Mainframe files/datasets are liable to change quite often. After all, people are using those files so they are likely to be modified/updated. So how could you tell whether there had been a legitimate change to the file or it had been hacked? How can you verify that your z/OS files have remained intact and your data is secure?
The answer seems to be to use File Integrity Monitoring (FIM) software. FIM software is quite prominent on non-mainframe platforms and is only now beginning to be utilized on z/OS. The software can monitor the following values for unexpected changes to files or configuration items including:
- Credentials
- Privileges and security settings
- Content
- Core attributes and size
- Hash values
- Configuration values.
File Integrity Monitoring makes sense on non-mainframe platforms where they don’t have the incredible level of security that comes out of the box with a z14 processor, so why use it on a mainframe? One big reason, not surprisingly is compliance with regulations. These regulations include: PCI-DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley Act), NERC CIP, FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act), NIST (National Institute of Standards and Technology), and SANS Critical Security Controls. As an example, PCI DSS Requirement 11.5 requires a FIM solution be in place on all platforms, including mainframes.
To comply with these regulations, mainframes need to be able to verify that z/OS files remain intact and data is secured. They also need to be able to continually scan and verify mainframe files, and log the results for auditing in order to comply with these regulations. That way they can produce verifiable proof that file integrity has been maintained. In fact, the FIM software installed should make it possible for either an internal or external compliance auditor to validate data integrity using an on-demand audit function.
Just looking at that in a bit more detail, the file integrity monitoring software needs to be able to scan files on a schedule or on demand. Using the information from the scan, it needs to swiftly identify even minor changes (and that means within seconds), and then send an alert to an existing SAF (System Authorization Facility like RACF) or a SIEM (Security Information and Event Management). And if nothing has changed in the files, the FIM software needs to be able to provide immediate and conclusive evidence that the mainframe environment is unaltered. And, thirdly, it needs to create a full audit trail so that there’s plenty of documented evidence to help prove compliance with the ever-increasing data security standards that apply to mainframe operations.
So what exactly should your mainframe’s file integrity monitoring software be looking out for unauthorized or unrecognized changes to? The answer would need to include:
- Executable programs and libraries
- JCL, HTML, panels, scripts, rate tables
- Configuration and control members
- Log files such as SMF, Db2, IMS
- Other sequential files and GDGs.
One problem with traditional reporting tools on a mainframe is that they tend to run overnight and the reports are looked at the following morning. In a world where mainframes are still less likely to be hacked than other platforms, that might be OK. But what’s to stop someone with a legitimate reason for accessing the mainframe from making illegal changes to files? The answer is probably nothing because they won’t be suspected until the next day. And at many sites, the person who looks through those nightly reports, is likely to be the person with the skillset to hack the mainframe’s files. The fox in charge of the hen house scenario.
Installing file integrity monitoring software brings with it two benefits. It gives you peace of mind that your files have not been maliciously attacked and your data is secure. And it means that you are compliant with the regulations affecting your industry.
