Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3331 | ACP00320 | SV-3331r2_rule | ECAT-1 ECAT-2 | Medium |
Description |
---|
Each ACP has the ability to produce audit records, based on specific security-related events. Audit Trail, Monitoring, Analysis and Reporting provides automated, continuous on-line monitoring and audit trail creation capability, to alert personnel of any unusual or inappropriate activity with potential IA implications. Failure to perform audit log analysis would allow for unusual or inappropriate activity to continue without review and appropriate actions taken. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2015-06-24 |
Check Text ( C-26008r1_chk ) |
---|
At a Minimum Weekly Review for the z/OS Level: 1) A User attempting to read/update/delete/scratch/alter a critical dataset which the STIG prohibits: a) Security database files, and security setup (parmlib) b) System parmlib such as SYS1.PARMLIB 2) A user generating violation(s) while attempting to update (or greater level) operating system datasets which they do not have access to: a) SYS1*, SYS2*, SYS3*, SYS4*, SYS* 3) A user generating violation(s) while attempting to update (or greater level) APF libraries. 4) A user generating violation(s) while attempting Volume Level access. 5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs and system level started tasks. 6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS. 7) A review of users who incurred more than 10 password violations within a given day during the prior week – as an indicator for further review and research of possible unusual activity. 8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond the above specified. a) If any of the above unusual or inappropriate activity is found within the Audit Log records and documentation (email strings or other written documentation) exists showing actions were taken based upon the discovery of an unusual or inappropriate activity event, there is NO FINDING. b) If any of the above unusual or inappropriate activity is found within the Audit Log records and NO documentation exists, this is a FINDING. |
Fix Text (F-22544r1_fix) |
---|
An IAO has the responsibility of performing (review) audit log analysis for the level of resources which are under their responsibility and scope. Due to the potentially large amount of audit records, the IAO may employ other IAOs, security administrators or appropriate system programmers to assist in the review of the audit/violation reports. Following are the requirements concerning the performance of audit log analysis. To demonstrate compliance, if unusual or inappropriate activity as listed above is found within the audit logs of a given domain/AIS, written documentation (email strings or other written documents) shall be kept on file and only provided upon specific requests for the specific unusual or inappropriate activity found within the audit log/reports. IAO’s may produce a violation report for current period to show auditors in demonstration of compliance, security product capability and events being reported of resource and user violations. At a minimum on a weekly basis, the following audit logs will be analyzed looking for unusual or inappropriate activity such as listed below; and written documentation (email or other type of documentation) showing actions taken and correspondence with the other responsible parties involved of such activity. If a site/domain has a capability for trending of violations, it is recommended such capability to be implemented to assist in audit log analysis. 1) A User attempting to read/update/delete/alter a critical dataset which the STIG prohibits: a) Security database files, and security setup b) System parmlib such as SYS1.PARMLIB 2) A user attempting to update (or greater access levels) system datasets which they would not have access to: c) SYS1*, SYS2*, SYS3*, SYS4*, etc 3) A user generating violation(s) attempting to update (or greater access levels) APF libraries. 4) A user generating violation(s) attempting Volume Level access. 5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs and system level started tasks. 6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS. 7) A weekly review of users who incurred more than 10 password violations within a given day during the prior week – as an indicator for further review and research of possible unusual activity. 8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond the above specified. |