STIGQter: STIG Summary: z/OS CL/SuperSession for TSS STIG Version: 6 Release: 10 Benchmark Date: 27 Apr 2018:

CL/SuperSession is not properly configured to generate SMF records for audit trail and accounting reports.

DISA Rule

SV-27198r1_rule

Vulnerability Number

V-22689

Group Title

ZB000041

Rule Version

ZCLS0041

Severity

CAT II

CCI(s)

• CCI-000035 - The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.

Weight

10

Fix Recommendation

The Systems Programmer and IAO will review all session manager security parameters and control options for compliance. To ensure that the Session Manager generates SMF records for audit trail and accounting reports.

To provide an audit trail of user activity in CL/SuperSession, configure the Network Accounting Facility (NAF) to require SMF recording of accounting and audit data. Accounting to the journal data set is optional at the discretion of the site. To accomplish this, configure the following NAF startup parameters in the KLVINNAF member of the RLSPARM initialization parameter library as follows:

DSNAME= dsname Name of the NAF journal data set. Required only if the site is collecting accounting and audit data in the journal data set in addition to the SMF data.

MOD If the journal data set is used, this parameter should be set to ensure that logging data in the data set is not overwritten.

SMF=nnn SMF record number. This field is mandatory to ensure that CL/SuperSession data is always written to the SMF files.

Check Contents

a) Review the member KLVINNAF in the TLVPARM DD statement concatenation of the CL/Supersession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SMFOPTS)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZCLS0041)

b) If the SMF= field specifies an SMF record number, review the SMFOPTS report to verify SMF is writing that record type.

c) If SMF is writing the record number specified by SMF=, there is NO FINDING.

d) If the SMF= field does not specify an SMF record number, or SMF is not writing the record number specified by SMF=, this is a FINDING.

Vulnerability Number

V-22689

Documentable

False

Rule Version

ZCLS0041

Severity Override Guidance

a) Review the member KLVINNAF in the TLVPARM DD statement concatenation of the CL/Supersession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SMFOPTS)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZCLS0041)

b) If the SMF= field specifies an SMF record number, review the SMFOPTS report to verify SMF is writing that record type.

c) If SMF is writing the record number specified by SMF=, there is NO FINDING.

d) If the SMF= field does not specify an SMF record number, or SMF is not writing the record number specified by SMF=, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

1857

Comments