STIG ID - BACF0017: Write Resource Rules to Validate Security Calls

Write resource rules to validate security calls for specified classes.
Severity: 2 - Medium

The GSO CLASMAP record translates eight-character resource classes into three-byte ACF2 resource type codes. The three-character resource type code lets you write resource rules to validate security calls for specified classes. The GSO CLASMAP also translates the resource type codes from ACF2 calls or calls made to ACF2 from the CA International Standard Security Facility (CAISSF). Improper setting of the GSO CLASMAP fields can compromise the security of the processing environment. In addition, failure to establish standardized settings for records introduces the possibility of exposure during a migration process or contingency plan activation.
Your organization will ensure that authorized users can write resource rules to validate security calls for specified classes without compromising your processing environment.
This STIG article shows how to verify that your GSO CLASMAP record is set to translate eight-character SAF resource classes into three-character ACF2 resource type codes, so that resource rules that perform validations can be written.

Identify Audit Finding

Complete these steps to determine if you should consider remediation:
  1. Review the GSO CLASMAP record to determine if the resource classes map to resource types as follows:
    • APPL maps to APL
    • CONSOLE maps to CON
    • FACILITY maps to FAC
    • OPERCMDS maps to OPR
    • TSOAUTH maps to TSO
    SET CONTROL(GSO)
    CONTROL
    SHOW CLASMAP
    -- MERGED CLASMAP DEFINITIONS --
    RESOURCE TYPE ENTITY                           POSIT              MUSASS
    CLASS    CODE LENGTH PROFINT LOG MIXED EXTERNAL VALUE SIGNL ID ... ID
    ======== ==== ====== ======= === ===== ======== ===== ===== ... ========
    APPL     APL       8                   EXT          3             ********
    CONSOLE  SAF       8                              107             ********
    FACILITY FAC      39                                8             ********
    OPERCMDS OPR      39                   EXT        112             ********
    TSOAUTH  SAF       8                              124             ********
    CONTROL
    In this example, the CONSOLE and TSOAUTH type code values differ from the suggested values CONSOLE=CON and TSOAUTH=TSO.
    • RESOURCE(class)
      Specifies the explicit eight-character resource class from the CLASS keyword on the RACROUTE macro. RESOURCE can also define the resource class defined to ACF2 by CAISSF. Normal ACF2 resource name masking conventions apply.
    • RSRCTYPE(typecode)
      Specifies the explicit three-character resource type code associated with the class. If you define a RESOURCE but do not define a RSRCTYPE, ACF2 uses the first three characters of the RESOURCE as the RSRCTYPE. Use this type code to write resource rules to perform validation. This value cannot be a mask.
  2. If the GSO CLASMAP record resource class and resource type field values listed below are defined, your organization does not have an audit finding.
    • APPL maps to APL
    • CONSOLE maps to CON
    • FACILITY maps to FAC
    • OPERCMDS maps to OPR
    • TSOAUTH maps to TSO
  3. If the GSO CLASMAP record resource class and resource type field values in step 1 are not defined, your organization has an audit finding. See Remediate Audit Finding.
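The following script is an added example, not part of this STIG article or of ACF2: it parses the resource class and type code columns of SHOW CLASMAP output (a constructed sample, abbreviated to the columns the check needs) and reports every required mapping from step 1 that is missing or wrong. The same check can be rerun on the SHOW CLASMAP output captured after remediation to confirm the finding is closed.

```python
import re

# Required class-to-type mappings from step 1 of the Identify Audit Finding check.
REQUIRED_CLASMAP = {
    "APPL": "APL",
    "CONSOLE": "CON",
    "FACILITY": "FAC",
    "OPERCMDS": "OPR",
    "TSOAUTH": "TSO",
}

# Constructed sample of SHOW CLASMAP output, trimmed to the leading columns.
# CONSOLE and TSOAUTH still carry the SAF default instead of CON and TSO.
SAMPLE_SHOW_OUTPUT = """\
-- MERGED CLASMAP DEFINITIONS --
RESOURCE TYPE ENTITY                           POSIT
CLASS    CODE LENGTH PROFINT LOG MIXED EXTERNAL VALUE
======== ==== ====== ======= === ===== ======== =====
APPL     APL       8                   EXT          3
CONSOLE  SAF       8                              107
FACILITY FAC      39                                8
OPERCMDS OPR      39                   EXT        112
TSOAUTH  SAF       8                              124
CONTROL
"""


def parse_clasmap(show_output: str) -> dict:
    """Return {resource class: type code} from SHOW CLASMAP output.

    Data rows begin with an up-to-8-character class followed by a 3-character
    type code. Header rows are skipped by waiting for the '====' underline, and
    the trailing CONTROL prompt does not match because it has no type code."""
    mapping = {}
    row = re.compile(r"^([A-Z0-9@#$]{1,8})\s+([A-Z0-9@#$]{3})\b")
    in_table = False
    for line in show_output.splitlines():
        if line.startswith("===="):
            in_table = True
            continue
        match = row.match(line) if in_table else None
        if match:
            mapping[match.group(1)] = match.group(2)
    return mapping


def find_findings(show_output: str, required=REQUIRED_CLASMAP) -> dict:
    """Return {class: (actual type code or None, expected type code)} for each
    required mapping that is missing or wrong; an empty dict means no finding."""
    actual = parse_clasmap(show_output)
    return {cls: (actual.get(cls), exp) for cls, exp in required.items()
            if actual.get(cls) != exp}


if __name__ == "__main__":
    for cls, (got, exp) in find_findings(SAMPLE_SHOW_OUTPUT).items():
        print(f"FINDING: {cls} maps to {got}, expected {exp}")
```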

Remediate Audit Finding

z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO CLASMAP record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Configure the GSO CLASMAP record CONSOLE field value to CON and the TSOAUTH field value to TSO:
    SET CONTROL(GSO)
    CONTROL
    CHANGE CLASMAP RESOURCE(CONSOLE,TSOAUTH) RSRCTYPE(CON,TSO)
    F ACF2,REFRESH(CLASMAP)
    CONTROL
    The eight-character resource classes and three-character resource types are now defined, so resource rules that validate security calls can be written.
  2. Verify the resource classes and resource types were changed.
    SET CONTROL(GSO)
    CONTROL
    SHOW CLASMAP
    -- MERGED CLASMAP DEFINITIONS --
    RESOURCE TYPE ENTITY                           POSIT              MUSASS
    CLASS    CODE LENGTH PROFINT LOG MIXED EXTERNAL VALUE SIGNL ID ... ID
    ======== ==== ====== ======= === ===== ======== ===== ===== ... ========
    CONSOLE  CON       8                              107             ********
    TSOAUTH  TSO       8                              124             ********
    CONTROL
You can now write resource rules to validate security calls for the specified classes without compromising your processing environment.

Control Correlation Identifier

A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-000213, CCI-000366

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): AC-3
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3
  NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
  NIST: NIST SP 800-53 (v3): CM-6 b
  NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
  NIST: NIST SP 800-53A (v1): CM-6.1 (iv)