STIG ID - BACF0050: Limit the Users Granted TAPE-LBL and TAPE-BLP Privileges

Limit TAPE-LBL and TAPE-BLP privileges to specific system programmers and operations personnel.
Severity
: 2 - Medium
Tape Bypass Label Processing lets anyone bypass tape labels and read tape data without checking user authorization. Use of the special privileges of TAPE-LBL and TAPE-BLP should be restricted to a controlled number of systems programmers and operations personnel due to the high security risk.
This STIG shows how to identify who has the TAPE-LBL and TAPE-BLP privileges and how to remove those privileges if they are assigned to the wrong logonid.
The organization will ensure TAPE-LBL and TAPE-BLP privileges are limited to the specific system programmers and operations personnel who require this access.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
The following steps show how to identify logonids with the TAPE-LBL attribute defined. Repeat these steps to identify logoinds with the TAPE-BLP attribute defined.
Follow these steps
:
  1.   List all logonids with the TAPE-LBL attribute defined:
    SET LID LID LIST LIKE(-) IF(TAPE-LBL-) LID USER01
    USER01
    ... PRIVILEGES DUMPAUTH IMS JOB
    TAPE-LBL
    ... LID
    ACF2
    displays all logonid records with the
    TAPE-LBL
    attribute.
    In this example,
    ACF2
    displays the USER01 logonid record. USER01 is a user level logonid record that includes the TAPE-LBL attribute. The suggested guideline is the TAPE-LBL privilege be limited to systems programmers or operations personnel logonids.
    • TAPE-LBL|
      NOTAPE-LBL
      Specifies a user has limited bypass label processing authority when using tapes. When a user with this privilege has a BLP request,
      ACF2
      checks the volume serial number (volser) written on the tape label. If the volser is available from the tape, it will override the one specified in the JCL. The data set name used is the one from the JCL.
    • TAPE-BLP|
      NOTAPE-BLP
      Specifies that a user can use full bypass label processing (BLP) when accessing tape data sets. BLP lets a user specify any data set name or volume name in the JCL without any comparison of the information with the tape label. If a user specifies BLP,
      ACF2
      validates that they have the privilege to permit the job to run. In validating tape access,
      ACF2
      performs this validation based on the data set name or volume name coded in the JCL.
  2. If the logonid displayed includes the TAPE-LBL or TAPE-BLP attribute and is not a systems programmer or operations personnel,
    your organization has an audit finding
    . See Remediate Audit Finding.
  3. If the logonid displayed is that of a systems programmer or operations personnel and has the TAPE-LBL or TAPE-BLP attribute defined,
    your organization does not have an audit finding
    .
  4. If the logonid displayed does not include the TAPE-LBL or TAPE-BLP,
    your organization does not have an audit finding
    .
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the TAPE-LBL and TAPE-BLP attributes. Limit all access to change logonid records to time frames of approved changes and reduced to view only outside of approved change windows.
The following steps show how to remove the TAPE-LBL attribute from a logonid at the user level. Repeat these steps to remove logoinds at the user lever with the TAPE-BLP attribute defined.
  1. Change the TAPE-LBL attribute in the USER01 logonid record to NOTAPE-LBL. The TAPE-LBL privilege should be limited to only systems programmers or operations personnel logonids:
    SET LID LID CHANGE USER01 NOTAPE-LBL LID
  2.   Verify USER01 logonid changed:
    SET LID LID LIST USER01 USER01
    USER01
    ... PRIVILEGES DUMPAUTH IMS JOB
    NOTAPE-LBL
    ... LID
    Removing the special privilege of TAPE-LBL from a user level logonid limits the chance of a security risk when dealing with tape volumes.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000225
CCI
:
CCI-000225
Published Date
:
2009-09-14
Definition
:
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): AC-6
NIST: NIST SP 800-53 Revision 4 (v4): AC-6
NIST: NIST SP 800-53A (v1): AC-6.1