SV-223455r533198_rule
V-223455
SRG-OS-000080-GPOS-00048
ACF2-ES-000340
CAT II
10
Define WRITE or greater access to data sets used to back up and/or dump SMF collection files to be limited to system programmers and/or batch jobs that perform SMF dump processing. Ensure that all data set access is logged.
Define data set rules for the SMF dump/backup files to restrict UPDATE access to others approved by the ISSM.
Define READ Access to data sets used to back up and/or dumpSMF collection files to be limited to auditors and others approved by the ISSM.
Ensure that all WRITE or greater access authority to SMF history files will be logged using the ESM’s facilities.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect data sets used to back up and/or dump SMF Collection Files.
In z/OS systems, SMF data is the ultimate record of system activity. Therefore, SMF data is of the most sensitive and critical nature. While the length of time for which SMF data will be retained is not specifically regulated, it is imperative that the information is available for the longest possible time period in case of subsequent investigations. The statute of limitations varies according to the nature of a crime. It may vary by jurisdiction, and some crimes are not subject to a statute of limitations. Apply the following guidelines to the retention of SMF data for all DOD systems:
(a) Retain at least two (2) copies of the SMF data.
(b) Maintain SMF data for a minimum of one year.
(c) All WRITE or greater access authority to SMF history files will be logged using the ACP’s facilities. Only systems programming personnel and batch jobs that perform SMF functions will be authorized to update the SMF files.
Obtain the procedures and collection specifics for SMF data sets and backup.
If the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater access to authorized site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding.
If the ESM dataset rules for the SMF dump/backup files do not restrict update access as documented in the site security plan, this is a finding.
If the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding.
If the ESM data set rules for the SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is a finding.
V-223455
False
ACF2-ES-000340
Obtain the procedures and collection specifics for SMF data sets and backup.
If the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater access to authorized site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding.
If the ESM dataset rules for the SMF dump/backup files do not restrict update access as documented in the site security plan, this is a finding.
If the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding.
If the ESM data set rules for the SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is a finding.
M
4100