STIG ID - BACF0042: Limit Access to NON-CNCL Privilege

Identify if started task logonid records have the NON-CNCL attribute defined.
Severity: 1 - High
Certain started tasks performing critical operating system related functions can be considered trusted for the purposes of data set and resource access requests. For these started tasks, all access requests are honored. Trusted started tasks are given the NON-CNCL attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets.
The NON-CNCL privilege exempts the started task from security checking, which can result in the compromise of the confidentiality, integrity, and availability of the operating system and data. Ensure that only logonids associated with trusted started tasks have the NON-CNCL attribute specified.
Many of the started tasks listed as trusted may not require NON-CNCL. However, the responsible security team is required to identify the proper resources and access levels for those started tasks. NON-CNCL logs those resources and accesses; upon review, the security team can then grant the specific started tasks only the access they actually need.
Your organization must ensure only those started tasks listed as trusted receive NON-CNCL in accordance with the recommendations within this article.
This STIG article shows how to identify trusted started task logonid records and determine if the NON-CNCL attribute is defined.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the started task logonid records to identify all started task logonids:
    SET CONTROL(GSO)
    LIST LIKE(STC-)
    ACF2 displays all records with started task defined. Typically, the number of started tasks returned is significant. For the purpose of this STIG, the following example shows one logonid which is assigned to a started task:
    XXXX / STC.CONSOLE LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(CNSLSTC) STCID(CONSOLE)
  2. List the started task logonid identified to determine if it is a trusted started task with the NON-CNCL attribute defined:
    SET LID
    LID
    LIST CNSLSTC
    CNSLSTC ...
      PRIVILEGES CONSOLE STC
    LID
    In this example, the trusted CONSOLE started task logonid does not have the NON-CNCL attribute defined. Ensure only those started tasks listed as trusted receive NON-CNCL in accordance with the recommendations set forth in this article.
    A majority of the items are obtained from IBM's website listing their recommended trusted started tasks for z/OS.
    The following table lists the trusted started tasks. Note CONSOLE is included in the trusted STC table.
    ACF2        IOSAS           SMSRESTR
    ACFBKUP     JES2            SMSVSAME
    CATALOG     LLA             TCPIP
    CONSOLE     NFS             VLF
    DFHSM       OMVS/OMVSKERN   VTAM
    DFS         RMF             XCFAS
    DUMPSRV     RMFGAT          ZFS
    IEEVMPCR    SMF
    • NON-CNCL|NONON-CNCL
      Specifies ACF2 cannot cancel a user for security violations. The event log shows that the request was permitted because the user cannot be canceled.
  3. If the logonid is a trusted started task and the NON-CNCL attribute is defined, your organization does not have an audit finding.
  4. If the logonid is not a trusted started task or does not have the NON-CNCL attribute defined, your organization has an audit finding. See Remediate Audit Finding.
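When the GSO STC listing and the per-logonid LIST output have been captured to text, the checks in steps 3 and 4 can be applied to every started task logonid at once. The following Python script is an added example, not Broadcom's or this article's own code; it assumes the captured output follows the line layout of the constructed samples embedded below (real ACF2 output formatting may differ) and that the trusted list is the table above.

```python
import re
# Trusted started task names from the table in this article (OMVS/OMVSKERN split in two).
TRUSTED_STCIDS = {
    "ACF2", "IOSAS", "SMSRESTR", "ACFBKUP", "JES2", "SMSVSAME", "CATALOG", "LLA",
    "TCPIP", "CONSOLE", "NFS", "VLF", "DFHSM", "OMVS", "OMVSKERN", "VTAM", "DFS",
    "RMF", "XCFAS", "DUMPSRV", "RMFGAT", "ZFS", "IEEVMPCR", "SMF",
}
# Constructed sample of SET CONTROL(GSO) / LIST LIKE(STC-) output (assumed layout):
# each STC record names the logonid and the started task it is assigned to.
GSO_STC_OUTPUT = """\
XXXX / STC.CONSOLE LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(CNSLSTC) STCID(CONSOLE)
XXXX / STC.JES2 LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(JES2STC) STCID(JES2)
XXXX / STC.MYAPP LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(MYAPPSTC) STCID(MYAPP)
"""
# Constructed sample of SET LID / LIST output for each logonid (assumed layout):
# the record header is unindented, its PRIVILEGES line is indented beneath it.
LID_LIST_OUTPUT = """\
CNSLSTC ...
  PRIVILEGES CONSOLE STC
JES2STC ...
  PRIVILEGES JES2 NON-CNCL STC
MYAPPSTC ...
  PRIVILEGES MYAPP NON-CNCL STC
"""
def parse_gso_stc(text):
    # Map logonid -> STCID from the LOGONID(...) STCID(...) pairs in the STC records.
    return dict(re.findall(r"LOGONID\((\w+)\)\s+STCID\((\w+)\)", text))

def parse_privileges(text):
    # Map logonid -> set of keywords found on its PRIVILEGES line.
    privs, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            current = line.split()[0]           # record header: logonid comes first
        elif current and line.split()[:1] == ["PRIVILEGES"]:
            privs[current] = set(line.split()[1:])
    return privs

def audit_non_cncl(gso_text, list_text):
    # Steps 3 and 4: a trusted STC must carry NON-CNCL; no other STC may carry it.
    privs, findings = parse_privileges(list_text), []
    for lid, stcid in parse_gso_stc(gso_text).items():
        has_non_cncl = "NON-CNCL" in privs.get(lid, set())
        if stcid in TRUSTED_STCIDS and not has_non_cncl:
            findings.append((lid, stcid, "trusted STC lacks NON-CNCL"))
        elif stcid not in TRUSTED_STCIDS and has_non_cncl:
            findings.append((lid, stcid, "NON-CNCL on non-trusted STC"))
    return findings
```

Each finding is a (logonid, STCID, reason) tuple, so the same output can feed a report or a remediation ticket.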
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the trusted started task logonid has the NON-CNCL attribute defined.
Follow these steps:
  1. Change the trusted started task logonid to include the NON-CNCL attribute:
    SET LID
    LID
    CHANGE CNSLSTC NON-CNCL
    LID
  2. Verify started task logonid CNSLSTC includes the NON-CNCL attribute:
    SET LID
    LID
    LIST CNSLSTC
    CNSLSTC CNSLSTC ...
      PRIVILEGES CONSOLE NON-CNCL STC
    ...
    LID
The trusted started task logonid is exempt from security checking.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002145
CCI: CCI-002145
Published Date: 2013-06-24
Definition: The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)