STIG ID - BACF1009: Collect and Retain SMF Data Automatically

Severity: 2 - Medium
SMF data collection is the basic unit of tracking for all system functions and actions. Included in this tracking data is the audit trail. If the control options for recording this tracking are not properly maintained, accountability cannot be monitored and its use in the execution of a contingency plan could be compromised. Failure to collect SMF data in a timely fashion can result in the loss of critical system data. To ensure that all SMF data is collected in a timely manner and to reduce the risk of data loss, automated mechanisms must be in place to collect and retain SMF data produced on the system.
The organization will ensure a collection and retention of SMF data is performed automatically.
This STIG article shows how to identify if automated mechanisms are in place to collect and retain SMF data produced on the system.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Review the SMF data collection and retention process with your organization's Information Systems Security Officer (ISSO). Ensure one of the following procedures is included:
    1. Record SMF data using log streams. SMF utilizes system logger to record collected data, which improves the writing rate and avoids buffer shortages. Log streams provide flexibility, allowing the z/OS system to record to multiple log streams and, using keywords on the dump program, allow z/OS to read a set of SMF data once and write it many times. Use the IBM utility, IFASMFDL, to dump the SMF log stream, ensuring frequent dumping of the records as well as dumps at the end of each day.
      Or,
    2. Set up a process to automatically dump SMF collection files immediately upon their becoming full. Each SMF MANx file collects records until it is full. Recording is then automatically switched to the next file in sequence. At the same time, the operator receives a message indicating that a dump of the full SMF file is required. This process continues through the rest of the files. When the last file is full, the process starts over again with the first file in the sequence, but only if the first file is empty. Ensure the following:
      • Dump each SMF file (MANx) as it fills up during the normal course of daily processing.
      • Dump all remaining SMF data at the end of each processing day.
  2. After reviewing the SMF data collection and retention process with your organization's ISSO, if it is determined that an automated process is in place, your organization does not have an audit finding.
  3. If you cannot determine that a process to collect and retain SMF data is in place, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The ISSO is responsible for maintaining the SMF data collection and retention process documentation.
Work with your ISSO to ensure that an automated process is developed to collect and retain SMF data.
By ensuring all SMF data is collected in a timely manner, your organization reduces the risk of data loss.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001348, CCI-001353

CCI: CCI-001348
Published Date: 2009-09-22
Definition: The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-9 (2)
NIST: NIST SP 800-53 Revision 4 (v4): AU-9 (2)
NIST: NIST SP 800-53A (v1): AU-9 (2).1 (iii)
CCI: CCI-001353
Published Date: 2013-06-24
Definition: The information system generates audit records containing information that establishes when an event occurred.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AU-3
NIST: NIST SP 800-53 Revision 4 (v4): AU-3
NIST: NIST SP 800-53A (v1): AU-3.1