STIG ID - BACF0020: Define the GSO Maint Record for System Maintenance
Specify logonid, program, and library combinations used for the system maintenance function.
Severity: 2 - Medium
The GSO MAINT record specifies the program, library, and logonid that make up a maintenance environment. Disk compression and archiving are examples of standard system maintenance functions. These maintenance programs must reside in a specific library and be executed on behalf of the specified logonid. When ACF2 encounters this environment, it does the following:
- Bypasses rule validation only if the library, LID, and program match the MAINT record.
- Creates no SMF logging records; therefore, no violations are logged.
- Does not queue data set access rule sets in the address space.
Your organization will ensure the GSO MAINT record values specified are restricted to production storage management user accounts and programs. Restricting the program, library, and logonids provides access based upon least privileged access requirements and roles assigned.
This STIG article shows how to specify the logonid, program, and library combinations used for the system maintenance function.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
- List the GSO MAINT record to identify the values of the LIBRARY, LID, and PGM fields:

  SET CONTROL(GSO)
  CONTROL
  LIST MAINT
  XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
  LIBRARY() LID() PGM()
  CONTROL

  There are no values defined for the GSO MAINT record fields, which differs from the recommendations set forth in this article.
- LIBRARY(library): Defines a fully qualified library data set name where the maintenance programs reside. ACF2 checks all active libraries when matching the MAINT record. Define only one library per MAINT record. If the library is also specified in the GSO LINKLST record, the library name that you specify in the MAINT record should be SYS1.LINKLIB. For more information, see Logical Extension of the System Link List (LINKLST).
- LID(logonid): Specifies the logonid of an authorized maintenance user. Define only one logonid per MAINT record.
- PGM(pgm1,...,pgm256): Specifies the programs. Individual MAINT records are limited to 256 programs per MAINT record; however, the maximum number of programs you can specify in the cumulative total of all MAINT records that exist is 1024. Any programs you specify over the 1024 maximum are ignored by ACF2.
- If the GSO MAINT record fields are defined as LIBRARY(library), LID(logonid), and PGM(pgm1,...,pgm256), your site does not have an audit finding.
- If the GSO MAINT record fields are not defined as shown in step 2, your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) or Information System Security Office (ISSO) ensures the GSO MAINT values specified are restricted to production storage management user accounts and programs.
Follow these steps:
- Configure the GSO MAINT record LIBRARY, LID, and PGM fields. Ensure the GSO MAINT values are restricted to production storage management user accounts and programs. Restricting the program, library, and logonid to production storage management user accounts and programs provides access based upon least privileged access requirements and roles assigned.

  SET CONTROL(GSO)
  CONTROL
  CHANGE MAINT LIBRARY(LIBRARY) LID(user01) PGM(pgm1,...,pgm256)
  F ACF2,REFRESH(MAINT)
  CONTROL

  The MAINT record now specifies the library, logonid, and program that make up the maintenance environment. Any logonid specified in the MAINT record must have the NON-CNCL or MAINT privilege assigned. If the logonid does not have these privileges assigned, ACF2 does not examine the maintenance program list. See step 2 to determine if the MAINT privilege is assigned to USER01.
- Determine if USER01 has the MAINT privilege assigned. The MAINT privilege is in the PRIVILEGES section of the logonid record.

  The MAINT privilege is not assigned to USER01.

  SET LID
  LID
  LIST USER01
  USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
  PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB SECURITY TSO ...
  LID
- Assign the MAINT privilege to USER01:

  SET LID
  LID
  CHANGE USER01 MAINT
  F ACF2,REFRESH(USER01)
  LID
- Verify the MAINT privilege was added to USER01.

  USER01 now has the MAINT privilege assigned.

  SET LID
  LID
  LIST USER01
  USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
  PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB MAINT SECURITY TSO ...
  LID
- Verify the MAINT record has been updated.

  The MAINT record has been updated and is restricted to production storage management user accounts and programs.

  SET CONTROL(GSO)
  CONTROL
  LIST MAINT
  XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
  LIBRARY(LIBRARY) LID(user01) PGM(pgm1,...,pgm256)
  CONTROL
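The following Python script is an added example, not part of this STIG article and not CA/Broadcom ACF2 code. It parses the text an operator sees after LIST MAINT and LIST USER01 (the displays shown in both the Identify Audit Finding steps and the remediation steps above) and reports the conditions this article treats as findings: LIBRARY, LID, or PGM left empty, more than one library or logonid in a record, the 256-per-record and 1024-cumulative program limits, a LINKLST library not named as SYS1.LINKLIB, and a MAINT logonid that lacks both the MAINT and NON-CNCL privileges. All sample output is constructed; the data set name STGMGMT.MAINT.LOAD, the programs PGM1 and PGM2, and the optional `linklst` set are placeholders and assumptions, not values from the article.

```python
"""Audit helper for the ACF2 GSO MAINT record (constructed example, not vendor code)."""
import re
from typing import Dict, List, Optional, Set

# Matches keyword(value) tokens such as LIBRARY(SYS1.LINKLIB) or PRV-TOD5(00/00/00-00:00)
FIELD_RE = re.compile(r"([A-Z][A-Z0-9-]*)\(([^)]*)\)")

MAX_PGM_PER_RECORD = 256   # per-record limit stated in the article
MAX_PGM_TOTAL = 1024       # cumulative limit across all MAINT records

# Constructed LIST MAINT output before remediation: no values defined (an audit finding)
MAINT_BEFORE = """XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
LIBRARY() LID() PGM()
"""
# Constructed LIST MAINT output after remediation; library and program names are placeholders
MAINT_AFTER = """XXXX / MAINT LAST CHANGED BY USER01 ON 02/24/20-13:51
LIBRARY(STGMGMT.MAINT.LOAD) LID(USER01) PGM(PGM1,PGM2)
"""
# Constructed LIST USER01 output before and after the MAINT privilege is assigned
LID_BEFORE = """USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB SECURITY TSO
"""
LID_AFTER = """USER01 COMPANY(S) DEPT() IDNUM() LEVEL(S) LOCATION() POSITION() PROJECTX() PRV-TOD5(00/00/00-00:00)
PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB MAINT SECURITY TSO
"""


def parse_maint_record(list_output: str) -> Dict[str, List[str]]:
    """Return LIBRARY, LID and PGM as lists of values; an empty list means the field is not defined."""
    fields: Dict[str, List[str]] = {"LIBRARY": [], "LID": [], "PGM": []}
    for name, value in FIELD_RE.findall(list_output):
        if name in fields:
            fields[name] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return fields


def maint_record_findings(record: Dict[str, List[str]],
                          linklst: Optional[Set[str]] = None) -> List[str]:
    """Findings for one MAINT record; linklst (assumed input) is the set of GSO LINKLST libraries."""
    findings: List[str] = []
    for name in ("LIBRARY", "LID", "PGM"):
        if not record[name]:
            findings.append(f"{name} is not defined")
    if len(record["LIBRARY"]) > 1:
        findings.append("more than one LIBRARY in a single MAINT record")
    if len(record["LID"]) > 1:
        findings.append("more than one LID in a single MAINT record")
    if len(record["PGM"]) > MAX_PGM_PER_RECORD:
        findings.append(f"more than {MAX_PGM_PER_RECORD} programs in a single MAINT record")
    # A library that is also in LINKLST must be named as SYS1.LINKLIB in the MAINT record
    for lib in record["LIBRARY"]:
        if linklst and lib in linklst and lib != "SYS1.LINKLIB":
            findings.append(f"{lib} is in LINKLST; MAINT record should name SYS1.LINKLIB")
    return findings


def cumulative_pgm_finding(records: List[Dict[str, List[str]]]) -> Optional[str]:
    """ACF2 ignores programs beyond the cumulative total across all MAINT records."""
    total = sum(len(r["PGM"]) for r in records)
    if total > MAX_PGM_TOTAL:
        return f"{total} programs across MAINT records; those beyond {MAX_PGM_TOTAL} are ignored"
    return None


def parse_logonid_privileges(list_output: str) -> Set[str]:
    """Collect the keywords in the PRIVILEGES section of a LIST <logonid> display."""
    privs: Set[str] = set()
    in_privs = False
    for line in list_output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "PRIVILEGES":
            in_privs = True
            tokens = tokens[1:]
        elif in_privs and FIELD_RE.search(line):   # a keyword(value) line starts the next section
            in_privs = False
        if in_privs:
            privs.update(t.upper() for t in tokens if t != "...")
    return privs


def logonid_findings(lid: str, privs: Set[str]) -> List[str]:
    """Without MAINT or NON-CNCL, ACF2 never consults the maintenance program list for this logonid."""
    if privs & {"MAINT", "NON-CNCL"}:
        return []
    return [f"{lid} has neither MAINT nor NON-CNCL; the MAINT record is ineffective for it"]


def audit(maint_output: str, lid_output: str, linklst: Optional[Set[str]] = None) -> List[str]:
    """Run the record checks, then the privilege check for each logonid the record names."""
    record = parse_maint_record(maint_output)
    findings = maint_record_findings(record, linklst)
    for lid in record["LID"]:
        findings += logonid_findings(lid, parse_logonid_privileges(lid_output))
    return findings


if __name__ == "__main__":
    for label, maint, lid in (("before", MAINT_BEFORE, LID_BEFORE), ("after", MAINT_AFTER, LID_AFTER)):
        result = audit(maint, lid)
        print(f"{label}: {'no audit finding' if not result else '; '.join(result)}")
```

Run against the "before" samples it reports the three undefined fields; against the "after" samples it reports nothing, and pairing the remediated MAINT record with the pre-remediation logonid listing reports the missing privilege, which is the case the article's step 2 warns about.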
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001762, CCI-001764, CCI-002262
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
NIST: SP 800-53 Revision 4 (v4): CM-7 (1) (b)
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
NIST: SP 800-53 Revision 4 (v4): CM-7 (2)
The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
NIST: SP 800-53 Revision 4 (v4): AC-16 a