
Vanguard Security Solutions

Features Summary
Version 1.13

Table of Contents
Vanguard Security Solutions Version 1.13 Features Summary
All Vanguard Products: IBM z/OS Compatibility and Support
Vanguard Administrator
    User Certificate Report (New)
    Rename Group Command Option Added
    REBUILD Command Request Redesigned
    Expanded Internal Storage Capacity
    Extract Supports Secured Signon Encrypted Keys
    Enhanced OBSOLETE Process
    Enhanced Clone Group and Clone User Processing
    Improved Clone Group User Interface
    New Report: WORKATTR Account with Connect Groups
Vanguard Advisor
    Larger SMF Record Capacity
    Support Added for OPN and SPC Log Reason Codes
    Improved the Extract File Create Process
    Improved Log Stream Unavailability Processing and Notification
Vanguard ez/SignOn
    New Distribution Method
    Adds Support for Microsoft Platforms
Vanguard ez/Token
    Supports Authentication per Application
Vanguard Enforcer
    Enhanced Active Alert 14
    Enhanced Baseline Build User Interface
    Improved Diagnostics
    Enhanced Baseline Build
Vanguard inCompliance
    Enhanced Reporting
    Exception Migration and Database Backup/Restore Utility Created
    Performance Improvements on Load and Analyze
    Improved Memory Utilization for IRRDBU00 Usage
    Enhanced Global Settings
    Improved Upgrade Migration Path
    New Messages
Vanguard PasswordReset
    Enhanced Email Options
    Masking Available for Authentication Questions
Vanguard Policy Manager
    Controlling the Security of Targeted Profiles through $LEVEL Policy
    Support for SEARCH Command
    Honor FROM Keyword in Lieu of OWNER
    Protect all GS profiles from RDELETE
    Improved Datecode Processing
Vanguard SecurityCenter
    Microsoft Certifications Earned
    Display the Number of Entries in Access Lists
    Support for DB2 Long Table Names
    Started Task and Associated Task Names Customizable
    Client Installation No Longer Requires Administrative Rights

2011 Vanguard Integrity Professionals Nevada


Vanguard Security Solutions Version 1.13


Features Summary
All Vanguard Products: IBM z/OS Compatibility and Support
All supported versions of Vanguard Security Solutions, including Version 1.13, support all
z/OS releases currently supported by IBM to ensure enhanced security and data protection
for IBM System z customers.

Vanguard Administrator
User Certificate Report (New)
Vanguard Administrator now has a new report, referred to as the User Certificate Report,
that captures and reports on digital certificate expiration information. It provides reporting
insight into the expiration status of digital certificates that have expired, or will be expiring,
in a number of specified days. This report, available through batch job VRADCRP1,
provides advanced notice of certificate expiration which enables security personnel to avoid
operational outages and ensure the seamless continuation of secure data transmissions. The
sample JCL is available in member VRADCRP1 of the Vanguard Sample Library.
Benefits

Captures digital certificate expiration information.

Avoids operational outages due to expiring certificates.

Assists with seamless continuation of secure data transmissions.

Rename Group Command Option Added


Vanguard Administrator now provides a new rename processing option, the Rename Group
command option, which enables the renaming of a group profile and then replaces all
references to the old group name with the new name specified. This option is easily
accessible from the Task Administration Menu (Fastpath 1;23) and is more efficient than
using the rename function of CLONE Group processing. To support this new functionality
in batch mode, the RENAMEG command was also added.
Benefits

Provides an easier and more efficient method for rename processing.

Easily accessible from the Task Administration Menu.


REBUILD Command Request Redesigned


The Vanguard Administrator REBUILD command now generates a RACF command
structure of one ALTUSER (ALU) command per segment, including all parameters and
their values, for the WORKATTR and OMVS segments of the user profile specified.
ALU USERID01 TSO(ACCTNUM(000TSO) MAXSIZE(0128000) SIZE(0128000) +
    PROC(@RACF) UNIT(SYSALLDA) COMMAND(ISPF))
ALU USERID01 WORKATTR(WANAME(E1031029) WAADR1(2))
ALU USERID01 OMVS(UID(1001031029) HOME(/home/USERID01) +
    PROGRAM(/bin/sh))

Benefits

Increases efficiency of command execution.

Improves use of system resources in a sysplex environment.

Expanded Internal Storage Capacity


Vanguard Administrator now holds up to 100,000 member entries of group class and cross-reference reports.
Benefits

Improves processing.

Improves performance.

Improves reporting capabilities.

