Auditing z/OS data set encryption
This chapter focuses on the various system management facilities (SMF) records that can aid in monitoring the z/OS data set encryption environment.
Brief descriptions and references are provided to demonstrate specific uses and tasks that are related to auditing the z/OS data set encryption environment. If a reporting process or workflow for auditing purposes is not yet established, another option for creating reports is IBM Security zSecure (for more information, see 2.3.6, “IBM Security zSecure Suite” on page 22).
This chapter includes the following topics:
•6.1, “Auditing encrypted sequential data sets”
•6.2, “Auditing encrypted VSAM data sets”
•6.3, “Auditing crypto hardware activity”
•6.4, “Auditing security authorization attempts”
•6.5, “Auditing crypto engine, service, and algorithm usage”
•6.6, “Auditing key lifecycle transitions”
•6.7, “Auditing key usage operations”
•6.8, “Formatting SMF Type 82 records”
6.1 Auditing encrypted sequential data sets
The z/OS Data Facility Storage Management Subsystem (DFSMS) creates SMF Type 14 and Type 15 records to audit data set activity for sequential data sets.
SMF Type 14, Subtype 9 and SMF Type 15, Subtype 9 records provide DASD data set encryption information. They indicate the following information:
•If the data set is encrypted.
•The data set encryption type.
•The data set encryption key label.
6.2 Auditing encrypted VSAM data sets
z/OS DFSMS creates SMF Type 62 records to audit data set activity for VSAM data sets.
SMF Type 62 records indicate the following information about the data set encryption:
•Type
•Key label
6.3 Auditing crypto hardware activity
The Resource Measurement Facility (RMF) writes SMF Type 70, Subtype 2 records, which show cryptographic coprocessor and accelerator usage, such as the following examples:
•Cryptographic CCA Coprocessor data
•Cryptographic Accelerator data
•ICSF Services data
•Cryptographic PKCS 11 Coprocessor data
In addition, overview criteria are shown for the Postprocessor in the Postprocessor Workload Activity Report - Goal Mode (WLMGL) report. For more information, see the following publications:
6.4 Auditing security authorization attempts
The Resource Access Control Facility (RACF) writes SMF Type 80 records for scenarios, such as the following examples:
•Authorized or unauthorized attempts to access RACF-protected resources
•Authorized or unauthorized attempts to modify profiles on a RACF database
SMF Type 80 records can be examined to determine which users attempted to access the following information:
•Key labels that are protected by the CSFKEYS class
•Data sets that are protected by the DATASET class
•Crypto services that are protected by the CSFSERV class
For more information about SMF Type 80 records, see the SMF Type 80 record description in IBM Knowledge Center.
For processing RACF SMF records, the RACF SMF Unload Utility (IRRADU00) is a good choice. Sample jobs are available in SYS1.SAMPLIB(IRRICE).
Post-processing of the unloaded output can be done by using DFSORT. For worked examples, see the IBM Systems and Technology Group presentation As Cool as Ice: Analyzing Your RACF Data Using DFSORT and ICETOOL.
6.5 Auditing crypto engine, service, and algorithm usage
The z/OS Integrated Cryptographic Services Facility (ICSF) provides a means for security administrators and capacity planners to monitor the use of cryptographic resources with Crypto Usage Statistics. ICSF writes SMF Type 82, Subtype 31 records when cryptographic usage tracking is enabled.
Crypto usage tracking helps users determine the following information:
•Which jobs or tasks use the various crypto engines
•Which crypto card types are receiving the most requests
•If any crypto requests are being handled in software
•The peak periods of crypto usage
•ICSF services that are started by other z/OS components
•Which jobs or tasks use out-of-date algorithms or key sizes
Cryptographic usage statistics are recorded in SMF data sets. Statistics are recorded for each SMF recording interval. The usage and interval recording allows you to determine usage over various time periods. For more information, see 4.4.2, “Configuring SMF recording options in SMFPRMxx” on page 96.
Each ICSF instance can track the usage of cryptographic engines (ENG), cryptographic services (SRV), and cryptographic algorithms (ALG) for the LPAR in which it runs.
SMF Type 82 Subtype 31 contains information about the cryptographic user’s HOME address space job ID, SECONDARY address space job name, HOME address space user ID, HOME task level user ID, and ASID.
By using Crypto Usage Statistics, you can assess your cryptographic usage and determine any areas that might need attention. By determining which applications are using which cryptographic engines, services, and algorithms, you can ensure that you are operating in the most secure manner. The use of Crypto Usage Statistics can also help you tune your systems for optimal performance.
For more information about a sample SMF Type 82, Subtype 31 record, see Example 6-2 on page 126.
6.6 Auditing key lifecycle transitions
Some regulations, such as PCI-DSS, require that specific key management activities are performed regularly. ICSF provides the capability for auditing the lifecycle of keys.
For z/OS data set encryption, which uses Common Cryptographic Architecture (CCA) symmetric data keys, ICSF writes SMF Type 82, Subtype 40 records to track key lifecycle transitions.
Note: This feature is optional with ICSF FMID HCR77C0 (in the base of z/OS 2.3) and key lifecycle tracking can be turned on or off, depending on your needs. For more information about enabling key lifecycle tracking, see 4.3.3, “CSFPRMxx and installation options” on page 72.
A subset of the SMF Type 82, Subtype 40 fields include the following information:
•Key event, such as the key token that is:
– Added to KDS
– Updated in KDS
– Deleted from KDS
– Archived
– Restored
– Metadata changed
– Pre-activated
– Activated
– Deactivated
– Exported
– Generated
– Imported
•Key label
•Key data set
•Service that is associated with the event
•Key token format
•Key security
•Key algorithm
•Key length
6.7 Auditing key usage operations
Regulations can specify limitations on which key types are allowed for use in crypto operations, or disallow the use of a single key type for multiple crypto operations. ICSF provides key usage tracking to audit the use of keys.
Key usage data is recorded in SMF data sets. Data is recorded within key usage intervals, as defined in the CSFPRMxx member. Recording usage by interval allows you to analyze key usage over various time periods. For more information, see 4.3.3, “CSFPRMxx and installation options” on page 72.
Note: This feature is optional with ICSF FMID HCR77C0 (in the base of z/OS 2.3) and key use tracking can be turned on or off, depending on your needs. For more information about enabling key usage tracking, see 4.3.3, “CSFPRMxx and installation options” on page 72.
For z/OS data set encryption, which uses CCA symmetric data keys, ICSF writes SMF Type 82, Subtype 44 records to track key usage. Usage counts are accumulated during each key usage recording interval.
A subset of the SMF Type 82, Subtype 44 fields includes the following information:
•Key label
•Service that is associated with the event
•Key token format
•Key security
•Key algorithm
•Key length
•Usage count
6.8 Formatting SMF Type 82 records
SMF Type 82 formatters for ICSF are available in SYS1.SAMPLIB members CSFSMFJ (JCL) and CSFSMFR (REXX). Consider the following points:
•CSFSMFJ is the JCL to submit the job.
•CSFSMFR is the REXX exec to run the report against the SMF records.
CSFSMFJ (as shown in Example 6-1) reads Type 82 SMF records and formats them in a report.
Example 6-1 Sample JCL to unload type 82 SMF records
//*------------------------------------------------------------------*
//* UNLOAD SMF 82 RECORDS FROM VSAM TO VBS *
//*------------------------------------------------------------------*
//SMFDMP EXEC PGM=IFASMFDP
//DUMPIN DD DISP=SHR,DSN=PRICHAR.SMFRECS
//DUMPOUT DD DISP=(NEW,PASS),DSN=&&VBS,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=32760,RECFM=VBS,BLKSIZE=4096)
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
INDD(DUMPIN,OPTIONS(DUMP))
OUTDD(DUMPOUT,TYPE(82))
//*
//*------------------------------------------------------------------*
//* COPY VBS TO SHORTER VB AND SORT ON DATE/TIME *
//*------------------------------------------------------------------*
//COPYSORT EXEC PGM=SORT,REGION=6000K
//*STEPLIB DD DISP=SHR,DSN=SYS1.SORTLPA,VOL=SER=ttttt1,UNIT=3390
//* DD DISP=SHR,DSN=SYS1.SICELINK,VOL=SER=ttttt2,UNIT=3390
//SYSOUT DD SYSOUT=*
//SORTWK01 DD UNIT=3390,SPACE=(CYL,10)
//SORTIN DD DISP=(OLD,DELETE),DSN=&&VBS
//SORTOUT DD DISP=(NEW,PASS),DSN=&&VB,UNIT=3390,
// SPACE=(CYL,(1,1)),DCB=(LRECL=32752,RECFM=VB)
//SYSIN DD *
SORT FIELDS=(11,4,A,7,4,A),FORMAT=BI,SIZE=E4000
//*
//*------------------------------------------------------------------*
//* FORMAT TYPE 82 RECORDS *
//*------------------------------------------------------------------*
//FMT EXEC PGM=IKJEFT01,REGION=5128K,DYNAMNBR=100
//SYSPROC DD DISP=SHR,DSN=SYS1.SAMPLIB
//SYSTSPRT DD SYSOUT=*
//INDD DD DISP=(OLD,DELETE),DSN=&&VB
//OUTDD DD SYSOUT=*
//SYSTSIN DD *
%CSFSMFR
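The COPYSORT step above keys on two binary fields of the standard SMF record header: SORT FIELDS=(11,4,A,7,4,A) is the record date (position 11, packed decimal 0cyydddF) followed by the record time (position 7, hundredths of a second since midnight). The following added Python example (not IBM's CSFSMFJ or CSFSMFR code, and not part of this chapter) decodes that header, reproduces the same sort order, and selects records by type and subtype, so the raw IFASMFDP output can be triaged off-platform before formatting. The sample records are constructed: the first reuses the header values printed in Example 6-2 (TME 005E5858, DTE 0117311F, SID SC60, STY 001F); the other two are invented Subtype 40 and Subtype 44 headers.

```python
"""Decode the standard SMF record header and reproduce the Example 6-1 sort key.

Added example for this chapter; it is not IBM's CSFSMFJ or CSFSMFR code.
The sample records are constructed: the first reuses the header values
printed in Example 6-2, the other two are invented subtype 40/44 headers.
"""
import struct
from datetime import date, time, timedelta

# Standard SMF header for record types that carry a subtype (SMF 82 does).
# Offsets are 0-based, so DFSORT position 7 is offset 6 and position 11 is
# offset 10, which is what SORT FIELDS=(11,4,A,7,4,A),FORMAT=BI keys on.
#   0-1   RDW record length           2-3   RDW segment descriptor
#   4     SMFxFLG  system indicator   5     SMFxRTY  record type
#   6-9   SMFxTME  time, binary, hundredths of a second since midnight
#   10-13 SMFxDTE  date, packed decimal 0cyydddF (c=0 for 19xx, c=1 for 20xx)
#   14-17 SMFxSID  system id, EBCDIC  18-21 SMFxSSI  subsystem id
#   22-23 SMFxSTY  record subtype, binary
HEADER_LEN = 24


def build_header(rty, tme, dte, sid, sty, ssi=b"\x00" * 4):
    """Construct a header-only record (sample data for this example)."""
    return (struct.pack(">HHBBI", HEADER_LEN, 0, 0, rty, tme)
            + bytes.fromhex("%08X" % dte)
            + sid.ljust(4).encode("cp037")
            + ssi
            + struct.pack(">H", sty))


def decode_header(rec):
    """Return the header fields of one SMF record as a dict."""
    if len(rec) < HEADER_LEN:
        raise ValueError("record shorter than an SMF header with subtype")
    reclen, _seg, _flg, rty, tme = struct.unpack(">HHBBI", rec[:10])
    dte_hex = rec[10:14].hex().upper()           # '0117311F' in Example 6-2
    century, yy, ddd = int(dte_hex[0:2]), int(dte_hex[2:4]), int(dte_hex[4:7])
    rec_date = date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)
    secs, hund = divmod(tme, 100)
    rec_time = time(secs // 3600, secs % 3600 // 60, secs % 60, hund * 10000)
    return {
        "length": reclen,
        "type": rty,
        "subtype": struct.unpack(">H", rec[22:24])[0],
        "date": rec_date,
        "time": rec_time,
        "sid": rec[14:18].decode("cp037").rstrip(),
        "tme_hex": "%08X" % tme,
        "dte_hex": dte_hex,
    }


def sort_key(rec):
    """Binary ascending on date then time: the DFSORT key from Example 6-1."""
    return rec[10:14] + rec[6:10]


def select_records(records, rty, sty=None):
    """Sort by date/time and keep records of the wanted type (and subtype)."""
    selected = []
    for rec in sorted(records, key=sort_key):
        hdr = decode_header(rec)
        if hdr["type"] == rty and (sty is None or hdr["subtype"] == sty):
            selected.append(hdr)
    return selected


# Constructed samples (see module docstring), deliberately out of order so
# that select_records() has something to sort.
SAMPLE_RECORDS = [
    build_header(82, 0x005E5858, 0x0117311F, "SC60", 31),   # Example 6-2 values
    build_header(82, 0x005E6000, 0x0117311F, "SC60", 44),   # invented, 19 s later
    build_header(82, 0x00010000, 0x0117310F, "SC60", 40),   # invented, the day before
]

if __name__ == "__main__":
    for hdr in select_records(SAMPLE_RECORDS, 82):
        print(hdr["date"], hdr["time"], hdr["sid"],
              "type", hdr["type"], "subtype", hdr["subtype"])
```

Decoding the Example 6-2 header this way gives 7 November 2017, 17:10:30 on system SC60, which matches the timestamp line CSFSMFR prints; the subtype field at offset 22 is only meaningful for record types that define one, so check the record's mapping before applying this decoder to other SMF types.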
An excerpt of the Crypto Usage Statistics for SMF record type 82, subtype 31 is shown in Example 6-2.
Example 6-2 Excerpt from Crypto Usage Statistics
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... NET
USERID_TK.....
JOBID.........
JOBNAME....... NET
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
SRV...CSFKGN..... 12
**************************************************
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... PE08
USERID_TK.....
JOBID......... TSU05881
JOBNAME....... PE08
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
ENG...CARD...6C00/DV785304... 2
Example 6-2 on page 126 shows that the first usage event is recorded for jobname=NET. It occurred on system PLEX60 and used crypto domain 84. The time interval for the event is 22:02 - 22:10 on 7 November 2017. In that interval, the CSFKGN (key generate) service was called 12 times. In the second usage event, jobname=PE08 made two calls to the cryptographic card (6C00).
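The formatted report is readable, but answering the questions in 6.5 (which jobs use which engines, which services are called most, whether anything runs in software) across many intervals means aggregating it. The following added Python example, which is not the chapter's own code nor IBM's CSFSMFR exec, parses the two Subtype 31 blocks reproduced from Example 6-2 into records, totals the SRV and ENG counters per job, and lets you search counters by name. The engine name that CSFSMFR prints for software-handled requests is not shown in this chapter, so the `SOFTWARE` pattern used in the usage note is an assumption to be checked against your own report output.

```python
"""Parse CSFSMFR-formatted Crypto Usage Statistics (SMF 82 subtype 31) output.

Added example, not part of the chapter and not IBM's CSFSMFR exec. The REPORT
text is the Example 6-2 excerpt; everything else is this example's own code.
"""
import re
from collections import defaultdict

# Report text copied from Example 6-2 (two intervals, one job each).
REPORT = """\
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... NET
USERID_TK.....
JOBID.........
JOBNAME....... NET
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
SRV...CSFKGN..... 12
**************************************************
Subtype=001F Crypto Usage Statistics
Written periodically to record crypto usage counts
7 Nov 2017 17:10:30.00
TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F
INTVAL_START.. 11/07/2017 22:02:24.247495
INTVAL_END.... 11/07/2017 22:10:30.001940
USERID_AS..... PE08
USERID_TK.....
JOBID......... TSU05881
JOBNAME....... PE08
JOBNAME2......
PLEXNAME...... PLEX60
DOMAIN........ 84
ENG...CARD...6C00/DV785304... 2
"""

# "TME... 005E5858 DTE... 0117311F SID... SC60 SSI... 00000000 STY... 001F"
HDR_RE = re.compile(r"^TME\.\.\. (\S+) DTE\.\.\. (\S+) SID\.\.\. (\S+) "
                    r"SSI\.\.\. (\S+) STY\.\.\. (\S+)$")
# "SRV...CSFKGN..... 12" or "ENG...CARD...6C00/DV785304... 2" (ALG lines look alike)
COUNT_RE = re.compile(r"^(SRV|ENG|ALG)\.\.\.(.+?)\.+\s+(\d+)$")
# "USERID_AS..... NET", "USERID_TK....." (empty value), "DOMAIN........ 84"
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\.{2,}\s*(.*)$")


def parse_report(text):
    """Split the report into one dict per Subtype= block: fields and counters."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subtype="):
            cur = {"subtype": line.split()[0].split("=")[1], "fields": {}, "counts": {}}
            records.append(cur)
            continue
        if cur is None or not line or line.startswith("*"):
            continue                      # preamble, blank, or block separator
        m = HDR_RE.match(line)
        if m:
            cur["fields"].update(zip(("TME", "DTE", "SID", "SSI", "STY"), m.groups()))
            continue
        m = COUNT_RE.match(line)          # must run before FIELD_RE, which also matches
        if m:
            kind, name, n = m.groups()
            cur["counts"][(kind, name)] = int(n)
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m.group(1)] = m.group(2).strip()
    return records


def usage_by_job(records):
    """Total each (jobname, kind, counter name) across all intervals."""
    totals = defaultdict(int)
    for r in records:
        job = r["fields"].get("JOBNAME", "")
        for (kind, name), n in r["counts"].items():
            totals[(job, kind, name)] += n
    return dict(totals)


def find_usage(records, kind, pattern):
    """List (jobname, userid, counter name, count) for counters of `kind`
    whose name matches the regex `pattern`."""
    rx = re.compile(pattern)
    hits = []
    for r in records:
        f = r["fields"]
        for (k, name), n in r["counts"].items():
            if k == kind and rx.search(name):
                hits.append((f.get("JOBNAME", ""), f.get("USERID_AS", ""), name, n))
    return hits


if __name__ == "__main__":
    recs = parse_report(REPORT)
    for key, n in sorted(usage_by_job(recs).items()):
        print(key, n)
    print("software engine hits:", find_usage(recs, "ENG", "SOFTWARE"))
```

Running this over the excerpt yields two records and two totals (NET called CSFKGN 12 times; PE08 made 2 requests to card 6C00/DV785304), and `find_usage(recs, "ENG", "SOFTWARE")` returns an empty list because every request in the excerpt went to a card. Substitute whatever engine name your CSFSMFR output prints for software processing (the `SOFTWARE` string is an assumption here) to get the "handled in software" check that 6.5 describes, and feed the output of several intervals to `usage_by_job` to find peak periods and the jobs behind them.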