Check: ACF2-OS-000080
IBM z/OS ACF2 STIG:
ACF2-OS-000080
(in versions v9 r2 through v8 r7)
Title
IBM z/OS Required SMF data record types must be collected. (Cat II impact)
Discussion
Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know when events occurred (date and time). Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit records from each of the ACPs and system. If the required SMF data record types are not being collected, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000064-GPOS-00033, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222
Check Content
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If all of the required SMF record types identified below are collected, this is not a finding. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type
Fix Text
Ensure that SMF recording options are consistent with those outlined below. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type
Additional Identifiers
Rule ID: SV-223544r1001122_rule
Vulnerability ID: V-223544
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
Automatically audit account creation actions. |
| CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001403 |
Automatically audit account modification actions. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001405 |
Automatically audit account removal actions. |
| CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
| CCI-002130 |
Automatically audit account enabling actions. |
| CCI-002234 |
Log the execution of privileged functions. |
| CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |
| CCI-003938 |
Automatically generate audit records of the enforcement actions. |
Controls
| Number | Title |
|---|---|
| AC-2(4) |
Automated Audit Actions |
| AC-6(9) |
Auditing Use of Privileged Functions |
| AU-3 |
Content of Audit Records |
| AU-3(1) |
Additional Audit Information |
| AU-12 |
Audit Generation |
| CM-5(1) |
Automated Access Enforcement / Auditing |
| MA-4(1) |
Auditing and Review |