Extract Supports Secured Signon Encrypted Keys


The Vanguard Administrator extract process now recognizes the KEYENCRYPTED
parameter in the KEYSMSTR class, which stores the cryptographic product master keys for
the secured signon function installed.
Benefits

Supports encryption key information used for secured signon function.

Enhanced OBSOLETE Process


The Administrator OBSOLETE process now recognizes specific profiles required by the
WebSphere Application Server for z/OS to ensure that these profiles are not deleted.
Benefits

Ensures that profiles required by WebSphere Application Server for z/OS are
not inadvertently deleted.


Enhanced Clone Group and Clone User Processing


The Vanguard Administrator Clone Group process ensures operational efficiency by
validating that a new name does not already exist as a user ID or group name prior to
RACF command generation and execution.
The Vanguard Administrator Clone User process now validates that the new user ID does
not exist as a group name or user ID prior to RACF command generation and execution.
Benefits

Helps ensure operational efficiency.

Supports RACF rules regarding unique identification names.

Avoids incomplete processing and unnecessary errors from RACF.

Improved Clone Group User Interface


On the Clone Group panel, help text for the Access, Connect and Rename fields now
appears closer to the data entry area for better ease-of-use.
Benefits

Better ease-of-use for field entry requirements.

New Report: WORKATTR Account with Connect Groups


A new report in Vanguard Administrator, WORKATTR Account with Connect Groups,
now provides a list of users which details all groups that each user is connected to, and
information from the WORKATTR RACF segment for simplified reporting and data
mining. This report enables an administrator to now view the information from a single
report and eliminates the need to gather this same information from multiple reports or
panels. The WORKATTR Account with Connect Groups report is available through batch
job VRAWKATG. The sample JCL is in the VRAWKATG member of the Vanguard
Sample Library. The JCL contains instructions and examples of report control parameters.
Benefits

Simplifies reporting and data mining

Provides efficient reporting for better operational management.

Vanguard Advisor
Larger SMF Record Capacity

The Vanguard Advisor Detail Report Table now enables additional event
reporting to improve the batch report process.

The Summary Table, produced for Standard Summary Reports, can now be
adjusted through a new parameter, SUMTABMAXSTOR, in the VSROPT00
member of the Options library. This parameter sets the size of the internal
table and so controls the amount of internal storage, in megabytes, used
for the Summary Reports.

Benefits

The number of events in a Detail Report is now limited only by the amount of
available DASD space, which decreases the risk of data loss.

The size of the Summary Table can now be adjusted through a new
SUMTABMAXSTOR parameter enabling greater control over internal storage
utilization.

Support Added for OPN and SPC Log Reason Codes


Vanguard Advisor now provides two new log reason codes, OPN and SPC, to support the
IBM SMF80REA field change, which documents the actual auditing in effect when access
to a resource is checked. These additional log reason codes provide additional SMF detail
and represent the following SETROPTS options: OPERAUDIT, NOOPERAUDIT,
SAUDIT and NOSAUDIT. Each log reason code is defined as follows:

OPN indicates that the user has the Operations attribute and SETROPTS
NOOPERAUDIT in effect.

SPC indicates that the user has the Special attribute and SETROPTS
NOSAUDIT in effect.

Benefits

Supports IBM SMF80REA field changes.

Provides additional SMF detail.

Improved the Extract File Create Process


The Vanguard Advisor Extract File Create process has now been improved to allocate the
LookAside Table (LAT) in above-the-bar storage whenever storage is not available above-the-line.
LAT contains RACF user ID and group information from SMF Type 30 records that will be
assigned to z/OS Data Set Activity SMF records: 14, 15, 17, 18, 61, 62, 65 and 66. Five
new messages have been added: VSR191 through VSR198. These messages display:

Allocated LAT information.

Failed LAT allocation error information.

When the VSRSMF2 (2nd phase of the process) input file was not created by
VSRASMF1 (1st phase of the process).

When the RECSIN is empty.

Benefits

Increases the number of entries during the Extract File Create process.

No JCL changes are required.

Allows users to process additional log files by increasing the amount of storage
available to process.

Provides better information concerning the LAT.

Improved Log Stream Unavailability Processing and Notification


Only one system can be connected to a DASD-only SMF log stream. When another system
is connected and a new connection is attempted, Vanguard Advisor reports a new status
called Not Allowed, which informs users that the log stream is in use by another system.
This status report avoids operational outages caused by users attempting to use a log stream
with multiple processes and now better informs users of the log stream's current status.
Benefits

Better informs users of the current status of log streams.

Avoids outages caused by users attempting to use a log stream with multiple
processes.

