Check: ACP00180
zOS RACF STIG:
ACP00180
(in versions v6 r43 through v6 r30)
Title
Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing. (Cat II impact)
Discussion
SMF data collection is the system activity journaling facility of the z/OS system. With the proper parameter designations it serves as the basis to ensure individual user accountability. SMF data is the primary source for cost charge back in DISA. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ACP, and customer data.
Check Content
a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SMFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00180)

___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) allow inappropriate access.
___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict UPDATE access to z/OS systems programming personnel and/or batch jobs that perform SMF dump processing.
___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.
c) If any of the above is true, this is a FINDING.
Fix Text
Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the SMF collection files from unauthorized modification or deletion. The IAO will ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing, and that these accesses are being logged.
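As an added example (not part of the STIG text), the RACF commands a systems programmer would run in a batch TSO job to satisfy the fix: a generic profile for SYS1.MAN* with UACC(NONE), ALTER for the systems programming group, UPDATE for the ID the SMF dump job runs under, and auditing of all UPDATE and ALTER access. The group name SYSPROG, the user ID SMFDUMP and the job card are assumptions.

```jcl
//RACFSMF  JOB (ACCT),'ACP00180 SMF',CLASS=A,MSGCLASS=X
//* Added example, not from the STIG: protect SYS1.MANx per ACP00180.
//* SYSPROG (systems programming group) and SMFDUMP (user ID the SMF
//* dump job runs under) are assumed names; substitute your own.
//* If a SYS1.MAN* profile already exists, use ALTDSD instead of ADDSD.
//*
//* ADDSD   : one generic profile covering every SYS1.MANx data set,
//*           UACC(NONE) so nobody gets access by default, and
//*           AUDIT(ALL(UPDATE)) so both successes and failures at
//*           UPDATE and above (i.e., UPDATE and ALTER) are logged.
//* PERMIT  : ALTER (allocate/delete) only for systems programmers,
//*           UPDATE only for the ID that performs SMF dump processing.
//* SETROPTS: refresh in-storage generic profiles so the change applies.
//* LISTDSD : verify - the access list shows only SYSPROG/ALTER and
//*           SMFDUMP/UPDATE, UACC is NONE, AUDITING is ALL(UPDATE).
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'SYS1.MAN*' GENERIC UACC(NONE) AUDIT(ALL(UPDATE)) OWNER(SYS1)
  PERMIT 'SYS1.MAN*' GENERIC ID(SYSPROG) ACCESS(ALTER)
  PERMIT 'SYS1.MAN*' GENERIC ID(SMFDUMP) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('SYS1.MAN*') GENERIC AUTHUSER
/*
```

The LISTDSD output in SYSTSPRT is the evidence for the check items above; the logged UPDATE/ALTER accesses then appear as RACF SMF type 80 records.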
Additional Identifiers
Rule ID: SV-123r2_rule
Vulnerability ID: V-123
Group Title: ACP00180
CCIs
Number | Definition
---|---
CCI-000162 | The information system protects audit information from unauthorized access.
CCI-000163 | The information system protects audit information from unauthorized modification.
CCI-000164 | The information system protects audit information from unauthorized deletion.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-002234 | The information system audits the execution of privileged functions.