STIG ID - BACF1033: Limit Access to SMF Collection Files

Severity: 1 - High
SMF data collection is the basic system activity journaling facility of the z/OS system recording all system events including security events, audit records, and security changes. With the proper parameter designations, SMF data collection serves as the basis to ensure user accountability. Unauthorized access could result in the compromise of logging and recording of the operating system environment, external security manager, and customer data.
Unauthorized disclosure of SMF data could reveal system and configuration data to attackers, compromising its confidentiality. SMF Audit information includes details (audit records, audit settings, audit reports, security changes) needed to successfully audit operating system activity.
The organization must ensure that write or greater access to SMF collection files (for example, SYS1.MAN or Log-streams) is limited to the system programmers and access is logged. Authorized batch job processes may also be granted write access.
General users should not have access to SMF data unless explicitly approved by the Information Security Systems Officer (ISSO), with written justification provided and access limited to specific SMF record types. Ensure the principle of least privilege is applied through role-based access.
This STIG finding is severity 1 (high) only if unauthorized write or greater access has been granted. If only inappropriate READ access has been granted, it is a severity 2 (medium) finding.
This STIG article shows how to review access authorizations to SMF collection files, how to limit write or greater access to only system programmers, and how to log all activity.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Review SMFPRMxx member in SYS1.PARMLIB. Determine the SMF or Logstream data set name.
    • From the ISPF Primary Option Menu, select option 3.4 to display a list of data set names.
    • Type the data set under "Dsname Level".
    • Type B next to SYS1.PARMLIB to browse the data set.
    • Type S next to the SMFPRMxx member and identify the SMF or logstream data set name.
  2. Review access to the identified SMF collection file data sets and ensure the following:
    • Write or greater access is limited to system programmers.
    • All access is logged.
    ACF
    ACCESS DSN('SYS1.MAN*')
    ACCESS Subcommand Results as of 08/07/20-4:05 for: SYS1.MAN*
    $Key: SYS1 Ruleline: SYS1.MAN* UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    ACF
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to the SYS1.MAN files, and all activity is logged. SYS1.MAN is the repository for newly created SMF records.
  3. If the following conditions are true, your organization does not have an audit finding.
    • The ACF2 data set rules for the SMF data collection files (for example, SYS1.MAN* or IFASMF.SYS1.*) restrict allocate access to only z/OS systems programming personnel.
    • The ACF2 data set rules for the SMF data collection files (for example, SYS1.MAN* or IFASMF.SYS1.*) restrict write access to z/OS systems programming personnel, batch jobs that perform SMF dump processing, and others as approved by the ISSO.
    • The ACF2 data set rules for the SMF data collection files (for example, SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSO.
    • The ACF2 data set rules for the SMF data collection files (for example, SYS1.MAN* or IFASMF.SYS1.*) specify that all UPDATE or ALTER accesses (failures and successes) are logged.
  4. If any of the conditions listed in step 3 are false, your organization has an audit finding. See Remediate Audit Finding.
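As an added example (not part of the STIG text or of ACF2 itself), the following Python checker reads ACF2 data set rule lines in the shape shown above and applies the four step-3 conditions to each subject. It assumes the usual ACF2 meaning of A (allow), L (allow and log) and P (prevent), treats a permission omitted from a rule line as prevented, keys subjects by their full UID(...) or ROLE(...) token, and ignores a leading $KEY(...) and ROLESET keyword; the sample rule set and the SYSPROG/SMFDUMP/AUDIT/TSOUSER masks are constructed for illustration.

```python
import re

# Rule-line shape used in the STIG text, e.g.
#   SYS1.MAN* UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
# Subject is UID(...) or ROLE(...); A = allow, L = allow and log, P = prevent.
RULE_RE = re.compile(
    r"^(?P<dsn>\S+)\s+(?P<subj>(?:UID|ROLE)\([^)]*\))(?P<perms>(?:\s+\w+\([ALP]\))*)\s*$")

def parse_rule(line):
    """Parse one ACF2 data set rule line; a leading $KEY(...) [ROLESET] is ignored."""
    line = re.sub(r"^\$KEY\(\S+\)\s+(?:ROLESET\s+)?", "", line.strip())
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not an ACF2 data set rule line: %r" % line)
    # Assumption: a permission that is not written on the line is prevented.
    perms = {"READ": "P", "WRITE": "P", "ALLOC": "P", "EXEC": "P"}
    for name, val in re.findall(r"(\w+)\(([ALP])\)", m.group("perms")):
        perms[name.upper()] = val
    return {"dsn": m.group("dsn"), "subject": m.group("subj"), "perms": perms}

def check_smf_rules(lines, sysprog, batch_ok=(), readers_ok=()):
    """Apply the step-3 conditions; sysprog may ALLOC/WRITE, batch_ok may WRITE,
    readers_ok may READ. Returns a list of (severity, message) findings."""
    findings = []
    for rule in map(parse_rule, lines):
        subj, p = rule["subject"], rule["perms"]
        where = "%s on %s" % (subj, rule["dsn"])
        for lvl in ("ALLOC", "WRITE"):
            if p[lvl] not in ("A", "L"):
                continue
            allowed = set(sysprog) | (set(batch_ok) if lvl == "WRITE" else set())
            if subj not in allowed:   # write or greater outside sysprog: severity 1
                findings.append((1, "%s access granted to %s" % (lvl, where)))
            if p[lvl] != "L":         # permitted but not logged: severity 1
                findings.append((1, "%s access not logged for %s" % (lvl, where)))
        if p["READ"] in ("A", "L") and subj not in set(sysprog) | set(batch_ok) | set(readers_ok):
            findings.append((2, "READ access granted to %s" % where))  # inappropriate READ
    return findings

# Constructed sample rule set (not from a real system); the last line is a general user.
SAMPLE_RULES = [
    "$KEY(SYS1) SYS1.MAN* UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)",
    "SYS1.MAN* UID(*****SMFDUMP) WRITE(L)",
    "SYS1.MAN* UID(*****AUDIT) READ(A)",
    "SYS1.MAN* UID(*****TSOUSER) READ(A) WRITE(A)",
]

if __name__ == "__main__":
    for sev, msg in check_smf_rules(SAMPLE_RULES, {"UID(*****SYSPROG)"},
                                    {"UID(*****SMFDUMP)"}, {"UID(*****AUDIT)"}):
        print("CAT %d: %s" % (sev, msg))
```

Run against the sample, the TSOUSER line yields three findings (unauthorized WRITE, unlogged WRITE, inappropriate READ) while the other three lines are clean.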
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to SMF collection files is limited to system programmers and all activity is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls so that only system programmers are authorized for write or greater access to SMF collection files, for example:
    $KEY(SYS1) SYS1.MAN* UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    or
    $KEY(SYS1) ROLESET SYS1.MAN* ROLE(ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Implementing controls to SMF collection files protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000162, CCI-000163, CCI-000164, CCI-000213, CCI-002234
CCI: CCI-000162
Published Date: 2009-05-22
Definition: The information system protects audit information from unauthorized access.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-9
NIST: NIST SP 800-53 Revision 4 (v4): AU-9
NIST: NIST SP 800-53A (v1): AU-9.1

CCI: CCI-000163
Published Date: 2009-05-22
Definition: The information system protects audit information from unauthorized modification.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-9
NIST: NIST SP 800-53 Revision 4 (v4): AU-9
NIST: NIST SP 800-53A (v1): AU-9.1

CCI: CCI-000164
Published Date: 2009-05-22
Definition: The information system protects audit information from unauthorized deletion.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-9
NIST: NIST SP 800-53 Revision 4 (v4): AU-9
NIST: NIST SP 800-53A (v1): AU-9.1

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)