DISA published a draft version of z/OS STIG V7. This version introduces some changes. Some of the changes affect IronSphere clients and require some modifications to the STIGs. Below is a short description of the major changes. We took the opportunity to make some minor changes to IronSphere, described under “IronSphere Architectural changes”.
DISA STIG changes.
Naming Convention.
Previous versions of the z/OS STIGs named each finding after the component it monitors. For example, JES findings used to have version names such as ZJESnnnn. Version 7 consolidates all findings under a single prefix.
IronSphere uses the Component name for filtering views and access control (Role-Component assignment). We added a new field to maintain these facilities while keeping the new naming conventions.
FINDING-ID.
The FINDING-ID field, used to uniquely identify findings (checks), has been removed and will not be part of the new version. IronSphere doesn’t use this field, so users are not affected.
Details section.
The details section defines the security controls and their allowed values. Previous versions used a predefined reporting system that allowed some automation in data collection. This facility has been removed from V7, which now only specifies the commands used to collect the data. IronSphere clients are not affected by this change. They do not access the mainframe for this purpose anyway.
IronSphere Architectural changes.
Checkpoint Encryption.
IronSphere uses a checkpoint mechanism to save check results in case of transmission errors. Previously, the checkpoint dataset (SQIFCKPT) was not encrypted, so read access to the dataset had to be restricted to administrators only.
The SQIFCKPT checkpoint dataset is now encrypted using AES 256.
Check executables.
IronSphere check load modules (Rexx compiled execs, or CEXECs) now include more information about the level of the check. The purpose of this change is to help clients identify the exact version of the executable in case of an error.
This information includes:
· STIG version number.
· PTF number and short PTF description.