Check: ACF0640
zOS ACF2 STIG:
ACF0640
(in versions v6 r43 through v6 r30)
Title
There are started task LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record that are not listed as trusted and have not been specifically approved. (Cat II impact)
Discussion
The NON-CNCL attribute exempts a started task's logonid from access-rule enforcement: access that the rule sets would deny is still granted (and only logged). Assigning it to a logonid that is not an approved trusted started task could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data.
Check Content
a) Refer to the following report produced by the ACF2 Data Collection:
   - ACF2CMDS.RPT(ATTNOCNL)
   Automated Analysis: refer to the following report produced by the ACF2 Data Collection Checklist:
   - PDI(ACF0640)
b) Ensure that only logonids associated with trusted STCs have the NON-CNCL attribute specified.
   TRUSTED STCs: Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways:
   1) By analyzing an STC's access requirements and granting the requisite accesses.
   2) By considering these started tasks as trusted for the purpose of data set and resource access requests.
   The list of approved trusted started tasks is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.
c) If (b) above is true, there is NO FINDING.
d) If (b) above is untrue, there is a FINDING.
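The comparison in step (b) is mechanical once the report and the trusted table are in hand, so the following added example (not part of the STIG or of the ACF2 Data Collection tooling) automates it. The report text and the trusted-STC table are constructed samples; the one-logonid-per-line layout with attribute keywords is an assumed simplification, not the exact layout of ACF2CMDS.RPT(ATTNOCNL), and the optional approved-exceptions set stands in for the "specifically approved" clause of the title. It flags both trusted-table misses and NON-CNCL on a logonid that is not a started task at all.

```python
"""ACF0640 evaluation: NON-CNCL logonids that are not approved trusted STCs.

Added example, not from the STIG. The report layout is a constructed
simplification (logonid followed by attribute keywords), which is an
assumption about ACF2CMDS.RPT(ATTNOCNL), not its real format.
"""
from dataclasses import dataclass

# Constructed sample report: a title line, a column header, then one record
# per line consisting of the logonid and its attribute keywords.
SAMPLE_ATTNOCNL_REPORT = """\
ACF2CMDS.RPT(ATTNOCNL)  LOGONIDS WITH NON-CNCL   (constructed sample)
LOGONID   ATTRIBUTES
JES2      STC NON-CNCL RESTRICT
VTAM      STC NON-CNCL
BACKUP1   STC NON-CNCL
SMITHJ    NON-CNCL
TSOUSER   STC
"""

# Constructed stand-in for the TRUSTED STARTED TASKS table in the zOS STIG Addendum.
TRUSTED_STCS = frozenset({"JES2", "VTAM"})


@dataclass(frozen=True)
class Logonid:
    name: str
    attributes: frozenset


def parse_report(text):
    """Return one Logonid per record line; lines before the column header are ignored."""
    records = []
    in_body = False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not in_body:
            # The column header line marks the start of the records.
            in_body = fields[0] == "LOGONID"
            continue
        records.append(Logonid(fields[0], frozenset(fields[1:])))
    return records


def evaluate(records, trusted, approved_exceptions=frozenset()):
    """Return (logonid, reason) pairs for every NON-CNCL logonid that is neither
    in the trusted STC table nor specifically approved."""
    findings = []
    for rec in records:
        if "NON-CNCL" not in rec.attributes:
            continue
        if rec.name in trusted or rec.name in approved_exceptions:
            continue
        if "STC" in rec.attributes:
            reason = "STC not in TRUSTED STARTED TASKS table"
        else:
            reason = "NON-CNCL on a logonid that is not a started task (no STC attribute)"
        findings.append((rec.name, reason))
    return findings


def check_acf0640(report_text, trusted, approved_exceptions=frozenset()):
    """Apply steps (c) and (d): NO FINDING only when no unapproved NON-CNCL logonid exists."""
    findings = evaluate(parse_report(report_text), trusted, approved_exceptions)
    return ("FINDING" if findings else "NO FINDING"), findings


if __name__ == "__main__":
    status, findings = check_acf0640(SAMPLE_ATTNOCNL_REPORT, TRUSTED_STCS)
    print(status)
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

Feeding the real report in requires only replacing `parse_report` with a parser for the actual column layout; the evaluation logic (NON-CNCL present, logonid absent from the trusted table and from the site's documented approvals) is the whole of the check.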
Fix Text
Review all LOGONIDs with the NON-CNCL attribute. The IAO will ensure that only STCs in the trusted STC list can have the NON-CNCL attribute. The list of approved trusted STCs is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.
The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for STCs will not be used.
Certain started tasks performing critical operating system-related functions may be considered trusted for the purposes of data set and resource access requests. For these STCs all access requests will be honored. These STCs will be given the following attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets: NON-CNCL
Example:
SET LID
CHANGE logonid STC NON-CNCL
Additional Identifiers
Rule ID: SV-1r2_rule
Vulnerability ID: V-1
Group Title: ACF0640
Expert Comments
CCIs
Number | Definition
---|---
CCI-002145 | The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Controls
Number | Title
---|---
AC-2 (11) | Usage Conditions