Check: ACF0610
zOS ACF2 STIG: ACF0610 (in versions v6 r43 through v6 r30)
Title
There are LOGONIDs associated with started tasks that have the MUSASS requirement but do not have both the MUSASS and NO-SMC specified in corresponding LOGONID records. (Cat II impact)
Discussion
If the LOGONID does not have the MUSASS attribute specified, there is no individual accountability within the associated address space. If NO-SMC is not specified the potential for VSAM data set corruption exists.
Check Content
a) Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTSTC)
- ACF2CMDS.RPT(ATTMUASS)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection Checklist:

- PDI(ACF0610)

b) Identify the started tasks that have a Multi-User Single Address Space System (MUSASS) requirement.

c) If every logonid associated with a started task that has the MUSASS requirement has the MUSASS and NO-SMC attributes, there is NO FINDING.

d) If any logonid associated with a started task that has the MUSASS requirement does not have the MUSASS and NO-SMC attributes, this is a FINDING.
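The decision in steps c) and d), as an added example that is not part of the STIG or of the ACF2 data collection tooling. The one-line-per-logonid listing, the logonid names and the extra REVIEW status (for a MUSASS started task with no record in the listing) are assumptions made for illustration; the real report layout is not reproduced here.

```python
REQUIRED = {"MUSASS", "NO-SMC"}  # attributes named in the check content

def parse_attributes(listing):
    """Parse 'LOGONID ATTR ATTR ...' lines (simplified, constructed layout)."""
    records = {}
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("*"):
            continue  # skip blank lines and comment lines
        records[fields[0].upper()] = {f.upper() for f in fields[1:]}
    return records

def evaluate(musass_stcs, records):
    """Apply steps c) and d) to the started tasks identified in step b)."""
    missing, unresolved = {}, []
    for lid in sorted({s.upper() for s in musass_stcs}):
        attrs = records.get(lid)
        if attrs is None:
            # Assumption: a logonid absent from the listing cannot be shown
            # compliant, so it is reported instead of silently passing.
            unresolved.append(lid)
        elif REQUIRED - attrs:
            missing[lid] = sorted(REQUIRED - attrs)
    if missing:
        status = "FINDING"
    elif unresolved:
        status = "REVIEW"  # hypothetical status, not a STIG result
    else:
        status = "NO FINDING"
    return status, missing, unresolved

# Constructed sample data: logonid followed by its attributes.
SAMPLE_LISTING = """\
* logonid  attributes
STCA  STC MUSASS NO-SMC
STCB  STC MUSASS
STCC  STC
STCD  STC NO-SMC
"""
# Step b) output: started tasks the analyst identified as MUSASS (constructed).
SAMPLE_MUSASS_STCS = ["STCA", "STCB", "STCD", "STCE"]

if __name__ == "__main__":
    status, missing, unresolved = evaluate(
        SAMPLE_MUSASS_STCS, parse_attributes(SAMPLE_LISTING))
    print(status)
    for lid, attrs in missing.items():
        print(f"  {lid}: missing {', '.join(attrs)}")
    for lid in unresolved:
        print(f"  {lid}: no logonid record in listing")
```

STCC is not flagged because it is not in the step b) list; only started tasks with the MUSASS requirement are evaluated.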
Fix Text
The IAO will ensure that if the STC is a Multi User Single Address Space System (MUSASS), the STC logonid has the MUSASS and NO-SMC attributes.

If the started task (STC) is a Multi User Single Address Space System (MUSASS), the STC logonid will also have the following attributes:

- MUSASS
- NO-SMC

Example:

    SET LID
    INSERT logonid STC MUSASS NO-SMC
Additional Identifiers
Rule ID: SV-162r2_rule
Vulnerability ID: V-162
Group Title: ACF0610
CCIs
Number | Definition |
---|---|
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts. |
Controls
Number | Title |
---|---|
AC-2 (11) | Usage Conditions |