STIG ID - BACF1007: Specify Correct SMF Data Collection Options
Severity: 2 - Medium
SMF data collection is the basic unit of tracking all system functions and actions. SMF produces an audit trail of z/OS system events by recording events in SMF data sets or log streams. Included in the tracking data are audit trails from
ACF2. If the control options for recording the tracking are not properly maintained, then accountability cannot be monitored.
Your organization will ensure the control options for tracking SMF data are properly maintained.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Review all SMF recording specifications found in SYS1.PARMLIB(SMFPRMxx) members. Ensure that SMF recording options used are consistent with the following. The settings for these parameters are critical to the collection process.
- ACTIVEActivates the collection of SMF data.
- JWT(15)The maximum amount of consecutive time that an executing job spends as ineligible to use any CPU resources before being canceled for inactivity. The requirement for Job Wait Time (JWT) is 15 minutes. The JWT parameter can be greater than 15 minutes if the system is processing unclassified information and the following items are reviewed:
- If a session is not terminated, but is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections.
- A system’s default time for terminal lock-out or session termination can be lengthened to 30 minutes at the discretion of the Information Security Systems Officer (ISSO). The ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
- The ISSO can set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
- The time-out exception cannot exceed 60 minutes.
- A letter of justification fully documenting the user requirements must be submitted and approved by the ISSO. This letter must identify an alternate means of access control for the terminals involved
- The requirement must be re-validated on an annual basis.
- MAXDORM(0500)Specifies the amount of real time that SMF allows data to remain in an SMF buffer before written to a recording data set.
- SIDSpecifies the system ID to be recorded in all SMF records.
- SYS(DETAIL)Controls the level of detail recorded.
- SYS(INTERVAL)Ensures the periodic recording of data for long running jobs.
- SYSSpecifies the types and subtypes of SMF records to be collected.
The site can use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
- SYS(TYPE)Specifies the record types to be collected. Record types not listed are not collected.
- SYS(NOTYPE)Specifies those record types not to be collected. Record types not listed are not collected.
- If the SMF recording options used are consistent with the above settings,your organization does not have an audit finding.
- If the SMF recording options used are not consistent with the above settings,your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The ISSO ensure that collection options for SMF data are consistent with the options specified in this STIG article.
Follow these steps:
- Using TSO, edit the SYS1.PARMLIB(SMFPRMxx) member to be consistent with the settings listed in the Identify Audit Findings section.
By ensuring the control options for recording the tracking are properly maintained, accountability can be monitored.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000057, CCI-000130, CCI-001844
The information system initiates a session lock after the organization-defined time period of inactivity.
NIST: NIST SP 800-53 (v3): AC-11 a
NIST: NIST SP 800-53 Revision 4 (v4): AC-11 a
NIST: NIST SP 800-53A (v1): AC-11.1 (ii)
The information system generates audit records containing information that establishes what type of event occurred.
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.
NIST: NIST SP 800-53 Revision 4 (v4): AU-3 (2)