Check: RACF-OS-000150
IBM z/OS RACF STIG:
RACF-OS-000150
(in versions v8 r14 through v7 r1)
Title
IBM z/OS system administrators must develop an automated process to collect and retain SMF data. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Ask the system administrator if there is an automated process is in place to collect and retain all SMF data produced on the system. If, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, this is not a finding. If it cannot be determined this process exists and is being adhered to, this is a finding.
Fix Text
The ISSO will ensure that an automated process is in place to collect SMF data. Review SMF data collection and retention processes. Develop processes are automatically started to dump SMF collection files immediately upon their becoming full. To ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, the site will ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines: -Dump each SMF file as it fills up during the normal course of daily processing -Dump all remaining SMF data at the end of each processing day or -Establish a process using Audit logging
Additional Identifiers
Rule ID: SV-223771r877390_rule
Vulnerability ID: V-223771
Group Title: SRG-OS-000342-GPOS-00133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
Controls
Number | Title |
---|---|
AU-4 (1) |
Transfer To Alternate Storage |