UCF STIG Viewer Logo

Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.


Overview

Finding ID Version Rule ID IA Controls Severity
V-123 ACP00180 SV-123r2_rule DCCS-1 DCCS-2 ECAR-1 ECAR-2 ECAR-3 ECCD-1 ECCD-2 Medium
Description
SMF data collection is the system activity journaling facility of the z/OS system. With the proper parameter designations it serves as the basis to ensure individual user accountability. SMF data is the primary source for cost charge back in DISA. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ACP, and customer data.
STIG Date
z/OS ACF2 STIG 2019-12-12

Details

Check Text ( C-836r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(SMFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00180)

___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) allow inappropriate access.

___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing.

___ The ACP data set rules for SMF data collection files (e.g., SYS1.MAN*) do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-17192r1_fix)
Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect modification or deletion of SMF collection files.

The IAO will ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and and/or batch jobs that perform SMF dump processing and ensure the accesses are being logged.