STIG ID - BACF1034: Limit Access to SMF Collection Files Backup Data Sets

Severity: 1 - High
SMF data is offloaded to SMF backup data sets to ensure a historical tracking of individual user accountability. Unauthorized access to the SMF backup data sets used to back up SMF collection files, and to the batch jobs that perform SMF dump processing, could result in the compromise of the operating system environment, external security manager, and customer data.
The organization must ensure that write or greater access to the SMF backup data sets used to back up SMF collection files, and to the specific SMF batch job logonids that perform SMF dump processing, is limited. Limited temporary write or greater access is allowed for specific system programmers performing approved, required maintenance on the backup SMF collection files. All access is logged.
This STIG article shows how to review access to SMF collection file backup data sets and how to limit write or greater access to only system programmers. 
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Review access to the system backup data sets used to back up SMF collection files, and to the batch jobs that perform SMF dump processing, and ensure the following:
    • Write or greater access is limited to specific SMF batch jobs that perform backups.
    • Limited temporary write or greater access is allowed for specific system programmers to perform approved maintenance on the SMF backup files when formally approved.
    • All access is logged.
    ACF
    ACCESS DSN('SYS1.backup')
    ACCESS Subcommand Results as of 08/07/20-4:05 for: SYS1.backup
    $Key: SYS1
    Ruleline: BACKUP UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
    ACF
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to the SYS1.backup files and all activity is logged.
  2. If write or greater access to system backup data sets used to back up SMF collection files and batch jobs that perform SMF dump processing is limited to system programmers and all access activity is logged, your organization does not have an audit finding.
  3. If write or greater access to system backup data sets used to back up SMF collection files and batch jobs that perform SMF dump processing is not limited to system programmers and all access activity is not logged, your organization has an audit finding. See Remediate Audit Finding.
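The review in step 1 can be repeated over saved rule lines with a short script. The following is an added example, not part of the original STIG article or any vendor tooling: it flags rule lines that allow access without logging, or that grant write or greater access to a UID mask outside an approved set. The approved set, the exact-match comparison of UID masks, the treatment of a rule line with no UID() as applying to every user, and all sample lines after the first are assumptions made for illustration.

```python
import re

# Assumption: site-approved UID masks for write-or-greater access.
# The page's example rule uses *****SYSPROG. Masks are compared as exact
# strings here, which is a simplification of ACF2 UID pattern matching.
APPROVED_UID_MASKS = {"*****SYSPROG"}
WRITE_OR_GREATER = ("WRITE", "ALLOC")
UNLOGGED = "access allowed without logging"
UNAPPROVED = "write or greater access outside approved UID masks"

UID_RE = re.compile(r"\bUID\(([^)]*)\)", re.I)
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)", re.I)

def parse_rule_line(line):
    """Return (uid_mask, {perm: A|L|P}) for one ACF2 rule line."""
    uid = UID_RE.search(line)
    # Assumption: a rule line without UID() applies to every user.
    mask = uid.group(1).upper() if uid else "-"
    perms = {p.upper(): v.upper() for p, v in PERM_RE.findall(line)}
    return mask, perms

def audit_rule_lines(lines):
    """Flag rule lines that break either condition the audit step checks."""
    findings = []
    for line in lines:
        mask, perms = parse_rule_line(line)
        for perm, value in perms.items():
            if value == "A":  # A allows without logging; L allows and logs
                findings.append((mask, perm, UNLOGGED))
            if (perm in WRITE_OR_GREATER and value in ("A", "L")
                    and mask not in APPROVED_UID_MASKS):
                findings.append((mask, perm, UNAPPROVED))
    return findings

# First line is the page's example; the rest are constructed for illustration.
SAMPLE_RULE_LINES = [
    "Ruleline: BACKUP UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)",
    "Ruleline: BACKUP UID(*****OPER) READ(L) WRITE(L)",
    "Ruleline: BACKUP UID(*****SYSPROG) READ(A) WRITE(A)",
    "Ruleline: BACKUP READ(L) ALLOC(L)",
]

if __name__ == "__main__":
    for finding in audit_rule_lines(SAMPLE_RULE_LINES):
        print(finding)
```

An empty result for a rule set corresponds to the "no audit finding" outcome in step 2, under the assumptions stated above.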
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to SMF collection files is limited to system programmers and all activity is logged.
Follow these steps:
  1. Implement controls that authorize only system programmers for write or greater access to the system backup data sets used to back up SMF collection files.
    $KEY(SYS1) SYS1.BACKUP* UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
  2. Verify that the changes were made to the system backup data sets.
    ACF
    ACCESS DSN('SYS1.backup')
    ACCESS Subcommand Results as of 08/07/20-4:25 for: SYS1.backup
    $Key: SYS1
    Ruleline: BACKUP* UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
    ACF
Implementing controls on the system backup data sets used to back up SMF collection files protects your organization's historical tracking of individual user accountability, the operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): AC-3
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3
  NIST: NIST SP 800-53A (v1): AC-3.1