Check: ACF0730
zOS ACF2 STIG:
ACF0730
(in versions v6 r43 through v6 r30)
Title
There are no procedures to utilize the LOGONID with the REFRESH attribute. (Cat III impact)
Discussion
Individuals could effect unauthorized or inadvertent changes to ACP global system options. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.
Check Content
a) Refer to the following report produced by the ACF2 Data Collection:
   - ACF2CMDS.RPT(ATTREFSH)
b) If procedures exist in accordance with the STIG requirements to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, there is NO FINDING.
   Example: When the IAO determines it necessary to refresh the ACF2 global options, the IAO will do the following:
   1) Activate the REFRESH ID with the following setting(s): NOSUSPEND NOPSWD EXP PASSWORD(new password)
   2) Instruct Operations to perform the REFRESH.
   3) Deactivate the REFRESH ID with the following setting: SUSPEND
c) If no procedures exist in accordance with the STIG requirements to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is a FINDING.
Fix Text
The IAO will ensure procedures and documentation as defined below only exist for the use of LOGONIDs with the REFRESH attribute.
Review security procedures for defining LOGONIDs and ensure documentation includes requirements for the LOGONID associated with the REFRESH attribute.
Example: When the IAO determines it necessary to refresh the ACF2 global options, the IAO will do the following:
1) Activate the REFRESH ID with the following setting(s): NOSUSPEND NOPSWD EXP PASSWORD(new password)
2) Instruct Operations to perform the REFRESH.
3) Deactivate the REFRESH ID with the following setting: SUSPEND
Additional Identifiers
Rule ID: SV-170r2_rule
Vulnerability ID: V-170
Group Title: ACF0730
CCIs
Number | Definition |
---|---|
CCI-000225 | The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
CCI-002393 | The organization defines the security safeguards to be employed to protect the availability of information system resources. |