There are lots of moving parts to a production z/OS system. Some are used repeatedly, inline, during an IPL and therefore fall within the scope of an ICE/IFO, Image FOCUS Inspection. Others, equally important, are outside the IPL and Inspection Paths requiring Supplemental processing to ensure an ongoing review of their changes and overall integrity.
The various parts of a z/OS System,whether they are "At Rest", awaiting use during the next IPL, or "In Flight", being actively used Post-IPL, each presentsunique monitoring, control, and best practice questions. ICE/SUPS focuses primarily on building and storing baseline blueprints of named z/OS configuration components, "As Found", and reporting changes
OSMON is an ICE application that supports the continuous monitoring of the current integrity of a z/OS LPAR. It does this at scheduled Intervals - Daily, Weekly or Monthly. As seen from the 3270 screen shown above, OSMON is easily programmed to monitor as few as one, or up tosixteen, 'Key Points of z/OS Integrity' and, in turn, send its findings to defined recipients.
When the techniques used by OSMON are applied within the System z Environment, they reinforce the Configuration Control Boundaries maintained by the Policy Rules defined to, and enforced by, the External Security Manager (ESM). Used in this way, OSMON establishes and enforces ‘Fine-Grained, Micro-Perimeter’ controls around critical System z Configuration Resources – IPLParm, ParmLib, ProcLib, Operator Commands, and others, as shown in the panel above. The result of continuous monitoring extends the System z Configuration Security-Control Continuum.
Here's an example of what OSMON can do for you. We all know that making a data set APF-authorized is not sufficient to bestow APF-authorization upon the modules/programs it contains. But it does open the door to a loss ofsystem integrity if the required additional authorization is not closely controlled by the originating author, when marking the module's Authorization Code (AC). Modules/Programs with AC=1 are fully authorized and should be checked carefully, before adding them to an APF Authorized Dataset,and monitored carefully, thereafter.
OSMON is the ideal system utility for monitoring and reporting on changes to all aspects of the APF Dataset Configuration: Datasets added/deleted, Modules added/deleted, changes in Module attributes: alias references, size, location, mode of operation,and importantly, the level of AC. Some call it File Integrity Management (FIM)s; we call it common sense best practices.
We know that ICE/OPER/OSMON can enrich z/OS Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/OSMON can do and why we are so enthusiastic about it.
RACF® enables its users to protect system resources, but the protection it provides is only as good as the implementation. Your organization needs a way to verify that the security mechanisms actually in effect are the ones intended. Delivered with RACF, DSMON (The Dataset Security Monitor) is a source of this vital configuration information.
“Best Practice” calls for a constant, ongoing, systematic review of the security mechanisms configured to RACF. Doing so is often considered a critical first step in the identification of configuration changes that could potentially undermine the integrity of the operating system and the RACF security environment.
Built on the proven base of DSMON, ICE/OPER/DSMON adds monitoring and automation functions, individually controlled baselines of selected DSMON source information, taken at intervals, comparing them with those created at prior intervals.
The goal? To identify changes, of up to sixteen specific RACF or System configurations, and alert system and security staff with a need to know of such changes.
We know that ICE/OPER/DSMON can enrich RACF Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/DSMON can do and why we are so hyped-up about it.
How often do you IPL? If you are like most z/OS shops, the answer is as little as possible, maybe once every six months, unless there is an emergency. Just like System Integrity and Security, Productivity "System Up-time" is everything. But things are far from static; environments and business conditions change, necessitating "On-the-fly" updates to spinning systems.
Unlike ICE/OPER/OSMON and ICE/OPER/DSMON, described above, which monitor "At Rest" configurations, ICE/OPER/CMMD monitors for system updates, via Operator Commands that bypass static configuration updates and, therefore, may go undetected. The best examples of this possibility can be found in the SETPROG command set. For example, issuing the SETPROG APF, ADD command sequence, along with the permission to do so, will dynamically add a dataset directly to the APF Dataset List.
While ICE/OPER/CMMD detects, logs, and reports in real-time, the APF add, described above can do more. Here are a few examples:
We know that ICE/OPER/CMMD can enrich z/OS "In Flight" Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/CMMD can do and why we are so excited about it. We believe you will be as well.
"When we installed and customized the Control Editor, ICE/TCE, we noticed that certain critical z/OS Control Points, Load Modules for example, IODF Dataset, Health Checker, and others, were not monitored for changes. We discussed this with NewEra and were really pleased when they announced the availability of the ICE/SUPS Detectors to fill these gaps."
“Using the ICE/SUPS Detectors, we now monitor at intervals that we define: Health Checker - hourly, Load Modules - daily, IODF - weekly, PPT - monthly. The details associated with specific changes are sent via email to the responsible team for follow-up. We now have change history at our fingertips, for each z/OS system. Thanks, NewEra, problem solved.”
"The thing we like best is the way NewEra is approaching the distribution of its ICE software and applications. It allowed us to get started with minimal effort and expense, focusing on what we believed to be our most critical issue, LPAR integrity. As we get comfortable with the process we can, at any time, move on to more global z/OS concerns."