Check: ISLG0010
zOS ACF2 STIG: ISLG0010 (in versions v6 r43 through v6 r30)
Title
The Syslog daemon is not started at z/OS initialization. (Cat II impact)
Discussion
The Syslog daemon, known as SYSLOGD, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. It is important that SYSLOGD be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.
Check Content
a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ERC)
Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB)
NOTE: SYSLOGD may be started from the shell, a cataloged procedure (STC), or the BPXBATCH program. Additionally, other mechanisms (e.g., CONTROL-O) may be used to automatically start the Syslog daemon. To thoroughly analyze this PDI you may need to view the OS SYSLOG using SDSF, find the last IPL, and look for the initialization of SYSLOGD.
b) If the Syslog daemon SYSLOGD is started automatically during the initialization of the z/OS system, there is NO FINDING.
c) If (b) is untrue, this is a FINDING.
Fix Text
Review the files used to initialize tasks during system IPL (e.g., /etc/rc, SYS1.PARMLIB, CONTROL-O definitions) to ensure the Syslog daemon is automatically started during z/OS system initialization. It is important that syslogd be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. As with other z/OS UNIX daemons, there is more than one way to start SYSLOGD. It can be started as a process in the /etc/rc file or as a z/OS started task.
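The /etc/rc route described above can be spot-checked with a small POSIX shell helper. This is an added example, not part of the STIG or of IBM's z/OS code; the function name rc_starts_syslogd, the two sample rc files, and the syslogd command line in them are constructed for illustration and assume the daemon lives at /usr/sbin/syslogd.

```shell
#!/bin/sh
# Hypothetical helper (added example, not STIG or IBM code).
# Reports whether an rc-style startup file contains an active
# (uncommented) invocation of syslogd.
# Usage: rc_starts_syslogd /etc/rc   -> exit 0 = found, 1 = not found

rc_starts_syslogd() {
    # Drop whole-line and trailing '#' comments, then look for syslogd as a
    # command word: at line start, after whitespace, or after a path '/'.
    sed 's/#.*$//' "$1" | grep -Eq '(^|[[:space:]/])syslogd([[:space:]]|$)'
}

# Constructed sample files so the script runs stand-alone.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
# /etc/rc sample (constructed): syslogd started at initialization
_BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf &
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
# /etc/rc sample (constructed): syslogd line left commented out
# _BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf &
_BPX_JOBNAME='INETD' /usr/sbin/inetd /etc/inetd.conf &
EOF

report() {
    if rc_starts_syslogd "$1"; then
        echo "$1: active syslogd start line present - NO FINDING"
    else
        echo "$1: no active syslogd start line - FINDING"
    fi
}

report "$SAMPLE_OK"
report "$SAMPLE_BAD"
```

A clean result here only covers the /etc/rc path; a started task or CONTROL-O definition still has to be checked in PARMLIB or the OS SYSLOG as the check content describes.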
Additional Identifiers
Rule ID: SV-3242r2_rule
Vulnerability ID: V-3242
Group Title: ISLG0010
Expert Comments
CCIs
Number | Definition
---|---
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-002234 | The information system audits the execution of privileged functions.