STIG ID - BACF0032: Clear Password During TSO Logon Process

Define the GSO TSOCRT record fields to clear the text display.
Severity: 2 - Medium
To provide extra security during the logon process, ACF2 lets you control how your ID is displayed during logon. A strong logon policy protects your organization's operating system environment, external security manager, and customer data.
Your organization will ensure that a strong TSO logon process policy is implemented.
This STIG article shows how to define the GSO TSOCRT record field values so that the text display is cleared while signing on to ASCII CRT devices.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO TSOCRT record to determine if the field value is defined to the default of STRING(A12FA11C1A270C0D).
    SET CONTROL(GSO)
    CONTROL
    LIST TSOCRT
    XXXX / TSOCRT LAST CHANGED BY USER01 ON 10/15/15-9:20
      STRING(hhhhhhhhhhhh...h)
    CONTROL
    In this example, the default value of STRING(A12FA11C1A270C0D) is not defined. Ensure that the GSO TSOCRT record value is defined to the default, which complies with the recommendation in this article.
    • STRING(A12FA11C1A270C0D|hhhhhhhhhhhh...h)
      Specifies a one- to 256-byte CRT clear string, in hexadecimal.
      Default: STRING(A12FA11C1A270C0D)
  2. If the GSO TSOCRT record field is defined to the default value of STRING(A12FA11C1A270C0D), your site does not have an audit finding.
  3. If the GSO TSOCRT record field is not defined to the default value of STRING(A12FA11C1A270C0D), your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO TSOCRT record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO TSOCRT record STRING field value to A12FA11C1A270C0D:
    SET CONTROL(GSO)
    CONTROL
    CHANGE TSOCRT STRING(A12FA11C1A270C0D)
    F ACF2,REFRESH(TSOCRT)
    CONTROL
  2. Verify that the change was applied to the GSO TSOCRT record field:
    SET CONTROL(GSO)
    CONTROL
    LIST TSOCRT
    XXXX / TSOCRT LAST CHANGED BY USER01 ON 03/25/20-10:20
      STRING(A12FA11C1A270C0D)
    CONTROL
Your site has implemented a strong logon policy by defining the GSO TSOCRT record so that the logon display is cleared during the TSO logon process.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCI: CCI-000206
Published Date: 2009-05-22
Definition: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Type: technical
Note: The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
References:
NIST: NIST SP 800-53 (v3): IA-6
NIST: NIST SP 800-53 Revision 4 (v4): IA-6
NIST: NIST SP 800-53A (v1): IA-6.1