STIG ID - BACF0027: Review GSO RULEOPTS Record Values

Set GSO RULEOPTS record options when implementing resource and access rules.
Severity: 2 - Medium
The GSO RULEOPTS record defines the options that determine how resource and access rules are used and maintained. If no GSO RULEOPTS record with a matching SYSID is found during the system IPL, ACF2 builds a default record dynamically.
Your organization will ensure that the GSO RULEOPTS record options that determine how resource and access rules are used and maintained are defined to the guidelines set forth in this STIG article.
This STIG article addresses what GSO RULEOPTS fields to consider when implementing resource and access rules to ensure protection of your site's sensitive data.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO RULEOPTS record and check how the following fields are set:
    • CENTRAL|NOCENTRAL
      Specifies whether the data owner has authority to store a set of access rules. With CENTRAL, only security administrators and users authorized through the %CHANGE or %RCHANGE feature can store rules. You can combine the NO-STORE field of the logonid record with NOCENTRAL in the GSO RULEOPTS record to give only selected users the ability to update their own rules.
      Default: NOCENTRAL, all users can update the access rule sets that correspond to the data sets they own.
    • $NOSORT|NO$NOSORT
      Specifies whether the rule set's $NOSORT control statement is processed. If you specify $NOSORT, ACF2 recognizes the $NOSORT control statement during rule compilation; that statement suppresses the normal ACF2 sorting of rules from most specific to most general. If you specify the default, NO$NOSORT, ACF2 ignores any $NOSORT control statement during rule compilation and sorts rule sets automatically.
      Default: NO$NOSORT
    • CHANGE|NOCHANGE
      Specifies whether the %CHANGE and %RCHANGE rule features are recognized. If you specify NOCHANGE, ACF2 ignores any %CHANGE or %RCHANGE control statement in a rule set when it determines whether a user has the authority to replace a rule.
      Default: CHANGE, which activates %CHANGE and %RCHANGE authorization.
    • COMPDYN|NOCOMPDYN
      Specifies whether ACF2 may switch to the 32K compiler when compiling a rule set. With COMPDYN, ACF2 uses the 4K rule-format compiler by default and switches dynamically to the 32K compiler if the 4K compiler fails with an out-of-buffer condition, for example because the rule set is too large to fit in a 4K buffer. With COMPDYN, the $NORULELNG control statement is not needed to compile rule sets of varying size.
      Default: NOCOMPDYN
    • RULELONG|NORULELONG
      Specifies whether rules longer than 4K can be used. NORULELONG, the default, compiles and stores rules in the current format with a 4K limit. RULELONG selects a formatted access and resource rule record that can expand beyond 4K to a maximum of 32K; the Rules and Infostorage databases must be redefined to accommodate the greater length.
      Default: NORULELONG
    SET CONTROL(GSO)
    CONTROL
    XXXX / RULEOPTS LAST CHANGED BY USER01 ON 01/11/18-13:55
       NOCENTRAL NO$NOSORT CHANGE COMPDYN DECOMP(AUDIT SECURITY) RULELONG
    In this example, NOCENTRAL differs from the suggested value of CENTRAL. Compare every field in the listing against the values required in step 2, not only the one shown here, and ensure all GSO RULEOPTS record values are defined in accordance with the recommendations in this article.
  2. If the GSO RULEOPTS record fields CENTRAL, NO$NOSORT, CHANGE, NOCOMPDYN, DECOMP(AUDIT SECURITY), and NORULELONG are defined, your organization does not have an audit finding.
  3. If the GSO RULEOPTS record fields CENTRAL, NO$NOSORT, CHANGE, NOCOMPDYN, DECOMP(AUDIT SECURITY), and NORULELONG are not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO RULEOPTS record. Limit change access to GSO records to approved change windows and reduce it to view only outside those windows.
Follow these steps:
  1. Configure the GSO RULEOPTS record CENTRAL field so that only security administrators have authority to store a set of access rules. Before doing so, confirm that any data owners who legitimately maintain their own rules are covered by %CHANGE or %RCHANGE entries, because CENTRAL removes their ability to store rule sets:
    SET CONTROL(GSO)
    CONTROL
    CHANGE RULEOPTS CENTRAL
    Then refresh the record from the z/OS operator console so the change takes effect without an IPL:
    F ACF2,REFRESH(RULEOPTS)
  2. Verify that the GSO RULEOPTS record CENTRAL field was changed:
    SET CONTROL(GSO)
    CONTROL
    XXXX / RULEOPTS LAST CHANGED BY USER01 ON 03/17/20-13:55
       CENTRAL NO$NOSORT CHANGE COMPDYN DECOMP(AUDIT SECURITY) RULELONG
    CONTROL
The options that determine how resource and access rules are used and maintained are now defined to the suggested guidelines.
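The check in steps 1 to 3 of Identify Audit Finding and the CHANGE/REFRESH sequence in the remediation can be applied to many LPARs from captured ACF output. The following Python script is an added example written for this article, not part of the STIG, of ACF2, or of any vendor tool: it parses a RULEOPTS listing (the transcript embedded in it is constructed to mirror the display shown above, with a LIST RULEOPTS command and the CONTROL mode prompt), maps NO-prefixed keywords onto the field they set, compares each field against the values required in step 2, and emits the CHANGE and F ACF2,REFRESH commands for every deviation, including a field that is missing from the listing. The field names and required values are the article's; the parser, the helper names and the decision to carry all keywords in one CHANGE (standard ACF2 CHANGE syntax) are ours.

```python
"""Audit an ACF2 GSO RULEOPTS listing against the values required by this
STIG article. Added example; the listing below is constructed, not captured
from a real system."""
import re

# Required values from step 2 of "Identify Audit Finding", keyed by the
# field name so that a NO-prefixed keyword maps onto the field it sets.
REQUIRED = {
    "CENTRAL": "CENTRAL",
    "$NOSORT": "NO$NOSORT",
    "CHANGE": "CHANGE",
    "COMPDYN": "NOCOMPDYN",
    "DECOMP": "DECOMP(AUDIT SECURITY)",
    "RULELONG": "NORULELONG",
}

# Constructed ACF session transcript: SET CONTROL(GSO), the CONTROL mode
# prompt, a LIST of the record, and the record display itself.
SAMPLE_LISTING = """\
SET CONTROL(GSO)
CONTROL
LIST RULEOPTS
XXXX / RULEOPTS LAST CHANGED BY USER01 ON 01/11/18-13:55
   NOCENTRAL NO$NOSORT CHANGE COMPDYN DECOMP(AUDIT SECURITY) RULELONG
CONTROL
"""

HEADER_RE = re.compile(r"^\s*(\S+)\s*/\s*RULEOPTS LAST CHANGED BY (\S+) ON (\S+)")
# A keyword is an upper-case name (ACF2 names may contain $, # and @),
# optionally followed by a parenthesised value that may contain spaces.
TOKEN_RE = re.compile(r"[A-Z0-9$#@]+(?:\([^)]*\))?")


def field_name(token):
    """Map a listed keyword onto its field: NOCENTRAL -> CENTRAL,
    NO$NOSORT -> $NOSORT, DECOMP(AUDIT SECURITY) -> DECOMP."""
    name = token.split("(", 1)[0]
    if name in REQUIRED:
        return name
    if name.startswith("NO") and name[2:] in REQUIRED:
        return name[2:]
    return name


def parse_ruleopts(listing):
    """Return (sysid, fields); fields maps field name -> keyword as listed.
    Only lines after the 'LAST CHANGED BY' header are record content; the
    commands typed and the CONTROL mode prompt are skipped."""
    lines = listing.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m:
            break
    else:
        raise ValueError("no RULEOPTS record header found in listing")
    fields = {}
    for line in lines[i + 1:]:
        if not line.strip() or line.strip() == "CONTROL":
            break  # end of the record display, back at the mode prompt
        for tok in TOKEN_RE.findall(line):
            fields[field_name(tok)] = tok
    return m.group(1), fields


def find_deviations(fields):
    """List (field, listed keyword or None, required keyword) for every
    required field that is absent from the listing or set differently."""
    out = []
    for name, want in REQUIRED.items():
        got = fields.get(name)
        if got is None or " ".join(got.split()) != want:
            out.append((name, got, want))
    return out


def remediation_commands(deviations):
    """ACF subcommands plus the operator REFRESH that bring the record into
    line, following the remediation steps above (one CHANGE for all fields)."""
    if not deviations:
        return []
    keywords = " ".join(want for _, _, want in deviations)
    return ["SET CONTROL(GSO)", f"CHANGE RULEOPTS {keywords}", "F ACF2,REFRESH(RULEOPTS)"]


def audit(listing):
    """Parse a listing and return (sysid, deviations, remediation commands)."""
    sysid, fields = parse_ruleopts(listing)
    devs = find_deviations(fields)
    return sysid, devs, remediation_commands(devs)


if __name__ == "__main__":
    sysid, devs, cmds = audit(SAMPLE_LISTING)
    print(f"SYSID {sysid}: {'no audit finding' if not devs else 'AUDIT FINDING'}")
    for name, got, want in devs:
        print(f"  {name}: listed {got or '(absent)'}, required {want}")
    for cmd in cmds:
        print("  " + cmd)
```

Run it against the output of a batch ACF job's SYSPRINT for each SYSID; the header line carries the SYSID, so several records concatenated in one file can be split on it. The generated F ACF2,REFRESH(RULEOPTS) is an operator command for the z/OS console, not an ACF subcommand, and should only be issued inside an approved change window.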
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000366, CCI-000368, CCI-000369
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
CCI: CCI-000368
Published Date: 2009-09-18
Definition: The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)
CCI: CCI-000369
Published Date: 2009-09-18
Definition: The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)