Vanguard ez/SignOn
New Distribution Method
Vanguard ez/SignOn can now be installed easily and more efficiently across the enterprise.
ez/SignOn now uses a Group Policy Object (GPO) distribution method that will deploy
software across the network even if the File and Printer sharing networking feature is
disabled.
Benefits

Provides easy and efficient installation across the enterprise.

Adds Support for Microsoft Platforms


ez/SignOn now supports Windows Server 2008 (R1 and R2) and Windows 7 (32-bit and
64-bit) as part of an ongoing initiative to deliver support for newer versions of Microsoft
platforms.
Benefits

Provides ongoing support for newer versions of Microsoft platforms.

Vanguard ez/Token
Supports Authentication per Application
When ez/Token is implemented, applications that users log on to such as TSO, CICS, IMS
and others will now, by default, authenticate through ez/Token two-factor authentication in
lieu of a RACF password only. Users now also have the ability to limit the applications
authenticating through ez/Token (i.e., opt out of the default setting).


Benefits

All applications using ez/Token for authentication will automatically default to
two-factor authentication.

Users have the ability to limit applications authenticating through ez/Token.

Vanguard Enforcer
Enhanced Active Alert 14
Vanguard Enforcer now has the ability to detect and notify personnel when particular user
IDs are revoked. This new active alert saves time and alleviates frustration when user IDs
are revoked without authorization by providing an instant notification associated with the
event.
Benefits

Provides an instant notification when particular user IDs are revoked.

Enhanced Baseline Build User Interface


Vanguard Enforcer now provides an enhanced baseline build user interface:

ISPF panels are now fully point-and-shoot compatible (text fields on an ISPF
dialog screen are cursor-sensitive - if a field is selected (cursor placement and
pressing the ENTER key), the action described in that field is performed).

Fields that are point-and-shoot enabled can be displayed by using the ISPF 0
selection and then selecting the Colors action bar item and then the Point-and-shoot selection.

All PF key functions allow commands to be executed.

Enforcer now starts from an ISPF command line entry (not the VSSSPF or
VRASPF menus).

The Enforcer Help menu has been improved.

Benefits

Provides better performance and security.

Improves the overall user experience.


Improved Diagnostics
Changes to the Vanguard Enforcer PTF Analysis now provide extensive problem
diagnostics to ensure an efficient and simpler resolution. The analysis examines all data
sets allocated by the ISPF session and shows the PTF level of each member found, as well
as the DD name and DS name where it was found. Additionally, the PTF level of each object
member is shown, not just the PTF level of the load module.
Benefits

Easily identify the PTF level of each object.

Ensures an efficient and simpler resolution.

Enhanced Baseline Build


Vanguard Enforcer now saves previous error information in the Baseline data set.
Benefits

Error information does not need to be re-built during new baseline build.

Vanguard inCompliance
Enhanced Reporting
A new Reports web page enables users to configure reports, specify email options, set
daily automation settings for report generation and generate reports immediately. Vanguard
inCompliance can now generate and email reports as PDF files.
The following five system reports are now available:
General Summary Report (for all Systems)
The General Summary Report is a high-level report that details which systems are being
audited, the last Review Result (FAILED, BORDERLINE or PASSED), Tests Performed,
Tests Not Compliant, Exclusions, Test Compliant, Zero Tolerance, Compliant Categories,
Not Compliant Categories, Active Categories and Inactive Categories.
Summary Report by Category (for all Systems)
The Summary Report by Category (for all Systems) uses data from the General
Summary Report to provide a report for each system, detailed by Category (Users,
Groups, Data Sets, General Resources and System Resources), with information on Total
Tests Performed, Not Compliant, Exclusions, Compliant and Zero Tolerance by Category.
Summary Report by Subcategory (for all Systems)
The Summary Report by Subcategory (for all Systems) contains all information from the
General Summary Report plus a breakdown of each Category into Subcategories, showing
Total Tests Performed, Not Compliant, Exclusions, Compliant and Zero Tolerance. This
report provides a more detailed view by Subcategory, where the Subcategories are based
on the category.


Check Settings Report (for all Systems)


The Check Settings Report (for all Systems) provides reporting for all different settings
used to execute the analysis against the target system. With this report, administrators are
now able to ensure that proper compliance categories were active and that user configurable
settings remain set as expected.
System Detail Report (lists all failed checks)
The System Detail Report lists all failed checks and can be generated for one or multiple
systems. This is a complete report of all checks run on a specific system; however, because
this report can be extremely large, the user has the ability to limit the number of specific
detailed records to be included by Not Compliant or Exclusions.
Benefits

Provides the ability to generate inCompliance reports as PDF files.

Provides the ability to set the start time for the report automation process.

