STIG ID - BACF0049: Control READALL Attribute Usage

Identify logonids with READALL privilege.
Severity: 1 - High
The READALL attribute in the logonid record gives a user read and execute access to every data set on the system, which violates the principle of least privilege. Users with the READALL attribute can also read, copy, and download all ACF2 database files as well as every data set on the system, including those containing business-sensitive and personally identifiable information. READALL bypasses all normal ACF2 data set security rules governing the ability to read or browse data sets on the system. The READALL attribute should not be granted to any logonid. Misuse of the READALL attribute can result in the compromise of operating system, application, and customer data.
We strongly discourage the use of the READALL attribute.
Your organization will ensure the READALL attribute is controlled as indicated within this STIG article. Under no circumstances should the privilege be used as a convenience regardless of the individual role or function assigned.
This STIG article shows how to identify logonids with the READALL privilege and how to remove the privilege if it is not needed.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List all logonids with the READALL attribute:
     SET LID
     LID
     LIST IF(READALL)
     AUDITOR1
     AUDITOR1 ... PRIVILEGES AUDIT DUMPAUTH IMS JOB READALL STC ...
     LID
     ACF2 displays all logonid records with the READALL attribute. In this example, ACF2 displays the AUDITOR1 logonid record, which includes the READALL attribute. When found, the READALL privilege must be revoked.
     • READALL|NOREADALL
       Specifies that a logonid has read and execute access to all data sets. ACF2 enforces any existing rules for other types of access such as write and allocate. ACF2 logs any accesses the logonid makes that are not allowed through ownership or rules. READALL also bypasses PDS member-level validation. READALL is not considered when validating resources.
  2. If a logonid includes the READALL attribute, your organization has an audit finding. See Remediate Audit Finding.
  3. If no logonids include the READALL attribute, your organization does not have an audit finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the READALL attribute. Limit access to change logonid records to approved change windows, and reduce it to view-only outside those windows.
Follow these steps:
  1. Change the READALL attribute in the logonid to NOREADALL:
     SET LID
     LID
     CHANGE AUDITOR1 NOREADALL
     LID
  2. Verify that the AUDITOR1 logonid changed:
     SET LID
     LID
     LIST AUDITOR1
     AUDITOR1
     AUDITOR1 ... PRIVILEGES AUDIT DUMPAUTH IMS JOB NOREADALL STC ...
     LID
The AUDITOR1 logonid no longer has read and execute access to every data set on the system; normal ACF2 data set rules now apply to it.
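As an added audit check covering both the identification and remediation steps above (this script is not part of the STIG article or of ACF2), the following Python scans a captured logonid listing, flags records that carry READALL as a whole keyword so that NOREADALL is not reported as a finding, and emits the CHANGE ... NOREADALL commands from the remediation step. The listing layout in the constructed sample is an assumption modelled on the excerpt in this article, not the exact ACF2 output format.

```python
# Constructed sample of a captured ACF2 logonid listing (assumed layout,
# modelled on the excerpt in this article, not the exact ACF2 format).
# A record starts with a line holding only the logonid; "LID" lines are the
# TSO prompt after SET LID and carry no data.
SAMPLE_LISTING = """\
SET LID
LID
AUDITOR1
AUDITOR1 SMITH, JANE          AUDITING
  PRIVILEGES AUDIT DUMPAUTH IMS JOB READALL STC
OPSUSER2
OPSUSER2 DOE, JOHN            OPERATIONS
  PRIVILEGES JOB NOREADALL STC
BATCH001
BATCH001 NIGHTLY BATCH        PRODUCTION
  PRIVILEGES JOB READALL
LID
"""

PROMPT = "LID"
COMMAND_VERBS = {"SET", "LIST", "CHANGE"}


def parse_listing(text):
    """Return {logonid: set of keywords found in that logonid's record}."""
    records = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or raw.strip() == PROMPT or tokens[0] in COMMAND_VERBS:
            continue                              # prompt or echoed command
        if not raw[0].isspace() and len(tokens) == 1:
            current = tokens[0]                   # record header line
            records.setdefault(current, set())
        elif current is not None:
            records[current].update(tokens)       # record body line
    return records


def readall_findings(text):
    """Logonids that carry READALL. Whole-keyword matching means NOREADALL
    is never mistaken for a finding."""
    return sorted(lid for lid, words in parse_listing(text).items()
                  if "READALL" in words)


def remediation_commands(lids):
    """ACF2 CHANGE commands that revoke READALL, one per finding."""
    return [f"CHANGE {lid} NOREADALL" for lid in lids]
```

Run the generated commands only under the SET LID context and within an approved change window, then re-list the logonids to confirm NOREADALL, as in step 2 above.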
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000035, CCI-000225

CCI: CCI-000035
Published Date: 2009-09-14
Definition: The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-4 (11)
NIST: NIST SP 800-53 Revision 4 (v4): AC-4 (11)
NIST: NIST SP 800-53A (v1): AC-4 (11).1 (ii)

CCI: CCI-000225
Published Date: 2009-09-14
Definition: The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Type: policy
References:
NIST: NIST SP 800-53 (v3): AC-6
NIST: NIST SP 800-53 Revision 4 (v4): AC-6
NIST: NIST SP 800-53A (v1): AC-6.1