STIG ID - BACF0049: Control READALL Attribute Usage
Identify logonids with READALL privilege.
Severity: 1- High
The READALL attribute in the logonid record gives a user read and execute access to every data set on the system, which violates the principle of least privilege. Users with the READALL attribute also have the ability to read, copy, and download all ACF2 database files as well as all data sets on the system, including those containing business-sensitive and personally identifiable information. READALL bypasses all normal ACF2 data set security rules concerning the ability to read or browse data sets on the system. The READALL attribute should not be granted to any logonid. Misuse of the READALL attribute can result in the compromise of the operating system, applications, and customer data.
We strongly discourage the use of the READALL attribute.
Your organization will ensure the READALL attribute is controlled as indicated within this STIG article. Under no circumstances should the privilege be used as a convenience regardless of the individual role or function assigned.
This STIG article shows how to identify logonids with the READALL privilege and how to remove it if it is not needed.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List all logonids with the READALL attribute:

    SET LID
    LID
    LIST IF(READALL)
    AUDITOR1 AUDITOR1 ...
      PRIVILEGES AUDIT DUMPAUTH IMS JOB READALL STC
      ...
    LID

  ACF2 displays all logonid records with the READALL attribute. In this example, ACF2 displays the AUDITOR1 logonid record, which includes the READALL attribute. When found, the READALL privilege must be revoked.
- READALL|NOREADALL: Specifies that a logonid has read and execute access to all data sets. ACF2 enforces any existing rules for other types of access, such as write and allocate. ACF2 logs any accesses the logonid makes that are not allowed through ownership or rules. READALL also bypasses PDS member-level validation. READALL is not considered when validating resources.
- If a logonid includes the READALL attribute, your organization has an audit finding. See Remediate Audit Finding.
- If no logonids include the READALL attribute, your organization does not have an audit finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the READALL attribute. Limit all access to change logonid records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
- Change the READALL attribute in the logonid to NOREADALL:

    SET LID
    LID
    CHANGE AUDITOR1 NOREADALL
    LID

- Verify that the AUDITOR1 logonid changed:

    SET LID
    LID
    LIST AUDITOR1
    AUDITOR1 AUDITOR1 ...
      PRIVILEGES AUDIT DUMPAUTH IMS JOB NOREADALL STC
      ...
    LID
The AUDITOR1 logonid no longer has read and execute access to every data set on the system.
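The identification and remediation steps above can be scripted against saved LIST output. The following Python is an added example, not part of this STIG article or of ACF2: it scans a captured listing for logonid records whose PRIVILEGES line carries READALL (matching the whole token, so NOREADALL is not flagged) and builds the CHANGE ... NOREADALL commands shown above. The record layout (an unindented logonid line followed by indented field lines) is assumed from this page's excerpt; real ACF2 LIST output carries more fields and may be formatted differently.

```python
import re

# Constructed sample of "LIST IF(READALL)" style output, laid out like the
# excerpt on this page (assumption: real ACF2 output has more fields).
SAMPLE_LIST_OUTPUT = """\
AUDITOR1 AUDITOR1 ...
  PRIVILEGES AUDIT DUMPAUTH IMS JOB READALL STC
  ...
OPER01   OPER01 ...
  PRIVILEGES JOB NOREADALL STC
  ...
SYSPROG2 SYSPROG2 ...
  PRIVILEGES ACCOUNT JOB READALL SECURITY STC
  ...
"""

# An ACF2 logonid is 1-8 characters; the record header is the first token.
LOGONID_LINE = re.compile(r"^(?P<lid>[A-Z0-9@#$]{1,8})\s+")


def find_readall_logonids(list_output):
    """Return logonids whose PRIVILEGES line contains the READALL token.

    Record headers are unindented; field lines such as PRIVILEGES are
    indented. Privileges are compared as whole tokens so that NOREADALL
    (the compliant setting) never matches as a substring.
    """
    found = []
    current = None
    for line in list_output.splitlines():
        if not line:
            continue
        if not line[0].isspace():
            m = LOGONID_LINE.match(line)
            current = m.group("lid") if m else None
            continue
        tokens = line.split()
        if current and tokens and tokens[0] == "PRIVILEGES":
            if "READALL" in tokens[1:]:
                found.append(current)
    return found


def remediation_commands(logonids):
    """Build the SET LID / CHANGE commands from this page for each finding."""
    cmds = ["SET LID"]
    cmds += ["CHANGE %s NOREADALL" % lid for lid in logonids]
    return cmds
```

Feed it the saved output of LIST IF(READALL); an empty result means no audit finding, and any non-empty result is the list of logonids ZSECTEAM must change within an approved window.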
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000035, CCI-000225
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
NIST: NIST SP 800-53 (v3): AC-4 (11)
NIST: NIST SP 800-53 Revision 4 (v4): AC-4 (11)
NIST: NIST SP 800-53A (v1): AC-4 (11).1 (ii)
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
NIST: NIST SP 800-53 (v3): AC-6
NIST: NIST SP 800-53 Revision 4 (v4): AC-6
NIST: NIST SP 800-53A (v1): AC-6.1