STIG ID - BACF0048: Scope Logonids with AUDIT or CONSULT Attribute

Properly scope logonids with AUDIT and CONSULT attributes.
Severity: 2 - Medium
Logonids with the AUDIT and CONSULT attributes have powerful privileges, such as viewing the ACF2 databases for the purpose of inspecting users, data set access rules, and Infostorage records. To ensure logonids with the AUDIT and CONSULT attributes do not compromise your organization's operating system and data, restrict their authority to the job function and area of responsibility by defining the SCPLST attribute on each such logonid.
This STIG article shows how to identify logonids with the AUDIT and CONSULT attributes and verify if the SCPLST attribute is defined and specified according to the job function and areas of responsibility.
The organization will ensure logonids with AUDIT or CONSULT attributes are properly scoped in accordance with documented assigned function and areas of responsibility.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
The following steps show how to identify logonids with the AUDIT attribute and verify whether the SCPLST attribute is defined. Repeat these steps to identify logonids with the CONSULT attribute.
Follow these steps:
  1. List all logonids with the AUDIT attribute:
    SET LID
    LID
    LIST IF(AUDIT-)
    AUDITOR1 AUDITOR1 ...
    PRIVILEGES AUDIT DUMPAUTH IMS JOB STC ...
    LID
    The LID lines are the ACF command prompt after SET LID; the lines between them are the displayed record. ACF2 displays all logonid records with the AUDIT attribute. For the purposes of this STIG, this example displays one logonid record with the AUDIT attribute defined.
    • AUDIT|NOAUDIT
      Specifies that this user can display the records and parameters of the ACF2 system and gives audit privileges in an OMVS system. This privilege can be limited by a scope.
    • CONSULT|NOCONSULT
      Specifies that this user can display other logonid records. This privilege can be limited by a scope.
  2. Review all logonids with the AUDIT attribute to determine whether the SCPLST(AUD) attribute is defined. The SCPLST(AUD) attribute limits the AUDIT privileges to the job function and area of responsibility defined in the scope record. For more information on SCPLST and scope records, see the field descriptions following this example.
    The SCPLST attribute is not required for logonids with the AUDIT and CONSULT attributes if the Information System Security Officer (ISSO) determines that the logonids require the ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin logonids, and BATCH logonids that review the entire ACF2 environment and need to add GSO records, data set and resource rules, or run audit reports. Document each such exception.
    The AUDITOR1 record from step 1, with no SCPLST field in its PRIVILEGES:
    SET LID
    LID
    AUDITOR1 AUDITOR1 ...
    PRIVILEGES AUDIT DUMPAUTH IMS JOB STC ...
    LID
    • Scope Records
      Scope records limit a user's administrative authority over logonids, rules, and Infostorage databases. Although scope records are used to control the actions of logonids, ACF2 stores scope records in the Infostorage database. The SCPLST field of the logonid record points to the name of the scope record.
    • SCPLST
      The SCPLST attribute lets you restrict the access of privileged users. The SCPLST attribute is associated with the logonid's job role. For example, an Account Manager creates and maintains logonid records for their division; a scope record for the Account Manager could be named ACCTMNGR, or ACT for the account manager job task. SCPLST attributes are not required for Domain Level Security Admin logonids and BATCH logonids that administer and modify the entire ACF2 environment, including GSO records and data set and resource rules, or that run audit reports.
  3. If no SCPLST attribute is defined, and the logonid is not one the ISSO has documented as requiring the entire ACF2 environment, your organization has an audit finding. See Remediate Audit Finding.
  4. If a SCPLST attribute is defined and it names a scope record that matches the logonid's documented job function and area of responsibility, your organization does not have an audit finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the AUDIT and CONSULT attributes. Limit all access to change logonid records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
  1. Add the SCPLST(AUD) attribute to the AUDITOR1 logonid:
    SET LID
    LID
    CHANGE AUDITOR1 SCPLST(AUD)
    LID
    The AUDITOR1 logonid is now defined with SCPLST(AUD), limiting its privileges to the tasks associated with the Auditor job role. SCPLST(AUD) takes effect only through the AUD scope record in the Infostorage database, so that record must define the logonids, rules, and Infostorage records the Auditor is permitted to see.
  2. Verify that the AUDITOR1 logonid changed:
    SET LID
    LID
    LIST AUDITOR1
    AUDITOR1 AUDITOR1 ...
    PRIVILEGES AUDIT DUMPAUTH IMS JOB SCPLST(AUD) STC
    LID
The AUDITOR1 logonid, which includes the AUDIT attribute, is now restricted to tasks related to the job function and area of responsibility defined in the scope record and SCPLST attribute. Limiting access to a job function ensures logonids with the AUDIT and CONSULT attributes do not compromise your organization's operating system and data.
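The identification steps (list logonids, check each PRIVILEGES line for SCPLST, set aside ISSO-documented exceptions) and the remediation step can be run offline against a captured LIST listing. The following Python script is an added example, not part of this STIG article or of ACF2 itself. It assumes the LIST output was saved to a text file in the layout shown on this page: an unindented header line whose first token is the logonid, followed by indented section lines such as PRIVILEGES, with SCPLST(name) appearing among the privilege tokens. The embedded listing is constructed sample text, not real output, and the logonid names, the exemption set and the AUD scope name are assumptions for illustration.

```python
"""Check captured ACF2 LIST output for unscoped AUDIT/CONSULT logonids.

Added example; not from the STIG article or the ACF2 product.  Assumes the
record layout shown on the page (header line, then indented section lines).
Real LIST output widths and section names vary by release, so adjust the
parser to the text you actually captured.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample in the page's layout.  Not real ACF2 output.
SAMPLE_LIST_OUTPUT = """\
AUDITOR1 AUDITOR1 AUDIT REVIEWER
  PRIVILEGES   AUDIT DUMPAUTH IMS JOB STC
  ACCESS       ACC-CNT(17) ACC-DATE(01/15/24)
AUDITOR2 AUDITOR2 AUDIT REVIEWER
  PRIVILEGES   AUDIT DUMPAUTH IMS JOB SCPLST(AUD) STC
CONSLT01 CONSLT01 HELP DESK
  PRIVILEGES   CONSULT JOB TSO
NOAUD01  NOAUD01  ORDINARY USER
  PRIVILEGES   JOB NOAUDIT TSO
ZSECADM1 ZSECADM1 DOMAIN SECURITY ADMIN
  PRIVILEGES   AUDIT CONSULT JOB SECURITY STC TSO
"""

SCPLST_RE = re.compile(r"^SCPLST\((\w+)\)$")
SCOPED_PRIVILEGES = {"AUDIT", "CONSULT"}


@dataclass
class LogonidRecord:
    lid: str
    privileges: Set[str] = field(default_factory=set)
    scplst: Optional[str] = None  # name of the scope record, if any


def parse_list_output(text: str) -> Dict[str, LogonidRecord]:
    """Return {logonid: record} parsed from captured LIST output."""
    records: Dict[str, LogonidRecord] = {}
    current: Optional[LogonidRecord] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Header line: the first token is the logonid.
            current = LogonidRecord(lid=raw.split()[0])
            records[current.lid] = current
            continue
        if current is None:
            continue  # section line before any header; ignore
        section, *tokens = raw.split()
        if section != "PRIVILEGES":
            continue
        for tok in tokens:
            m = SCPLST_RE.match(tok)
            if m:
                current.scplst = m.group(1)
            else:
                current.privileges.add(tok)
    return records


def find_unscoped(records: Dict[str, LogonidRecord],
                  exempt: FrozenSet[str] = frozenset()) -> List[str]:
    """Logonids holding AUDIT or CONSULT with no SCPLST, minus ISSO-documented exemptions.

    Tokens are matched exactly, so NOAUDIT / NOCONSULT never count as the privilege.
    """
    findings = []
    for lid, rec in sorted(records.items()):
        if not (rec.privileges & SCOPED_PRIVILEGES):
            continue
        if rec.scplst is not None or lid in exempt:
            continue
        findings.append(lid)
    return findings


def remediation_commands(findings: List[str], scope: str = "AUD") -> List[str]:
    """ACF subcommands to review and apply in an approved change window."""
    if not findings:
        return []
    return ["SET LID"] + [f"CHANGE {lid} SCPLST({scope})" for lid in findings]


if __name__ == "__main__":
    recs = parse_list_output(SAMPLE_LIST_OUTPUT)
    # Assumed: the ISSO documented ZSECADM1 as needing the entire environment.
    unscoped = find_unscoped(recs, exempt=frozenset({"ZSECADM1"}))
    print("Unscoped AUDIT/CONSULT logonids:", unscoped)
    print("\n".join(remediation_commands(unscoped)))
```

The script only reports and prints the CHANGE commands; applying them remains a ZSECTEAM task inside an approved change window, and the scope record named in SCPLST(...) must exist in the Infostorage database and actually restrict the auditor's authority, otherwise the finding is closed on paper only. Every logonid in the exemption set should map to a written ISSO determination, since a logonid that is exempt without one is still a finding.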
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following reference CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000035, CCI-000213, CCI-002234, CCI-002235

CCI: CCI-000035
Published Date: 2009-09-14
Definition: The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-4 (11)
NIST: NIST SP 800-53 Revision 4 (v4): AC-4 (11)
NIST: NIST SP 800-53A (v1): AC-4 (11).1 (ii)

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)

CCI: CCI-002235
Published Date: 2013-06-24
Definition: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (10)