STIGQter STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.

DISA Rule

SV-223881r561402_rule

Vulnerability Number

V-223881

Group Title

SRG-OS-000057-GPOS-00027

Rule Version

TSS0-ES-000080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and and/or batch jobs that perform SMF dump processing; access can be granted to others as determined by ISSM.

Ensure that read access is limited to auditors. Access may be granted to others as determined by the ISSM.

Ensure the accesses are being logged.

Ensure that all (i.e., failures and successes) WRITE or greater access are logged.

Ensure read access failures are logged.

Check Contents

Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream data set name.

If the following statements are true, this is not a finding.

-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALTER access to only z/OS systems programming personnel.
-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others as approved by ISSM.
-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM.
-The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.

Vulnerability Number

V-223881

Documentable

False

Rule Version

TSS0-ES-000080

Severity Override Guidance

Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream data set name.

If the following statements are true, this is not a finding.

-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALTER access to only z/OS systems programming personnel.
-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others as approved by ISSM.
-The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM.
-The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.

Check Content Reference

M

Target Key

4102

Comments