NewEra Software Inc. is a sponsor of the zExchange - A community of z/OS Citizens

Best Practices For Monitoring system security & integrity

ICE/Applications - Built, distributed, and supported by NewEra Software, Inc.

Reveal the Full Picture of z/OS Integrity

ICE/SUPS Can Monitor Every Last z/OS Detail

There are lots of moving parts to a production z/OS system. Some are used repeatedly, inline, during an IPL and therefore fall within the scope of an ICE/IFO, Image FOCUS Inspection. Others, equally important, are outside the IPL and Inspection Paths and require Supplemental processing to ensure an ongoing review of their changes and overall integrity.

ICE/SUPS Reports on Configuration Changes

The various parts of a z/OS System, whether they are "At Rest", awaiting use during the next IPL, or "In Flight", being actively used Post-IPL, each present unique monitoring, control, and best practice questions. ICE/SUPS focuses primarily on building and storing baseline blueprints of named z/OS configuration components, "As Found", and reporting changes.

Monitoring the Integrity of a z/OS LPAR - The first step towards System Security!


OSMON is an ICE application that supports the continuous monitoring of the current integrity of a z/OS LPAR. It does this at scheduled Intervals - Daily, Weekly or Monthly. As seen from the 3270 screen shown above, OSMON is easily programmed to monitor as few as one, or up to sixteen, 'Key Points of z/OS Integrity' and, in turn, send its findings to defined recipients.

When the techniques used by OSMON are applied within the System z Environment, they reinforce the Configuration Control Boundaries maintained by the Policy Rules defined to, and enforced by, the External Security Manager (ESM). Used in this way, OSMON establishes and enforces ‘Fine-Grained, Micro-Perimeter’ controls around critical System z Configuration Resources – IPLParm, ParmLib, ProcLib, Operator Commands, and others, as shown in the panel above. The result of continuous monitoring extends the System z Configuration Security-Control Continuum.

Here's an example of what OSMON can do for you. We all know that making a data set APF-authorized is not sufficient to bestow APF-authorization upon the modules/programs it contains. But it does open the door to a loss of system integrity if the required additional authorization is not closely controlled by the originating author when marking the module's Authorization Code (AC). Modules/Programs with AC=1 are fully authorized and should be checked carefully before adding them to an APF Authorized Dataset, and monitored carefully thereafter.

OSMON is the ideal system utility for monitoring and reporting on changes to all aspects of the APF Dataset Configuration: Datasets added/deleted, Modules added/deleted, and changes in Module attributes: alias references, size, location, mode of operation, and, importantly, the level of AC. Some call it File Integrity Management (FIM); we call it common sense best practices.
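The kind of baseline comparison described above, as an added sketch that is not NewEra's code and does not reproduce OSMON's logic. The snapshot layout, the severity labels, and all dataset and module names are assumptions made for the example; how a snapshot is collected from the system is outside its scope.

```python
# Added example: diff two "as found" snapshots of APF library contents.
# Snapshot shape is an assumption of this sketch:
#   {dataset: {module: {"ac", "size", "alias_of", "amode"}}}
# Severity labels are illustrative, not a product's rating scheme.

def mod(ac, size, alias_of=None, amode="31"):
    return {"ac": ac, "size": size, "alias_of": alias_of, "amode": amode}

def diff_apf(baseline, current):
    """Return (severity, dataset, module, detail) tuples in dataset/module order."""
    findings = []
    for dsn in sorted(set(baseline) | set(current)):
        old, new = baseline.get(dsn), current.get(dsn)
        if new is None:
            findings.append(("MEDIUM", dsn, "*", "dataset removed from APF list"))
            continue
        if old is None:
            findings.append(("HIGH", dsn, "*", "dataset added to APF list"))
            old = {}
        for name in sorted(set(old) | set(new)):
            a, b = old.get(name), new.get(name)
            if a is None:  # new module: AC=1 means it is marked fully authorized
                sev = "HIGH" if b["ac"] == 1 else "LOW"
                findings.append((sev, dsn, name, f"module added, AC={b['ac']}"))
            elif b is None:
                findings.append(("LOW", dsn, name, "module deleted"))
            else:
                for attr in sorted(set(a) | set(b)):
                    if a.get(attr) != b.get(attr):
                        # A change that raises AC to 1 is the case to review first.
                        sev = "HIGH" if attr == "ac" and b.get(attr) == 1 else "MEDIUM"
                        findings.append((sev, dsn, name,
                                         f"{attr}: {a.get(attr)!r} -> {b.get(attr)!r}"))
    return findings

# Constructed sample snapshots (dataset and module names are made up).
BASELINE = {
    "EXAMPLE.AUTHLIB": {"PAYAUTH": mod(1, 20480), "RPTUTIL": mod(0, 4096)},
    "EXAMPLE.OLD.LOAD": {"LEGACY": mod(0, 1024)},
}
CURRENT = {
    "EXAMPLE.AUTHLIB": {"PAYAUTH": mod(1, 20992), "RPTUTIL": mod(1, 4096),
                        "NEWMOD": mod(1, 512)},
    "EXAMPLE.TEMP.LOAD": {"HELPER": mod(0, 256)},
}

if __name__ == "__main__":
    for finding in diff_apf(BASELINE, CURRENT):
        print(*finding, sep=" | ")
```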

Learn More

We know that ICE/OPER/OSMON can enrich z/OS Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/OSMON can do and why we are so enthusiastic about it.

Monitoring RACF Settings Assures a Better Understanding of Security Changes


RACF® enables its users to protect system resources, but the protection it provides is only as good as the implementation. Your organization needs a way to verify that the security mechanisms actually in effect are the ones intended. Delivered with RACF, DSMON (The Dataset Security Monitor) is a source of this vital configuration information.

“Best Practice” calls for a constant, ongoing, systematic review of the security mechanisms configured to RACF. Doing so is often considered a critical first step in the identification of configuration changes that could potentially undermine the integrity of the operating system and the RACF security environment.  

Built on the proven base of DSMON, ICE/OPER/DSMON adds monitoring and automation functions: it takes individually controlled baselines of selected DSMON source information at intervals and compares them with those created at prior intervals.


The goal? To identify changes in up to sixteen specific RACF or System configurations and alert system and security staff who need to know of such changes.

Learn More

We know that ICE/OPER/DSMON can enrich RACF Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/DSMON can do and why we are so hyped-up about it.

When z/OS is in Flight, Operator Commands are the Critical Control Point


How often do you IPL? If you are like most z/OS shops, the answer is as little as possible, maybe once every six months, unless there is an emergency. Just like System Integrity and Security, Productivity "System Up-time" is everything. But things are far from static; environments and business conditions change, necessitating "On-the-fly" updates to spinning systems. 

Unlike ICE/OPER/OSMON and ICE/OPER/DSMON, described above, which monitor "At Rest" configurations, ICE/OPER/CMMD monitors for system updates made via Operator Commands, which bypass static configuration updates and, therefore, may go undetected. The best examples of this possibility can be found in the SETPROG command set. For example, issuing the SETPROG APF,ADD command sequence, along with the permission to do so, will dynamically add a dataset directly to the APF Dataset List.

While ICE/OPER/CMMD detects, logs, and reports in real time the APF add described above, it can do more. Here are a few examples:

  • ICE/OPER/CMMD can provide a secondary layer of control around the use of operator commands in support of those already provided by RACF, ACF2, or Top Secret, allowing you to "Fine-Tune" access to them and their use.
  • ICE/OPER/CMMD can provide invaluable guidance to both novice and seasoned system programmers in the use of operator commands. A good example would be the guidance provided when attempting to add or delete a LNKLST Dataset.
  • ICE/OPER/CMMD fully documents the use of operator commands, often an audit finding in compliance auditing. This includes not only the who, what, and when of the command usage, but also the system reply and, most importantly, required descriptive text provided by the issuer at the time the command was issued.

Learn More

We know that ICE/OPER/CMMD can enrich z/OS "In Flight" Monitoring. If you agree, or just find the possibility interesting, select the option below to contact us. At your request, we'll arrange a complimentary webcast to explain what ICE/OPER/CMMD can do and why we are so excited about it. We believe you will be as well.

What Users are Saying About the ICE/Supplemental Detectors


"When we installed and customized the Control Editor, ICE/TCE, we noticed that certain critical z/OS Control Points, Load Modules for example, IODF Dataset, Health Checker, and others, were not monitored for changes. We discussed this with NewEra and were really pleased when they announced the availability of the ICE/SUPS Detectors to fill these gaps."

Interval Reporting

“Using the ICE/SUPS Detectors, we now monitor at intervals that we define: Health Checker - hourly, Load Modules - daily, IODF - weekly, PPT - monthly. The details associated with specific changes are sent via email to the responsible team for follow-up. We now have change history at our fingertips, for each z/OS system. Thanks, NewEra, problem solved.”

Investment Protection

"The thing we like best is the way NewEra is approaching the distribution of its ICE software and applications. It allowed us to get started with minimal effort and expense, focusing on what we believed to be our most critical issue, LPAR integrity. As we get comfortable with the process we can, at any time, move on to more global z/OS concerns."

ICE/OPER, like all NewEra Software Products, is licensed on an MSU, tiered price scale, for a defined term, or in perpetuity by CPU, Site, Region, or Globally.

Maintenance is included in the first license year and thereafter is 15% of the then current list price.

Contact Us

NewEra Software, Inc.

18625 Sutter Boulevard, Suite 950, Morgan Hill, CA 95037, US

(800) 421-5035

We are here for you, ready to help!