STIG ID - BACF0019: GSO LINKLST Record Values Contain Only Trusted System Data Sets
Specify trusted system partitioned data sets as part of the SYS1.LINKLIB during data set access validation.
Severity: 2 - Medium
ACF2 validates access to application libraries and partitioned data sets. When ACF2 validates access to a program-pathed data set, it takes special measures to ensure that only the defined library and program combination is used to gain access to the data set. To ensure this level of integrity, ACF2 maintains a list of active libraries. The active library list names all the libraries from which the executing program can fetch another program or subroutine.
ACF2 provides a GSO record called LINKLST, which names the libraries that your site wants ACF2 to consider the same as SYS1.LINKLIB. When ACF2 performs rule validation, LIB('SYS1.LINKLIB') is substituted for the true library name for all GSO LINKLST entries.
Your organization will ensure that SYS1.LINKLIB is defined and is recognized during data set access validation.
This STIG article shows how to specify trusted system partitioned data sets as part of the system link (SYS1.LINKLIB) during data set access validation.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
- List the GSO LINKLST record to identify whether ACF2 is defined to specify trusted partitioned data sets as part of SYS1.LINKLIB during data set access validation:
  SET CONTROL(GSO)
  CONTROL
  LIST LINKLST
  ACF0A005 RECORD(S) NOT FOUND
  CONTROL
  In this example, the GSO LINKLST record is not defined, which differs from the suggested guideline.
- If the GSO LINKLST record specifies one or more partitioned data sets considered part of the system link (SYS1.LINKLIB) during data set access validation, your site does not have an audit finding. Only trusted system data sets may be listed; application libraries, as in LIBRARY(SYS1.LINKLIB SYS2A.FDR.LOADLIB), must never be included, because every library named here is treated as SYS1.LINKLIB during rule validation.
- If the GSO LINKLST record is not defined, or is defined with an application library, your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO LINKLST record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
- Configure the GSO LINKLST record with the LIBRARY(SYS1.LINKLIB) field value, then refresh the record so the change takes effect:
  SET CONTROL(GSO)
  CONTROL
  INSERT LINKLST LIBRARY(SYS1.LINKLIB)
  F ACF2,REFRESH(LINKLST)
  CONTROL
  A trusted system partitioned data set is now defined.
- Verify that the GSO LINKLST record changed:
  SET CONTROL(GSO)
  CONTROL
  SHOW LINKLST
  -- DATASETS INCLUDED IN THE "LINK LIST" --
  CONTROL
The SYS1.LINKLIB is defined and will be recognized during data set access validation.
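The Identify and Remediate steps above amount to a three-way decision: the record is absent, it lists only trusted system libraries, or it lists an application library. The following is an added example, not part of this STIG article or of ACF2 itself, that encodes that decision as an offline compliance check over captured LIST/SHOW output. The output samples are constructed; the only message text taken from the article is ACF0A005, and the assumption that library names appear inside a LIBRARY(...) field. The trusted-prefix list is a hypothetical site policy and must be tuned to the installation.

```python
"""Offline compliance check for STIG BACF0019 (GSO LINKLST contents).

Added example, not ACF2 code.  It evaluates captured ACF2 command output
(format assumed: libraries listed inside a LIBRARY(...) field) against a
site allow-list of trusted system data set prefixes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical site policy: only data sets under these high-level qualifiers
# are considered trusted system libraries.  Adjust per installation.
TRUSTED_PREFIXES = ("SYS1.",)

# Library that the article requires to be present in the record.
REQUIRED_LIBRARY = "SYS1.LINKLIB"

# Message ACF2 returns when the GSO record does not exist (from the article).
NOT_FOUND_MSG = "ACF0A005"

# Constructed sample outputs, modelled on the article's command sequences.
OUTPUT_NOT_DEFINED = """LIST LINKLST
ACF0A005 RECORD(S) NOT FOUND
CONTROL"""

OUTPUT_COMPLIANT = """LIST LINKLST
LINKLST LIBRARY(SYS1.LINKLIB)
CONTROL"""

OUTPUT_APPLICATION_LIB = """LIST LINKLST
LINKLST LIBRARY(SYS1.LINKLIB
                SYS2A.FDR.LOADLIB)
CONTROL"""


@dataclass
class LinklstResult:
    finding: bool
    reason: str
    libraries: list[str] = field(default_factory=list)
    untrusted: list[str] = field(default_factory=list)


def parse_linklst(output: str) -> list[str] | None:
    """Return the data set names from every LIBRARY(...) field.

    Returns None when the output carries the record-not-found message.
    The field may span lines, so the regex does not stop at newlines.
    """
    if NOT_FOUND_MSG in output:
        return None
    libraries: list[str] = []
    for match in re.finditer(r"LIBRARY\(([^)]*)\)", output, re.IGNORECASE):
        libraries.extend(name.upper() for name in match.group(1).split())
    return libraries


def evaluate(output: str,
             trusted_prefixes: tuple[str, ...] = TRUSTED_PREFIXES) -> LinklstResult:
    """Apply the BACF0019 decision to one captured LIST/SHOW LINKLST output."""
    libraries = parse_linklst(output)
    if libraries is None:
        return LinklstResult(True, "GSO LINKLST record is not defined")
    if not libraries:
        return LinklstResult(True, "GSO LINKLST record has no LIBRARY entries")

    # Any library outside the trusted prefixes is an application library and
    # would be validated as if it were SYS1.LINKLIB: that is the finding.
    untrusted = [name for name in libraries
                 if not name.startswith(trusted_prefixes)]
    if untrusted:
        return LinklstResult(True, "application library in GSO LINKLST",
                             libraries, untrusted)
    if REQUIRED_LIBRARY not in libraries:
        return LinklstResult(True, f"{REQUIRED_LIBRARY} is not in GSO LINKLST",
                             libraries)
    return LinklstResult(False, "only trusted system data sets are listed",
                         libraries)


if __name__ == "__main__":
    for label, sample in (("not defined", OUTPUT_NOT_DEFINED),
                          ("compliant", OUTPUT_COMPLIANT),
                          ("application library", OUTPUT_APPLICATION_LIB)):
        result = evaluate(sample)
        status = "FINDING" if result.finding else "OK"
        print(f"{label:20s} {status:8s} {result.reason} {result.untrusted}")
```

Feed it the text captured from a LIST LINKLST or SHOW LINKLST session; a record that names anything outside the trusted prefixes, or that omits SYS1.LINKLIB, is reported as a finding that the Remediate Audit Finding steps resolve.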
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-001762, CCI-001764, CCI-002342
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)
The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions.
NIST: NIST SP 800-53 Revision 4 (v4): AC-21 (2)