STIG ID - BACF1056: Define Trusted Started Tasks

Severity
: 1- High
Started tasks performing critical operating system functions can be considered trusted for the purposes of data set and resource access requests; for these started tasks, all access requests are honored. Trusted started tasks can carry access or privileged attributes such as NON-CNCL or MAINT, which let their access requirements be fulfilled while they run on the system. If started tasks are granted NON-CNCL or MAINT, your organization must ensure that full, proper, and compliant security access is in place. Not limiting access to the system proclib, where the started task procedures are stored, compromises security, the operating system, customer applications, and data, because those started tasks with security-bypassing authority could be exploited. Write or allocate access must be limited to only those periods of time in which approved changes have been authorized, and to the specific system programs authorized to make the approved change.
Your organization must ensure only those started tasks listed as trusted receive privileged attributes or other access that allows bypassing of security and system controls. Additional requirements shall be fully documented by vendor requirement where proper access controls must be bypassed and approved by the approving authority, such as the Authorizing Officer (AO) or Chief Information Security Officer (CISO).
This STIG article shows how to identify started task logonids that are not authorized to have the NON-CNCL and MAINT attributes assigned, and how to remove those attributes.

Identify Audit Finding

Review the following data to determine if you should consider remediation:
  1. List all logonids with NON-CNCL to identify started task logonids. NON-CNCL lets a logonid bypass data set rule sets while the access violations are recorded and SMF records are written. If the logonid does not have the NON-CNCL privilege, ACF2 does not examine the maintenance program list.
    SET TERSE
    LIST IF(NON-CNCL,STC)
    All logonids with the NON-CNCL and STC attributes are displayed.
  2. List the started task logonid identified to determine whether it is a trusted started task with the MAINT attribute defined. The MAINT record and the MAINT privileged attribute let users bypass rule validation only if the library, logonid, and program match the MAINT record. In doing so, no SMF records are written, and MAINT processing does not queue data set rule sets in the address space. If the logonid does not have the MAINT privilege, ACF2 does not examine the maintenance program list. If SMF recording is desired, the user may be given the MAINTTRC attribute along with the MAINT privileged attribute.
    SET TERSE
    LIST IF(MAINT,STC)
    All logonids with the MAINT and STC attributes are displayed.
  3. Review all logonids listed with NON-CNCL and STC or with MAINT and STC. Ensure the logonids are included in the TRUSTED list below.
    ACF2
    ACBKUP
    APSWPROA
    APSWPROB
    APSWPROC
    APSWPROM
    APSWPROT
    CATALOG
    CEA
    CONSOLE
    DFHSM
    DFS
    DUMPSRV
    GPMSERVE
    GSKSRVR
    IEEVMPCR
    IOSAS
    IXGLOGR
    JES2
    JESXCF
    LLA
    NFS
    OMVS/OMVSKERN
    RACF
    RMF
    RMFGAT
    SMF
    SMRESTN
    SMSRESTR
    SMSVSAM
    TCPIP
    TSS
    TSSB
    TSSM
    TSSRESTN
    VLF
    VTAM
    XCFAS
    ZFS
    Many of the started tasks listed as trusted may not require NON-CNCL. However, removing it requires the responsible security team to take the time to identify the proper resources and access levels for those started tasks. NON-CNCL logs those resources and access; upon review, the security team is able to grant such access to the specific started tasks.
    We recommend using NON-CNCL to start the started task, identifying the access requirements needed, granting those requirements to the started task and recycling the STC, and then determining whether additional access requirements exist and granting them. When possible, remove NON-CNCL, ensuring that least-privilege access has been granted as required.
  4. If the started task logonid is a trusted started task and the NON-CNCL or MAINT privilege attribute is defined, your organization does not have an audit finding.
  5. If the started task logonid is not a trusted started task and has the NON-CNCL, MAINT, or NON-CNCL and MAINT privilege attributes defined, your organization has an audit finding. See Remediate Audit Finding.

Remediate Audit Finding

The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that only the trusted started task logonids listed have the NON-CNCL privileged attribute, the MAINT privileged attribute, or all required access controls defined.
  1. Remove NON-CNCL from the logonids identified in Identify Audit Finding that should not have the privilege attribute assigned:
    SET LID
    CHANGE user01 NONON-CNCL
    In this example, user01 has the NONON-CNCL attribute defined, which specifies bypassing of data set rule sets is not allowed.
  2. Verify NON-CNCL was removed from the logonid:
    LIST logonid
    logonid .... PRIVILEGES ACCOUNT TSO ....
    In this example, the NON-CNCL attribute no longer appears in the PRIVILEGES section of the logonid record.
  3. Remove MAINT from the logonids identified in Identify Audit Finding that should not have the MAINT attribute assigned:
    SET LID
    CHANGE user01 NOMAINT
    In this example, user01 has the NOMAINT attribute defined, which specifies that the logonid cannot access data sets without ACF2 rule validation or logging.
  4. Verify MAINT was removed from the logonid:
    LIST logonid
    logonid .... PRIVILEGES ACCOUNT TSO ....
    In this example, the MAINT attribute no longer appears in the PRIVILEGES section of the logonid record.
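The review in Identify Audit Finding (steps 1 to 5) and the removal in Remediate Audit Finding (steps 1 to 4) can be scripted against captured LIST output. The following is an added example, not part of this STIG article or of Broadcom's ACF2 tooling: it parses a constructed sample of LIST output (the record layout used here, a logonid line in column 1 followed by an indented PRIVILEGES line, is an assumption about how the capture looks), flags started task logonids that carry NON-CNCL or MAINT but are absent from the trusted list above, and emits the corresponding CHANGE commands shown in the remediation steps for a security administrator to review before running them.

```python
"""Audit captured ACF2 LIST output for NON-CNCL / MAINT on untrusted started tasks.

Added example for the STIG article; not Broadcom's code. The LIST output layout
below is an assumption and may differ from a real capture.
"""
from typing import Dict, List, Set, Tuple

# Trusted started task logonids from the article's list; the "OMVS/OMVSKERN"
# entry is split so that both names count as trusted.
_TRUSTED_RAW = (
    "ACF2 ACBKUP APSWPROA APSWPROB APSWPROC APSWPROM APSWPROT CATALOG CEA CONSOLE "
    "DFHSM DFS DUMPSRV GPMSERVE GSKSRVR IEEVMPCR IOSAS IXGLOGR JES2 JESXCF LLA NFS "
    "OMVS/OMVSKERN RACF RMF RMFGAT SMF SMRESTN SMSRESTR SMSVSAM TCPIP TSS TSSB TSSM "
    "TSSRESTN VLF VTAM XCFAS ZFS"
)
TRUSTED_STCS: Set[str] = {
    name for entry in _TRUSTED_RAW.split() for name in entry.split("/")
}

# Privileged attributes this STIG is concerned with, in the order they are reported.
BYPASS_ATTRS = ("NON-CNCL", "MAINT")

# Constructed sample of what a captured "LIST IF(NON-CNCL,STC)" / "LIST IF(MAINT,STC)"
# run might look like: a logonid line in column 1, then indented section lines.
SAMPLE_LIST_OUTPUT = """\
JES2     JES2 STARTED TASK
  PRIVILEGES   NON-CNCL STC
TCPIP    TCP/IP STARTED TASK
  PRIVILEGES   NON-CNCL STC
APPSTC1  VENDOR APP STC
  PRIVILEGES   NON-CNCL STC
APPSTC2  VENDOR APP STC
  PRIVILEGES   MAINT MAINTTRC STC
APPSTC3  VENDOR APP STC
  PRIVILEGES   MAINT NON-CNCL STC
OMVSKERN UNIX KERNEL
  PRIVILEGES   NON-CNCL STC
"""


def parse_list_output(text: str) -> Dict[str, Set[str]]:
    """Return {logonid: set of PRIVILEGES attributes} from captured LIST output."""
    records: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A column-1 line starts a new logonid record; first token is the logonid.
            current = line.split()[0].upper()
            records.setdefault(current, set())
        elif current is not None:
            tokens = line.split()
            if tokens and tokens[0].upper() == "PRIVILEGES":
                records[current].update(t.upper() for t in tokens[1:])
    return records


def find_findings(
    records: Dict[str, Set[str]], trusted: Set[str] = TRUSTED_STCS
) -> List[Tuple[str, List[str]]]:
    """Started task logonids (STC) outside the trusted list that carry NON-CNCL or MAINT.

    Non-STC logonids are ignored: they are outside the scope of this STIG ID.
    """
    findings: List[Tuple[str, List[str]]] = []
    for lid in sorted(records):
        attrs = records[lid]
        if "STC" not in attrs or lid in trusted:
            continue
        bypass = [a for a in BYPASS_ATTRS if a in attrs]
        if bypass:
            findings.append((lid, bypass))
    return findings


def remediation_commands(findings: List[Tuple[str, List[str]]]) -> List[str]:
    """ACF2 commands, one attribute per CHANGE as in the article, that drop the attributes.

    NO + NON-CNCL gives NONON-CNCL and NO + MAINT gives NOMAINT, the negations used
    in the remediation steps.
    """
    if not findings:
        return []
    cmds = ["SET LID"]
    for lid, bypass in findings:
        for attr in bypass:
            cmds.append(f"CHANGE {lid} NO{attr}")
    return cmds


if __name__ == "__main__":
    found = find_findings(parse_list_output(SAMPLE_LIST_OUTPUT))
    for lid, attrs in found:
        print(f"FINDING: {lid} has {' '.join(attrs)} but is not a trusted started task")
    print("\n".join(remediation_commands(found)))
```

Run it against a real capture by replacing SAMPLE_LIST_OUTPUT with the file contents; the trusted set is deliberately a separate constant so that any vendor-documented, AO- or CISO-approved additions can be recorded there alongside the article's list rather than by silently skipping findings.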
Ensuring that only started tasks listed as trusted receive privileged attributes or other access that allows bypassing of security and system controls protects your organization from unauthorized bypassing of those security and system controls.

Control Correlation Identifier (CCI)

A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCI
: CCI-002145
Published Date
: 2013-06-24
Definition
: The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type
: technical
References
: NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)