STIG ID - BACF0019: GSO LINKLST Record Values Contain Only Trusted System Data Sets

Specify trusted system partitioned data sets as part of the SYS1.LINKLIB during data set access validation.
Severity: 2 - Medium

ACF2 validates access to application libraries and partitioned data sets. When ACF2 validates access to a program-pathed data set, it takes special measures to ensure that only the defined library and program combination is used to gain access to the data set. To ensure this level of integrity, ACF2 maintains a list of active libraries. The active library list names all the libraries from which the executing program can fetch another program or subroutine. ACF2 provides a GSO record called LINKLST, which names the libraries that your site wants ACF2 to consider the same as SYS1.LINKLIB. When ACF2 performs rule validation, LIB('SYS1.LINKLIB') is substituted for the true library name for all GSO LINKLST entries.
Your organization will ensure that SYS1.LINKLIB is defined and is recognized during data set access validation.
This STIG article shows how to specify trusted system partitioned data sets as part of the system link (SYS1.LINKLIB) during data set access validation.

Identify Audit Finding

Complete these steps to determine if you should consider remediation:
  1. List the GSO LINKLST record to identify whether ACF2 is defined to specify trusted partitioned data sets as part of SYS1.LINKLIB during data set access validation:
       SET CONTROL(GSO)
       CONTROL
       LIST LINKLST
       ACF0A005 RECORD(S) NOT FOUND
       CONTROL
     In this example, the GSO LINKLST record is not defined, which differs from the suggested guideline.
  2. If the GSO LINKLST record specifies one or more partitioned data sets considered part of the system link (SYS1.LINKLIB) during data set access validation, your site does not have an audit finding. Only trusted system data sets are listed. Application libraries, such as SYS2A.FDR.LOADLIB in LIBRARY(SYS1.LINKLIB SYS2A.FDR.LOADLIB), are never included.
  3. If the GSO LINKLST record is not defined or is defined with an application library, your site has an audit finding. See Remediate Audit Finding.

Remediate Audit Finding

z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO LINKLST record. Limit all access to change GSO records to time frames of approved changes and reduced to view only outside of approved change windows.
  1. Configure the GSO LINKLST record with the LIBRARY(SYS1.LINKLIB) field value:
       SET CONTROL(GSO)
       CONTROL
       INSERT LINKLST LIBRARY(SYS1.LINKLIB)
       F ACF2,REFRESH(LINKLST)
       CONTROL
     A trusted system partitioned data set is defined.
  2. Verify that the GSO LINKLST record changed:
       SET CONTROL(GSO)
       CONTROL
       SHOW LINKLST
       -- DATASETS INCLUDED IN THE "LINK LIST" --
       CONTROL
SYS1.LINKLIB is defined and will be recognized during data set access validation.
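The decision rule from the Identify Audit Finding steps (record absent, or record naming an application library, equals a finding) and the post-remediation verification can be applied mechanically to a captured LIST LINKLST response. The script below is an added example for this article; it is not part of the STIG text or of ACF2. The sample captures are constructed: the ACF0A005 message and the LIBRARY(...) values are taken from the article, while the "LAST CHANGED BY" header line and the TRUSTED_HLQS list are assumptions (the latter is organization-defined and should match what your ZSECTEAM has approved).

```python
import re

# Constructed sample for the "record not defined" case; the message text is the one
# shown in the article (ACF0A005 RECORD(S) NOT FOUND).
SAMPLE_NOT_DEFINED = "ACF0A005 RECORD(S) NOT FOUND\n"

# Constructed sample for a record that mixes in an application library. The LIBRARY(...)
# value is the one the article gives as a finding; the header line is an assumption
# about what LIST LINKLST prints, not text from the article.
SAMPLE_WITH_APPLIB = (
    "LINKLST LAST CHANGED BY ZSECADM ON 01/01/24-09:00\n"
    "  LIBRARY(SYS1.LINKLIB SYS2A.FDR.LOADLIB)\n"
)

# Constructed sample for the compliant record produced by the remediation step.
SAMPLE_COMPLIANT = (
    "LINKLST LAST CHANGED BY ZSECADM ON 01/01/24-09:00\n"
    "  LIBRARY(SYS1.LINKLIB)\n"
)

# Assumption: the site's approved trusted system high-level qualifiers. The article
# names only SYS1; extend this tuple with whatever your ZSECTEAM has approved.
TRUSTED_HLQS = ("SYS1",)

NOT_FOUND_MSG_ID = "ACF0A005"
LIBRARY_FIELD = re.compile(r"LIBRARY\(([^)]*)\)", re.IGNORECASE)


def parse_linklst(output: str):
    """Return the data set names in the LINKLST LIBRARY(...) field.

    Returns None when ACF2 reports that the record does not exist, and raises when the
    capture is neither a not-found message nor a record with a LIBRARY field, so a
    garbled capture is never silently treated as compliant.
    """
    if NOT_FOUND_MSG_ID in output:
        return None
    match = LIBRARY_FIELD.search(output)
    if match is None:
        raise ValueError("LIST LINKLST output has no LIBRARY(...) field")
    # ACF2 separates multiple data set names with blanks inside the parentheses.
    return match.group(1).upper().split()


def is_trusted_system_dsn(dsn: str) -> bool:
    """A library counts as trusted when its high-level qualifier is on the approved list."""
    hlq = dsn.upper().split(".", 1)[0]
    return hlq in TRUSTED_HLQS


def assess_linklst(output: str) -> dict:
    """Apply the article's decision rule to a captured LIST LINKLST response.

    finding is True when the record is absent or names any library outside the
    trusted set; untrusted lists the offending data set names for the remediation ticket.
    """
    libraries = parse_linklst(output)
    if libraries is None:
        return {"finding": True, "reason": "GSO LINKLST record is not defined", "untrusted": []}
    untrusted = [dsn for dsn in libraries if not is_trusted_system_dsn(dsn)]
    if untrusted:
        return {"finding": True, "reason": "application library listed in LINKLST", "untrusted": untrusted}
    return {"finding": False, "reason": "only trusted system data sets listed", "untrusted": []}


if __name__ == "__main__":
    for label, sample in (("not defined", SAMPLE_NOT_DEFINED),
                          ("with application library", SAMPLE_WITH_APPLIB),
                          ("compliant", SAMPLE_COMPLIANT)):
        result = assess_linklst(sample)
        print(f"{label:>25}: finding={result['finding']} ({result['reason']}) {result['untrusted']}")
```

Run the same check against a fresh LIST LINKLST capture after the INSERT and F ACF2,REFRESH(LINKLST) in the remediation step; a result of finding=False with an empty untrusted list is the evidence to attach to the change record.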

Control Correlation Identifier

A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-001762, CCI-001764, CCI-002342
CCI: CCI-001762
Published Date: 2013-02-28
Definition: The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)

CCI: CCI-001764
Published Date: 2013-02-28
Definition: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)

CCI: CCI-002342
Published Date: 2013-06-25
Definition: The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-21 (2)