STIG ID - BACF0015: Specify GSO BACKUP Record Time Fields

Set automatic backup procedures for ACF2 databases.
Severity: 2 - Medium
The GSO BACKUP record specifies the automatic backup procedures for the logonid, rule, and Infostorage databases. This record specifies a command that ACF2 issues internally upon successful completion of backup processing. GSO BACKUP can also dynamically allocate the backup work files if they are not preallocated.
Your organization must ensure that risk is reduced by implementing automatic backup of the ACF2 security databases.
This STIG article addresses how to set the automatic backup procedures for ACF2 security databases.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  1. List the GSO BACKUP record to determine if the CPUID(), PRISPACE(5), SECSPACE(5), STRING(S ACFBKUP), TIME(00:01), and WORKUNIT(VIO) fields are defined. These fields ensure that ACF2 security databases are backed up automatically on a system.
    SET CONTROL(GSO)
    CONTROL
    LIST BACKUP
    XXXX / BACKUP LAST CHANGED BY XXXXXXXX on 02/10/20-15:01
           #UNITS(1) BUFNO(1) SYSUT1 TIME(00:00)
    CONTROL
    In this example, none of the fields listed in step 1 are defined except TIME, although the value of (00:00) is different than suggested.
    • CPUID(smfid)
      Specifies the SMF ID of the CPU designated to take the automatic backups in a multi-CPU environment. ACF2 compares this field with the MVS system SMF ID. If the two do not match, ACF2 bypasses the automatic backup. Operators can take backups at any time from any CPU. Designate a single CPU in a multi-system configuration as the sole automatic backup processor. Masking cannot be used in the CPUID( ) field value. ACF2 interprets the dash and the asterisk as literal values and not as masking characters.
    • PRISPACE(5|nnn)
      Specifies the amount of primary work space to be allocated for backup processing. The units are expressed in cylinders. This field does not display if not entered.
      Default: 5
    • SECSPACE(5|nnnn)
      Specifies the amount of secondary workspace to be allocated for backup processing. Units are expressed in cylinders. If not entered, this field does not display.
      Default: 5
    • STRING(string)
      Specifies a text string that ACF2 issues when backup is completed. This text is usually an MVS START console command used to perform additional site-required processing. As part of the ACF2 database recovery facility, a procedure named ACFBKUP is placed into SYS1.PROCLIB during the installation process. You can use ACFBKUP or a similar facility to copy or merge the primary sequential backup data sets into the alternate VSAM clusters. If no string is specified, ACF2 does not issue a console command.
    • TIME(hh:mm|00:01)
      Specifies the time of day (24-hour format) when the backup is initiated. If you specify TIME(00:00), ACF2 does not perform a backup.
      Default: 00:01 AM
    • WORKUNIT(VIO|devicetype)
      Indicates the device type on which ACF2 dynamically allocates its work files for backup processing. Device names are VIO, SYSDA, or DISK. VIO is the default. You can also use a name of your own choice. This field does not display if not entered.
  2. If the GSO BACKUP record field values in step 1 are defined, your organization does not have an audit finding.
  3. If the GSO BACKUP record field values are not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO BACKUP control option. Limit all access to change GSO control options to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
  1. Configure the GSO BACKUP record field values to CPUID() PRISPACE(5) STRING(S ACFBKUP) TIME(00:01) and WORKUNIT(VIO), to back up ACF2 security databases on a system automatically.
    SET CONTROL(GSO)
    CONTROL
    CHANGE BACKUP CPUID() PRISPACE(5) SECSPACE(5) STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO)
    F ACF2,REFRESH(BACKUP)
    CONTROL
  2. Verify that the GSO BACKUP record field values changed:
    SET CONTROL(GSO)
    CONTROL
    LIST BACKUP
    XXXX / BACKUP LAST CHANGED BY XXXXXXXX on 02/10/20-15:01
           #UNITS(1) BUFNO(1) CPUID() PRISPACE(5) SECSPACE(5)
           STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO)
    CONTROL
    Automatic backup is defined and ACF2 issues the text string "S ACFBKUP" when a backup completes.
If ACF2 security databases are shared with other systems, follow the steps in this document to ensure that the shared security databases are also backed up on those systems automatically.
Your organization's risk is reduced by implementing automatic backup of the ACF2 security databases.
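The audit check in Identify Audit Finding and the verification in step 2 of the remediation can be run against a captured LIST BACKUP display. The following is an added example, not part of the original article or of ACF2: the function names and the sample listings are constructed for illustration, and it assumes field values contain no nested parentheses.

```python
import re

# Fields the article checks, with its suggested value (None = site-specific).
EXPECTED = {"CPUID": None, "PRISPACE": "5", "SECSPACE": "5",
            "STRING": "S ACFBKUP", "TIME": "00:01", "WORKUNIT": "VIO"}

# KEYWORD(value) pairs; assumes values contain no nested parentheses.
FIELD_RE = re.compile(r"#?([A-Z][A-Z0-9]*)\(([^()]*)\)")

def parse_backup_record(listing):
    """Return {FIELD: value} for the fields displayed after the record header."""
    _, header, body = listing.partition("LAST CHANGED BY")
    if not header:
        raise ValueError("no GSO BACKUP record header in listing")
    return {name: value.strip() for name, value in FIELD_RE.findall(body)}

def audit_backup_record(listing):
    """Return (findings, notes); an empty findings list means no audit finding."""
    fields = parse_backup_record(listing)
    findings, notes = [], []
    for name, want in EXPECTED.items():
        if name not in fields:
            findings.append(f"{name} is not defined")
        elif name == "TIME" and fields[name] == "00:00":
            # Assumption: a finding, since ACF2 takes no backup at TIME(00:00).
            findings.append("TIME(00:00) disables the automatic backup")
        elif want is not None and fields[name] != want:
            notes.append(f"{name}({fields[name]}) differs from suggested {name}({want})")
    return findings, notes

# Constructed sample listings, laid out after the two displays in this article.
BEFORE_LISTING = """SET CONTROL(GSO)
CONTROL
LIST BACKUP
XXXX / BACKUP LAST CHANGED BY XXXXXXXX on 02/10/20-15:01
       #UNITS(1) BUFNO(1) SYSUT1 TIME(00:00)
CONTROL
"""
AFTER_LISTING = """SET CONTROL(GSO)
CONTROL
LIST BACKUP
XXXX / BACKUP LAST CHANGED BY XXXXXXXX on 02/10/20-15:01
       #UNITS(1) BUFNO(1) CPUID() PRISPACE(5) SECSPACE(5) STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO)
CONTROL
"""

if __name__ == "__main__":
    for text in (BEFORE_LISTING, AFTER_LISTING):
        print(audit_backup_record(text))
```

A site-chosen value such as a larger PRISPACE is reported as a note rather than a finding, because the article only requires the fields to be defined.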
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCI is related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-000537
CCI: CCI-000537
Published Date: 2009-09-21
Definition: The organization conducts backups of system-level information contained in the information system per organization-defined frequency that is consistent with recovery time and point objectives.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CP-9 (b)
NIST: NIST SP 800-53 Revision 4 (v4): CP-9 (b)
NIST: NIST SP 800-53A (v1): CP-9.1 (v)