Check: TSS0-ES-000080
IBM z/OS TSS STIG:
TSS0-ES-000080
(in versions v9 r2 through v7 r1)
Title
IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. (Cat II impact)
Discussion
SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ESM, and customer data. Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, CCI-001494, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000080-GPOS-00048, SRG-OS-000206-GPOS-00084, SRG-OS-000324-GPOS-00125
Check Content
Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream data set name. If the following statements are true, this is not a finding. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALTER access to only z/OS systems programming personnel. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others as approved by ISSM. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM. -The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.
Fix Text
Ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and and/or batch jobs that perform SMF dump processing; access can be granted to others as determined by ISSM. Ensure that read access is limited to auditors. Access may be granted to others as determined by the ISSM. Ensure the accesses are being logged. Ensure that all (i.e., failures and successes) WRITE or greater access are logged. Ensure read access failures are logged.
Additional Identifiers
Rule ID: SV-223881r958434_rule
Vulnerability ID: V-223881
Group Title: SRG-OS-000057-GPOS-00027
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000162 |
Protect audit information from unauthorized access. |
CCI-000163 |
Protect audit information from unauthorized modification. |
CCI-000164 |
Protect audit information from unauthorized deletion. |
CCI-000165 |
Write audit records to hardware-enforced, write-once media. |
CCI-000213 |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001314 |
Reveal error messages only to organization-defined personnel or roles. |
CCI-001493 |
Protect audit tools from unauthorized access. |
CCI-001494 |
Protect audit tools from unauthorized modification. |
CCI-001495 |
Protect audit tools from unauthorized deletion. |
CCI-002235 |
Prevent non-privileged users from executing privileged functions. |