Non-standard SMF data collection options specified.

From z/OS TSS STIG

Part of AAMV0370

Associated with IA controls: DCCS-1, DCCS-2, ECAR-3, ECAR-2, ECAR-1

Associated with: CCI-000057 CCI-000130 CCI-001844 CCI-001851

SV-101r2_rule Non-standard SMF data collection options specified.

Vulnerability discussion

SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.

Check content

Refer to the following reports produced by the z/OS Data Collection: - EXAM.RPT(SMFOPTS) - EXAM.RPT(PARMLIB) - Alternate report; refer to the SMFPRMxx listing. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0370) NOTE: Issues with subtype 4 and 5 of type 30 records can be exempted from collection. The following is an example of the entry to perform this: SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84,IEFUJP,IEFUSO), INTERVAL(SMF,SYNC),NODETAIL) NOTE: If the JWT parameter is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these items is true, there is NO FINDING. 1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. 2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM or IAO. The IAM and/or IAO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. 3) The IAM and/or IAO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: (a) The time-out exception cannot exceed 60 minutes. (b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM or IAO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). (c) The requirement must be revalidated on an annual basis. Ensure SMF collection options are specified as stated below with exception of those specified in the above NOTEs. The settings for several parameters are critical to the collection process: ACTIVE Activates the collection of SMF data. JWT(15) The maximum amount of consecutive time that an executing job may spend as ineligible to use any CPU resources before being canceled for inactivity. (This may be extended if controlled through other means, e.g., a Session Manager or ACP.) MAXDORM(0500) Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. SID Specifies the system ID to be recorded in all SMF records SYS(DETAIL) Controls the level of detail recorded. SYS(INTERVAL) Ensures the periodic recording of data for long running jobs. SYS Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.

Fix text

The IAO will ensure that collection options for SMF Data are consistent with options specified below. Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below. The settings for several parameters are critical to the collection process: ACTIVE Activates the collection of SMF data. JWT(15) The maximum amount of consecutive time that an executing job may spend as ineligible to use any CPU resources before being canceled for inactivity. The requirement for Job Wait Time is 15 minutes. (This may be extended if controlled through other means, e.g., a Session Manager or ACP.) NOTE: The JWT parameter can be greater than 15 minutes if the system is processing unclassified information and the following items are reviewed. 1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. 2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM or IAO. The IAM and/or IAO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. 3) The IAM and/or IAO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: (a) The time-out exception cannot exceed 60 minutes. (b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM or IAO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). (c) The requirement must be revalidated on an annual basis. MAXDORM(0500) Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. SID Specifies the system ID to be recorded in all SMF records SYS(DETAIL) Controls the level of detail recorded. SYS(INTERVAL) Ensures the periodic recording of data for long running jobs. SYS Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types not listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer