Check: ACF0770
zOS ACF2 STIG: ACF0770 (in versions v6 r43 through v6 r30)
Title
The LOGONID with the ACCTPRIV attribute must be restricted to the IAO. (Cat II impact)
Discussion
Individuals with the ACCTPRIV attribute could add or delete users in SYS1.UADS and jeopardize the availability of the operating system, ACP, and customer data.
Check Content
Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTACPRV)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection:

- PDI(ACF0770)

Ensure that logonids with the ACCTPRIV attribute specified are assigned to the IAO.
Fix Text
The IAO will ensure Logonids with the ACCTPRIV attribute are only reserved for use by the IAOs and/or IAMs. The ACCTPRIV attribute cannot be scoped, and will be restricted exclusively to a site IAO:

Example:

SET LID
CHANGE logonid ACCTPRIV
Additional Identifiers
Rule ID: SV-173r2_rule
Vulnerability ID: V-173
Group Title: ACF0770
CCIs
Number | Definition |
---|---|
CCI-000035 | The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
Controls
Number | Title |
---|---|
AC-4 (11) | Configuration Of Security Policy Filters |