STIG ID - BACF0057: Set GSO RESRULE Record to NONE

Severity
: 2 - Medium
The GSO RESRULE record defines a set of high-level indexes that identify the access rule sets to be made resident in storage at
ACF2
initialization time. You can use this function to reduce the I/O operations that are required by
ACF2
to obtain heavily used indexes such as SYS1 or other high-level indexes. The default setting is NONE.
The system-wide options control the default settings for determining how the product handles requests for access to the operating system environment,
ACF2
, and customer data.
ACF2
lets you set many fields at the subsystem level. If no setting is found, system-wide defaults are used.
Improper setting of these fields, individually or with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for
ACF2
options introduces the possibility of exposure during a migration or during contingency plan activation.
The organization must ensure that the GSO RESRULE record value is set to none. Any other setting requires documentation to justify the change.
This STIG article shows how to change the GSO RESRULE record INDEX field setting to NONE.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  1. List the GSO RESRULE record to identify the INDEX field value:
    SET CONTROL(GSO) CONTROL LIST RESRULE XXXX / MAINT LAST CHANGED BY USER01 ON 11/22/20-13:51
    INDEX()
    CONTROL
    In this example, the GSO RESRULE record INDEX field value is set to (), which equals NONE.
    • INDEX(
      index1,...,index255
      )
      Indicates the number high-level indexes that identify the access rule sets to be made resident in storage at
      ACF2
      initialization time.
  2. If the GSO RESRULE record INDEX field is set to NONE,
    your site does not have an audit finding
    .
  3. If the GSO RESRULE record INDEX field is set to a number from index1 through index255,
    your site has an audit finding
    . See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) or Information System Security Office (ISSO) ensures that the GSO RESRULE record INDEX value is set to NONE.
Follow these steps
:
  1. Configure the GSO RESRULE record INDEX value to NONE.
    SET CONTROL(GSO) CONTROL INSERT RESRULE INDEX() CONTROL
  2. Issue the REFRESH command to refresh the GSO RESRULE record:
    F ACF2,REFRESH(RESRULE)
  3. Verify that the GSO RESRULE record is set to NONE:
    SET CONTROL(GSO) CONTROL LIST RESRULE XXXX / MAINT LAST CHANGED BY USER01 ON 11/22/20-14:01
    INDEX()
    CONTROL
The RESRULE record is now set to NONE, indicating no access rules sets are made resident in storage at
ACF2
initialization time.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000366, CCI-000368, CCI-000369
CCI
:
CCI-000366
Published Date
:
2009-09-18
Definition
:
The organization implements the security configuration settings.
Type
:
policy, technical
References
:
NIST: SP 800-53 (v3): CM-6b
NIST: SP 800-53 Revision 4 (v4): CM-6b
NIST SP 800-53A (v1): CM-6.1 (iv)
CCI
:
CCI-000368
Published Date
:
2009-09-18
Definition
:
The organization documents any deviations from the established configuration settings for organizatio-defined information system components based on organization-defined operational requirements.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): CM-6c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6c
NIST: NIST SP 800-53A (v1): VM-6.1 (v)
CCI
:
CCI-000369
Published Date
:
2009-09-18
Definition
:
The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type
:
policy
Reference
:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)