Collection releases

Version 1.0.0

Initial release of the ibm.ibm_eda_zos collection, that provides Event Driven Ansible solutions for IBM Z security monitoring and automated response capabilities. This collection integrates with zSecure alerts and provides comprehensive security event handling for z/OS environments.

Major Changes

  • Added security_alerts event filter plugin for processing zSecure alerts from Kafka.

  • Initial release of ibm.ibm_eda_zos collection for Event Driven Ansible on IBM Z.

Minor Changes

Documentation

  • Add documentation for collection usage and examples.

Rulebooks

  • Added rulebook for detecting invalid password limit exceeded events (alert 1111).

  • Added rulebook for detecting logon attempts by unknown users (alert 1101).

  • Added rulebook for monitoring superuser logon events (alert 1103).

  • Added rulebook for tracking group authorization status changes (alerts 1107/1108).

Playbooks

  • Created gather_listuser_information playbook for user account details.

  • Created gather_password_policy_information playbook for policy compliance checks.

  • Created quarantine_user playbook for automated account suspension.

  • Created remove_uid_access playbook for emergency access revocation.

  • Created send_alert_email playbook for security notification distribution.

  • Created setr_jes_batchallracf playbook for JES batch security configuration.

  • Created unquarantine_user playbook for account restoration.

Templates

  • Added HTML email templates for formatted security alert notifications with alert-specific layouts.

  • Included base template with consistent styling and reusable components for RACF user information.

Availability

Reference

  • Supported by IBM Ansible Content for IBM Z.

Known Issues

Alert Format Compatibility

The security_alerts event filter extracts attributes based on user-specific zSecure alert message patterns. Some custom or non-standard alert formats may not be fully parsed.

Workaround: For unsupported formats, you can use Ansible-supported operators in rule conditions to identify specific alerts, and Jinja2 filters (including Python string methods) in the action section to extract data for playbook variables.

Example for Event Structure

Below is an example of an incoming Kafka event for alert “Update on APF data set (1204)”:

{
  "headerName": "zOS-SYSLOG-Console:1.0.0",
  "hasHeaderTopic": "true",
  "metadata": "sample_host.ibm.com,SYSLOG,1.0.0,zOS-SYSLOG-Console,ZOS_HOST-SYSLOG,-0400,XESDEV,ZOS_HOST,1774419235120",
  "message": "NC,002B,26083 23.13.55.120 -0700,ZOS_HOST,TSU00121,USRT004 ,00000000000000000000000000000000,00000210,USRT004 ,80,\" C2P1204I Update by user C##ASCH on APF data set C##A.D.C##NEW.APF.LOAD\""
}

Custom Parsing Example

The following rulebook demonstrates how to parse custom alert formats using Ansible operators in conditions and Jinja2 filters in actions:

- name: Process APF dataset alert
  hosts: all
  sources:
    - ansible.eda.kafka:
        host: localhost
        port: 9092
        topic: zsecure-alerts
  rules:
    - name: Extract username and dataset from APF alert
      # Condition: Use Ansible operator to match specific alert code C2P1204I
      condition: event.body.message is search("C2P1204I", ignore_case=false)

      action:
        run_playbook:
          name: handle_apf_alert.yml
          extra_vars:
            # Action: Use Jinja2 filters to extract username (C##ASCH) and
            # dataset name (C##A.D.C##NEW.APF.LOAD) to pass to playbook
            username: "{{ event.body.message.split('user')[1].strip().split()[0] }}"
            dataset_name: "{{ event.body.message.split('data set')[1].strip().split()[0] }}"
            full_event: "{{ event }}"

This approach allows you to handle any alert format by customizing the parsing logic in your rulebooks.