STIG ID - BACF0030: Review GSO SYNCOPTS Record Values
Define cache synchronization process for systems in a shared ACF2 database environment.
Severity: 2 - Medium
The ACF2 cache facility is an optional performance feature that expedites ACF2 processing of records stored in the databases, reducing I/O processing time. The cache is an area of storage in the ACF2 address space that contains copies of selected records from the three ACF2 databases: Infostorage, Rule, and Logonid. The cache facility lets ACF2 have quick access to these records. When operating in a multiple CPU environment using the cache facility and shared databases, ACF2 provides a cache synchronization function to ensure that each cache contains the current records. If you have CPUs sharing ACF2 databases and at least one of the CPUs is using the cache facility, you must activate the ACF2 cache synchronizer for each CPU.
The GSO SYNCOPTS record defines the cache synchronization processing for a system that runs in a
Your organization will ensure that cache synchronization processing is defined for systems in a shared
This STIG article shows how to determine if the ACF2 cache facility and the cache synchronizer are active.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Issue the SHOW ACTIVE command and find '-- ACF2 CACHE FACILITY --' in the display output:

    acf
    SHOW ACTIVE
    -- ACF2 CACHE FACILITY --
    DATABASE CACHE = ACTIVE
    CACHE SYNCHRONIZER = INACTIVE

  In this example, the ACF2 cache facility is active and is sharing the ACF2 databases, but cache synchronizer is not active.
- If SHOW ACTIVE shows that the ACF2 cache facility and cache synchronizer are active, your organization does not have an audit finding.
- If SHOW ACTIVE shows that the cache facility is not in use or cache synchronizer is not active, your organization has an audit finding. See Remediate Audit Finding.
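The decision rule in the steps above can be applied to a captured SHOW ACTIVE display. The following is an added example, not part of the original article or the product; the sample display is constructed from the excerpt shown above, and the line layout and the "-- ... --" section boundary are assumptions.

```python
import re

# Labels taken from the SHOW ACTIVE display quoted on this page.
SECTION = re.compile(r"--\s*ACF2 CACHE FACILITY\s*--")
FIELDS = {
    "cache facility": re.compile(r"DATABASE CACHE\s*=\s*(\w+)"),
    "cache synchronizer": re.compile(r"CACHE SYNCHRONIZER\s*=\s*(\w+)"),
}

# Constructed sample, modeled on the display excerpt in this article.
SAMPLE_DISPLAY = """\
-- ACF2 CACHE FACILITY --
DATABASE CACHE = ACTIVE
CACHE SYNCHRONIZER = INACTIVE
"""


def bacf0030_findings(show_active_text):
    """Return the reasons for an audit finding; an empty list means no finding."""
    header = SECTION.search(show_active_text)
    if header is None:
        return ["cache facility section missing from SHOW ACTIVE output"]
    # Read values only up to the next "-- ... --" section header (assumed layout),
    # so a similarly named field in a later section cannot satisfy the check.
    body = show_active_text[header.end():]
    next_header = re.search(r"^\s*--", body, re.MULTILINE)
    if next_header:
        body = body[:next_header.start()]
    reasons = []
    for name, pattern in FIELDS.items():
        match = pattern.search(body)
        state = match.group(1).upper() if match else "NOT REPORTED"
        # Compare the whole word: INACTIVE contains ACTIVE and must not pass.
        if state != "ACTIVE":
            reasons.append(f"{name} is {state}")
    return reasons


if __name__ == "__main__":
    for reason in bacf0030_findings(SAMPLE_DISPLAY) or ["no audit finding"]:
        print(reason)
```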
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO SYNCOPTS record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view only outside of approved change windows.
Follow these steps:
- Configure the GSO SYNCOPTS record FILENAME, ACTIVATE, and POLLINTV(10) field values, which define the file name that is used for cache synchronization, specify that the CPU's synchronizer is activated, and specify the number of seconds that elapse between synchronizations:

    SET CONTROL(GSO)
    CONTROL
    CHANGE SYNCOPTS ACTIVATE FILENAME(your.ACF2.SYNCFILE) POLLINTV(10)
    CONTROL

  Define only one SYNCOPTS record for each SYSID (system). Because all synchronizers in the same shared ACF2 database environment must use the same synchronization file, you must define the same FILENAME for those SYNCOPTS records.
- ACTIVATE|NOACTIVATE: Specifies if this CPU's synchronizer is activated. Default: NOACTIVATE.
- FILENAME(ACF2.SYNCFILE|filename): Specifies the file that is used for cache synchronization. The default synchronization file name is ACF2.SYNCFILE. You can specify your own file name. Default: ACF2.SYNCFILE
- POLLINTV(5|nn): Specifies the number of seconds that elapses between accesses performed by the synchronizer to the synchronization file. Any number from 1 to 60 is permitted. Default: 5 seconds
- Define your synchronization data set with contiguous tracks when allocating your synchronization file. When ACF2 builds a synchronization file, it uses only the first extent of the defined data set.
Use the following formulas to determine the number of tracks your synchronization file needs:

    3390 DASD Disks - (# of LIDs/2500) + (# of RULEs/2500) + (# of INFOs/950)
    3380 DASD Disks - (# of LIDs/2100) + (# of RULEs/2100) + (# of INFOs/810)

The DCB attributes will be assigned when the file is opened by the synchronization subtask. If you prefer to allocate using ISPF, specify FORMAT=F, LRECL=32760, and BLKSIZE=32760. These specifications are optimal for 3390s.
The first time the file is opened the following message displays:

    ACFCC203 ACF2 CACHE SYNCHRONIZATION DATA SET INITIAL READ FAILED

- You do not need to specify characteristics when you allocate the synchronization file.
- You must specify only the number of tracks.
- It is recommended you specify no more than five tracks for the synchronization file.
- Most sites require an average of three tracks. Allocate the file using IEFBR14. Specify the number of tracks to be allocated but do not specify any DCB attributes.
- Activate the GSO SYNCOPTS record:

    SET CONTROL(GSO)
    CONTROL
    F ACF2,REFRESH(SYNCOPTS)
    CONTROL

- Verify the GSO SYNCOPTS record changed:

    SET CONTROL(GSO)
    CONTROL
    LIST SYNCOPTS
    XXXX / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:20
           ACTIVATE FILENAME(your.ACF2.SYNCFILE) POLLINTV(10)
    CONTROL

Cache synchronization processing is now defined for a CPU running in a shared
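The remediation rules above (synchronizer activated on every system, POLLINTV from 1 to 60, and one common FILENAME across the shared environment) can be checked over LIST SYNCOPTS output collected from each SYSID. The following is an added example, not part of the original article or the product; the SYSIDs, data set names and record text are constructed, and it assumes that a keyword missing from the listing takes the default stated on this page.

```python
import re

# Defaults stated on this page for keywords that are not specified.
DEFAULT_FILENAME = "ACF2.SYNCFILE"
DEFAULT_POLLINTV = 5

# Constructed LIST SYNCOPTS captures, one per SYSID, modeled on the listing above.
SAMPLE_RECORDS = {
    "SYSA": "SYSA / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:20\n"
            "  ACTIVATE FILENAME(PROD.ACF2.SYNCFILE) POLLINTV(10)",
    "SYSB": "SYSB / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:20\n"
            "  NOACTIVATE FILENAME(TEST.ACF2.SYNCFILE) POLLINTV(10)",
}


def parse_syncopts(list_output):
    """Extract the SYNCOPTS fields from captured LIST SYNCOPTS text."""
    fname = re.search(r"\bFILENAME\(([^)]+)\)", list_output)
    poll = re.search(r"\bPOLLINTV\((\d+)\)", list_output)
    return {
        # \bACTIVATE\b cannot match inside NOACTIVATE; absent means NOACTIVATE.
        "active": re.search(r"\bACTIVATE\b", list_output) is not None,
        "filename": fname.group(1).upper() if fname else DEFAULT_FILENAME,
        "pollintv": int(poll.group(1)) if poll else DEFAULT_POLLINTV,
    }


def check_shared_environment(records):
    """records maps SYSID -> LIST SYNCOPTS text; returns a list of problems."""
    problems = []
    parsed = {sysid: parse_syncopts(text) for sysid, text in records.items()}
    for sysid, opts in sorted(parsed.items()):
        if not opts["active"]:
            problems.append(f"{sysid}: synchronizer not activated")
        if not 1 <= opts["pollintv"] <= 60:
            problems.append(f"{sysid}: POLLINTV({opts['pollintv']}) outside 1-60")
    # Every synchronizer in the shared environment must name the same file.
    filenames = sorted({opts["filename"] for opts in parsed.values()})
    if len(filenames) > 1:
        problems.append("FILENAME differs across systems: " + ", ".join(filenames))
    return problems


if __name__ == "__main__":
    for problem in check_shared_environment(SAMPLE_RECORDS) or ["no problems"]:
        print(problem)
```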
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000366, CCI-002357
The organization implements the security configuration settings.
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
The information system implements a reference monitor for organization-defined access control policies that is tamper proof.
NIST: NIST SP 800-53 Revision 4 (v4): AC-25