Allows users to specify which email addresses the reports will be automatically
emailed to.

Enables users to include summaries and detail information; provides the ability
to limit the number of records for Not Compliant and Exclusions.

Provides the ability to generate a system detail report for each system that
inCompliance is configured to.

Exception Migration and Database Backup/Restore Utility Created


Vanguard inCompliance now provides Exception Migration during an upgrade or
reinstallation of the product. Exception Migration enables users to backup and subsequently
restore exceptions, which are individual findings marked as an exception to a rule, thus
eliminating the need to reestablish a baseline of acceptable findings.
With the new database backup/restore utility, the inCompliance database can now be
retained in a format that enables users to simply and efficiently restore all defined systems,
history and marked exclusions, without understanding the database structure.
Benefits

Ensures data security.

Enables exception migration eliminating the need to reestablish a baseline of
acceptable findings.

Provides the ability to simply and efficiently backup and restore an
inCompliance database when required.

Facilitates inCompliance migration to another operating system and provides
greater flexibility when retaining mission critical security information.

Eliminates the need to redefine Category Settings and redo Exclusions after
reinstalling inCompliance through a backup utility.


Performance Improvements on Load and Analyze


Loading and analyzing RACF and z/OS System Resource data has been optimized for
better performance.
Benefits

Provides a 30% reduction in time for the same workload compared with previous processing.

Improved Memory Utilization for IRRDBU00 Usage


The started task has been enhanced to improve memory utilization: it now
invokes IRRDBU00 using an ATTACH rather than a CALL.
Benefits

Allows the z/OS started task to run more efficiently.

Saves time by requiring less operator involvement.

Enhanced Global Settings


inCompliance now provides additional and renamed Global Settings fields to improve
operational efficiencies and enable better ease-of-use. The start time for daily automation
processing can now be changed, and the From Email Address used to deliver emails can be
specified.
Global Settings field enhancements include:

SMTP Mail Server: New field to enter the address of the SMTP server used to
send email messages at an organization. The entry can be in DNS or IP format.

Start Time For Daily Automation Process: New field to select the Hour and
Minute, in 24-hour time format, at which the Windows Service will start the
daily automation process.

Enable Service Logging renamed to Windows Service Logging: Windows
Service Logging is a log file that contains comprehensive information about the
many different processes of the Windows Service.

Email User ID renamed to Error Notification Email Address: The Error
Notification Email Address is the address of the person that needs to respond to
error notifications.

Benefits

Improves operational efficiencies.

Enables administrators to easily find and change system wide settings by being
better informed.

Enables inCompliance processes to fit easily into the user's IT infrastructure.

Greater ease-of-use.


Improved Upgrade Migration Path


The migration path for any version of inCompliance prior to 8.2.008.000, that was installed
on DB2 version 9.5 or higher, has been improved. Once the build number is identified,
the proper migration path can be determined. The following is a list of inCompliance
builds:

Builds Prior to 7.1.001.000

Builds 7.1.001.000 through 7.1.013.000

Builds 7.1.014.000 through 7.1.021.000

Builds 7.1.022.000 through 7.1.028.000

Builds 7.1.029.000 through 8.2.007.000

Benefits

Helps clients to understand which inCompliance build requires which
migration solution along with the appropriate file to migrate with.

New Messages
New messages have been added to Vanguard inCompliance for INC Web and the ICMG
Started Task.
The new INC Web messages are reporting messages for the Reports web page. These
messages, for example, inform administrators when report settings have been updated, an
invalid email address was entered or an incorrect email address format was input.
The new ICMG Started Task messages are started task messages such as: ICMG055 - Load
library is not APF authorized and ICMG056 - Attach of IRRDBU00 failed.
Benefits

Enables the inCompliance administrator to remain informed of inCompliance
activities.

Provides detailed descriptions and recommended actions to correct the
situation.

Vanguard PasswordReset
Enhanced Email Options
Vanguard PasswordReset can now be configured to recognize and require a particular
corporate email domain (e.g., @mycompany.com) as the default for email accounts. This
ensures that only corporate email accounts are used to register with PasswordReset.
Additionally, users now have the ability to log in to PasswordReset using only the local
part of an email address (for example, jsmith, without the @mycompany.com) to increase
efficiency.


Benefits

Enforces standardized company email policies.

Eliminates error and increases efficiency.

Masking Available for Authentication Questions


Vanguard PasswordReset enables users to reset their own passwords, and the answers to its
authentication questions are difficult to socially engineer. Now the text field where the users type the answers to the
security questions in order to identify and authenticate themselves can be masked. This
feature eliminates the possibility of a third party obtaining answers to the authentication
questions by observation while the user is resetting a password.
Benefits

Provides better security.

