STIG ID - BACF0009: Restrict Use of REFRESH Attribute
Define REFRESH attribute
Severity: 2 - Medium
Unauthorized users may be able to change the external security manager's (ESM) system options, which can compromise the confidentiality, integrity, and availability of the operating system, ESM, or customer data.
ACF2 provides the ability to restrict who can activate security changes dynamically. For example, a logonid with the REFRESH command authority is able to dynamically activate changes made to ACF2 security on your system. The REFRESH attribute should be limited to security administrators and Information System Security Officers (ISSO).
Your organization must ensure that only authorized users can activate security changes dynamically.
This STIG article shows how to identify all logonids with the REFRESH command authority and how to remove that authority from unauthorized logonids. Ensure logonid records are defined in accordance with the recommendations set forth in this article.
Identify Audit Finding
Complete these steps to determine whether remediation is required:
- Run the ACFRPTSL Selected Logonid List report. The ACFRPTSL report lists all logonid records that match a set of selection criteria specified in the report JCL parameters. Use the ACFRPTSL ISPF panel to create your input and process the report.
- View the report to identify all logonids with REFRESH command authority.
- REFRESH|NOREFRESH: Specifies that a user can issue the F ACF2,REFRESH operator command. The REFRESH command lets you implement changes to global system options in your system. If a user requires permission to use the REFRESH command, the user must also have update access, with logging, to MVS.MODIFY.STC.jobname.logonid.
- If no unauthorized logonids include the REFRESH privilege, your organization does not have an audit finding.
- If unauthorized logonids include the REFRESH privilege, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) roles are authorized to have the REFRESH attribute and can dynamically refresh security records upon making appropriate unscoped or scoped security changes.
Follow these steps:
- Remove the REFRESH privilege from the identified unauthorized logonid (LID is the ACF command prompt shown after SET LID):
    SET LID
    LID
    CHANGE USER01 NOREFRESH
    LID
- Verify the REFRESH privilege was removed from logonid USER01:
    SET LID
    LID
    LIST USER01
    USER01 USER01 ...
    PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB SECURITY TSO ...
    LID
  USER01 no longer has the REFRESH privilege assigned to their logonid.
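The identify-and-remediate procedure above, carried out as an added compliance check (example code, not part of the original article or of ACF2): it parses a constructed, abbreviated LIST listing shaped like the PRIVILEGES output shown in this article, flags logonids that hold REFRESH but are not in an assumed authorized set (the ZSECTEAM roles), and emits the SET LID / CHANGE ... NOREFRESH commands from the remediation step. The listing layout, the logonid names and the AUTHORIZED_REFRESH set are assumptions for illustration.

```python
# Constructed sample: concatenated ACF2 LIST output for three logonids,
# abbreviated like the LIST USER01 output in this article (not real data).
SAMPLE_LISTING = """\
USER01 USER01 ...
PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB REFRESH SECURITY TSO ...
LID
SECADM1 SECADM1 ...
PRIVILEGES ACCOUNT JOB REFRESH SECURITY TSO ...
LID
USER02 USER02 ...
PRIVILEGES CICS JOB TSO ...
LID
"""

# Assumed: the only logonids authorized to hold REFRESH (ZSECTEAM roles).
AUTHORIZED_REFRESH = {"SECADM1"}


def parse_privileges(listing):
    """Return {logonid: set of privileges} from concatenated LIST output.
    Assumes each record opens with a line whose first token is the logonid,
    followed by a PRIVILEGES line; LID lines are the command prompt."""
    privs = {}
    current = None
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "LID":
            continue
        if tokens[0] == "PRIVILEGES" and current:
            privs[current] = {t for t in tokens[1:] if t != "..."}
        else:
            current = tokens[0]
            privs.setdefault(current, set())
    return privs


def find_findings(privs, authorized):
    """Logonids holding REFRESH that are not authorized: the audit finding."""
    return sorted(lid for lid, p in privs.items()
                  if "REFRESH" in p and lid not in authorized)


def remediation_commands(findings):
    """ACF command sequence from this article, one CHANGE per finding."""
    return ["SET LID"] + [f"CHANGE {lid} NOREFRESH" for lid in findings]


if __name__ == "__main__":
    findings = find_findings(parse_privileges(SAMPLE_LISTING), AUTHORIZED_REFRESH)
    if findings:
        print("Audit finding: unauthorized REFRESH on", ", ".join(findings))
        print("\n".join(remediation_commands(findings)))
    else:
        print("No audit finding")
```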
Keeping tight control on logonid privileges provides better protection to your organization's system and sensitive data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-002145 and CCI-002277
The information system enforces organization-defined circumstances or usage conditions for organization-defined information system accounts.
NIST: NIST SP 800-53 Revision 4 (v4): AC-2 (11)
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.
NIST: NIST SP 800-53 Revision 4 (v4): AC-16 (2)