Navigate

Check: ACF0310

zOS ACF2 STIG: ACF0310 (in versions v6 r43 through v6 r37)

Title

The EXITS GSO record value must specify the module names of site written ACF2 exit routines. (Cat II impact)

Discussion

The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any one of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during a migration process or contingency plan activation.

Check Content

a) Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0310) b) If the GSO EXITS record values conform to the following requirements, there is NO FINDING. Specifies the module names of site written ACF2 exit routines. NOTE: The DSNPOST exit is optional and is not required to be specified in the GSO EXITS record. DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) NOTE: No other exits are authorized at this time. NOTE: Local changes will be documented in writing with supporting documentation. c) If there is any deviation from the above requirements in the GSO EXITS record values, this is a FINDING.

Fix Text

The IAO will ensure the EXITS GSO value specifies the module names of site written ACF2 exit routines. Specifies the module names of site written ACF2 exit routines. NOTE: The DSNPOST exit is optional and is not required to be specified in the GSO EXITS record. DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) Example: SET C(GSO) INSERT EXITS DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) F ACF2,REFRESH(EXITS) NOTE: No other exits are authorized at this time. NOTE: Local changes will be justified in writing with supporting documentation.

Additional Identifiers

Rule ID: SV-136r3_rule

Vulnerability ID: V-136

Group Title: ACF0310

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000021	The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
CCI-000366	The organization implements the security configuration settings.
CCI-000368	The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
CCI-000764	The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000765	The information system implements multifactor authentication for network access to privileged accounts.
CCI-001764	The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-3 (2)	Dual Authorization
CM-6	Configuration Settings
CM-7 (2)	Prevent Program Execution
IA-2	Identification And Authentication (Organizational Users)
IA-2 (1)	Network Access To Privileged Accounts