characters

This new feature also allows the installation to reject any word from the Vanguard dictionary (containing over 86,000 words) and/or an installation-defined dictionary.
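As an added illustration (not the Vanguard exit, which runs inside RACF’s new-password exit point, and not code from the webinar), here is a Python model of the rules listed above applied to a candidate password. The interpretations are assumptions: “more than two repeated characters” is read as a run of three or more identical characters, the “starts with” rules are compared case-insensitively, a dictionary word is rejected wherever it occurs in the password, and the national characters are the @ # $ of the US code page. The dictionary is a constructed five-word stand-in.

```python
import re

# RACF "national" characters for the US code page (assumption: the set varies by code page).
NATIONAL_CHARS = set("@#$")

# Constructed stand-in for the Vanguard and installation dictionaries.
DICTIONARY = {"password", "welcome", "secret", "vanguard", "mainframe"}


def check_password(password, userid, default_group, connect_groups, dictionary=DICTIONARY):
    """Return the policy violations for a proposed password; an empty list means accepted.

    Interpretations (assumptions): repeats are checked on the upper-cased
    password, prefixes are compared case-insensitively, and dictionary words
    are rejected wherever they occur in the password.
    """
    violations = []
    upper = password.upper()

    # Rule 1: no run of three or more identical characters.
    if re.search(r"(.)\1{2,}", upper):
        violations.append("contains more than two repeated characters")

    # Rules 2-4: must not start with the user ID, default group or any connect group.
    prefixes = [("user ID", userid), ("default group", default_group)]
    prefixes += [("connect group", g) for g in connect_groups
                 if g.upper() != default_group.upper()]
    for label, value in prefixes:
        if value and upper.startswith(value.upper()):
            violations.append(f"starts with {label} {value.upper()}")

    # Content rules: alphanumeric, mixed case, at least one national character.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("not alphanumeric (needs both letters and digits)")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("not mixed case")
    if not any(c in NATIONAL_CHARS for c in password):
        violations.append("no national character (@ # $)")

    # Dictionary rule: any listed word anywhere in the password.
    lowered = password.lower()
    for word in sorted(dictionary):
        if word in lowered:
            violations.append(f"contains dictionary word {word}")
    return violations


if __name__ == "__main__":
    for candidate in ("Pa$$w0rd", "JSMITH1#Ab", "payroll111", "Welcome1$"):
        result = check_password(candidate, "JSMITH", "SYS1", ["SYS1", "PAYROLL"])
        print(f"{candidate:12} {'accepted' if not result else '; '.join(result)}")
```

In a real exit the user ID, default group and connect groups come from the caller’s RACF user profile at the moment of the change, not from arguments, and every rule is evaluated so the caller gets the full list of reasons rather than only the first one.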


Vanguard Policy Manager™

New check added to support CONNECT/REMOVE policies

An additional check controls which user IDs a CONNECT/REMOVE policy applies to, using this format:

GROUP.CONNECT.group-id.ID.user-id

This format conforms to the PERMIT policy format.

Support for RACVARS in Vanguard Policy Manager™ profiles

Profiles containing RACVARS variables can now be managed. The generic character ‘&’ in a profile is replaced with ‘?’, in addition to the existing special-character replacement, before policy validation.

New global profile PW.EXEMPT.EXPIRED.PASSWORD

PW.EXEMPT.EXPIRED.PASSWORD dictates whether new passwords that are set as expired (temporary passwords) are checked against the password rules. The default is not to check the temporary password, which matches what RACF does today.


Vanguard Cleanup™

A new offering that identifies unused users, groups, connects, dataset and general resource profiles in the RACF database and creates the commands to remove them.

Vanguard Cleanup™ has a started task that installs RACF authorization exits that capture activity against the RACF database. The captured events are stored in a VSAM file for historical reporting.

The customer runs the started task and exits in their environment for a period of their choosing, which should cover all processing cycles (monthly, quarterly, annual).

The captured history is then fed into an analysis tool that produces a report and the commands for all unused users, groups, connects, dataset and general resource profiles in the RACF database.

NOTE: This product has been made available in 1.13 via maintenance.


Vanguard Cleanup™ Enhancements

History Master File merge process

Allows more flexibility in running the product: different systems sharing a RACF database can now have separate History Master Files (HMF), which can be merged later for reporting.

Use of &SYSNAME, &SYSSMFID and &SYSPLEX in VANOPTS

Vanguard Cleanup™ and Vanguard Offline™ were modified so that the VRO History Master File, the VOF History Master File and the LOGSTREAM dataset prefix can be specified in VCLOPT00 using static system symbols (&SYSNAME and &SYSSMFID). A single VCLOPT00 can then be set up and used across multiple systems without collisions in the names of these files.

Exclusion members in Vanguard Cleanup™

Allows you to specify members (users, groups, datasets, general resource classes and profiles) that are exempt from cleanup during the cleanup process.
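To show what the analysis step described under Vanguard Cleanup™ and the exclusion members amount to, here is an added Python example (not Vanguard Cleanup’s own code or data). It takes a constructed profile inventory, a constructed list of captured access events of the kind the exits would record, a collection window and an exclusion set, and generates the RACF commands for everything with no recorded use inside the window. The record layout, the inventory and the minimum-window guard are assumptions; the guard encodes the slide’s advice that the collection must span every processing cycle before anything is declared unused.

```python
from datetime import date

# Constructed inventory, standing in for profiles extracted from the RACF database.
INVENTORY = {
    "USER": ["JSMITH", "OLDBATCH", "TEMP01"],
    "GROUP": ["PAYROLL", "LEGACY"],
    "CONNECT": [("JSMITH", "PAYROLL"), ("JSMITH", "LEGACY"), ("OLDBATCH", "LEGACY")],
    "DATASET": ["PAY.MASTER.**", "OLD.ARCHIVE.**"],
    "RESOURCE": [("FACILITY", "BPX.SUPERUSER"), ("FACILITY", "OLD.APP.ADMIN")],
}

# Constructed history, one tuple per captured event (assumed layout):
# (date, user, group that supplied the access, class, covering profile);
# class and profile are None for a plain logon.
HISTORY = [
    (date(2013, 1, 15), "JSMITH", "PAYROLL", None, None),
    (date(2013, 3, 31), "JSMITH", "PAYROLL", "DATASET", "PAY.MASTER.**"),
    (date(2013, 6, 30), "JSMITH", "PAYROLL", "FACILITY", "BPX.SUPERUSER"),
    (date(2012, 11, 2), "OLDBATCH", "LEGACY", "DATASET", "OLD.ARCHIVE.**"),  # before the window
]

# Exclusion member: profiles that must never be generated for removal.
EXCLUSIONS = {"USER": {"TEMP01"}, "GROUP": set(), "DATASET": set(), "RESOURCE": set()}

WINDOW = (date(2013, 1, 1), date(2014, 1, 1))        # a full year of collection
SHORT_WINDOW = (date(2013, 1, 1), date(2013, 4, 1))  # one quarter: too short to trust


def cleanup_commands(inventory, history, window, exclusions, min_days=365):
    """Return RACF commands for every profile with no recorded use inside the window.

    Raises ValueError when the window is shorter than min_days, because a short
    collection would flag quarterly or annual jobs as unused.
    """
    window_start, window_end = window
    if (window_end - window_start).days < min_days:
        raise ValueError(f"collection window shorter than {min_days} days")

    used_users, used_groups, used_connects, used_profiles = set(), set(), set(), set()
    for when, user, group, cls, profile in history:
        if not window_start <= when <= window_end:
            continue
        used_users.add(user)
        if group:
            used_groups.add(group)
            used_connects.add((user, group))
        if cls and profile:
            used_profiles.add((cls, profile))

    dead_users = {u for u in inventory["USER"]
                  if u not in used_users and u not in exclusions["USER"]}
    cmds, removed_connects = [], set()
    # DELUSER drops the user's connects itself, so REMOVE only for surviving users.
    for user, group in inventory["CONNECT"]:
        if (user, group) in used_connects or user in dead_users:
            continue
        if user in exclusions["USER"] or group in exclusions["GROUP"]:
            continue
        removed_connects.add((user, group))
        cmds.append(f"REMOVE {user} GROUP({group})")
    for user in inventory["USER"]:           # inventory order keeps the output stable
        if user in dead_users:
            cmds.append(f"DELUSER {user}")
    for group in inventory["GROUP"]:
        if group in used_groups or group in exclusions["GROUP"]:
            continue
        # a group can only be deleted once no connect to it remains
        remaining = [(u, g) for u, g in inventory["CONNECT"]
                     if g == group and (u, g) not in removed_connects and u not in dead_users]
        if remaining:
            continue
        cmds.append(f"DELGROUP {group}")
    for dsn in inventory["DATASET"]:
        if ("DATASET", dsn) in used_profiles or dsn in exclusions["DATASET"]:
            continue
        generic = " GENERIC" if any(ch in dsn for ch in "*%") else ""
        cmds.append(f"DELDSD '{dsn}'{generic}")
    for cls, profile in inventory["RESOURCE"]:
        if (cls, profile) in used_profiles or (cls, profile) in exclusions["RESOURCE"]:
            continue
        cmds.append(f"RDELETE {cls} {profile}")
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(INVENTORY, HISTORY, WINDOW, EXCLUSIONS):
        print(cmd)
```

Two things a real run needs that this model skips: a user’s default group cannot be REMOVEd (the user profile has to be changed or deleted instead), and the generated commands should be reviewed, and ideally tried against a copy of the database with a tool such as Vanguard Offline™, before anything touches production.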


Vanguard Cleanup™ Enhancements

Alternate VCLOPTxx members

Allows you to specify a particular VCLOPTxx member when starting the VCL started task, so that system-specific settings can be provided for each system on which the Vanguard Cleanup™ started task runs.

DLFCLASS specification

RACF uses the DLFCLASS to check whether a specific resource should be placed into the Data Lookaside Facility. This enhancement tells the Vanguard Cleanup™ STC to ignore any access records from the DLFCLASS, so it will not generate Vanguard Cleanup™ commands for any profiles in that class.


Vanguard Cleanup™ Enhancements

History Collection Detail Report improved

Previously the covering-profile field was left blank when RACF used NO PROFILE to decide the access request. The report now tells the end user why that was the case. The access values are as follows:

<NO PROFILE USED>

<DISCRETE PROFILE>

<INT GENERIC PROFILE>

<GENERIC PROFILE>

<GLOBAL ACC PROFILE>

<NO PROFILE FOUND>

New VERIFY/VERIFYX report

Provides a report of users that authenticate via a VERIFY/VERIFYX rather than a normal user logon.


Vanguard Configuration Manager™

Supports DISA STIG versions 6.10 - 6.16

VCM is constantly updated to stay compliant with the latest STIG releases. This enhancement is part of the ongoing process of keeping up with the new DISA STIG checks released every three months.

Group synchronization to RACF for user lists

When you collect data and put a RACF group into the collected data, VCM now remembers the group and checks against the group’s current membership, rather than expanding the group and storing the users connected to it at collection time. Therefore any later change to that RACF group is reflected in future data collections.

Improvement to check ACP00340

ACP00340 was changed to become a baseline check that looks at APF, LPA and proclibs, and can now be used to find any member that has changed between executions.

Encrypt Results Data Set enhancement

The VCM results file can now be encrypted, using an AES algorithm, so that nobody outside the product can view the data it contains.


Vanguard Configuration Manager™

Cross Compare enhancement

Users can now compare across multiple results files for different or the same versions of the DISA STIG. This allows comparison of checks run against different STIG versions, or against the same STIG version in a different results set.

REPORTFINDINGS/REPORTNOFINDINGS

Previously a detail report dumped every message produced by one or more checks. These options request a more specific report based on the set of messages you want to see: all messages, only Finding messages, or only NoFinding messages. This helps when remediating findings, or when you are only interested in NoFinding messages.

COLLECTIONQUESTIONS

You can now get a list of all of the questions asked by the product: a batch report returns the complete list of questions together with the help associated with each question.


Vanguard inCompliance™

User interface is ADA (Section 508) compliant

The Vanguard inCompliance™ user interface has been updated with new graphics and other cosmetic HTML changes. The UI was modified to be ADA (Section 508) compliant, as required by the US Government for sales to the US Government.


Questions
