STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: The ACP audit logs must be reviewed on a regular basis.

DISA Rule

SV-3331r3_rule

Vulnerability Number

V-3331

Group Title

ACP00320

Rule Version

ACP00320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The site must provide a Security Log Management policy that documents and implements a process to review and analyze information system audit records every seven days or more frequently if required by the site Security Log Management policy. This process must contain an audit trail of reviews. Recommend NIST Special Publication 800-92, Guide to Computer Security Log Management as a guideline for establishing Log Management policy.

DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module loads, unloads, and restarts.

Possible areas for review may be as follows:

1) A user attempting to read/update/delete/alter a critical dataset which the STIG prohibits:
a) Security database files, and security setup
b) System parmlib such as SYS1.PARMLIB
2) A user attempting to update (or greater access levels) system datasets which they would not have access to:
a) SYS1*, SYS2*, SYS3*, SYS4*, etc.
3) A user generating violation(s) attempting to update (or greater access levels) APF libraries
4) A user generating violation(s) attempting Volume Level access
5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs, and system level started tasks
6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS
7) A weekly review of users' password violations within a given day during the prior week, as these are an indicator for further review and research of possible unusual activity
8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond those specified above

Check Contents

Examine the documented process for audit trail reviews as well as the audit trail showing the reviews to ensure reviews and analysis of information system audit records are performed every seven days or more frequently if required by the site Security Log Management policy. DoD has defined the information system auditable events as successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module loads, unloads, and restarts.

Possible areas for review may be as follows:

1) A user attempting to read/update/delete/scratch/alter a critical dataset which the STIG prohibits:
a) Security database files, and security setup (parmlib)
b) System parmlib such as SYS1.PARMLIB
2) A user generating violation(s) while attempting to update (or greater level) operating system datasets which they do not have access to:
a) SYS1*, SYS2*, SYS3*, SYS4*, SYS*
3) A user generating violation(s) while attempting to update (or greater level) APF libraries
4) A user generating violation(s) while attempting Volume Level access
5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs and system level started tasks
6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS
7) A review of users' password violations within a given day during the prior week, as these are an indicator for further review and research of possible unusual activity
8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond those specified above

a) If any of the above unusual or inappropriate activity is found within the Audit Log records and documentation (email strings or other written documentation) exists showing actions were taken based upon the discovery of an unusual or inappropriate activity event, this is not a finding.

b) If any of the above unusual or inappropriate activity is found within the Audit Log records and NO documentation exists, this is a finding.
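The weekly triage the check and the fix recommendation describe, as an added example that is not part of the STIG text: it maps each violation record to one of the numbered review areas (critical and SYS* datasets, APF libraries, volume access, JESSPOOL, FACILITY/IBMFAC/OPERCMDS, password violations per user per day) and restricts the review to the prior seven days. It assumes the records have already been extracted from the audit log into dicts with constructed field names (user, date, class, resource, intent); the APF and security dataset lists and the sample records are constructed, not real site data.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from fnmatch import fnmatchcase

# Constructed site samples; a real site would load these from its own inventory.
APF_LIBRARIES = {"SYS1.LINKLIB", "SITE.APF.LOAD"}                            # area 3
SECURITY_DATASETS = {"SYS1.RACF", "SYS1.RACF.BACKUP", "SYS1.PARMLIB"}        # area 1
SYSTEM_DATASET_PATTERNS = ("SYS1.*", "SYS2.*", "SYS3.*", "SYS4.*", "SYS*")  # area 2
UPDATE_OR_HIGHER = {"UPDATE", "CONTROL", "ALTER"}

def classify(rec):
    """Map one violation record to a review area (1-7) from the check, or None."""
    cls, res, intent = rec["class"], rec["resource"], rec["intent"]
    if cls == "DATASET":
        if res in SECURITY_DATASETS:                 # any attempt, read through alter (area 1)
            return 1
        if res in APF_LIBRARIES and intent in UPDATE_OR_HIGHER:
            return 3                                 # tested before SYS*, which APF names also match
        if intent in UPDATE_OR_HIGHER and any(fnmatchcase(res, p) for p in SYSTEM_DATASET_PATTERNS):
            return 2
    if cls == "LOGON" and intent == "PASSWORD":
        return 7
    return {"DASDVOL": 4, "JESSPOOL": 5, "FACILITY": 6, "IBMFAC": 6, "OPERCMDS": 6}.get(cls)

def triage(records, today, review_days=7):
    """Bucket the prior week's violations by area and count password violations per user/day."""
    window_start = today - timedelta(days=review_days)
    by_area, pw_per_user_day = defaultdict(list), Counter()
    for rec in records:
        area = classify(rec)
        if area is None or not (window_start <= rec["date"] <= today):
            continue
        by_area[area].append(rec)
        if area == 7:
            pw_per_user_day[(rec["user"], rec["date"])] += 1
    return dict(by_area), dict(pw_per_user_day)

FIELDS = ("user", "date", "class", "resource", "intent")
SAMPLE = [dict(zip(FIELDS, r)) for r in [  # constructed records, not real audit output
    ("TSOUSR1", date(2020, 1, 20), "DATASET", "SYS1.PARMLIB", "READ"),
    ("TSOUSR2", date(2020, 1, 21), "DATASET", "SYS1.LINKLIB", "UPDATE"),
    ("TSOUSR2", date(2020, 1, 21), "DATASET", "SYS3.PROCLIB", "ALTER"),
    ("OPER1", date(2020, 1, 22), "OPERCMDS", "MVS.CANCEL.JOB", "UPDATE"),
    ("BATCH7", date(2020, 1, 22), "DATASET", "SYS1.PROD.DATA", "READ"),   # read only: not area 2
    ("TSOUSR3", date(2020, 1, 23), "LOGON", "", "PASSWORD"),
    ("TSOUSR3", date(2020, 1, 23), "LOGON", "", "PASSWORD"),
    ("TSOUSR3", date(2020, 1, 23), "LOGON", "", "PASSWORD"),
    ("TSOUSR4", date(2020, 1, 5), "DATASET", "SYS1.RACF", "READ"),        # outside the window
]]
```

Running `triage(SAMPLE, date(2020, 1, 24))` yields buckets for areas 1, 2, 3, 6 and 7 and three password violations for TSOUSR3 on one day; the read-only SYS1 access and the record older than seven days are left out.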

Vulnerability Number

V-3331

Documentable

False

Rule Version

ACP00320

Severity Override Guidance


Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

106

Comments