STIG ID - BACF0020: Define the GSO Maint Record for System Maintenance

Specify logonid, program, and library combinations used for the system maintenance function.
Severity: 2 - Medium
The GSO MAINT record specifies the program, library, and logonid that make up a maintenance environment. Disk compression and archiving are examples of standard system maintenance functions. These maintenance programs must reside in a specific library and be executed on behalf of the specified logonid. When ACF2 encounters this environment, it does the following:
  • Bypasses rule validation, but only if the library, LID, and program all match the MAINT record.
  • Creates no SMF logging records, so no violations are logged.
  • Does not queue data set access rule sets in the address space.
Your organization will ensure the GSO MAINT record values specified are restricted to production storage management user accounts and programs. Restricting the program, library, and logonids provides access based upon least privileged access requirements and roles assigned.
This STIG article shows how to specify the logonid, program, and library combinations used for the system maintenance function.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  1. List the GSO MAINT record to identify the values of the LIBRARY, LID, and PGM fields:
    SET CONTROL(GSO)
    CONTROL
    LIST MAINT
    XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
    LIBRARY() LID() PGM()
    CONTROL
    There are no values defined for the GSO MAINT record fields, which differs from the recommendations set forth in this article.
    • LIBRARY
      Defines a fully qualified library data set name where the maintenance programs reside. ACF2 checks all active libraries when matching the MAINT record. Define only one library per MAINT record.
      If the library is also specified in the GSO LINKLST record, the library name that you specify in the MAINT record should be SYS1.LINKLIB. For more information, see Logical Extension of the System Link List (LINKLST).
    • LID(logonid)
      Specifies the logonid of an authorized maintenance user. Define only one logonid per MAINT record.
    • PGM(pgm1,...,pgm256)
      Specifies the programs. An individual MAINT record is limited to 256 programs; however, the cumulative total across all existing MAINT records is limited to 1024 programs. Any programs beyond the 1024 maximum are ignored by ACF2.
  2. If the GSO MAINT record fields are defined as LIBRARY(library), LID(logonid), and PGM(pgm1,...,pgm256), your site does not have an audit finding.
  3. If the GSO MAINT record fields are not defined as shown in step 2, your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) or Information System Security Office (ISSO) ensures the GSO MAINT values specified are restricted to production storage management user accounts and programs.
Follow these steps:
  1. Configure the GSO MAINT record LIBRARY, LID, and PGM fields. Ensure the GSO MAINT values are restricted to production storage management user accounts and programs. Restricting the program, library, and logonid to production storage management user accounts and programs provides access based upon least privileged access requirements and roles assigned.
    SET CONTROL(GSO)
    CONTROL
    CHANGE MAINT LIBRARY(library) LID(user01) PGM(pgm1,...,pgm256)
    F ACF2,REFRESH(MAINT)
    CONTROL
    The MAINT record now specifies the library, logonid, and program that make up the maintenance environment.
    Any logonid specified in the MAINT record must have the NON-CNCL or MAINT privilege assigned. If the logonid has neither privilege, ACF2 does not examine the maintenance program list. See step 2 to determine if the MAINT privilege is assigned to USER01.
  2. Determine if USER01 has the MAINT privilege assigned. The MAINT privilege is in the PRIVILEGES section of the logonid record.
    SET LID
    LID
    LIST USER01
    USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
    PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB SECURITY TSO ...
    LID
    The MAINT privilege is not assigned to USER01.
  3. Assign the MAINT privilege to USER01:
    SET LID
    LID
    CHANGE USER01 MAINT
    F ACF2,REFRESH(USER01)
    LID
  4. Verify the MAINT privilege was added to USER01.
    SET LID
    LID
    LIST USER01
    USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
    PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB MAINT SECURITY TSO ...
    LID
    USER01 now has the MAINT privilege assigned.
  5. Verify the MAINT record has been updated.
    SET CONTROL(GSO)
    CONTROL
    LIST MAINT
    XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
    LIBRARY(library) LID(user01) PGM(pgm1,...,pgm256)
    CONTROL
    The MAINT record has been updated and is restricted to production storage management user accounts and programs.
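As an added audit helper that is not part of this article or of ACF2, the following Python checks captured LIST MAINT and LIST logonid displays against the conditions in the identify and remediate steps above: all three fields populated, one LIBRARY and one LID per record, the 256 per-record and 1024 cumulative program limits, and the MAINT or NON-CNCL privilege on each listed logonid. The sample displays, the logonid STGADM01, and the program names are constructed for illustration.

```python
import re

# Constructed sample displays modelled on the LIST MAINT and LIST logonid
# output in this article; they are not captured from a real system.
MAINT_OK = """XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
   LIBRARY(SYS1.LINKLIB) LID(STGADM01) PGM(ADRDSSU,IEBCOPY)"""
MAINT_EMPTY = """XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
   LIBRARY() LID() PGM()"""
LID_OK = "STGADM01 COMPANY(S) DEPT() LEVEL(S)\nPRIVILEGES ACCOUNT JOB MAINT TSO"
LID_NOPRIV = "STGADM01 COMPANY(S) DEPT() LEVEL(S)\nPRIVILEGES ACCOUNT JOB TSO"

MAX_PGMS_PER_RECORD = 256   # per-record limit stated in the article
MAX_PGMS_TOTAL = 1024       # cumulative limit across all MAINT records

def parse_maint(display):
    """Extract the LIBRARY, LID and PGM value lists from one LIST MAINT display."""
    fields = {}
    for name in ("LIBRARY", "LID", "PGM"):
        m = re.search(rf"\b{name}\(([^)]*)\)", display)   # PGM(...) may wrap lines
        raw = m.group(1) if m else ""
        fields[name] = [v.strip() for v in raw.split(",") if v.strip()]
    return fields

def lid_privileges(display):
    """Return the keywords after PRIVILEGES in a LIST logonid display.
    Assumes the display shows only the PRIVILEGES section, as in the article."""
    m = re.search(r"\bPRIVILEGES\b(.*)", display, re.S)
    return set(m.group(1).split()) if m else set()

def audit_maint(maint_displays, lid_displays):
    """Check MAINT records against this STIG; an empty list means no finding."""
    findings, total_pgms = [], 0
    for display in maint_displays:
        f = parse_maint(display)
        for name in ("LIBRARY", "LID", "PGM"):
            if not f[name]:
                findings.append(f"{name}() is empty")
        if len(f["LIBRARY"]) > 1 or len(f["LID"]) > 1:
            findings.append("more than one LIBRARY or LID in a single MAINT record")
        if len(f["PGM"]) > MAX_PGMS_PER_RECORD:
            findings.append(f"PGM lists {len(f['PGM'])} programs; limit is {MAX_PGMS_PER_RECORD}")
        total_pgms += len(f["PGM"])
        # Without MAINT or NON-CNCL on the logonid, ACF2 never consults the program list.
        for lid in f["LID"]:
            if not lid_privileges(lid_displays.get(lid, "")) & {"MAINT", "NON-CNCL"}:
                findings.append(f"{lid} lacks the MAINT or NON-CNCL privilege")
    if total_pgms > MAX_PGMS_TOTAL:
        findings.append(f"{total_pgms} programs across MAINT records exceed {MAX_PGMS_TOTAL}")
    return findings
```

Feed it one string per MAINT record (MAINT, MAINT.xxx, and so on) and a dict mapping each logonid to its LIST display; the empty record shown in step 1 of Identify Audit Finding produces three empty-field findings.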
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001762, CCI-001764, CCI-002262

CCI: CCI-001762
Published Date: 2013-02-28
Definition: The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Type: technical
References: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)

CCI: CCI-001764
Published Date: 2013-02-28
Definition: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type: technical
References: NIST SP 800-53 Revision 4 (v4): CM-7(2)

CCI: CCI-002262
Published Date: 2013-06-24
Definition: The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
Type: technical
References: NIST SP 800-53 Revision 4 (v4): AC-16 a