STIG ID - BACF0018: Review ACF2 Exit Routines

Set GSO EXIT record fields to ensure proper system entry validation is performed.
Severity: 1 - High
Exits bypass normal security controls, which can lead to a compromised system.
ACF2 does not require user-written exits or modifications to operate. However, users can require special functions or support that are not part of the ACF2 system. ACF2 provides exits to support local system modifications or extensions. The GSO EXITS record specifies the module name for each user-written ACF2 exit.
Your organization will ensure data is protected by performing a configuration and governing life cycle management review of all exits including review and validation of each exit code.
This STIG article shows how to identify if Exit code is in place and how to set GSO EXITS record field values to ensure proper system entry validation is performed.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  1. List the GSO EXITS record to determine if exits are defined:
     SET CONTROL(GSO)
     CONTROL
     LIST EXITS
     *** / EXITS LAST CHANGED BY USER02 ON 4/29/19-15:30 -
     NO DATA AVAILABLE
     CONTROL
     In this example, there are no exits currently defined.
  2. If the GSO EXITS record shows exits are being used, a formal review of configuration management, including review and validation of each exit's code, is required. This would be considered a Severity 1 - HIGH and your organization would have an audit finding. See Remediate Audit Finding.
  3. If the GSO EXITS record shows exits are being used, your organization provides clear evidence that the current exit load module matches the module source code for each exit in place, and the GSO EXITS record values are set to DSNPOST, SEVPRE(SEVPRE01), and SEVPOST(SEVPST01), your organization does not have an audit finding.
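As an added illustration (not part of the original STIG article or of Broadcom's ACF2 documentation), the following Python applies the decision in steps 1 to 3 to captured LIST EXITS output. The listings are constructed samples modelled on the output shown above, and the source-to-load-module parity evidence is passed in as a flag because a record listing alone cannot establish it.

```python
import re

# Constructed sample listings, modelled on the page's LIST EXITS output (not real system output).
NO_EXITS = """*** / EXITS LAST CHANGED BY USER02 ON 4/29/19-15:30 -
NO DATA AVAILABLE"""
COMPLIANT_EXITS = """*** / EXITS LAST CHANGED BY USER02 ON 3/29/20-08:30
EXITS DSNPOST(DSNPST01) SEVPRE(SEVPRE01) SEVPOST(SEVPST01)"""
DEVIANT_EXITS = """*** / EXITS LAST CHANGED BY USER99 ON 5/01/21-02:14
EXITS DSNPOST(DSNPST01) SEVPRE(SITEPRE) SEVPOST(SEVPST01) VIOEXIT(VIOX99)"""

# Module names the STIG requires; DSNPOST's module name is site-specific, so only its presence is checked.
REQUIRED_MODULES = {"SEVPRE": "SEVPRE01", "SEVPOST": "SEVPST01"}
FIELD_RE = re.compile(r"\b([A-Z]+)\(([A-Z0-9@#$]*)\)")


def parse_exits(listing):
    """Return {field: module} for every non-empty FIELD(MODULE) in a LIST EXITS listing."""
    exits = {}
    for line in listing.splitlines():
        if line.startswith("***"):          # "LAST CHANGED BY" header, not record content
            continue
        for field, module in FIELD_RE.findall(line):
            if module:                       # empty parentheses mean the exit is not defined
                exits[field] = module
    return exits


def assess(listing, parity_reviewed=False):
    """Apply the STIG decision; returns (finding, reasons).

    parity_reviewed is the manual evidence that each exit load module matches
    its reviewed source code (step 3); the listing itself cannot prove that.
    """
    exits = parse_exits(listing)
    if not exits:
        return False, ["no exits defined"]
    reasons = []
    if not parity_reviewed:
        reasons.append("exits defined without documented source/load-module review (Severity 1)")
    if "DSNPOST" not in exits:
        reasons.append("DSNPOST not set")
    for field, module in REQUIRED_MODULES.items():
        if exits.get(field) != module:
            reasons.append(f"{field} is {exits.get(field, 'unset')}, expected {module}")
    for field in sorted(set(exits) - set(REQUIRED_MODULES) - {"DSNPOST"}):
        reasons.append(f"{field}({exits[field]}) is not an expected exit and needs review")
    return bool(reasons), reasons
```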
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that a formal review and validation of each exit code occurs and the correct GSO EXITS field values are defined.
Follow these steps:
  1. Per your organization's standards, perform a configuration and governing life cycle management review of the identified exit including review and validation of each exit code. Standard configuration management control ensures the correct exit code is implemented and your organization maintains proper and full control over the exit source code to load module parity. Once a formal review is performed and shows clear evidence the exit load module matches module source code, continue to step 2.
  2. Define the GSO EXITS record values to DSNPOST(modulename), SEVPRE(SEVPRE01), and SEVPOST(SEVPST01), where modulename is the reviewed DSNPOST load module:
     SET CONTROL(GSO)
     CONTROL
     CHANGE EXIT DSNPOST(modulename) SEVPRE(SEVPRE01) SEVPOST(SEVPST01)
     CONTROL
     Then refresh the record with the operator command so the change takes effect:
     F ACF2,REFRESH(EXITS)
     • DSNPOST(module)
       ACF2 calls the Data Set and Program Postvalidation exit (DSNPOST) for all data set and program accesses. The exit receives control after ACF2 validation is complete. ACF2 passes DSNPOST the address of the ACSXP parameter list. This parameter list contains information that describes the type of access, the access environment, and the ACF2 recommendation. If ACF2 calls DSNPOST, ACF2 does not call the data set and program violation exit (VIOEXIT).
     • SEVPRE(SEVPRE01)
       The System Entry Validation Preprocessing Exit (SEVPRE) lets you inspect and modify a system entry validation (SEV) request before the validation is performed. It lets you return a site message to the requester and deny the request.
     • SEVPOST(SEVPST01)
       The System Entry Validation Postprocessing Exit (SEVPOST) lets you inspect and modify a system entry validation (SEV) request after the validation has been performed. It lets you suppress a login ID database update, if applicable, before the update is applied to the database. ACF2 also eliminates the login ID SMF (LL) record in this case. This exit can return a site message to the requester, deny the request, or modify the login ID information that is returned to the requester.
  3. Verify the GSO EXITS record value changes were made:
     SET CONTROL(GSO)
     CONTROL
     LIST EXIT
     *** / EXITS LAST CHANGED BY USER02 ON 3/29/20-08:30
     EXIT DSNPOST(modulename) SEVPRE(SEVPRE01) SEVPOST(SEVPST01)
     CONTROL
Performing a configuration and governing life cycle management review of all exits including review and validation of each exit code ensures your organization's data is protected.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000021, CCI-000366, CCI-000368, CCI-000764, CCI-000765, CCI-001764
CCI: CCI-000021
Published Date: 2009-05-13
Definition: The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): AC-3 (2)
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3 (2)
  NIST: NIST SP 800-53A (v1): AC-3 (2).1 (ii)
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy
References:
  NIST: NIST SP 800-53 (v3): CM-6 b
  NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
  NIST: NIST SP 800-53A (v1): CM-6.1 (iv)
CCI: CCI-000368
Published Date: 2009-09-18
Definition: The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
  NIST: NIST SP 800-53 (v3): CM-6 c
  NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
  NIST: NIST SP 800-53A (v1): CM-6.1 (v)
CCI: CCI-000764
Published Date: 2009-09-17
Definition: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Type: technical
References:
  NIST: NIST SP 800-53 (v3): IA-2
  NIST: NIST SP 800-53 Revision 4 (v4): IA-2
  NIST: NIST SP 800-53A (v1): IA-2.1
CCI: CCI-000765
Published Date: 2009-09-17
Definition: The information system implements multifactor authentication for network access to privileged accounts.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): IA-2 (1)
  NIST: NIST SP 800-53 Revision 4 (v4): IA-2 (1)
  NIST: NIST SP 800-53A (v1): IA-2 (1).1
CCI: CCI-001764
Published Date: 2013-02-28
Definition: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type: technical
References:
  NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)