Title

The SETROPTS LOGOPTIONS must be properly configured. (Cat III impact)

Discussion

Audit records are central to after-the-fact investigations of security incidents. Every effort should be taken to collect as much information as productively feasible for these investigative processes. The SETROPTS LOGOPTIONS option serves as a default auditing requirement. Auditing ‘Failures’ as a minimum will assure a base level of information is available for investigations.

Check Content

From the ISPF Command Shell enter: SETRopts List Alternately: Refer to the following report produced by the RACF Data Collection: RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: PDI(RACF0540) If the following options are specified at a minimum, this is not a finding. LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE

Fix Text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Ensure that the following LOGOPTIONS are specified: LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE The other LOGOPTIONS may be site determined.

Additional Identifiers

Rule ID: SV-85827r1_rule

Vulnerability ID: V-71203

Group Title: RACF0540

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.