STIG ID - BACF0047: Restrict Logonid with ACCTPRIV Attribute
Verify logonids with the ACCTPRIV attribute are assigned only to the Information Systems Security Officer.
Severity: 2 - Medium
The SYS1.UADS is the data set where emergency logonids are maintained. This data set ensures that logon processing can occur even if
ACF2is not functional. Individuals with the ACCTPRIV attribute can add or delete users in SYS1.UADS. Unauthorized access to the SYS1.UADS data set could result in the compromise of the operating system environment,
ACF2, and customer data.
Your organization will ensure that the ACCTPRIV attribute is only granted to the z/OS System Level Security Team or Information Systems Security Officer (ISO) during those limited times where emergency userids are to be added or removed from SYS1.UADS.
This STIG article shows how to identify logonids with the ACCTPRIV attribute and verify that the logonid is assigned to the ISSO.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List logonids with the ACCTPRIV attribute. The ACCTPRIV attribute indicates a logonid has TSO accounting privileges for UADS updates with the TSO ACCOUNT command.SET LID LID LIST IF(ACCTPRIV-)JSMITH01 JSMITH01 JOHN SMITH... TSOACCTPRIV... LIDACF2displays all logonid records with the ACCTPRIV attribute.For the purposes of this STIG, this example displays one logonid record, with the ACCTPRIV attribute defined, and assigned to John Smith who isnotthe ISSO.
- If a logonid has the ACCTPRIV but isnotassigned to the ISSO,your organization has an audit finding. See Remediate Audit Finding.
- If a logonid has the ACCTPRIV and is assigned to the ISSO,your organization does not have an audit finding.
Remediate Audit Finding
The ISO is the only role that should have the ACCTPRIV attribute defined in their logonid record.
Follow these steps:
- Change all logonids identified as not assigned the ISSO role but having the ACCTPRIV attribute defined in their logonid record.SET LID LID CHANGEJSMITH01NOACCTPRIV
- Verify the ACCTPRIV attribute was changed to NOACCTPRIV.SET LID LID LIST JSMITH01 JSMITH01 JSMITH01 JOHN SMITH ... TSONOACCTPRIV... LID
The unauthorized logonid can no longer add or delete users in the SYS1.UADS data set.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
NIST: NIST SP 800-53 (v3): AC-4 (11)
NIST: NIST SP 800-53 Revision 4 (v4): AC-4 (11)
NIST: NIST SP 800-53A (v1): AC-4 (11).1 (ii)