Check: ACF0670
zOS ACF2 STIG:
ACF0670
(in versions v6 r43 through v6 r30)
Title
There are GSO MAINT records that do not have corresponding maintenance LOGONIDs. (Cat III impact)
Discussion
If a GSO MAINT record exists without a corresponding maintenance LOGONID, a LOGONID of that name could be intentionally created to match the record, and the maintenance programs it names could then be used to gain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data.
Check Content
a) Refer to the following reports produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ACFGSO)
- ACF2CMDS.RPT(ATTMAINT)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection Checklist:
- PDI(ACF0670)

b) If every GSO MAINT record has a corresponding maintenance logonid, there is NO FINDING.

c) If any GSO MAINT record does not have a corresponding maintenance logonid, this is a FINDING.
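As an added illustration of steps b) and c), not part of the STIG or of the ACF2 Data Collection tooling, the following Python compares a constructed listing of GSO MAINT records against a constructed list of logonids carrying the MAINT attribute and reports every MAINT record whose LID has no matching logonid. The listing formats, record names, library and program names are assumptions made for the sample.

```python
import re

# Constructed sample of GSO MAINT records (LID/LIB/PGM fields), written in a
# simplified listing style; the layout is an assumption, not an ACFGSO extract.
GSO_MAINT_SAMPLE = """\
MAINT.DFHSM   LID(DFSMSHSM) LIB(SYS1.LINKLIB) PGM(ARCCTL)
MAINT.CATMNT  LID(CATMAINT) LIB(SYS1.LINKLIB) PGM(IDCAMS)
MAINT.TSMNT   LID(TSMAINT)  LIB(SYS2.LINKLIB) PGM(TSMAINT)
"""

# Constructed sample of logonids that carry the MAINT attribute
# (the kind of data the ATTMAINT report provides; layout is an assumption).
LOGONID_SAMPLE = """\
DFSMSHSM  MAINT
CATMAINT  MAINT
"""

MAINT_RE = re.compile(
    r"^(MAINT\S*)\s+LID\(([^)]+)\)\s+LIB\(([^)]+)\)\s+PGM\(([^)]+)\)"
)


def parse_maint_records(text):
    """Return (record, lid, lib, pgm) tuples for each MAINT record line."""
    records = []
    for line in text.splitlines():
        m = MAINT_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def parse_maint_logonids(text):
    """Return the set of logonids whose attribute list includes MAINT."""
    lids = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "MAINT" in parts[1:]:
            lids.add(parts[0].upper())
    return lids


def find_orphan_maint_records(gso_text, lid_text):
    """ACF0670 check: MAINT records whose LID has no maintenance logonid."""
    lids = parse_maint_logonids(lid_text)
    return [r for r in parse_maint_records(gso_text) if r[1].upper() not in lids]


def evaluate(gso_text, lid_text):
    """Return ('FINDING' or 'NO FINDING', list of orphan records)."""
    orphans = find_orphan_maint_records(gso_text, lid_text)
    return ("FINDING" if orphans else "NO FINDING"), orphans


if __name__ == "__main__":
    status, orphans = evaluate(GSO_MAINT_SAMPLE, LOGONID_SAMPLE)
    print(status)
    for rec, lid, lib, pgm in orphans:
        print(f"  {rec}: LID({lid}) has no maintenance logonid; LIB({lib}) PGM({pgm})")
```

With the sample data the third record, MAINT.TSMNT, is reported because no logonid TSMAINT carries the MAINT attribute, so the result is a FINDING.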
Fix Text
The IAO will ensure that an associated user logonid exists for each special GSO maintenance record, identifying the program(s) that it is permitted to access and the library where the program(s) reside. An associated GSO MAINT record will exist for each special user logonid, identifying the program(s) that it is permitted to access and the library where the program(s) reside.

Example:
SET LID
CHANGE DFSMSHSM MAINT
Additional Identifiers
Rule ID: SV-167r2_rule
Vulnerability ID: V-167
Group Title: ACF0670
Expert Comments
CCIs
Number | Definition
---|---
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
CCI-002883 | The information system restricts the use of maintenance tools to authorized personnel only.
CCI-003014 | The information system enforces organization-defined mandatory access control policies over all subjects and objects.