Eliminates unnecessary risk.

Vanguard Policy Manager


Controlling the Security of Targeted Profiles through $LEVEL Policy
A new category of policy profiles, referred to as $LEVEL policies, provides the ability to
lock down multiple data set and/or general resource profiles based on the numerical value
contained in the Level field of an applicable profile. For example, if all data set and general
resource related profiles that support Payment Card Industry (PCI) compliance are assigned
a level value of 10, then a single $LEVEL policy can be defined to lock down that
particular group of profiles.
This enhancement increases productivity by providing a single policy that can lock down
multiple existing, and future, profiles associated with a specific level value.
Benefits

Enables disassociated profiles to be easily protected.

Allows users the flexibility to categorize their policies by a Level number.

Allows users to create a single policy manager profile to protect multiple
related resources even when the resources are otherwise unrelated.

Helps to ensure SOX compliance by providing a method to protect financial
resources easily.

Helps to ensure PCI-DSS compliance by providing a method to protect credit
card information easily.

Helps to ensure HIPAA compliance by providing a method to protect health
care related data easily.


Support for SEARCH Command


Vanguard Policy Manager now provides better control over users authorized to execute the
SEARCH command and parameters.
Benefits

Controls which users are authorized to execute the SEARCH command and
associated parameters.

Prevents users from displaying RACF classes that contain large quantities of
profiles, such as the USER class.

Prevents users from displaying resource information that could be used for
malicious purposes.

Honor FROM Keyword in Lieu of OWNER


Vanguard Policy Manager will now honor the FROM keyword in lieu of OWNER if the
OWNER parameter is not specified in the ADDSD or RDEFINE command, and the FROM
parameter is specified, when creating a new data set or general resource profile. The owner
of the FROM profile will then be used for all applicable Policy Manager compliance
checking.
Benefits

Increases productivity and ensures consistent group ownership because the
command issuer does not have to spend time researching data set and general
resource profile owners when using the FROM parameter.

Protect all GS profiles from RDELETE


All users, regardless of authority, are prevented from deleting a profile in the $VPM class
that is required to support Policy Manager.
Benefits

Prevents inadvertent deletion of profiles required to support Vanguard Policy
Manager.

Ensures continuous security policy management.


Improved Datecode Processing


To verify licensing, Vanguard Policy Manager will check all datecodes in the member field
of the GS.DATECODE profile when it is initially loaded on the system to validate that a
proper datecode is present for Vanguard Policy Manager.
The APPLDATA field of the GS.DATECODE profile may now contain the customer
number with or without the datecode.
Benefits

Eliminates any confusion as to whether or not Vanguard Policy Manager is
properly licensed.

Streamlines the datecode process to make the licensing process easier for users.

Customers can now load multiple datecodes into the GS.DATECODE profile.

Vanguard SecurityCenter
Microsoft Certifications Earned
Vanguard SecurityCenter has attained the following Microsoft certifications:

Windows 7 Platform Ready certification.

Windows 7 Logo certification.

Benefits

Windows 7 Platform Ready Certification assures users that Vanguard
SecurityCenter is easy to install, meets Microsoft Windows compatibility
standards and performs well on the Windows 7 platform.

Windows 7 Logo Certification of Vanguard SecurityCenter represents a shared
commitment to quality between Microsoft Corporation and Vanguard Integrity
Professionals.

Display the Number of Entries in Access Lists


Vanguard SecurityCenter now displays the number of entries in the access lists for Data
Set, General Resource and DB2 profiles. This feature provides an easy and efficient method
to quickly determine the number of entries in access lists, which enhances auditing and
verification of access to resources.
Benefits

Improves auditing and verification of access to resources.

Provides a quick and easy method of counting the number of access list entries
for Data Set, Group and DB2 profiles.


Support for DB2 Long Table Names


SecurityCenter now supports up to 128 characters for IBM DB2 table names to provide
optimal support for table names of this length.
Benefits

Provides ongoing support for IBM DB2.

Started Task and Associated Task Names Customizable


SecurityCenter now enables users to assign a standard naming convention prefix to the
started task and its associated task names to provide fewer installation requirements,
improve monitoring of system workload and ensure that tasks can be quickly and easily
identified in the workload management list.
Benefits

Identifies tasks in a workload management list quickly and easily.

Improves monitoring of system workload.

Eases installation requirements.

Client Installation No Longer Requires Administrative Rights


Users can now install and upgrade the SecurityCenter client without having Administrator
Rights.
Benefits

Easier installation.
