STIG ID - BACF0016: Review Control Programs Authorized to Use Bypass Label Processing

Verify that ACF2 does not control programs authorized to use BLP.
Severity: 2 - Medium
Bypass label processing (BLP) is a method of accessing tapes and cartridges. BLP lets anyone bypass tape labels and read tape data without checking user authorization. Use of BLP is usually restricted due to the security risk. The ACF2 GSO BLPPGM record defines the programs and associated libraries that are authorized to use BLP. When specified, BLPPGM grants a specified program from the designated library BLP access even if the logonid executing the program does not have the TAPE-BLP or TAPE-LBL privileges in the logonid record.
Your organization must ensure that ACF2 does not control programs authorized to use BLP.
This STIG article addresses how to verify that ACF2 does not control programs authorized to use tape BLP.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
  1. List the GSO BLPPGM record to determine if the LIBRARY(sys1.linklib) field is defined:
     SET CONTROL(GSO)
     CONTROL
     LIST BLPPGM
     LIBRARY(SYS1.LINKLIB)
     CONTROL
     • LIBRARY(library)
       Defines the fully qualified name of the library where the programs you specify in the PGM parameter reside. However, if the library is also specified in the GSO LINKLST record, the library name that you specify in the GSO BLPPGM record should be SYS1.LINKLIB. For example, if PROD.LOADLIB is specified in the LINKLST record, SYS1.LINKLIB should be specified in the BLPPGM record. Based on the entry in the LINKLST record, ACF2 validates accesses from PROD.LOADLIB as coming from SYS1.LINKLIB.
       If you do not specify the LIBRARY field or you specify a null value for LIBRARY, that is, LIBRARY(), ACF2 rejects the BLPPGM records during refresh processing and does not use them for validation.
  2. If the GSO BLPPGM LIBRARY(sys1.linklib) field is defined, your site has an audit finding. See Remediate Audit Finding.
  3. If the LIST GSO BLPPGM command returns the following message, your site does not have an audit finding:
     ACF0A005 RECORD(S) NOT FOUND
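As an added example (not part of the STIG article and not an ACF2 utility), the following Python script applies the check above to saved LIST BLPPGM output: it reports a finding when any BLPPGM record carries a non-null LIBRARY field, reports none when ACF2 returns ACF0A005, and applies the LINKLST rule from step 1 so that a LINKLST library resolves to SYS1.LINKLIB. The sample listing lines are constructed, and the assumed one-record-per-line KEYWORD(value) layout may differ from the actual ACF2 display at your site.

```python
import re

# Message ACF2 returns when no GSO BLPPGM record exists (quoted in the article).
NO_RECORD_MSG = "ACF0A005 RECORD(S) NOT FOUND"
LINKLIB = "SYS1.LINKLIB"

# Constructed sample listings (assumption: one record per line, fields shown as
# KEYWORD(value); the real ACF2 LIST layout at your site may differ).
SAMPLE_FINDING = """\
BLPPGM / LIBRARY(SYS1.LINKLIB) PGM(IEBGENER)
BLPPGM.PROD / LIBRARY(PROD.LOADLIB) PGM(TAPECOPY,TAPEDUMP)
"""
SAMPLE_CLEAN = "ACF0A005 RECORD(S) NOT FOUND\n"

_LIB_RE = re.compile(r"LIBRARY\(\s*([^)\s]*)\s*\)", re.IGNORECASE)
_PGM_RE = re.compile(r"PGM\(([^)]*)\)", re.IGNORECASE)


def effective_library(library, linklst_libraries=()):
    """Apply the LINKLST rule from the article: a library that also appears in
    the GSO LINKLST record is validated by ACF2 as if it were SYS1.LINKLIB."""
    lib = library.strip().upper()
    if lib in {x.strip().upper() for x in linklst_libraries}:
        return LINKLIB
    return lib


def parse_blppgm(listing, linklst_libraries=()):
    """Return (effective_library, [programs]) for every BLPPGM record line whose
    LIBRARY field is non-null. Records with LIBRARY() are skipped because ACF2
    rejects them at refresh and never uses them for validation."""
    records = []
    for line in listing.splitlines():
        lib = _LIB_RE.search(line)
        if not lib or not lib.group(1):
            continue
        pgms = [p for grp in _PGM_RE.findall(line)
                for p in grp.replace(",", " ").split()]
        records.append((effective_library(lib.group(1), linklst_libraries), pgms))
    return records


def has_finding(listing, linklst_libraries=()):
    """BACF0016 check: True when at least one BLPPGM record with a defined
    LIBRARY exists, False when ACF2 reports that no record was found."""
    if NO_RECORD_MSG in listing.upper():
        return False
    return bool(parse_blppgm(listing, linklst_libraries))
```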
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO BLPPGM record. Limit access to change GSO records to the time frames of approved changes, and reduce it to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO BLPPGM record LIBRARY field value to null:
     SET CONTROL(GSO)
     CONTROL
     CHANGE BLPPGM LIBRARY()
     F ACF2,REFRESH(BLPPGM)
     CONTROL
  2. Verify the GSO BLPPGM record is no longer defined:
     SET CONTROL(GSO)
     CONTROL
     LIST BLPPGM
     ACF0A005 RECORD(S) NOT FOUND
     CONTROL
     ACF2 rejects the BLPPGM record during refresh processing and does not use it for validation.
By implementing the GSO BLPPGM record, unauthorized access is denied to sensitive data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-000382 and CCI-001764
CCI: CCI-000382
Published Date: 2009-09-18
Definition: The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-7
NIST: NIST SP 800-53 Revision 4 (v4): CM-7b
NIST: NIST SP 800-53A (v1): CM-7.1 (iii)
CCI: CCI-001764
Definition: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): CM-7(2)