STIG ID - BACF0045: Scope Logonids with ACCOUNT, LEADER, and SECURITY Attributes

Properly scope logonids with ACCOUNT, LEADER, and SECURITY attributes.
Severity
: 2 - Medium
Logonids with the ACCOUNT, LEADER, or SECURITY attributes have powerful privileges such as, allowing updates to the
ACF2
databases for administering users, data set access rules, and Infostorage records. To ensure logonids with the ACCOUNT, LEADER, and SECURITY attributes do not compromise your organization's operating system and data, restrict authority based on job function and area of responsibility by defining the SCPLST attribute to each logonid.
This STIG article shows you how to identify logonids with ACCOUNT, LEADER, or SECURITY attributes and verify if the SCPLST attribute is defined and specified according to the job function and areas of responsibility.
The organization will ensure logonids with ACCOUNT, LEADER, and SECURITY are properly scoped.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. List all logonids with the ACCOUNT attribute:
    SET LID LID LIST IF(ACCOUNT) ACCTMNGR ACCTMNGR ... PRIVILEGES ACCOUNT DUMPAUTH IMS JOB STC ... LID
    ACF2
    displays all logonid records with the ACCOUNT attribute. For the purposes of this STIG, the example displays one logonid record with the ACCOUNT attribute defined.
    • ACCOUNT
      Specifies user can insert, list, change, and delete logonid records. A user with the ACCOUNT attribute defined to their logonid typically has the role of account manager. A user with ACCOUNT only or SECURITY only privilege cannot list or change a logonid record of a user who has both ACCOUNT and SECURITY, because the user with both is more powerful than a user with only one of these two authorities. You can restrict access to the ACCOUNT logonid by adding the SCPLST attribute that is associated with the job function and area of responsibility.
    • LEADER
      Specifies user can display and alter certain fields of logonid records for other users. A user with the LEADER attribute defined to their logonid typically has the role of project leader. You can restrict access to the LEADER logonid by adding the SCPLST attribute that is associated with the job function and area of responsibility.
    • SECURITY
      Specifies user is a security administrator who can:
      • Access all data sets, protected programs, and resources.
      • Maintain rules and all infostorage records.
      • Change certain fields in logonid records.
      If the RULEVLD or RSRCVLD attribute is specified in the SECURITY user's logonid record, these attributes take precedence over any privileges granted by the SECURITY field.
      ACF2
      logs all access the security administrator makes that are not allowed through ownership or through rules. You can restrict access to the SECURITY logonid by adding the SCPLST attribute that is associated with the job function and area of responsibility.
  2. Review all logonids with the ACCOUNT attribute to determine if the SCPLST(ACT) attribute is defined. The SCPLST(ACT) attribute limits the ACCOUNT privileges to the job function and area of responsibility defined in the scope record. For more information on SCPLST and scope records, see the Field Descriptions following this example.
    SET LID LID ACCTMNGR ACCTMNGR ...
    PRIVILEGES
    ACCOUNT DUMPAUTH IMS JOB STC LID
    In this example, the ACCTMNGR logonid with the ACCOUNT privilege does not have the SCPLST(ACT) attribute defined in accordance with the recommendations set forth in this article.
    • Scope Records
      Scope records limit a user's administrative authority over logonids, rules, and Inforstorage databases. Although scope records are used to control the actions of logonids,
      ACF2
      stores scope records in the Infostorage database. The SCPLST field of the logonid record points to the name of the scope record.
    • SCPLST
      The SCPLST attribute lets you restrict access for privileged users. The SCPLST attribute is associated with the logonid job role. For example, an Account Manager creates and maintains logonid records for his division. A scope record for the Account Manager could be ACCTMNGR and ACT for account manager job task. The SCPLST attribute lets you restrict access for these privileged users. SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire
      ACF2
      environment to include GSO records, data set and resource rules, or run audit reports.
  3. If logonids with the SECURITY attribute do not have RULEVLD and RSRCVLD,
    your organization has an audit finding
    . See Remediate Audit Finding.
  4. If there is no SCPLST attribute defined, your organization has an audit finding. See Remediate Audit Finding.
  5. If there is a SCPLST attribute defined, your organization does not have an audit finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the ACCOUNT, LEADER, and SECURITY attribute. Limit all access to change logonid records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps
:
  1. Add the SCPLST(ACT) attribute to the ACCTMNGR logonid:
    SET LID LID CHANGE ACCTMNGR
    SCPLST(ACT)
    LID
    The ACCTMNGR logonid is defined with the SCPLST(ACT), limiting scope privileges to tasks associated with the Account Manager job role.
  2. Verify the ACCTMNGR logonid changed:
    SET LID LID LIST ACCTMGR ACCTMRG ACCTMNGR ... PRIVILEGES ACCOUNT DUMPAUTH IMS JOB
    SCPLST(ACT)
    STC LID
The ACCTMGR logonid, which includes the ACCOUNT attribute, is now restricted to tasks related to the job function and area of responsibility defined in the scope record and SCPLST attribute. Limiting access to a job function ensures logonids with the ACCOUNT, LEADER, and SECURITY attributes do not compromise your organization's operating system and data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-002227, CCI-002276
CCI
:
CCI-002227
Published Date
:
2013-06-24
Definition
:
The organization restricts privileged accounts on the information system to organization-defined personnel or roles.
Type
:
policy
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (5)
CCI
:
CCI-002276
Published Date
:
2013-06-24
Definition
:
The organization identifies the individuals authorized to define the value of associated security attributes.
Type
:
policy
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-16 (2)