STIG ID - BACF1027: Limit Access to Security Databases and Data Sets

Severity: 1 - High
ACF2 database files contain all access control information for the operating environment and system resources. ACF2 verifies a user's identity and allows or denies access to data sets and resources. ACF2 determines whether a user has authority by searching one of its three databases: logonid, rule, and Infostorage. Unauthorized access could result in the compromise of your organization's operating system environment, external security manager, and customer data.
The organization must ensure that read or greater access to all ACF2 files and databases is limited to system programmers or security personnel and to batch jobs that perform ACF2 maintenance. If additional batch job backups of the ACF2 security databases are performed, the batch job userid is authorized to have read access.
This STIG article shows how to review access authorizations to ACF2 database files and how to limit write or greater access to only system programmers.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Review access to ACF2 database files and ensure the following:
    • The ACF2 started task has access as required.
    • Write or greater access is limited to system programmers for the limited period of time during performance of ACF2 maintenance functions.
    • All access to ACF2 files must be logged.
    • No other users have access to ACF2 security database files.
    Issue the following ACF2 command from TSO. The ACFUNIX command is available with ACF2 maintenance CARS1912 or PTF SO07541. If you do not have this maintenance applied, issue "ACCESS DSN(SYS3.ACF2)" from the ACF command to obtain the same results.
    TSO ACFUNIX access dsn('sys3.acf2')
    ACCESS Subcommand Results as of 08/04/20-2:20 for: SYS3.ACF2
    $Key: SYS3 Ruleline: ACF2 UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
    ***
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to ACF2 database files, and all activity is logged.
  2. If write or greater access to ACF2 database files is limited as indicated in step 1 and all access is logged,
    your organization does not have an audit finding.
  3. If any item in step 1 is found to be false,
    your organization has an audit finding.
    See Remediate Audit Findings.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to ACF2 database files and batch jobs that perform ACF2 maintenance is limited to only system programmers, that read access is limited to auditors and DASD batch on an as-needed basis, and that all activity is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Identify who has access to the ACF2 database data sets:
    Set rule
    DECOMP SYS3
    ACF75052 ACCESS RULE SYS3 STORED BY USER01 ON 04/29/20-10:15
    $KEY(SYS3)
    - UID(*) READ(L) EXEC(L)
    ACF75051 TOTAL RECORD LENGTH= 93 BYTES, 2 PERCENT UTILIZED
    RULE
  3. Modify the rule if access is not correct:
    RECKEY SYS3 MOD(ACF2.- UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L))
    Or, if using ROLES:
    RECKEY SYS3 MOD(ACF2.- ROLE(ZOSSYSP1) READ(L) WRITE(L) ALLOC(L) EXEC(L))
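The check in step 1 above (write or greater only for system programmers, every permission logged, nobody else allowed) and the decompiled rule reviewed in remediation step 2 can be evaluated mechanically over the rule lines. The following is an added example, not part of this STIG article or of the ACF2 product; the approved subject lists and the simplified data set mask matching are assumptions, and the two rule texts are constructed from the page's before and after rules.

```python
import re
from typing import List

# Constructed sample: the decompiled SYS3 rule shown before remediation.
BEFORE_RULE = """$KEY(SYS3)
- UID(*) READ(L) EXEC(L)
"""
# Constructed sample: the SYS3 rule after the RECKEY change in step 3.
AFTER_RULE = """$KEY(SYS3)
ACF2.- UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
"""

# Hypothetical policy (assumption): subjects, written as they appear in the rule,
# that may hold write-or-greater, and subjects limited to read-only (auditors, DASD batch).
SYSPROG_SUBJECTS = {"UID(*****SYSPROG)", "ROLE(ZOSSYSP1)"}
READ_ONLY_SUBJECTS = {"UID(*****AUDIT)", "UID(*****DASDBAT)"}

LINE_RE = re.compile(r"^(?P<dsn>\S+)\s+(?P<subj>(?:UID|ROLE)\([^)]*\))\s*(?P<perms>.*)$", re.I)
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([APL])\)", re.I)


def covers_acf2(dsn_mask: str) -> bool:
    """Simplified ACF2 mask test: '-' reaches everything under $KEY, 'ACF2.-' the ACF2 files."""
    mask = dsn_mask.upper()
    return mask == "-" or mask.startswith("ACF2")


def evaluate_rule(rule_text: str) -> List[str]:
    """Return one finding per permission on a rule line that can reach the ACF2 databases."""
    findings = []
    for raw in rule_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not covers_acf2(m["dsn"]):
            continue  # $KEY header, blank lines, and lines for unrelated data sets
        subject = m["subj"].upper()
        for access, flag in PERM_RE.findall(m["perms"]):
            access, flag = access.upper(), flag.upper()
            if flag == "P":
                continue  # explicitly prevented: nothing is granted
            if flag == "A":  # allowed but not logged; the STIG requires (L)
                findings.append(f"{subject}: {access} permitted without logging (needs {access}(L))")
            if access in ("WRITE", "ALLOC") and subject not in SYSPROG_SUBJECTS:
                findings.append(f"{subject}: {access} not limited to system programmers")
            if access in ("READ", "EXEC") and subject not in SYSPROG_SUBJECTS | READ_ONLY_SUBJECTS:
                findings.append(f"{subject}: {access} granted to users outside the approved list")
    return findings
```

Run it over the DECOMP output of the rule set that covers the ACF2 data sets; an empty list means the three logging and scope conditions hold for every rule line, while the UID(*) line of the before rule produces a finding for each access type it grants.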
Implementing controls on the ACF2 database files protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-001499, CCI-002234, CCI-002357
CCI: CCI-000099
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI: CCI-001499
Published Date: 2009-09-29
Definition: The organization limits privileges to change software resident within software libraries.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-5 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
NIST: NIST SP 800-53A (v1): CM-5 (6).1
CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)
CCI: CCI-002357
Published Date: 2013-06-25
Definition: The information system implements a reference monitor for organization-defined access control policies that is tamperproof.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-25