STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.

DISA Rule

SV-223701r604139_rule

Vulnerability Number

V-223701

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

RACF-ES-000540

Severity

CAT II

CCI(s)

• CCI-001493 - The information system protects audit tools from unauthorized access.
• CCI-001494 - The information system protects audit tools from unauthorized modification.
• CCI-001495 - The information system protects audit tools from unauthorized deletion.
• CCI-001314 - The information system reveals error messages only to organization-defined personnel or roles.
• CCI-000162 - The information system protects audit information from unauthorized access.
• CCI-000163 - The information system protects audit information from unauthorized modification.
• CCI-000164 - The information system protects audit information from unauthorized deletion.
• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Configure WRITE and above access to SMF collection files to be limited to only systems programming staff and and/or batch jobs that perform SMF dump processing, access can be granted to others as determined by ISSM.

Configure READ access to be limited to auditors. READ access may be granted to others as determined by the ISSM.

Access to other users specified must be documented in a security plan.

Ensure the accesses are being logged.

Check Contents

Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream dataset name.

If the following statements are true, this is not a finding.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict WRITE or greater access to only z/OS systems programming personnel.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others approved by ISSM.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM.

The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.

Vulnerability Number

V-223701

Documentable

False

Rule Version

RACF-ES-000540

Severity Override Guidance

Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream dataset name.

If the following statements are true, this is not a finding.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict WRITE or greater access to only z/OS systems programming personnel.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others approved by ISSM.

The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM.

The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.

Check Content Reference

M

Target Key

4101

Comments