Check: ACF2-TN-000020
IBM z/OS ACF2 STIG:
ACF2-TN-000020
(in versions v9 r2 through v7 r1)
Title
IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. (Cat II impact)
Discussion
If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000032-GPOS-00013
Check Content
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following configuration statement settings are in effect in the TCP/IP Profile configuration data set, this is not a finding. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration data set, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block. The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block. NOTE: Effective in z/OS release 1.2, the SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks.
Fix Text
Configure the TELNETPARMS SMFINIT and SMFTERM statements in the PROFILE.TCPIP file to conform to the requirements specified below. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block. The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block. NOTE: Effective in z/OS release 1.2, the SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks.
Additional Identifiers
Rule ID: SV-223609r958846_rule
Vulnerability ID: V-223609
Group Title: SRG-OS-000392-GPOS-00172
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000067 |
Employ automated mechanisms to monitor remote access methods. |
CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |