STIG ID - BACF0036: Define Interactive LOGONIDs to ACF2 with Required Fields
Verify all interactive logonids have the correct attributes assigned.
Severity: 2 - Medium
A user can be assigned multiple logonids within ACF2. All interactive logonids must meet the required definitions. Improper assignment of attributes in an interactive logonid record can grant users excessive privileges, resulting in unauthorized access.
This STIG article shows how to identify interactive logonids and ensure the correct attributes are assigned.
Your organization will ensure that all interactive logonids have the correct attributes assigned.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Run the ACFRPTSL report to list TSO logonids (interactive userids):
  //REPORT   EXEC PGM=ACFRPTSL
  //SYSPRINT DD SYSOUT=*
  //SYSIN    DD *
    TITLE(LIST LIDS WITH TSOCMDS)
    INPUT(ACF2)
    REPORT(SHORT)
    SFLDS(MAXDAYS MINDAYS LIDZMAX)
    IF(TSO)
  /*
- Verify that the interactive userids are properly defined. Ensure that all logonid record fields are specified per the Interactive Users table below.
  Interactive Users - ACF2 (each entry gives Field: Description. Required value)
  AUTHSUP1: Specifies the extended user authentication (EUA) routine for a user (User Authorization Flag 1). Required value: ON for highly privileged users controlled by NC-PASS.
  GROUP(name): Specifies the one- to eight-character group name that is the default for a logonid. Required for assigning GIDs to MVS OpenEdition users. Required value: Will be defined for OpenEdition users.
  IDLE(time): Specifies the maximum time permitted (in minutes) between terminal transactions for this user. If exceeded, ACF2 requires the logonid and password to be re-validated before another transaction is accepted. Zero (0) indicates no limit is enforced. This field is available for IMS and CICS online processing. Required value: IDLE(15)
  INTERCOM/NOINTERCOM: Indicates this user is willing to accept messages from other users through the TSO SEND command. Required value: INTERCOM
  LGN-ACCT/NOLGN-ACCT: Indicates permission to specify an account number at logon time. If a user has the PMT-ACCT field, ACF2 prompts the user for an account number unless one is specified before the prompt. If a user does not specify an account number at logon and PMT-ACCT is not specified in the user's logonid record, ACF2 uses the user's default account number (the TSOACCT logonid field) or the system default account number, which is specified in the ACCOUNT field of the GSO TSO record. Required value: LGN-ACCT
  MAIL/NOMAIL: Indicates a user can receive mail messages from TSO at logon time. Required value: not stated in this table.
  MAXDAYS(days): Specifies the maximum number of days permitted between password changes before the password expires. Zero (0) indicates no limit. Required value: MAXDAYS(60). Note the following:
    - The value must be defined as 1 to 60 days.
    - FTP-only process and server-to-server userids may have MAXDAYS(0) and LIDZMAX specified. These userids must be identified in the FTPUSERS group in the dialog process, or by FTP in the NAME field. Additionally, these userids must change their passwords on an annual basis.
  MINDAYS(days): Specifies the minimum number of days that must elapse before a user can change a password. Zero (0) indicates no limit. Required value: MINDAYS(1)
  MSGID/NOMSGID: Indicates this user wants TSO messages to have message IDs prefixed. Required value: MSGID
  NO-STORE/NONO-STORE: Specifies that a user cannot store or delete rule sets. This applies even if the value of the PREFIX field of the logonid record matches the $KEY of the rule or the data set, if the user has the SECURITY privilege, or if the user has change authority through a %CHANGE or %RCHANGE control statement in the rule set. Required value: NONO-STORE. Note: The GSO RULEOPTS record must specify CENTRAL.
  NOTICES/NONOTICES: Indicates a user can receive TSO notices at logon time. Required value: NOTICES
  PASSWORD: The logon password for the user. Required value: Must be completed.
  PHONE: Specifies the 1- to 12-character telephone number of a user. Required value: Optional
  PMT-ACCT/NOPMT-ACCT: Indicates that ACF2 requires a user to specify an account number at logon time. Specify the LGN-ACCT field also. ACF2 does not prompt for an account number if you also specify the FSRETAIN field in the GSO TSO record; FSRETAIN obtains the account values from the last session. Required value: May be required for fee-for-service support.
  PREFIX: User access to the user's own data sets without rule validation. Required value: PREFIX()
  PROMPT/NOPROMPT: Indicates that ACF2 prompts a user for missing or incorrect parameters. Required value: PROMPT
  TSOACCT: Specifies the user's default TSO account number. Required value: Can be required for fee-for-service support.
  TSOPROC: Specifies the user's default TSO logon procedure. Required value: Optional. Can be completed for TSO users.
  VLD-ACCT/NOVLD-ACCT: Indicates that ACF2 validates the TSO account number of a user. Create a resource rule with a type code of TAC and a $KEY of the account number so that ACF2 performs this validation. Required value: VLD-ACCT. Can be required for fee-for-service support.
  VLD-PROC/NOVLD-PROC: Indicates that ACF2 validates the TSO logon procedure of a user. Create a resource rule with a type code of TPR and a $KEY of the logon procedure so that ACF2 performs this validation. Required value: VLD-PROC. Will be completed for all TSO users.
- If the interactive userids are properly defined per the Interactive Users table above, your organization does not have an audit finding.
- If the interactive userids are not defined per the Interactive Users table above, your organization has an audit finding. See Remediate Audit Finding.
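Checking the ACFRPTSL listing against the table by eye does not scale to a few thousand logonids. The following Python script is an added example, not part of the STIG article and not an ACF2 or CA tool: it encodes the required values from the Interactive Users table as a checklist, parses each logonid's attributes written in ACF2 display syntax (FIELD or FIELD(value)), and reports every deviation, including the MAXDAYS(0)/LIDZMAX exemption for FTP-only and server-to-server userids. The sample records are constructed, the assumption that exempt userids carry GROUP(FTPUSERS) or FTP in NAME is the script's own, AUTHSUP1 is deliberately not checked (it depends on whether the user is highly privileged, which the record alone does not say), and the exact ACFRPTSL report layout is not reproduced, so feed it whatever extraction of the SFLDS values your site already produces.

```python
import re

# Required attributes for interactive (TSO) logonids, taken from the Interactive Users
# table, written in ACF2 display syntax. AUTHSUP1 is left out on purpose: it is required
# only for highly privileged users, which the logonid record alone does not reveal.
REQUIRED_FLAGS = ("INTERCOM", "LGN-ACCT", "MSGID", "NONO-STORE", "NOTICES", "PROMPT", "VLD-PROC")
REQUIRED_VALUES = {"IDLE": "15", "MINDAYS": "1"}
MAXDAYS_LIMIT = 60

# One attribute is FIELD or FIELD(value); a value may contain blanks, e.g. NAME(J DOE).
TOKEN = re.compile(r"([A-Z0-9@#$-]+)(?:\(([^)]*)\))?")


def parse_fields(text):
    """Turn 'UID(X) MAXDAYS(60) PROMPT' into {'UID': 'X', 'MAXDAYS': '60', 'PROMPT': None}.
    A bare flag maps to None and PREFIX() maps to the empty string, so the two stay distinct."""
    return {m.group(1): m.group(2) for m in TOKEN.finditer(text.upper())}


def is_ftp_userid(fields):
    """FTP-only and server-to-server userids may carry MAXDAYS(0) and LIDZMAX.
    Assumption (not from the STIG text): such userids carry GROUP(FTPUSERS) or FTP in NAME."""
    return fields.get("GROUP") == "FTPUSERS" or "FTP" in (fields.get("NAME") or "")


def check_logonid(fields):
    """Return the list of deviations from the table for one parsed logonid record."""
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in fields:               # NOINTERCOM, NO-STORE, or simply absent
            findings.append(f"{flag} not set")
    for fld, want in REQUIRED_VALUES.items():
        if fields.get(fld) != want:
            findings.append(f"{fld} must be {fld}({want})")
    ftp = is_ftp_userid(fields)
    maxdays = fields.get("MAXDAYS")
    if maxdays is None or not maxdays.isdigit():
        findings.append("MAXDAYS not defined")
    elif int(maxdays) == 0 and not ftp:
        findings.append("MAXDAYS(0) permitted only for FTP/server-to-server userids")
    elif int(maxdays) > MAXDAYS_LIMIT:
        findings.append(f"MAXDAYS({maxdays}) exceeds the 1-{MAXDAYS_LIMIT} day range")
    if "LIDZMAX" in fields and not ftp:
        findings.append("LIDZMAX permitted only for FTP/server-to-server userids")
    if fields.get("PREFIX") != "":          # the table requires an empty PREFIX()
        findings.append("PREFIX must be PREFIX()")
    return findings


def audit(records):
    """Map logonid -> findings for every non-compliant logonid in `records`."""
    result = {}
    for lid, text in records.items():
        findings = check_logonid(parse_fields(text))
        if findings:
            result[lid] = findings
    return result


# Constructed sample records (not real ACFRPTSL output), one attribute string per logonid.
SAMPLE = {
    "USER01": "UID(ABC01USER01) NAME(J DOE) IDLE(15) INTERCOM LGN-ACCT MAXDAYS(60) "
              "MINDAYS(1) MSGID NONO-STORE NOTICES PREFIX() PROMPT VLD-PROC",
    "USER02": "UID(ABC02USER02) NAME(A SMITH) IDLE(0) NOINTERCOM MAXDAYS(90) MINDAYS(0) "
              "MSGID NO-STORE NOTICES PREFIX(USER02) PROMPT",
    "FTPSRV1": "UID(ABC09FTPSRV1) NAME(FTP SERVER LINK) GROUP(FTPUSERS) IDLE(15) INTERCOM "
               "LGN-ACCT MAXDAYS(0) LIDZMAX MINDAYS(1) MSGID NONO-STORE NOTICES PREFIX() "
               "PROMPT VLD-PROC",
    "BATCH07": "UID(ABC03BATCH07) NAME(B JONES) IDLE(15) INTERCOM LGN-ACCT MAXDAYS(0) "
               "LIDZMAX MINDAYS(1) MSGID NONO-STORE NOTICES PREFIX() PROMPT VLD-PROC",
}

if __name__ == "__main__":
    for lid, findings in sorted(audit(SAMPLE).items()):
        print(lid)
        for finding in findings:
            print("   ", finding)
```

Run stand-alone it lists USER02 (eight deviations) and BATCH07 (MAXDAYS(0) and LIDZMAX on a userid that is not marked as FTP); USER01 and FTPSRV1 are silent. The FTP exemption is the part worth scrutinising in a real audit: a userid that merely has "FTP" in its NAME field gets MAXDAYS(0), so the marker you key on must be one that only the ISSO can set.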
Remediate Audit Finding
The ISSO reviews all interactive logonid records to ensure required information is provided, evaluates the impact of correcting any deficiencies, and develops a plan to implement the required changes.
Follow these steps:
- Define any logonid records identified as missing. For example, for logonid USER01, if the UID, NAME, AUTHSUP1, MAXDAYS, and MINDAYS are not defined, perform the following commands:
  SET LID
  INSERT USER01 UID(uid string) NAME(user name) AUTHSUP1 MAXDAYS(60) MINDAYS(1)
  To add or correct fields on a logonid record that already exists, use the CHANGE subcommand with the same field list in place of INSERT.
- Verify the logonid was updated:
  LIST USER01
  USER01   UID USER01 ...
  PASSWORD AUTHSUP1 ...
  RESTRICTIONS MAXDAYS(60) MINDAYS(1)
All interactive logonids now meet the required definitions, preventing unauthorized access through incorrectly assigned excessive privileges.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000199, CCI-000764
CCI-000199: The information system enforces maximum password lifetime restrictions.
NIST: NIST SP 800-53 (v3): IA-5 (1) (d)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (d)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)
CCI-000764: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
NIST: NIST SP 800-53 (v3): IA-2
NIST: NIST SP 800-53 Revision 4 (v4): IA-2
NIST: NIST SP 800-53A (v1): IA-2.1