Required SMF data record types must be collected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-102	AAMV0380	SV-102r5_rule		Medium

Description
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit records from each of the ACPs and system. If the required SMF data record types are not being collected, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-671r4_chk )
Refer to the following reports produced by the z/OS Data Collection: - EXAM.RPT(SMFOPTS) - EXAM.RPT(PARMLIB) - Alternate report; refer to the SMFPRMxx listing. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0380) If all of the required SMF record types identified below are collected, this is not a finding. IBM SMF Records to be collected at a minimum: 0 (00) – IPL 6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) – [SMF] Data Lost 14 (0E) – INPUT or RDBACK Data Set Activity 15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) – Scratch Data Set Status 18 (12) – Rename Non-VSAM Data Set Status 24 (18) – JES2 Spool Offload 25 (19) – JES3 Device Allocation 26 (1A) – JES Job Purge 30 (1E) – Common Address Space Work 32 (20) – TSO/E User Work Accounting 41 (29) – DIV Objects and VLF Statistics 42 (2A) – DFSMS statistics and configuration 43 (2B) – JES Start 45 (2D) – JES Withdrawal/Stop 47 (2F) – JES SIGNON/Start Line (BSC)/LOGON 48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) – JES Integrity 52 (34) – JES2 LOGON/Start Line (SNA) 53 (35) – JES2 LOGOFF/Stop Line (SNA) 54 (36) – JES2 Integrity (SNA) 55 (37) – JES2 Network SIGNON 56 (38) – JES2 Network Integrity 57 (39) – JES2 Network SYSOUT Transmission 58 (3A) – JES2 Network SIGNOFF 60 (3C) – VSAM Volume Data Set Updated 61 (3D) – Integrated Catalog Facility Define Activity 62 (3E) – VSAM Component or Cluster Opened 64 (40) – VSAM Component or Cluster Status 65 (41) – Integrated Catalog Facility Delete Activity 66 (42) – Integrated Catalog Facility Alter Activity 80 (50) – RACF/TOP SECRET Processing 81 (51) – RACF Initialization 82 (52) – ICSF Statistics 83 (53) – RACF Audit Record For Data Sets 90 (5A) – System Status 92 (5C) except subtypes 10, 11 – OpenMVS File System Activity 102 (66) – DATABASE 2 Performance 103 (67) – IBM HTTP Server 110 (6E) – CICS/ESA Statistics 118 (76) – TCP/IP Statistics 119 (77) – TCP/IP Statistics 199 (C7) – TSOMON 230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) – TSS logs security events under this record type

Check Text ( C-671r4_chk )

Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(SMFOPTS)
- EXAM.RPT(PARMLIB) - Alternate report; refer to the SMFPRMxx listing.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(AAMV0380)

If all of the required SMF record types identified below are collected, this is not a finding.

IBM SMF Records to be collected at a minimum:

0 (00) – IPL
6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF)
7 (07) – [SMF] Data Lost
14 (0E) – INPUT or RDBACK Data Set Activity
15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity
17 (11) – Scratch Data Set Status
18 (12) – Rename Non-VSAM Data Set Status
24 (18) – JES2 Spool Offload
25 (19) – JES3 Device Allocation
26 (1A) – JES Job Purge
30 (1E) – Common Address Space Work
32 (20) – TSO/E User Work Accounting
41 (29) – DIV Objects and VLF Statistics
42 (2A) – DFSMS statistics and configuration
43 (2B) – JES Start
45 (2D) – JES Withdrawal/Stop
47 (2F) – JES SIGNON/Start Line (BSC)/LOGON
48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF
49 (31) – JES Integrity
52 (34) – JES2 LOGON/Start Line (SNA)
53 (35) – JES2 LOGOFF/Stop Line (SNA)
54 (36) – JES2 Integrity (SNA)
55 (37) – JES2 Network SIGNON
56 (38) – JES2 Network Integrity
57 (39) – JES2 Network SYSOUT Transmission
58 (3A) – JES2 Network SIGNOFF
60 (3C) – VSAM Volume Data Set Updated
61 (3D) – Integrated Catalog Facility Define Activity
62 (3E) – VSAM Component or Cluster Opened
64 (40) – VSAM Component or Cluster Status
65 (41) – Integrated Catalog Facility Delete Activity
66 (42) – Integrated Catalog Facility Alter Activity
80 (50) – RACF/TOP SECRET Processing
81 (51) – RACF Initialization
82 (52) – ICSF Statistics
83 (53) – RACF Audit Record For Data Sets
90 (5A) – System Status
92 (5C) except subtypes 10, 11 – OpenMVS File System Activity
102 (66) – DATABASE 2 Performance
103 (67) – IBM HTTP Server
110 (6E) – CICS/ESA Statistics
118 (76) – TCP/IP Statistics
119 (77) – TCP/IP Statistics
199 (C7) – TSOMON
230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230)
231 (E7) – TSS logs security events under this record type

