STIG ID - BACF1044: Implement z/OS Baseline Reporting

Auditor provides baseline functions that automatically detect audit-worthy changes to the system. This reduces the time needed to verify that a system complies with your organization's standards. A baseline is an Auditor function whose results have been reviewed and approved as a secure, reliable, and verifiable instance of the specific function. Baseline analysis should be run against the APF and LPA libraries and the SYS1.PARMLIB PDS members so that changes, additions, and removals in these system libraries can be monitored. Failure to monitor, review, and validate these reports on a regular basis could threaten the integrity and availability of the operating system environment and compromise the confidentiality of customer data.
Your organization must ensure that the z/OS baseline is established and that its results are reviewed and validated with the appropriate system programming staff on a weekly schedule, or as your organization's continuous monitoring strategy and policy requires.
This STIG article shows how to implement z/OS baseline reporting using Auditor.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Request that your Information Systems Security Officer (ISSO) or system programming staff provide evidence of how baseline reporting was implemented using Auditor. The reports must be in accordance with your mainframe continuous monitoring policy. At a minimum, the following items should be included within baseline reporting:
    1. From the Auditor Primary Menu, select the following options. These items correspond directly with the baseline analysis that runs automatically from the Auditor policy file member POLTJS.
      1 MANAGEMENT - See z/OS overview, hardware, SMF, operator information
        1 OVERVIEW - Display z/OS version, level, IPL date, etc.
        2 HARDWARE - See and scan hardware configuration
        3 ERRORS - Show hardware error rate for disk and tape
        4 CONSOLE - Display information about operator consoles
        5 SMF - Analyze and search the System Management Facility
          1 OPTIONS - Examine current SMF options
          2 RECORDING - Display information about SMF files or logstreams
      2 CHOICES - Display z/OS installation choices, options, parameters
        1 PARMLIB - Analyze z/OS parameter library
          1 MAP - Display IPL tree structure
          2 STATUS - Identify library contents and detect changes
          3 DATASETS - Display current IPL logical PARMLIB dataset information
        2 APF - Analyze Authorized Program Facility
          1 STATISTICS - Display APF library statistics
          2 DUPLICATES - Find duplicate modules in APF libraries
          3 TSO - Show APF-authorized TSO commands and programs
          4 HFS ANALYSIS - Show APF-authorized HFS files
        3 SMP/E - Analyze z/OS libraries using SMP/E
        4 KEY - Show key z/OS libraries
          1 APF - See libraries in Authorized Program Facility list
          2 LINKLIST - Display z/OS system LINKLIST libraries
          3 LPA - Show Link Pack Area libraries
          4 KEY - List all key z/OS files and libraries
          5 LINKDUPS - Find duplicates in LINKLIST libraries
        5 TSO - Analyze TSO user attribute file (UADS)
        6 CATALOGS - List z/OS system catalogs
  2. If z/OS baseline processing is implemented, your organization does not have an audit finding.
  3. If z/OS baseline processing is not implemented, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The ISSO is responsible for ensuring that z/OS baseline reporting is established at your organization.
Follow these steps:
  1. Implement the z/OS baseline. Baseline processing can be set up and generated automatically using Auditor in a batch process. The baselines can be established automatically using the policy control records in member POLTJS of the baseline policy configuration file. Online and batch processing both require the allocation of the baseline VSAM file. Use the BLDBASE job provided in the CAI.EXAMINE.JOBS library to create this file.
    1. Allocate the BASELINE history file to:
      • Your online TSO/ISPF session, using the 'BASELINE' DD name for online baseline processing. This is done with a TSO ALLOC command, for example:
        TSO ALLOC F(BASELINE) DSN('CAI.EXAMINE.BASELINE') SHR REUSE
        This allocation may also be incorporated into a site-defined start-up CLIST or REXX exec, or specified within a start-up TSO procedure.
      • The EXAMBASE JCL procedure generated with the 0.6.2 user profile function, using the 'BASELINE' DD name for batch baseline processing. If function 0.6.2 is executed while a BASELINE file is already allocated to your TSO session with a DD name of 'BASELINE', that allocation is automatically added to the generated EXAMBASE JCL.
    2. Set up batch processing:
      • Allocate the Policy file
      • Run function 0.6.1 to create the skeleton JCL used in the automatic batch job submission processing
      • Run function 0.6.2 to create members EXAMBASE, SYSIN, and SYSTSIN
      • Create a POLTJS member responsible for determining how often a baseline capture is executed and how often baseline compares are performed. The following is an example of setting up baseline functions to process every 7 days:
        MVS1 CAI.EXAMINE.POLICY(POLTJS) - 01.03                Command ===>
        ********************************* Top of Data ****
        11 B 007 01 01 I EXAMJOB
        151 B 007 01 01 I EXAMJOB
        152 B 007 01 01 I EXAMJOB
        153 B 007 01 01 I EXAMJOB
        211 B 007 01 01 I EXAMJOB
        212 B 007 01 01 I EXAMJOB
        213 B 007 01 01 I EXAMJOB
        221 B 007 01 01 I EXAMJOB
        222 B 007 01 01 I EXAMJOB
        223 B 007 01 01 I EXAMJOB
        241 B 007 01 01 I EXAMJOB
        242 B 007 01 01 I EXAMJOB
        243 B 007 01 01 I EXAMJOB
        244 B 007 01 01 I EXAMJOB
        245 B 007 01 01 I EXAMJOB
        ******************************** Bottom of Data **
      • Start the EXAMMON procedure.
    Baseline reports should be saved for at least one year.
z/OS baseline processing is now implemented at your organization, providing automatic detection of audit-worthy changes to the system.
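As an added example that is not part of this STIG article or of Auditor itself, the following Python script checks a POLTJS member that has been copied off the host to a text file against the weekly schedule described above. It assumes that the first field of each policy record is the Auditor function number and the third field is the capture interval in days, and it takes the set of required functions from the example member shown in the procedure.

```python
"""Check an exported POLTJS policy member against the STIG's weekly baseline requirement."""
import re

# Function numbers taken from the page's POLTJS example (e.g. 211 = CHOICES/PARMLIB/MAP).
REQUIRED_FUNCTIONS = {"11", "151", "152", "153", "211", "212", "213",
                      "221", "222", "223", "241", "242", "243", "244", "245"}
MAX_INTERVAL_DAYS = 7  # weekly schedule required by the STIG text

# Assumed record layout (not from product documentation): function number, mode letter,
# interval in days, two numeric fields, a one-character flag, skeleton JCL member name.
RECORD_RE = re.compile(r"^(\d+)\s+\S\s+(\d{3})\s+\d+\s+\d+\s+\S\s+\S+$")

def parse_poltjs(text: str) -> list[tuple[str, int]]:
    """Return (function, interval_days) pairs; ISPF Top/Bottom of Data, the edit header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*") or "===>" in line:
            continue
        m = RECORD_RE.match(line)
        if not m:  # refuse to guess: an unparsable record is itself worth a finding
            raise ValueError(f"unrecognised POLTJS record: {line!r}")
        records.append((m.group(1), int(m.group(2))))
    return records

def audit_poltjs(text: str) -> list[str]:
    """Return findings; an empty list means every required function is baselined at least weekly."""
    records = parse_poltjs(text)
    present = {fn for fn, _ in records}
    findings = [f"function {fn} has no baseline record"
                for fn in sorted(REQUIRED_FUNCTIONS - present, key=int)]
    for fn, days in records:
        if days == 0 or days > MAX_INTERVAL_DAYS:
            findings.append(f"function {fn} runs every {days} days (limit {MAX_INTERVAL_DAYS})")
    return findings

# Constructed sample: the page's weekly member with function 245 removed and 212 widened to 14 days.
SAMPLE_SCHEDULE = [("11", 7), ("151", 7), ("152", 7), ("153", 7), ("211", 7), ("212", 14),
                   ("213", 7), ("221", 7), ("222", 7), ("223", 7), ("241", 7), ("242", 7),
                   ("243", 7), ("244", 7)]
SAMPLE_MEMBER = "\n".join(["********************************* Top of Data ****"]
                          + [f"{fn} B {days:03d} 01 01 I EXAMJOB" for fn, days in SAMPLE_SCHEDULE]
                          + ["******************************** Bottom of Data **"])

if __name__ == "__main__":
    for finding in audit_poltjs(SAMPLE_MEMBER):
        print(finding)
```

Run against the sample, the script reports the missing function 245 and the 14-day interval on function 212; an empty result means the member matches the weekly requirement for every listed function.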
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000294, CCI-000295, CCI-000296, CCI-001819, CCI-001823, CCI-002087

CCI: CCI-000294
Published Date: 2009-09-17
Definition: The organization documents a baseline configuration of the information system.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-2
NIST: NIST SP 800-53 Revision 4 (v4): CM-2
NIST: NIST SP 800-53A (v1): CM-2.1 (i)

CCI: CCI-000295
Published Date: 2009-09-17
Definition: The organization maintains, under configuration control, a current baseline configuration of the information system.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-2
NIST: NIST SP 800-53 Revision 4 (v4): CM-2
NIST: NIST SP 800-53A (v1): CM-2.1 (ii)

CCI: CCI-000296
Published Date: 2009-09-17
Definition: The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-2 (a)
NIST: NIST SP 800-53 Revision 4 (v4): CM-2 (1) (a)
NIST: NIST SP 800-53A (v1): CM-2.1 (ii)

CCI: CCI-001819
Published Date: 2013-03-01
Definition: The organization implements approved configuration-controlled changes to the information system.
Type: policy
References:
NIST: NIST SP 800-53 Revision 4 (v4): CM-3 d

CCI: CCI-001823
Published Date: 2013-03-01
Definition: The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
Type: policy
References:
NIST: NIST SP 800-53 Revision 4 (v4): CM-1 a 2

CCI: CCI-002087
Published Date: 2013-06-21
Definition: The organization establishes and defines the metrics to be monitored for the continuous monitoring program.
Type: policy
References:
NIST: NIST SP 800-53 Revision 4 (v4): CA-7 a