STIG ID - BACF1008: Collect the Required SMF Data Records Types

Severity: 2 - Medium
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit records. If the required SMF data record types are not being collected, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised. SMF writes records for events such as:
  • Logon and logoff of TSO users.
  • Reconfiguration of devices.
  • Initiation and termination of jobs.
  • Signon and signoff of NJE users.
  • System status information such as data set status, VSAM catalog information, and job output statistics.
The organization will ensure SMF recording options are defined, collected, and reviewed.
This STIG article shows you how to define and review SMF data using Auditor.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the SMF record types defined for collection. The SMF Options Display lets you review the SMF options currently collected. SMF system options are obtained from the SMFPRMxx member of the logical parmlib. z/OS reads these options during IPL.
    • Select option 1 from the Primary menu. The Management Information menu is displayed.
    • Select option 5. The SMF Analysis submenu is displayed.
    • Select option 1. The SMF Options are displayed. Scroll down to see the entire display.
  2. Verify the following SMF record types are defined (record type, followed by its description):
     00   Initial Program Load (IPL)
     06   External Writer/JES Output Writer / Print Services Facility (PSF)
     07   SMF data lost
     14   Input or RDBACK data set activity
     15   Output data set activity
     17   Scratch data set status
     18   Rename data set status
     24   JES2 spool offload
     25   JES3 device allocation
     26   JES3 job purge
     30   Common address space work
     32   TSO user work accounting record
     41   Data-in-virtual ACCESS/UNACCESS record
     42   DFSMS statistics
     43   JES2 start
     45   JES2 withdrawal
     47   JES3 signon/start line (BSC only)
     48   JES2 signoff/stop line (BSC only)
     49   JES3 integrity
     52   JES2 logon/start line (SNA only)
     53   JES2 logoff/stop line (SNA only)
     54   JES2 integrity (SNA only)
     55   JES2 network signon record
     56   JES2 network integrity record
     57   JES2 network SYSOUT transmission record
     58   JES2 network signoff record
     60   VSAM volume data set updated
     61   Integrated catalog facility define activity
     62   VSAM component or cluster opened
     64   VSAM component or cluster status
     65   Integrated catalog facility delete authority
     66   Integrated catalog facility alter authority
     80   Top Secret events or IBM RACF processing record
     81   IBM RACF initialization record
     82   Security (Cryptographic facility)
     83   IBM RACF auditing record
     90   System status record
     92   Open MVS file system activity
     102  DB2 performance
     103  IBM HTTP Server
     110  CICS/ESA statistics
     118  TCP/IP statistics
     119  TCP/IP statistics
     199  TSOMON
     230  ACF2, or as specified in ACFFDR (vendor-supplied default is 230)
     231  Top Secret logs USS environment security events under this record type
  3. If all required SMF record types identified above are being collected, your organization does not have an audit finding.
  4. If any required SMF record types identified above are not being collected, your organization has an audit finding. See Remediate Audit Finding.
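The check in steps 2 to 4 can also be run against the SMFPRMxx member itself. The following is an added example, not part of this article or of Auditor: it expands the SYS(TYPE(...)) or SYS(NOTYPE(...)) operand of a parmlib member (handling the aa:bb range and type(subtype) forms) and reports which of the record types required above are not collected. The sample member is constructed, and the parser deliberately ignores SUBSYS() overrides.

```python
import re

# Record types this STIG requires (table in step 2 of Identify Audit Finding).
REQUIRED_TYPES = {0, 6, 7, 14, 15, 17, 18, 24, 25, 26, 30, 32, 41, 42, 43, 45, 47,
                  48, 49, 52, 53, 54, 55, 56, 57, 58, 60, 61, 62, 64, 65, 66, 80, 81,
                  82, 83, 90, 92, 102, 103, 110, 118, 119, 199, 230, 231}

# Constructed sample member (not from a real system): collects most of the list.
SAMPLE_SMFPRMXX = """\
ACTIVE                          /* SMF recording is on */
SYS(TYPE(0,6:7,14:18,24:26,30(1,2,3,4,5),32,41:45,47:49,52:58,
         60:66,80:83,90,92,102,103,110,118),
    EXITS(IEFU83,IEFU84,IEFU85),INTERVAL(SMF,SYNC))
"""

def _operand(text, keyword):
    """Body of the balanced parentheses after KEYWORD( in text, or None."""
    m = re.search(r"\b" + keyword + r"\s*\(", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError(f"unbalanced parentheses after {keyword}(")

def parse_type_list(spec):
    """Expand a TYPE/NOTYPE value like '0,6:7,30(1,2),70:79' into a set of types.
    A subtype list in parentheses is dropped: that type is still collected."""
    spec = re.sub(r"\([^)]*\)", "", spec).replace(" ", "")
    items = [i.partition(":") for i in filter(None, spec.split(","))]
    return {t for lo, _, hi in items for t in range(int(lo), int(hi or lo) + 1)}

def collected_types(smfprm_text):
    """Types selected by the SYS() statement. Simplified: SUBSYS() overrides are
    ignored; no TYPE/NOTYPE (or no SYS()) means the z/OS default of all types."""
    text = re.sub(r"/\*.*?\*/", "", smfprm_text, flags=re.S)     # strip comments
    text = " ".join(line[:71] for line in text.splitlines())      # cols 72-80 ignored
    body = _operand(text, "SYS") or ""
    if (spec := _operand(body, "NOTYPE")) is not None:
        return set(range(256)) - parse_type_list(spec)
    if (spec := _operand(body, "TYPE")) is not None:
        return parse_type_list(spec)
    return set(range(256))

def missing_required_types(smfprm_text):
    """Required types the member does not collect; an empty list means no finding."""
    return sorted(REQUIRED_TYPES - collected_types(smfprm_text))
```

For the sample member the result is [119, 199, 230, 231], i.e. an audit finding; on a RACF system the ESM-specific types 230 and 231 would be judged against the site's own required list.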
Remediate Audit Finding
The z/OS Systems Programmer Team (ZOSYSP1) is responsible for defining the SMF record types to be collected.
Follow these steps:
  1. Define missing SMF record types.
    • Select option 1 from the Primary menu. The Management Information menu is displayed.
    • Select option 5. The SMF Analysis submenu is displayed.
    • Select option 1. The SMF Options are displayed.
    • Select the SMF record types identified in step 2 of Identify Audit Finding that are not already being collected.
Ensuring that the required SMF record types are identified and collected allows your system to be monitored effectively.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000169, CCI-000172, CCI-001353, CCI-001487
CCI: CCI-000130
Published Date: 2009-05-20
Definition: The information system generates audit records containing information that establishes what type of event occurred.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1

CCI: CCI-000131
Published Date: 2013-06-24
Definition: The information system generates audit records containing information that establishes when an event occurred.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1
CCI: CCI-000132
Published Date: 2009-05-20
Definition: The information system generates audit records containing information that establishes where the event occurred.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1

CCI: CCI-000133
Published Date: 2009-05-20
Definition: The information system generates audit records containing information that establishes the source of the event.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1
CCI: CCI-000134
Published Date: 2009-05-20
Definition: The information system generates audit records containing information that establishes the outcome of the event.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1

CCI: CCI-000135
Published Date: 2009-05-20
Definition: The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1

CCI: CCI-000169
Published Date: 2009-05-22
Definition: The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-12 a
NIST: NIST SP 800-53 Revision 4 (v4): AU-12 a
NIST: NIST SP 800-53A (v1): AU-12.1 (ii)

CCI: CCI-000172
Published Date: 2009-09-15
Definition: The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-12 c
NIST: NIST SP 800-53 Revision 4 (v4): AU-12 c
NIST: NIST SP 800-53A (v1): AU-12.1 (iv)

CCI: CCI-001353
Published Date: 2009-09-22
Definition: The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-12 (2)
NIST: NIST SP 800-53 Revision 4 (v4): AU-12 (2)
NIST: NIST SP 800-53A (v1): AU-12 (2).1

CCI: CCI-001487
Published Date: 2009-09-29
Definition: The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1