Fix Text (F-56703r3_fix)
Ensure that SMF recording options are consistent with those outlined below. IBM SMF Records to be collect at a minimum 0 (00) – IPL 6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) – [SMF] Data Lost 14 (0E) – INPUT or RDBACK Data Set Activity 15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) – Scratch Data Set Status 18 (12) – Rename Non-VSAM Data Set Status 24 (18) – JES2 Spool Offload 25 (19) – JES3 Device Allocation 26 (1A) – JES Job Purge 30 (1E) – Common Address Space Work 32 (20) – TSO/E User Work Accounting 41 (29) – DIV Objects and VLF Statistics 42 (2A) – DFSMS statistics and configuration 43 (2B) – JES Start 45 (2D) – JES Withdrawal/Stop 47 (2F) – JES SIGNON/Start Line (BSC)/LOGON 48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) – JES Integrity 52 (34) – JES2 LOGON/Start Line (SNA) 53 (35) – JES2 LOGOFF/Stop Line (SNA) 54 (36) – JES2 Integrity (SNA) 55 (37) – JES2 Network SIGNON 56 (38) – JES2 Network Integrity 57 (39) – JES2 Network SYSOUT Transmission 58 (3A) – JES2 Network SIGNOFF 60 (3C) – VSAM Volume Data Set Updated 61 (3D) – Integrated Catalog Facility Define Activity 62 (3E) – VSAM Component or Cluster Opened 64 (40) – VSAM Component or Cluster Status 65 (41) – Integrated Catalog Facility Delete Activity 66 (42) – Integrated Catalog Facility Alter Activity 80 (50) – RACF/TOP SECRET Processing 81 (51) – RACF Initialization 82 (52) – ICSF Statistics 83 (53) – RACF Audit Record For Data Sets 90 (5A) – System Status 92 (5C) except subtypes 10, 11 – OpenMVS File System Activity 102 (66) – DATABASE 2 Performance 103 (67) – IBM HTTP Server 110 (6E) – CICS/ESA Statistics 118 (76) – TCP/IP Statistics 119 (77) – TCP/IP Statistics 199 (C7) – TSOMON 230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) – TSS logs security events under this record type

Fix Text (F-56703r3_fix)

Ensure that SMF recording options are consistent with those outlined below.

IBM SMF Records to be collect at a minimum

0 (00) – IPL
6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF)
7 (07) – [SMF] Data Lost
14 (0E) – INPUT or RDBACK Data Set Activity
15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity
17 (11) – Scratch Data Set Status
18 (12) – Rename Non-VSAM Data Set Status
24 (18) – JES2 Spool Offload
25 (19) – JES3 Device Allocation
26 (1A) – JES Job Purge
30 (1E) – Common Address Space Work
32 (20) – TSO/E User Work Accounting
41 (29) – DIV Objects and VLF Statistics
42 (2A) – DFSMS statistics and configuration
43 (2B) – JES Start
45 (2D) – JES Withdrawal/Stop
47 (2F) – JES SIGNON/Start Line (BSC)/LOGON
48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF
49 (31) – JES Integrity
52 (34) – JES2 LOGON/Start Line (SNA)
53 (35) – JES2 LOGOFF/Stop Line (SNA)
54 (36) – JES2 Integrity (SNA)
55 (37) – JES2 Network SIGNON
56 (38) – JES2 Network Integrity
57 (39) – JES2 Network SYSOUT Transmission
58 (3A) – JES2 Network SIGNOFF
60 (3C) – VSAM Volume Data Set Updated
61 (3D) – Integrated Catalog Facility Define Activity
62 (3E) – VSAM Component or Cluster Opened
64 (40) – VSAM Component or Cluster Status
65 (41) – Integrated Catalog Facility Delete Activity
66 (42) – Integrated Catalog Facility Alter Activity
80 (50) – RACF/TOP SECRET Processing
81 (51) – RACF Initialization
82 (52) – ICSF Statistics
83 (53) – RACF Audit Record For Data Sets
90 (5A) – System Status
92 (5C) except subtypes 10, 11 – OpenMVS File System Activity
102 (66) – DATABASE 2 Performance
103 (67) – IBM HTTP Server
110 (6E) – CICS/ESA Statistics
118 (76) – TCP/IP Statistics
119 (77) – TCP/IP Statistics
199 (C7) – TSOMON
230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230)
231 (E7) – TSS logs security events under this record type