Check: RACF-OS-000130
IBM z/OS RACF STIG:
RACF-OS-000130
(in versions v8 r14 through v7 r1)
Title
IBM z/OS must specify SMF data options to assure appropriate activation. (Cat II impact)
Discussion
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised. Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000269-GPOS-00103
Check Content
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member.

If the following SMF collection options are specified as stated below, this is not a finding.

The settings for several parameters are critical to the collection process:

ACTIVE - Activates the collection of SMF data.

MAXDORM - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Value is site defined.

SID - Specifies the system ID to be recorded in all SMF records.

SYS(DETAIL) - Controls the level of detail recorded.

SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs.

SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected.

The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
Fix Text
Ensure that collection options for SMF Data are consistent with options specified below. Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below.

The settings for several parameters are critical to the collection process:

ACTIVE - Activates the collection of SMF data.

MAXDORM(mmss) - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Use the MAXDORM parameter to minimize the amount of data lost because of system failure. This value is site determined and should be carefully configured.

SID - Specifies the system ID to be recorded in all SMF records.

SYS(DETAIL) - Controls the level of detail recorded.

SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs.

SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected.

The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
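
The check above can be scripted against the text of an SMFPRMxx member. The following is an added example, not part of the STIG: the function names, the sample members and the `REQUIRED` list are constructed (the required record types are not reproduced on this page, so two stand-in values are used). It assumes record types 0-255 and does not evaluate subtype selections.

```python
import re

MAX_TYPE = 255  # assumption: classic SMF record type range 0-255

def top_level(text):
    """Split 'KEY(value),KEY ...' at parenthesis depth 0 into {KEY: value or None}."""
    out, depth, tok = {}, 0, ""
    for ch in text + ",":
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and (ch == "," or ch.isspace()):
            key, _, rest = tok.strip().partition("(")
            if key:
                out[key.upper()] = rest[:-1] if rest else None
            tok = ""
        else:
            tok += ch
    return out

def record_types(spec):
    """Expand '0,2:10,30(1:5)' to type numbers; subtype lists are not evaluated."""
    nums = set()
    for item in top_level(spec):
        lo, _, hi = item.partition(":")
        nums.update(range(int(lo), int(hi or lo) + 1))
    return nums

def check_smfprm(member, required_types):
    """Return a list of findings for one SMFPRMxx member's text (empty = none)."""
    opts = top_level(re.sub(r"/\*.*?\*/", " ", member, flags=re.S))  # drop comments
    sys_opts = top_level(opts.get("SYS") or "")
    findings = [f"{name} not specified" for name, ok in [
        ("ACTIVE", "ACTIVE" in opts),              # NOACTIVE parses as another key
        ("MAXDORM", bool(opts.get("MAXDORM"))),
        ("SID", bool(opts.get("SID"))),
        ("SYS(DETAIL)", "DETAIL" in sys_opts),
        ("SYS(INTERVAL)", bool(sys_opts.get("INTERVAL"))),
    ] if not ok]
    if sys_opts.get("TYPE"):                       # inclusive list
        collected = record_types(sys_opts["TYPE"])
    elif sys_opts.get("NOTYPE"):                   # exclusive list
        collected = set(range(MAX_TYPE + 1)) - record_types(sys_opts["NOTYPE"])
    else:
        return findings + ["SYS has neither TYPE nor NOTYPE"]
    missing = sorted(set(required_types) - collected)
    if missing:
        findings.append(f"required record types not collected: {missing}")
    return findings

REQUIRED = (30, 80)  # constructed stand-ins for the STIG's required list
GOOD = "ACTIVE /* constructed */\nMAXDORM(0500)\nSID(SYSA)\nSYS(TYPE(0:120,199),INTERVAL(SMF,SYNC),DETAIL)\n"
BAD = "NOACTIVE\nSID(SYSA)\nSYS(NOTYPE(80:83),NOINTERVAL,NODETAIL)\n"
```
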
Additional Identifiers
Rule ID: SV-223769r604139_rule
Vulnerability ID: V-223769
Group Title: SRG-OS-000038-GPOS-00016
CCIs
Number | Definition |
---|---|
CCI-000131 | The information system generates audit records containing information that establishes when an event occurred. |
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred. |
CCI-000133 | The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 | The information system generates audit records containing information that establishes the outcome of the event. |
CCI-000135 | The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-001464 | The information system initiates session audits at system start-up. |
CCI-001665 | The information system preserves organization-defined system state information in the event of a system failure. |