STIG ID - BACF1013: Use Data Set and OS Passwords

Severity: 2 - Medium
Access to data sets on z/OS systems can be protected using the old OS password technology. The use of these z/OS passwords is not supported by all External Security Managers (ESMs). All protection of system resources must now come from an ESM. If multiple protection mechanisms are in place, the accessibility of data is subject to compromise.
This STIG article shows how to determine if the system password data set and operating system passwords are in use using Auditor.
Your organization will ensure the system password data set and operating system passwords are not used.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Select option 2 from the Auditor Primary Menu. The System Installation Choices Menu is displayed.
  2. Select option 3. The Program Library Analysis Using SMP/E screen is displayed.
  3. Select option 6. The Program Updates Selection screen is displayed.
  4. View the results to determine if the system password data set and OS passwords are in use.
  5. If the system password data set and OS passwords are not in use, your organization does not have an audit finding.
  6. If the system password data set and OS passwords are in use, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Systems Programmer ensures that the old OS password protection is not in use, that OS password protection is removed from any data sets that still rely on it, and that the ESM provides that protection instead.
Follow these steps:
  1. Delete the system password data set protection. For information on using the data set protection feature of the operating system, see the IBM documentation. ACF2 protects data sets by default; therefore, no action is required.
By ensuring multiple protection mechanisms are not in place, the accessibility of data is not compromised.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000366
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3): CM-6 (b)
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 (b)
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
CCI: CCI-002358
Published Date: 2013-06-25
Definition: The information system implements a reference monitor for organization-defined access control policies that is always invoked.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-25