
System Management Facility

The system management facility (SMF) is the primary audit trail in the z/OS environment. It journals a wide variety of system events, including access control software information, to the SMF data sets or log streams. Options specified in the system's logical parmlib (often SYS1.PARMLIB) control SMF. However, SMF exits and computer operator interventions can alter SMF processing.

Use the System Management Facility display (1.5) to review SMF information.

Auditor___________________________ Location___________________ Page____of____

Approved__________________________ CPU________________________ Date__________

Columns: Step | Description | W/P Ref | Finding | Remarks

Step 1

From the SMF Options Display (1.5.1), determine which member of the logical parmlib was used for SMF option specification.

Use the Parmlib Member Status display (2.1.2) to determine if this member was altered since the last review.

Step 2

If changes are detected in the logical parmlib member that you reviewed in Step 1, follow the steps outlined in the Parameter Library Checklist to verify that proper change-control authorization procedures were followed.

Step 3

Determine from the SMF Options Display (1.5.1) if operators are permitted to use the SETSMF command to change individual SMF parameters.

Step 4

If you found in Step 3 that operator overrides are permitted, verify that proper procedures and approvals control the use of the SETSMF command. The SETSMF command generates SMF loggings in the form of SMF type 90 records; as appropriate, check your installation's SMF options as noted in Step 6 to ensure that these records are not discarded. Look for evidence of managerial review.

Step 5

Determine from the SMF Options Display (1.5.1) if computer operators have the opportunity to specify a reason for the next system load (IPL). The PROMPT(IPLR) SMF option specifies this feature. The system message that prompts the operator for the reason for the IPL is:

    IEE956A REPLY-FTIME=HH.MM.SS,
    NAME=OPERATOR,
    REASON=(IPL REASON),OR 'U'

This is similar to the message LOGREC management produces:

    IFB010D ENTER IPL REASON,SUBSYSTEM ID OR 'U'

The SMF option does not control the LOGREC message.

Step 6

If data center procedures permit operators to specify an IPL reason, use the SMF Search Criteria display (1.5.4) to search for SMF records with record type 90. This lets you view the text of the operator's reply.

Step 7

Determine from the SMF Options Display (1.5.1) if the key SMF record types for audit, control, and security use are collected:

    Record type(s)                Contents
    0, 90                         System IPL, system status (includes SETSMF/SET SMF commands)
    7                             SMF lost data
    5, 35                         Job record (see type 30)
    4, 34                         Program record (see type 30)
    14, 15, 17, 18                Data set information
    60 through 69                 VSAM information
    80, 81                        RACF, CA Top Secret information
    230                           CA ACF2 (default)
    30 (replaces 4, 5, 34, 35)    Combined record
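The following Python script is an added example written for this checklist; it is not CA Auditor code and does not come from the page. It parses the SYS statement of an SMFPRMxx member (the TYPE/NOTYPE list syntax with comma-separated types and colon ranges such as 60:69, with /* */ comments stripped) and reports which of the key record type groups above would not be collected. The SMFPRMxx fragment is constructed for the example, SUBSYS overrides are not evaluated, and the all-types default applied when neither TYPE nor NOTYPE appears is an assumption to confirm against your release.

```python
import re

# Key SMF record types from Step 7, grouped by audit purpose. A group is
# satisfied when every type in one of its alternatives is collected; the
# job/program group accepts type 30 or the older 4, 5, 34 and 35.
KEY_GROUPS = [
    ("System IPL and system status (SETSMF/SET SMF)", [{0, 90}]),
    ("SMF lost data", [{7}]),
    ("Data set information", [{14, 15, 17, 18}]),
    ("VSAM information", [set(range(60, 70))]),
    ("RACF / CA Top Secret", [{80, 81}]),
    ("CA ACF2 (default type)", [{230}]),
    ("Job and program records", [{30}, {4, 5, 34, 35}]),
]


def expand_type_list(spec):
    """Expand an SMFPRMxx type list such as '0,7,14:18,60:69' into a set of ints."""
    types = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                      # colon range, e.g. 60:69
            lo, hi = (int(x) for x in item.split(":", 1))
            types.update(range(lo, hi + 1))
        else:
            types.add(int(item))
    return types


def _paren_body(text, open_pos):
    """Return the text inside the parenthesis that opens at text[open_pos]."""
    depth = 0
    for i in range(open_pos, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_pos + 1:i]
    raise ValueError("unbalanced parentheses in SMFPRMxx text")


def sys_collected_types(smfprm_text):
    """Record types the SYS statement collects. /* */ comments are stripped;
    SUBSYS(...) overrides for individual subsystems are not evaluated."""
    text = re.sub(r"/\*.*?\*/", " ", smfprm_text, flags=re.S)
    sys_stmt = re.search(r"\bSYS\s*\(", text)
    if not sys_stmt:
        raise ValueError("no SYS statement found")
    body = _paren_body(text, sys_stmt.end() - 1)
    notype = re.search(r"\bNOTYPE\s*\(", body)
    if notype:
        return set(range(256)) - expand_type_list(_paren_body(body, notype.end() - 1))
    typ = re.search(r"\bTYPE\s*\(", body)
    if typ:
        return expand_type_list(_paren_body(body, typ.end() - 1))
    # Assumption: with neither keyword, all types are collected (IBM's
    # documented default is TYPE(0:255)); confirm against your release.
    return set(range(256))


def missing_key_groups(smfprm_text):
    """Names of the Step 7 groups that the SYS statement does not collect."""
    collected = sys_collected_types(smfprm_text)
    return [name for name, alternatives in KEY_GROUPS
            if not any(alt <= collected for alt in alternatives)]


# Constructed SMFPRMxx fragment (not from a real system): type 7 and the
# VSAM types 60:69 are deliberately omitted so the check has something to find.
SAMPLE_SMFPRMXX = """
ACTIVE                           /* SMF RECORDING ON              */
PROMPT(IPLR)                     /* ASK OPERATOR FOR IPL REASON   */
SYS(TYPE(0,14,15,17,18,30,80,81,90,230),
    EXITS(IEFU83,IEFU84,IEFU85,IEFU29),
    INTERVAL(SMF,SYNC))
"""

if __name__ == "__main__":
    for group in missing_key_groups(SAMPLE_SMFPRMXX):
        print("NOT COLLECTED:", group)
```

Run against the constructed fragment, the script reports the lost-data (type 7) and VSAM (60:69) groups as not collected. Because SETSMF can change the live options after IPL, compare the result with what the SMF Options Display (1.5.1) shows rather than relying on the parmlib member alone.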


Step 8

If log streams are not active, determine the name and location of each SMF file from the SMF Files display (1.5.2).

You can use the ACCESS ("A") line command to query the ESM-specific entitlement controls for this data set.

Use your access control software system to verify that no one has update access authority to this critical system audit trail, except for operators that use the IFASMFDP SMF dump program. Any data set names can be used for SMF recording. Also, CA Auditor can review data on SMF data sets that were unloaded to tape, given the appropriate TSO mount authority.

If log streams are active, select a log stream to display the SMF record types being recorded.

Step 9

Determine that adequate procedures exist to ensure timely dumping of the SMF files or log streams to prevent data loss.

Use the SMF Search Criteria display (1.5.4) to search SMF type 7 records to detect lost records.

Step 10

Determine that the SMF dump programs IFASMFDP and IFASMFDL are executed from a write-protected library to ensure the program was not modified.

Use the Program Statistics Display (5.2) to detect superzaps and exits to these programs.

Step 11

Verify that adequate procedures and controls protect the SMF dump files produced from the MANx data sets and from log streams.

Determine that the key SMF records listed in Step 7 are archived long enough to permit adequate audit review.

Step 12

SMF exits can alter system processing drastically.

Use the SMF Exits display (1.5.3) to identify active exits. Then check the module length field to identify locally developed modules. IBM-distributed stubs should be 8 or 20 hexadecimal bytes. Although active, stubs can be null exits.

Step 13

Use the Program Freezer option (5.5) to lock the approved version of each SMF exit program so that you can detect changes to these exits in a later review.

Step 14

Split the display screen and use ISPF/PDF Copy (3.3) to create an archival copy of each SMF exit program that CA Auditor identified.

If the CA Auditor Program Freezer detects a change later, this lets the Program Comparison displays (5.3) show you exactly what was changed.

Step 15

The IEFU83, IEFU84, and IEFU85 exits can cancel SMF records. If you found any of these exits in Step 12, use the SMF Search Criteria display (1.5.4) to verify that key SMF records (listed in Step 7) are recorded in the SMF files.
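The following Python script is an added example for Steps 12 and 15, not CA Auditor code and not taken from the page. It applies the module length test from Step 12 to a list of active SMF exits and then picks out the locally developed IEFU83/IEFU84/IEFU85 exits that Step 15 says can cancel records, so the auditor knows which record-cancelling exits need the follow-up search in the SMF Search Criteria display. The four-column input layout and the sample rows are constructed for the example; the real 1.5.3 display is laid out differently, and the stub lengths are read as the hexadecimal values the display shows (X'8' and X'20').

```python
from dataclasses import dataclass

# Step 12: IBM-distributed stub lengths, taken as the hexadecimal values shown
# in the display (X'8' and X'20').
STUB_LENGTHS = {0x8, 0x20}

# Step 15: exits that can cancel SMF records before they are written.
RECORD_CANCELLING_EXITS = {"IEFU83", "IEFU84", "IEFU85"}


@dataclass
class ExitFinding:
    exit_name: str
    module: str
    length_hex: str
    classification: str      # "IBM stub" or "locally developed"
    can_cancel_records: bool


def parse_exit_display(lines):
    """Parse constructed 'EXIT MODULE LENGTH STATUS' rows. This layout is an
    assumption made for the example, not the CA Auditor 1.5.3 display format."""
    rows = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() == "EXIT":
            continue                      # skip the header and blank lines
        exit_name, module, length_hex, status = fields
        rows.append((exit_name.upper(), module.upper(),
                     length_hex.upper(), status.upper()))
    return rows


def classify_exits(lines):
    """Classify each active exit as an IBM stub or locally developed code."""
    findings = []
    for exit_name, module, length_hex, status in parse_exit_display(lines):
        if status != "ACTIVE":
            continue                      # inactive exits cannot alter SMF
        is_stub = int(length_hex, 16) in STUB_LENGTHS
        findings.append(ExitFinding(
            exit_name, module, length_hex,
            "IBM stub" if is_stub else "locally developed",
            exit_name in RECORD_CANCELLING_EXITS))
    return findings


def locally_developed_exits(lines):
    """Active exits whose module length does not match an IBM stub (Step 12)."""
    return sorted(f.exit_name for f in classify_exits(lines)
                  if f.classification == "locally developed")


def exits_needing_record_check(lines):
    """Active, locally developed IEFU83/84/85 exits: for these, verify with the
    SMF Search Criteria display that the key record types are still recorded (Step 15)."""
    return sorted(f.exit_name for f in classify_exits(lines)
                  if f.can_cancel_records and f.classification == "locally developed")


# Constructed sample rows; the module lengths and statuses are made up.
SAMPLE_EXIT_DISPLAY = """\
EXIT    MODULE   LENGTH  STATUS
IEFU83  IEFU83   0020    ACTIVE
IEFU84  IEFU84   0A28    ACTIVE
IEFU85  IEFU85   0008    ACTIVE
IEFU29  IEFU29   0B40    ACTIVE
IEFUJV  IEFUJV   0020    INACTIVE
""".splitlines()

if __name__ == "__main__":
    for f in classify_exits(SAMPLE_EXIT_DISPLAY):
        flag = " (can cancel records)" if f.can_cancel_records else ""
        print(f"{f.exit_name:8} {f.module:8} X'{f.length_hex}' {f.classification}{flag}")
    print("Verify key records for:", exits_needing_record_check(SAMPLE_EXIT_DISPLAY))
```

On the sample rows, IEFU84 and IEFU29 are reported as locally developed, and only IEFU84 is flagged for the Step 15 record check, since IEFU29 is not one of the record-cancelling exits. A stub-length match is only a first screen: a locally written exit can be padded to a stub length, so the Program Freezer (Step 13) and archival copies (Step 14) remain the controls that detect substitution.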