STIG ID - BACF0026: Set the GSO RESVOLS Record VOLMASK Field to Default

Define DASD and mass storage volumes to prevent exposure.
Severity: 2 - Medium
The GSO RESVOLS record defines DASD and mass storage volumes. All DASD volumes are protected by default. Volume access to data sets residing on a given volume presents an exposure. To ensure that the default is not compromised, you must submit justification documentation to the ZSECTEAM, who is responsible for setting the GSO RESVOLS record values.
The organization ensures that the GSO RESVOLS record value is set to the default to prevent exposure on storage volumes.
Changes to the GSO RESVOLS records must be justified, in writing, with supporting documentation.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO RESVOLS record and determine whether the default VOLMASK(-) is defined:
       SET CONTROL(GSO)
       CONTROL
       LIST RESVOLS
       XXXX / RESVOLS LAST CHANGED BY USER01 ON 07/25/19-09:20
         VOLMASK(-)
       CONTROL
     In this example, the default VOLMASK(-) is defined, which is the suggested guideline.
     • VOLMASK(mask1,...,mask255)
       Specifies 1 to 255 volume serial masks of up to six characters each. Two symbols can be used in RESVOLS to signify masking: the asterisk (*) and the dash (-). A dash represents all valid volumes that begin with the characters preceding the dash, or all volumes if the dash is used alone. An asterisk represents one or more masking (wildcard) characters and can be specified anywhere in the RESVOLS mask. The default is VOLMASK(-), meaning that all DASD volumes are protected by default at the data set name level. If the default setting is altered, you must specify each DASD volume in the GSO RESVOLS and SECVOLS records to ensure that the data is secure. The GSO SECVOLS record defines the DASD and tape volumes for which ACF2 provides volume-level protection.
  2. If the GSO RESVOLS record VOLMASK(-) field value is defined, your organization does not have an audit finding.
  3. If the GSO RESVOLS record VOLMASK field default is not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO RESVOLS record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view-only outside approved change windows.
Follow these steps:
  1. Verify that the required justification documentation was received by the ZSECTEAM before making changes to the GSO RESVOLS record. Do not proceed to the next step if authorization documentation was not received.
  2. Configure the GSO RESVOLS record VOLMASK field to the default (-), which signifies that all DASD volumes are protected at the data set name level:
       SET CONTROL(GSO)
       CONTROL
       CHANGE RESVOLS VOLMASK(-)
       F ACF2,REFRESH(RESVOLS)
       CONTROL
  3. Verify that the GSO RESVOLS record was changed:
       SET CONTROL(GSO)
       CONTROL
       LIST RESVOLS
       XXXX / RESVOLS LAST CHANGED BY USER01 ON 03/05/20-13:23
         VOLMASK(-)
       CONTROL
  4. List the GSO SECVOLS record to determine whether the default setting of VOLMASK(-) is set. The SECVOLS record defines the DASD and tape volumes for which volume-level protection is provided.
       LIST SECVOLS
       XXXX / SECVOLS LAST CHANGED BY USER01 ON 07/25/19-9:20
         VOLMASK(-)
     The default is set. No changes are required to the GSO SECVOLS record.
All DASD volumes at the data set name level are now protected.
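As an added compliance check, not part of this STIG and not ACF2's own tooling, the following Python script parses a constructed sample of the LIST RESVOLS / LIST SECVOLS output shown above, applies the audit rule (a finding exists unless the record carries exactly VOLMASK(-)) and, when a record has been narrowed to specific masks, reports which volumes of a constructed inventory are no longer covered. The listing text, the volume inventory and the mask-matching rule used here (a dash matches any remainder, or all volumes when used alone; each asterisk matches exactly one character) are assumptions made for this example.

```python
import re

# Constructed sample of the GSO listing output shown in this STIG (not captured
# from a live system). Header lines read "sysid / RECORD LAST CHANGED BY ...",
# followed by the record's VOLMASK(...) field.
COMPLIANT_LISTING = """\
XXXX / RESVOLS LAST CHANGED BY USER01 ON 03/05/20-13:23
  VOLMASK(-)
XXXX / SECVOLS LAST CHANGED BY USER01 ON 07/25/19-09:20
  VOLMASK(-)
"""

# Constructed listing in which RESVOLS was narrowed away from the default.
NARROWED_LISTING = """\
XXXX / RESVOLS LAST CHANGED BY USER01 ON 03/05/20-13:23
  VOLMASK(SYS-,PROD**,WORK01)
XXXX / SECVOLS LAST CHANGED BY USER01 ON 07/25/19-09:20
  VOLMASK(-)
"""

# Constructed DASD volume inventory used to show what a narrowed mask leaves out.
INVENTORY = ["SYSRES", "SYS001", "PROD01", "PRODAB", "WORK01", "WORK02", "USER01"]

_HEADER_RE = re.compile(r"/\s*(RESVOLS|SECVOLS)\s+LAST CHANGED BY")
_VOLMASK_RE = re.compile(r"VOLMASK\(([^)]*)\)")


def parse_gso_listing(listing):
    """Map each GSO record name found in the listing to its VOLMASK entries."""
    records = {}
    current = None
    for line in listing.splitlines():
        header = _HEADER_RE.search(line)
        if header:
            current = header.group(1)
            records.setdefault(current, [])
            continue
        field = _VOLMASK_RE.search(line)
        if field and current is not None:
            records[current] = [m.strip() for m in field.group(1).split(",") if m.strip()]
    return records


def audit_record(listing, record="RESVOLS"):
    """Apply the STIG check to one GSO record: (finding, detail).
    A finding exists unless the record carries exactly the default VOLMASK(-)."""
    masks = parse_gso_listing(listing).get(record)
    if masks is None:
        return True, "%s record not present in listing" % record
    if masks == ["-"]:
        return False, "%s VOLMASK(-) default is defined" % record
    return True, "%s VOLMASK(%s) is not the default (-)" % (record, ",".join(masks))


def mask_matches(mask, volser):
    """Evaluate one volume mask against a volser (blank-padded to six characters).
    Assumed semantics for this example: '-' matches everything after the prefix
    before it (everything when alone); each '*' matches exactly one character."""
    mask = mask.upper()
    volser = volser.upper().ljust(6)[:6]
    if "-" in mask:
        mask = mask[: mask.index("-")].ljust(6, "*")
    else:
        mask = mask.ljust(6)
    return all(m == "*" or m == v for m, v in zip(mask, volser))


def unprotected_volumes(listing, volsers, record="RESVOLS"):
    """Volumes from the inventory that no mask in the record covers, i.e. those
    that fall outside data-set-level protection after a narrowing."""
    masks = parse_gso_listing(listing).get(record, [])
    return [v for v in volsers if not any(mask_matches(m, v) for m in masks)]


if __name__ == "__main__":
    for name, listing in (("compliant", COMPLIANT_LISTING), ("narrowed", NARROWED_LISTING)):
        for record in ("RESVOLS", "SECVOLS"):
            finding, detail = audit_record(listing, record)
            print("%-9s %s: %s" % (name, "FINDING" if finding else "ok", detail))
        print("%-9s volumes not covered by RESVOLS: %s"
              % (name, unprotected_volumes(listing, INVENTORY)))
```

Run against a real listing, the script is only as good as the pasted output; the `unprotected_volumes` report is what turns a bare "not default" finding into the list of volumes that the justification documentation must account for.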
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001399, CCI-001199, CCI-000368, CCI-000369

CCI: CCI-001399
Published Date: 2009-09-22
Definition: The information system supports and maintains the binding of organization-defined security attributes to information in storage.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-16
NIST: NIST SP 800-53A (v1): AC-16.1 (ii)

CCI: CCI-001199
Published Date: 2009-09-21
Definition: The information system protects the confidentiality and/or integrity of organization-defined information at rest.
Type: technical
References:
NIST: NIST SP 800-53 (v3): SC-28
NIST: NIST SP 800-53 Revision 4 (v4): SC-28
NIST: NIST SP 800-53A (v1): SC-28.1

CCI: CCI-000368
Published Date: 2009-09-18
Definition: The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)

CCI: CCI-000369
Definition: The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)