Check: ACP00340
zOS RACF STIG:
ACP00340
(in versions v6 r43 through v6 r30)
Title
z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries. (Cat II impact)
Discussion
A product that generates reports validating changes, additions or removals from APF and LPA libraries, as well as changes to SYS1.PARMLIB PDS members, should be run against system libraries to provide a baseline analysis that allows monitoring of changes to these libraries. Failure to monitor and review these reports on a regular basis and to validate any changes could threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
Note: For DISA sites the product used to generate these reports is CA-Auditor.

z/OS Baseline Reporting: the review period is based upon a 10% random selection of z/OS domains at the given site by the IAO. Such a schedule shall not be published or known; z/OS domains shall be randomly selected each week.

a) The z/OS Baseline reports (as identified by report/function CS212C (Updates to SYS1.PARMLIB), CS221C (APF library statistics) and CS243C (LPA library statistics)) shall be reviewed and validated with the appropriate system programming staff on a weekly schedule, or as required based on INFOCON Level requirements.

Note: Sites that do not utilize CA-Auditor should review the z/OS STIG Addendum for the samples of the CA-Auditor reports to identify the information to collect. The INFOCON Level requirements can be found in STRATEGIC COMMAND DIRECTIVE (SD) 527-1.

b) Such reports shall be compared with known and authorized changes to the specific z/OS domain. Any anomalies found shall be documented as a potential incident and must be investigated, with written documentation as proof showing that such review was completed.

c) If the baseline reports are being reviewed and samples of the baseline reports exist, there is NO FINDING.

d) If the baseline reports are not being reviewed or samples of the reports do not exist, this is a FINDING.
Fix Text
Validate the results of the z/OS Baseline reports with the appropriate system programming staff. For sites that have CA-Auditor, at a minimum the following functional reports shall be validated: CS212C, CS221C and CS243C. Compliance requires the appropriate system programming staff to review the specific baseline reports and to affirm that the changes are legitimate. Any identified exception or anomaly shall be reported, researched and documented. Such documentation shall be made available for auditor reviews. The baseline reports should be created as GDGs and should be saved for at least a year. See the z/OS Addendum under ACP00340 for additional instructions and a sample of the CA-Auditor reports that should be run at sites that utilize CA-Auditor.
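The comparison step in b) of the check (current baseline report versus the previous one, with every difference matched against the list of known and authorized changes) is the part of the review that is easy to do inconsistently by hand. The script below is an added illustration of that step; it is not part of the STIG text, the z/OS Addendum, or CA-Auditor. The two snapshot dictionaries, the dataset names, the PARMLIB member digests and the authorized-change set are constructed sample data, and the three report areas (PARMLIB, APF, LPA) mirror CS212C, CS221C and CS243C. A site would populate the snapshots from its own report extracts and the authorized set from its change records.

```python
"""Baseline drift review over constructed z/OS inventory snapshots.

Added illustration of the ACP00340 review step; not DISA or CA-Auditor code.
Snapshot layout (area -> {item: attribute}) and the authorized-change set are
assumptions standing in for the CS212C/CS221C/CS243C report contents.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed "previous" baseline for one z/OS domain, as a reviewer might
# extract it from last week's reports: APF list, LPA list, PARMLIB member digests.
PREVIOUS: Dict[str, Dict[str, str]] = {
    "APF": {"SYS1.LINKLIB": "SYSRES", "SYS1.SVCLIB": "SYSRES", "SYS2.PROD.LOAD": "PROD01"},
    "LPA": {"SYS1.LPALIB": "SYSRES", "SYS1.SIEALNKE": "SYSRES"},
    "PARMLIB": {"PROGxx": "a1b2", "IEASYSxx": "c3d4", "LPALSTxx": "e5f6"},
}

# Constructed "current" baseline for the same domain: one APF addition, one LPA
# removal and one PARMLIB member change.
CURRENT: Dict[str, Dict[str, str]] = {
    "APF": {"SYS1.LINKLIB": "SYSRES", "SYS1.SVCLIB": "SYSRES",
            "SYS2.PROD.LOAD": "PROD01", "USER.TEST.LOAD": "WORK01"},
    "LPA": {"SYS1.LPALIB": "SYSRES"},
    "PARMLIB": {"PROGxx": "a1b2", "IEASYSxx": "9999", "LPALSTxx": "e5f6"},
}

# Constructed change-management record: (area, item, kind) tuples that were
# approved for this domain. Only the IEASYSxx change has a (hypothetical) ticket.
AUTHORIZED: Set[Tuple[str, str, str]] = {
    ("PARMLIB", "IEASYSxx", "changed"),  # hypothetical ticket CHG-0001
}


@dataclass
class Change:
    """One difference between the two baselines."""
    area: str                    # APF, LPA or PARMLIB
    item: str                    # dataset or member name
    kind: str                    # "added", "removed" or "changed"
    before: Optional[str] = None  # attribute in the previous baseline
    after: Optional[str] = None   # attribute in the current baseline


def diff_baseline(previous: Dict[str, Dict[str, str]],
                  current: Dict[str, Dict[str, str]]) -> List[Change]:
    """Return every addition, removal and modification between two snapshots."""
    changes: List[Change] = []
    for area in sorted(set(previous) | set(current)):
        prev_items = previous.get(area, {})
        curr_items = current.get(area, {})
        for item in sorted(set(prev_items) | set(curr_items)):
            before, after = prev_items.get(item), curr_items.get(item)
            if before is None:
                changes.append(Change(area, item, "added", None, after))
            elif after is None:
                changes.append(Change(area, item, "removed", before, None))
            elif before != after:
                changes.append(Change(area, item, "changed", before, after))
    return changes


def find_anomalies(changes: List[Change],
                   authorized: Set[Tuple[str, str, str]]) -> List[Change]:
    """Changes with no matching approved record: each is a potential incident."""
    return [c for c in changes if (c.area, c.item, c.kind) not in authorized]


def review_report(previous, current, authorized) -> dict:
    """Build the review record: all changes, the unmatched ones, and a flag."""
    changes = diff_baseline(previous, current)
    anomalies = find_anomalies(changes, authorized)
    return {"changes": changes, "anomalies": anomalies,
            "anomalies_present": bool(anomalies)}


def format_review(record: dict) -> List[str]:
    """Render the record as lines suitable for the written review documentation."""
    lines = [f"{c.area:8}{c.kind:8}{c.item}  {c.before} -> {c.after}"
             for c in record["changes"]]
    lines.append("ANOMALIES - INVESTIGATE" if record["anomalies_present"]
                 else "NO ANOMALIES - all changes matched to authorized records")
    return lines


if __name__ == "__main__":
    for line in format_review(review_report(PREVIOUS, CURRENT, AUTHORIZED)):
        print(line)
```

Running the script with the constructed data reports three changes, of which the APF addition and the LPA removal have no authorized record and are flagged for investigation, while the IEASYSxx change is matched and passes. The point of keeping the authorized set as explicit (area, item, kind) tuples is that an approved change to one member does not silently excuse an unrelated change elsewhere in the same report.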
Additional Identifiers
Rule ID: SV-28773r3_rule
Vulnerability ID: V-23837
Group Title: ACP00340
Expert Comments
CCIs
Number | Definition
---|---
CCI-000294 | The organization documents a baseline configuration of the information system.
CCI-000295 | The organization maintains, under configuration control, a current baseline configuration of the information system.
CCI-000296 | The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.
CCI-001819 | The organization implements approved configuration-controlled changes to the information system.
CCI-001823 | The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CCI-002087 | The organization establishes and defines the metrics to be monitored for the continuous monitoring program.