Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-124 | ACP00190 | SV-124r2_rule | DCCS-1 DCCS-2 ECAR-1 ECAR-2 ECAR-3 ECCD-1 ECCD-2 | Medium |
Description |
---|
SMF backup data sets are those data sets to which SMF data has been offloaded in order to ensure a historical tracking of individual user accountability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2018-04-04 |
Check Text ( C-24487r1_chk ) |
---|
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(SMFBKRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00190) Have the systems programmer supply the procedures and collection specifics for SMF datasets and backup. ___ The ACP data set rules for the SMF dump/backup files allow inappropriate access. ___ The ACP data set rules for the SMF dump/backup files do not restrict UPDATE and/or ALTER access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing). ___ The ACP data set rules for SMF dump/backup files do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING. |
Fix Text (F-17196r1_fix) |
---|
The IAO will ensure that update and allocate access to datasets used to backup and/or dump SMF collection files is limited to system programmers and/or batch jobs that perform SMF dump processing and all dataset access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect datasets used to backup and/or dump SMF Collection Files. In z/OS systems, SMF data is the ultimate record of system activity. Therefore, SMF data is of the most sensitive and critical nature. While the length of time for which SMF data will be retained is not specifically regulated, it is imperative that the information is available for the longest possible time period in case of subsequent investigations. The statute of limitations varies according to the nature of a crime. It may vary by jurisdiction, and some crimes are not subject to a statute of limitations. Apply the following guidelines to the retention of SMF data for all DOD systems: (a) Retain at least two (2) copies of the SMF data. (b) Maintain SMF data for a minimum of one year. (c) All update and alter access authority to SMF history files will be logged using the ACP’s facilities. Only systems programming personnel and batch jobs that perform SMF functions will be authorized to update the SMF files. |