STIG ID - BACF0001: Set GSO OPTS Record MODE Field Value to ABORT

How to determine if your organization is configured to prevent unauthorized access.
Severity: 1 - High
The MODE field in the GSO OPTS record defines what action ACF2 takes when an access request is considered a violation. ACF2 does not prevent access to data except in ABORT mode. Any mode other than ABORT places your entire operating system, applications, and data at risk, because security controls are not enforced. Your organization should ensure that the GSO OPTS record is set to ABORT mode, preventing unauthorized access.
The organization must ensure that the GSO OPTS record values are set to valid options.
This STIG article shows how to determine if your organization is configured to prevent unauthorized access.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Issue the ACF2 SHOW STATE command to identify whether the MODE field is set to ABORT. The MODE field defines what action ACF2 takes when an access request is considered a violation.
     ACF
     SHOW STATE
     RUNNING CA ACF2 REL 16 /MVS SPx.x.x; WITH MODE = WARN
     USING FDR ASSEMBLY: xx:xx xx/xx/xx
     In this example, the MODE field is set to WARN, which differs from the suggested value of ABORT.
     • MODE(ABORT|LOG|QUIET|WARN|RULE,norule,no$mode)
       • MODE(ABORT)
         Prevents unauthorized access to data. Logs violations and issues a violation message to the user.
       • MODE(LOG)
         Logs data set access violations and allows access. Use this mode after you have written basic access rules, to generate access violation reports and determine what access rules to write.
       • MODE(QUIET)
         Data set accesses are not validated or logged. Logonid, source, and other validations still take place. Use this mode until you have written basic access rules for your system, to reduce the number of access violations logged.
       • MODE(WARN)
         Logs data set access violations, issues warning messages, and allows access. The warning messages alert users that security is implemented on the system and that authorization is required to access the data set. Users can inform the ACF2 security administrator, who decides whether or not to permit access to the data set.
       • MODE(RULE)
         Validates rules for different data sets in different modes while migrating to full security. ACF2 checks for a $MODE statement in the rule set when it validates an access request. If there is no $MODE statement in the rule set, or if no rule set exists, the system-wide mode that is specified determines how access rules are processed.
       • norule
         Specifies the action (QUIET, LOG, WARN, or ABORT) for a data set access request if no rule set is found. Set this value to ABORT to ensure that all data sets are protected.
       • no$mode
         Specifies the action (QUIET, LOG, WARN, or ABORT) for a data set access request if no $MODE control statement is found in a rule set. Set this value to ABORT to ensure that all data sets are protected.
  2. If the GSO OPTS record is set to MODE(ABORT), your organization does not have an audit finding.
  3. If the GSO OPTS record MODE field is not set to ABORT, your organization has an audit finding. See Remediate Audit Finding.
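As an added defender-side check (example code written for this article, not Broadcom's or the STIG's own tooling), the following Python parses the MODE value out of SHOW STATE output or a GSO OPTS MODE(...) record display and reports the BACF0001 finding for both the identification step above and the post-remediation verification. The sample inputs are constructed; the three-value MODE(RULE,norule,no$mode) display form is assumed from the record syntax shown above.

```python
import re

# Constructed sample inputs in the layouts this STIG article shows:
# the SHOW STATE banner line and the GSO OPTS MODE(...) record syntax.
# Release and assembly values are the article's own placeholders.
SHOW_STATE_WARN = (
    "RUNNING CA ACF2 REL 16 /MVS SPx.x.x; WITH MODE = WARN\n"
    "USING FDR ASSEMBLY: xx:xx xx/xx/xx\n"
)
SHOW_STATE_ABORT = "RUNNING CA ACF2 REL 16 /MVS SPx.x.x; WITH MODE = ABORT\n"
OPTS_RECORD_RULE = "MODE(RULE,ABORT,LOG)"   # assumed form: mode, norule, no$mode

_SHOW_STATE_RE = re.compile(r"WITH MODE\s*=\s*([A-Z$]+(?:\s*,\s*[A-Z$]+)*)")
_OPTS_RECORD_RE = re.compile(r"MODE\(\s*([^)]*?)\s*\)")


def parse_mode(text: str) -> list[str]:
    """Extract the MODE setting from SHOW STATE output or a GSO OPTS record
    display.  Returns e.g. ['WARN'] or ['RULE', 'ABORT', 'LOG']
    (mode, norule, no$mode)."""
    m = _SHOW_STATE_RE.search(text) or _OPTS_RECORD_RE.search(text)
    if not m:
        raise ValueError("MODE field not found")
    return [p.strip().upper() for p in m.group(1).split(",") if p.strip()]


def bacf0001_finding(text: str) -> tuple[bool, str]:
    """Return (has_finding, reason) per STIG BACF0001: anything other than
    MODE(ABORT) is a finding, because only ABORT denies violating access."""
    modes = parse_mode(text)
    mode = modes[0]
    if mode == "ABORT":
        return False, "MODE(ABORT): unauthorized access is denied; no finding"
    if mode == "RULE":
        # RULE defers to each rule set's $MODE; norule/no$mode decide what
        # happens when no rule set or no $MODE exists.  Report them so the
        # remediation owner sees which defaults are weaker than ABORT.
        norule, nomode = (modes[1:3] + ["unspecified", "unspecified"])[:2]
        return True, (f"MODE(RULE) with norule={norule}, no$mode={nomode}: "
                      "finding; set MODE(ABORT)")
    return True, f"MODE({mode}) allows violating access: finding; set MODE(ABORT)"
```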
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the MODE. All access to change GSO OPTS should be limited to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO OPTS record MODE field to ABORT:
     SET CONTROL(GSO)
     CONTROL
     CHANGE OPTS MODE(ABORT)
     F ACF2, REFRESH(OPTS)
     CONTROL
     Setting the GSO OPTS MODE field to ABORT causes ACF2 to deny access requests that violate the access rules.
  2. Verify that MODE(ABORT) was added to the GSO OPTS record:
     ACF
     SHOW STATE
     RUNNING CA ACF2 REL 16 / MVS SPx.x.x; WITH MODE = ABORT
     USING FDR ASSEMBLY: xx.xx xx/xx/xx
     ACF2 is now set to prevent unauthorized access.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-000366, CCI-002358
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
CCI: CCI-002358
Published Date: 2013-06-25
Definition: The information system implements a reference monitor for organization-defined access control policies that is always invoked.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-25