The z/OS System Integrity statement originates from the original statement issued in 1973 with the IBM MVS™ operating system. To learn more, read the Statement of z/OS System Integrity.
To maintain the highest levels of z/OS system integrity, IBM strongly recommends that users of the z/OS Operating System validate the currency of security and system integrity service and take action to promptly install all security and integrity PTFs.
Sign up and get your integrity information sooner
As a best practice, IBM strongly recommends that clients obtain access to the System z Security Portal and subscribe to the Security Portal’s automatic notification process to get access to the latest service information on security and system integrity APARs for z/OS. Note that IBM treats vulnerability information in connection with System z as IBM Confidential and by accessing the Security Portal you agree to treat such information as confidential in accordance with the terms set forth.
If you are not currently authorized to access the Security Portal, instructions to do so are located here. IBM makes available important information about security and system integrity APARs and associated fixes in this Security Portal which can help you to plan the timely installation of security and integrity fixes. Once you are registered at the Security Portal, you may subscribe and receive an email notification of all new posts.
What can the Security Portal give you?
In the Security Portal, the security / integrity data for z/OS is provided in three files. The file names begin with a prefix that contains the date, in the format “YYYY-MM-DD secint.”, followed by one of three suffixes for security / integrity APAR information: holds, asgn, and cvss. The holds file contains Enhanced HOLDDATA, which can be used as input to SMP/E. The asgn file contains ++ASSIGN statements, which SMP/E also uses to help system maintenance installers group PTFs. The cvss file contains Common Vulnerability Scoring System Version 2.0 (CVSS) data that security personnel can use to help evaluate the potential risk of a particular APAR. Base and Temporal scores are provided. Clients must complete any required Environmental score. An example file name might be “2014-05-03 secint.holds”, which would be a file that contains Enhanced HOLDDATA that was made available on May 3rd, 2014.
In addition to the Security Portal, IBM includes the pertinent Security / Integrity APAR fixes in the next Recommended Service Upgrade (RSU) after the fix is available (typically within 60 days). Note, however, that to obtain or use the Common Vulnerability Scoring System (CVSS) data and to obtain the most up-to-date notification, clients must be authorized to use the System z Security Portal. For more information on the RSU process, see: www.ibm.com/systems/z/os/zos/support/servicetest/
The process for the dissemination of Security / Integrity data on System z has evolved over a very long time. The current process has been formed by carefully listening to many clients’ needs and industry requirements. Based on feedback from our varied client set, IBM has a policy of treating security vulnerability information confidentially. IBM believes it important that a client feel secure coming to IBM with a problem report that may affect the security of their enterprise. IBM will hold the detailed vulnerability information in confidence throughout the lifecycle of the potential problem to help reduce the likelihood that detailed knowledge of the vulnerability will be made public. The System z Security Portal provides clients with the ability to determine what service needs to be applied to their systems to help mitigate identified security risks and the means to authenticate and retrieve the latest security / integrity data to help them stay current with maintenance.
There are many sources used by IBM to help investigate potential security vulnerability issues impacting System z. These sources include a team of individuals that comprise the System z System Integrity Competency Center utilizing inspection techniques, as well as various testing and scanning tools, ethical hackers from our Watson Research Lab, and some external sources. IBM has also developed relationships with organizations such as CERT, CVE, BugTraq, MIT, etc., which can provide notification of potential vulnerabilities, in many cases before they are made public, so we can develop and make fixes available to help mitigate potential risk to System z. In addition, on rare occasions clients may find and report system integrity or security concerns directly to IBM, and can do so with the knowledge that IBM will treat the information as confidential. IBM will investigate each report and, when appropriate, create APARs and make fixes available.
System z customers can gain access to the System z Security Portal by following the instructions found at the Subscription Process.