STIG ID - BACF0036: Define Interactive LOGONIDs to ACF2 with Required Fields

Verify all interactive logonids have the correct attributes assigned.
Severity: 2 - Medium
A user can be assigned multiple logonids within ACF2. All interactive logonids must meet the required definitions. Improper assignment of attributes in an interactive logonid record can give users excessive privileges, resulting in unauthorized access.
This STIG article shows how to identify interactive logonids and ensure the correct attributes are assigned.
Your organization will ensure that all interactive logonids have the correct attributes assigned.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Run the ACFRPTSL report to list TSO logonids (interactive userids):
    //REPORT   EXEC PGM=ACFRPTSL
    //SYSPRINT DD   SYSOUT=*
    //SYSIN    DD   *
      TITLE(LIST LIDS WITH TSOCMDS) INPUT(ACF2) REPORT(SHORT)
      SFLDS(MAXDAYS MINDAYS LIDZMAX) IF(TSO)
    /*
  2. Verify that the interactive userids are properly defined. Ensure that all logonid record fields are specified per the Interactive Users table:

    Interactive Users - ACF2
    (Field / Description / Required Value)

    AUTHSUP1
      Description: Specifies the extended user authentication (EUA) routine for a user (User Authorization Flag 1).
      Required value: ON for highly privileged users controlled by NC-PASS.

    GROUP(name)
      Description: Specifies the one- to eight-character group name that is the default for a logonid. Required for assigning GIDs to MVS OpenEdition users.
      Required value: Will be defined for OpenEdition users.

    IDLE(time)
      Description: Specifies the maximum time permitted (in minutes) between terminal transactions for this user. If exceeded, ACF2 requires the logonid and password to be re-validated before another transaction is accepted. Zero (0) indicates no limit is enforced. This field is available for IMS and CICS online processing.
      Required value: IDLE(15)

    INTERCOM/NOINTERCOM
      Description: Indicates this user is willing to accept messages from other users through the TSO SEND command.
      Required value: INTERCOM

    LGN-ACCT/NOLGN-ACCT
      Description: Indicates permission to specify an account number at logon time. If the user has the PMT-ACCT field, ACF2 prompts the user for an account number unless one was specified before the prompt. If the user does not specify an account number at logon and PMT-ACCT is not in the logonid record, ACF2 uses the user's default account number (the TSOACCT logonid field) or the system default account number, which is specified in the ACCOUNT field of the GSO TSO record.
      Required value: LGN-ACCT

    MAIL/NOMAIL
      Description: Indicates a user can receive mail messages from TSO at logon time.
      Required value: MAIL

    MAXDAYS(days)
      Description: Specifies the maximum number of days permitted between password changes before the password expires. Zero (0) indicates no limit.
      Required value: MAXDAYS(60)
      Note the following:
      • The value must be defined as 1 to 60 days.
      • FTP-only process and server-to-server userids may have MAXDAYS(0) and LIDZMAX specified. These users must be identified in the FTPUSERS group in the dialog process or by FTP in the NAME field. Additionally, these users must change their passwords on an annual basis.

    MINDAYS(days)
      Description: Specifies the minimum number of days that must elapse before a user can change a password. Zero (0) indicates no limit.
      Required value: MINDAYS(1)

    MSGID/NOMSGID
      Description: Indicates this user wants TSO messages to be prefixed with message IDs.
      Required value: MSGID

    NO-STORE/NONO-STORE
      Description: Specifies that a user cannot store or delete rule sets. This applies even if the value of the PREFIX field of the logonid record matches the $KEY of the rule or the data set, if the user has the SECURITY privilege, or if the user has change authority through a %CHANGE or %RCHANGE control statement in the rule set.
      Required value: NONO-STORE
      Note: The GSO RULEOPTS record must specify CENTRAL.

    NOTICES/NONOTICES
      Description: Indicates a user can receive TSO notices at logon time.
      Required value: NOTICES

    PASSWORD
      Description: The logon password for the user.
      Required value: Must be completed.

    PHONE
      Description: Specifies the 1- to 12-character telephone number of a user.
      Required value: Optional

    PMT-ACCT/NOPMT-ACCT
      Description: Indicates that ACF2 requires a user to specify an account number at logon time. Specify the LGN-ACCT field also. ACF2 does not prompt for an account number if you also specify the FSRETAIN field in the GSO TSO record; FSRETAIN obtains the account values from the last session.
      Required value: May be required for fee-for-service support.

    PREFIX
      Description: Specifies the data set prefix under which the user can access their own data sets without rule validation.
      Required value: PREFIX()

    PROMPT/NOPROMPT
      Description: Indicates that ACF2 prompts a user for missing or incorrect parameters.
      Required value: PROMPT

    TSOACCT
      Description: Specifies the user's default TSO account number.
      Required value: Can be required for fee-for-service support.

    TSOPROC
      Description: Specifies the user's default TSO logon procedure.
      Required value: Optional. Can be completed for TSO users.

    VLD-ACCT/NOVLD-ACCT
      Description: Indicates that ACF2 validates the TSO account number of a user. Create a resource rule with type code TAC and a $KEY of the account number so that ACF2 performs this validation.
      Required value: VLD-ACCT. Can be required for fee-for-service support.

    VLD-PROC/NOVLD-PROC
      Description: Indicates that ACF2 validates the TSO logon procedure of a user. Create a resource rule with type code TPR and a $KEY of the logon procedure so that ACF2 performs this validation.
      Required value: VLD-PROC. Will be completed for all TSO users.
  3. If the interactive userids are properly defined per the above Interactive Users table, your organization does not have an audit finding.
  4. If the interactive userids are not defined per the above Interactive Users table, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The ISSO reviews all interactive logonid records to ensure required information is provided, evaluates the impact of correcting any deficiencies, and develops a plan to implement the required changes.
Follow these steps:
  1. Define any logonid records identified as missing. For example, if logonid USER01 does not exist and its UID, NAME, AUTHSUP1, MAXDAYS, and MINDAYS must be defined, issue the following commands:
    SET LID
    INSERT USER01 UID(uid string) NAME(user name) AUTHSUP1 MAXDAYS(60) MINDAYS(1)
    For a logonid that already exists but is missing fields, use the CHANGE subcommand with the same field operands rather than INSERT.
  2. Verify the logonid was updated:
    LIST USER01
    USER01   UID USER01 ...
    PASSWORD AUTHSUP1 ....
    RESTRICTIONS MAXDAYS(60) MINDAYS(1)
All interactive logonids now meet the required definitions, avoiding unauthorized access due to excessive privileges assigned by incorrect attributes.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000199, CCI-000764

CCI: CCI-000199
Published Date: 2009-09-15
Definition: The information system enforces maximum password lifetime restrictions.
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-5 (1) (d)
NIST: NIST SP 800-53 Revision 4 (v4): IA-5 (1) (d)
NIST: NIST SP 800-53A (v1): IA-5 (1).1 (v)

CCI: CCI-000764
Published Date: 2009-09-17
Definition: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-2
NIST: NIST SP 800-53 Revision 4 (v4): IA-2
NIST: NIST SP 800-53A (v1): IA-2.1