STIG ID - BACF0030: Review GSO SYNCOPTS Record Values

Define cache synchronization process for systems in a shared ACF2 database environment.
Severity: 2 - Medium
The ACF2 cache facility is an optional performance feature that expedites ACF2 processing of records stored in the databases, reducing I/O processing time. The cache is an area of storage in the ACF2 address space that contains copies of selected records from the three ACF2 databases: Infostorage, Rule, and Logonid. The cache facility gives ACF2 quick access to these records. When operating in a multiple-CPU environment using the cache facility and shared databases, ACF2 provides a cache synchronization function to ensure that each cache contains the current records. If you have CPUs sharing ACF2 databases and at least one of the CPUs is using the cache facility, you must activate the ACF2 cache synchronizer for each CPU. The GSO SYNCOPTS record defines the cache synchronization processing for a system that runs in a shared ACF2 database environment.
Your organization will ensure that cache synchronization processing is defined for systems in a shared ACF2 database environment.
This STIG article shows how to determine if the ACF2 cache facility and the cache synchronizer are active.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Issue the SHOW ACTIVE command and find '-- ACF2 CACHE FACILITY --' in the display output:
    acf
    SHOW ACTIVE
    -- ACF2 CACHE FACILITY --
    DATABASE CACHE = ACTIVE
    CACHE SYNCHRONIZER = INACTIVE
    In this example, the ACF2 cache facility is active and is sharing the ACF2 databases, but the cache synchronizer is not active.
  2. If SHOW ACTIVE shows that the ACF2 cache facility and the cache synchronizer are both active, your organization does not have an audit finding.
  3. If SHOW ACTIVE shows that the cache facility is not in use or the cache synchronizer is not active, your organization has an audit finding. See Remediate Audit Finding.
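As an added example that is not part of the STIG article or of the ACF2 product, the following Python script applies the three-way decision above to a captured SHOW ACTIVE display, so the check can be run over saved output from many systems instead of by eye. The sample display is constructed to match the layout shown in step 1; the section name and the two field names come from the article, while the assumption that each field appears on its own line as NAME = VALUE is mine.

```python
"""Evaluate BACF0030 (cache facility and cache synchronizer active?) from SHOW ACTIVE output."""
import re

# Constructed sample of a SHOW ACTIVE display. Only the '-- ACF2 CACHE FACILITY --'
# section matters here; the second section is a made-up stand-in for the other
# sections a real display contains.
SAMPLE_SHOW_ACTIVE = """\
-- ACF2 CACHE FACILITY --
   DATABASE CACHE = ACTIVE
   CACHE SYNCHRONIZER = INACTIVE
-- ACF2 OTHER SECTION (CONSTRUCTED) --
   SOME FIELD = VALUE
"""

# Assumed layout: section headers are bracketed by '--', fields read NAME = VALUE.
HEADER = "ACF2 CACHE FACILITY"
FIELD_RE = re.compile(r"^([A-Z][A-Z ]*?)\s*=\s*(\S+)$")


def parse_cache_facility(show_active: str) -> dict:
    """Return the NAME -> VALUE fields of the cache facility section (values upper-cased)."""
    fields = {}
    in_section = False
    for raw in show_active.splitlines():
        line = raw.strip()
        if line.startswith("--"):
            # Every '-- ... --' line starts a new section; only the cache section is read.
            in_section = HEADER in line
            continue
        if not in_section:
            continue
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1).strip()] = match.group(2).upper()
    return fields


def evaluate_finding(show_active: str) -> tuple:
    """Apply steps 2 and 3 of the check: return (has_finding, reason)."""
    fields = parse_cache_facility(show_active)
    cache = fields.get("DATABASE CACHE")
    sync = fields.get("CACHE SYNCHRONIZER")
    if cache is None or sync is None:
        # A missing section is reported as a finding so the gap gets investigated.
        return True, "ACF2 CACHE FACILITY section not found in SHOW ACTIVE output"
    if cache != "ACTIVE":
        return True, "cache facility is not in use"
    if sync != "ACTIVE":
        return True, "cache facility is active but the cache synchronizer is not active"
    return False, "cache facility and cache synchronizer are both active"


if __name__ == "__main__":
    has_finding, reason = evaluate_finding(SAMPLE_SHOW_ACTIVE)
    print("AUDIT FINDING" if has_finding else "NO FINDING", "-", reason)
```

Run against the constructed sample, the script reports a finding because the synchronizer is INACTIVE, which is exactly the situation step 1 illustrates; feed it the real display captured from each LPAR to get the same verdict per system.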
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO SYNCOPTS record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO SYNCOPTS record FILENAME, ACTIVATE, and POLLINTV(10) field values. FILENAME defines the file that is used for cache synchronization, ACTIVATE specifies that this CPU's synchronizer is activated, and POLLINTV specifies the number of seconds that elapse between synchronizations.
    SET CONTROL(GSO)
    CONTROL
    CHANGE SYNCOPTS ACTIVATE FILENAME(your.ACF2.SYNCFILE) POLLINTV(10)
    CONTROL
    Define only one SYNCOPTS record for each SYSID (system). Since all synchronizers in the same shared ACF2 database environment must use the same synchronization file, you must define the same FILENAME for those SYNCOPTS records.
    • ACTIVATE|NOACTIVATE
      Specifies whether this CPU's synchronizer is activated.
      Default: NOACTIVATE
    • FILENAME(ACF2.SYNCFILE|filename)
      Specifies the file that is used for cache synchronization. The default synchronization file name is ACF2.SYNCFILE. You can specify your own file name.
      Default: ACF2.SYNCFILE
    • POLLINTV(5|nn)
      Specifies the number of seconds that elapse between accesses performed by the synchronizer to the synchronization file. Any number from 1 to 60 is permitted.
      Default: 5 seconds
  2. Define your synchronization data set with contiguous tracks when allocating your synchronization file. When ACF2 builds a synchronization file, it uses only the first extent of the defined data set.
    • You do not need to specify characteristics when you allocate the synchronization file.
    • You must specify only the number of tracks.
    • It is recommended that you specify no more than five tracks for the synchronization file.
    • Most sites require an average of three tracks. Allocate the file using IEFBR14. Specify the number of tracks to be allocated but do not specify any DCB attributes.
    Use the following formulas to determine the number of tracks your synchronization file needs:
    3390 DASD disks: (# of LIDs/2500) + (# of RULEs/2500) + (# of INFOs/950)
    3380 DASD disks: (# of LIDs/2100) + (# of RULEs/2100) + (# of INFOs/810)
    The DCB attributes will be assigned when the file is opened by the synchronization subtask. If you prefer to allocate using ISPF, specify FORMAT=F, LRECL=32760, and BLKSIZE=32760. These specifications are optimal for 3390s.
    The first time the file is opened, the following message displays:
    ACFCC203 ACF2 CACHE SYNCHRONIZATION DATA SET INITIAL READ FAILED
  3. Activate the GSO SYNCOPTS record:
    SET CONTROL(GSO)
    CONTROL
    F ACF2,REFRESH(SYNCOPTS)
    CONTROL
  4. Verify that the GSO SYNCOPTS record changed:
    SET CONTROL(GSO)
    CONTROL
    LIST SYNCOPTS
    XXXX / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:20
    ACTIVATE FILENAME(your.ACF2.SYNCFILE) POLLINTV(10)
    CONTROL
Cache synchronization processing is now defined for a CPU running in a shared ACF2 database environment.
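As an added example that is not part of the STIG article or of ACF2, this Python script covers two points a reviewer wants to confirm after the remediation steps above: it checks the LIST SYNCOPTS output of every SYSID sharing the database (ACTIVATE present, one common FILENAME, POLLINTV within 1 to 60, falling back to the article's stated defaults when a field is absent), and it applies the track-sizing formulas from step 2 for 3390 and 3380 DASD. The LIST output is constructed to match the layout shown in step 4; the SYSIDs, user, dates and file names are made up, the regex field extraction is mine, and rounding the formula result up to a whole track is my assumption.

```python
"""Verify GSO SYNCOPTS records across shared-database SYSIDs and size the sync file."""
import math
import re

# Constructed LIST SYNCOPTS output for two SYSIDs that share one ACF2 database.
# SYSB deliberately violates every rule the article states so the checker has work to do.
SAMPLE_LIST_OUTPUT = {
    "SYSA": """\
SYSA / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:20
  ACTIVATE FILENAME(YOUR.ACF2.SYNCFILE) POLLINTV(10)
""",
    "SYSB": """\
SYSB / SYNCOPTS LAST CHANGED BY USER01 ON 03/20/17-10:25
  NOACTIVATE FILENAME(OTHER.ACF2.SYNCFILE) POLLINTV(75)
""",
}

# Records per track taken from the article's two formulas.
TRACK_CAPACITY = {
    "3390": {"lids": 2500, "rules": 2500, "infos": 950},
    "3380": {"lids": 2100, "rules": 2100, "infos": 810},
}


def parse_syncopts(listing: str) -> dict:
    """Extract ACTIVATE/NOACTIVATE, FILENAME and POLLINTV; absent fields take the documented defaults."""
    rec = {"activate": False, "filename": "ACF2.SYNCFILE", "pollintv": 5}
    act = re.search(r"\b(NO)?ACTIVATE\b", listing)
    if act:
        rec["activate"] = act.group(1) is None  # 'NO' prefix absent means ACTIVATE
    name = re.search(r"FILENAME\(([^)]+)\)", listing)
    if name:
        rec["filename"] = name.group(1).strip().upper()
    poll = re.search(r"POLLINTV\((\d+)\)", listing)
    if poll:
        rec["pollintv"] = int(poll.group(1))
    return rec


def check_syncopts(listings: dict) -> list:
    """Return a list of problems; an empty list means every SYSID satisfies the article's rules."""
    problems = []
    records = {sysid: parse_syncopts(text) for sysid, text in listings.items()}
    for sysid in sorted(records):
        rec = records[sysid]
        if not rec["activate"]:
            problems.append(f"{sysid}: synchronizer is NOACTIVATE; specify ACTIVATE")
        if not 1 <= rec["pollintv"] <= 60:
            problems.append(f"{sysid}: POLLINTV({rec['pollintv']}) is outside the permitted range 1-60")
    # All synchronizers in one shared-database environment must use the same file.
    filenames = sorted({rec["filename"] for rec in records.values()})
    if len(filenames) > 1:
        problems.append(f"SYNCOPTS records do not share one FILENAME: {filenames}")
    return problems


def sync_file_tracks(lids: int, rules: int, infos: int, dasd: str = "3390") -> int:
    """Tracks needed for the synchronization file per the article's formula for the given DASD type."""
    cap = TRACK_CAPACITY[dasd]
    raw = lids / cap["lids"] + rules / cap["rules"] + infos / cap["infos"]
    return max(1, math.ceil(raw))  # whole tracks only; rounding up is an assumption


if __name__ == "__main__":
    for problem in check_syncopts(SAMPLE_LIST_OUTPUT):
        print("PROBLEM:", problem)
    tracks = sync_file_tracks(5000, 2500, 950)
    print(f"3390 sizing: {tracks} track(s){' (exceeds the recommended five)' if tracks > 5 else ''}")
```

Paste each system's LIST SYNCOPTS output into the dictionary keyed by its SYSID; the checker reports SYSB's NOACTIVATE, its out-of-range POLLINTV and the FILENAME mismatch, and reports nothing once SYSB is corrected to match SYSA.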
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000366, CCI-002357
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
CCI: CCI-002357
Published Date: 2013-06-05
Definition: The information system implements a reference monitor for organization-defined access control policies that is tamper proof.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-25