Check: ACF0660
zOS ACF2 STIG: ACF0660 (in versions v6 r43 through v6 r30)
Title
There are maintenance LOGONIDs that do not have corresponding GSO MAINT records. (Cat III impact)
Discussion
Users may execute programs without ACP security checking or auditing. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data.
Check Content
a) Refer to the following reports produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ACFGSO)
- ACF2CMDS.RPT(ATTMAINT)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection Checklist:
- PDI(ACF0660)

b) If every maintenance logonid has a corresponding GSO MAINT record, there is NO FINDING.

c) If any maintenance logonid does not have a corresponding GSO MAINT record, this is a FINDING.
Fix Text
The IAO will ensure that an associated GSO maintenance record exists for each special user logonid identifying the program(s) that it is permitted to access and the library where the program(s) resides.

An associated GSO MAINT record will exist for each special user logonid, identifying the program(s) that it is permitted to access and the library where the program(s) resides. Every maintenance logonid has a corresponding GSO MAINT record.

Example:

SET C(GSO)
INSERT MAINT.DFSMSHSM LIBRARY(SYS1.LINKLIB) LID(HSMDFDSS) PGM(ADRDSSU)

F ACF2,REFRESH(MAINT)
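The cross-check in steps b) and c), sketched as an added example that is not part of the STIG or of the ACF2 Data Collection tooling. It assumes the maintenance logonids and the GSO MAINT records have already been extracted from the two reports into the simplified form shown; the sample values other than the DFSMSHSM record are constructed, and the real report layouts differ.

```python
import re

# Constructed sample input (assumption: already extracted from the
# ATTMAINT and ACFGSO reports; the real report layouts are different).
MAINT_LOGONIDS = ["HSMDFDSS", "SMFDUMP", "TAPEINIT"]
GSO_MAINT_RECORDS = [
    # Record taken from the Fix Text example.
    "MAINT.DFSMSHSM LIBRARY(SYS1.LINKLIB) LID(HSMDFDSS) PGM(ADRDSSU)",
    # Constructed record that names no library.
    "MAINT.SMF LID(SMFDUMP) PGM(IFASMFDP)",
]

# Operands of a GSO MAINT record as they appear in the Fix Text example.
OPERAND = re.compile(r"\b(LIBRARY|LID|PGM)\(([^)]*)\)")
REQUIRED = ("LIBRARY", "LID", "PGM")


def parse_maint_record(text):
    """Split 'MAINT.qual KEY(value) ...' into the record name and operands."""
    text = text.strip().upper()
    name = text.split()[0]
    if not name.startswith("MAINT"):
        raise ValueError(f"not a GSO MAINT record: {name}")
    fields = {key: value.strip() for key, value in OPERAND.findall(text)}
    return {"name": name, **fields}


def audit(logonids, records):
    """Return (logonids with no MAINT record, records missing an operand)."""
    parsed = [parse_maint_record(r) for r in records]
    covered = {p["LID"] for p in parsed if p.get("LID")}
    wanted = {lid.strip().upper() for lid in logonids}
    # Step c): any maintenance logonid without a record is a finding.
    missing = sorted(wanted - covered)
    # Fix Text: each record identifies the program and the library.
    incomplete = sorted(
        p["name"] for p in parsed if not all(p.get(k) for k in REQUIRED)
    )
    return missing, incomplete


if __name__ == "__main__":
    missing, incomplete = audit(MAINT_LOGONIDS, GSO_MAINT_RECORDS)
    print("FINDING" if missing else "NO FINDING")
    for lid in missing:
        print(f"  logonid {lid} has no GSO MAINT record")
    for name in incomplete:
        print(f"  record {name} does not name library, logonid and program")
```
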
Additional Identifiers
Rule ID: SV-166r2_rule
Vulnerability ID: V-166
Group Title: ACF0660
CCIs
Number | Definition |
---|---|
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. |
CCI-002883 | The information system restricts the use of maintenance tools to authorized personnel only. |