STIG ID - BACF0022: Specify GSO OPTS Record Values

Define GSO OPTS records that control functions when handling access requests to the operating system.
Severity: 2 - Medium
System-wide options control the default settings that determine how ACF2 functions when handling requests for access to the operating system environment. An improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. The GSO OPTS record lets you define the global options available for use by the system.
Your organization will ensure that the GSO OPTS options that control functions when handling requests for access to the operating system are defined to the suggested values.
This STIG article shows how to define the suggested GSO OPTS record fields and their values.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
  1. List the GSO OPTS record to identify the values of the following fields:
    BLPLOG
    JOBCK
    STAMPSMF
    CONSOLE(NOROLL)
    MAXVIO(10)
    STC
    CPUTIME(LOCAL)
    NOCMDREC
    TAPEDSN
    DATE(MDY)
    NODDB
    TEMPDSN
    DFTLID()
    NOTIFY
    NOUADS
    DFTSTC()
    RPTSCOPE
    NOVTAMOPEN
    INFOLIST(SECURITY, AUDIT)
    SHRDASD
    SET CONTROL(GSO) CONTROL LIST OPTS XXXX / OPTS LAST CHANGED BY USER01 ON 02/08/20-09:45 ACCESS
    NOBLPLOG
    NOBYPSTATS
    NOCMDREC
    CACHE NOCERTCNTL CERTEXP(30)
    CONSOLE(ROLL)
    CPF
    CPUTIME(GMT)
    NOCSLIDEXT
    DATE(MDY)
    NODDB
    DFTLID()
    DFTLNXG() DFTLNXU()
    DFTSTC()
    NOEVALMODE NOICSF
    INFOLIST(AUDIT SECURITY)
    JOBCK
    KERBLVL(0) KEYSIZE(2,048) LDS
    MAXVIO(10)
    MODE(ABORT) NONAMEHIDE
    NOTIFY
    PRIMARY(ENU) NOPTKRESCK
    RPTSCOPE
    SDNSIZE(512) SECONDRY(ENU)
    SHRDASD
    STAMPSMF
    STATRECD(ALL) NOSTATS STATSINT(15) STATSLOG(SMF)
    STC
    NOSUPERVAL SWTCHTOD(00/00/00-00:00) NOSYSPLEX
    TAPEDSN
    TEMPDSN
    TNGMON
    NOUADS
    NOVTAMOPEN
    WRNDAYS(1) NOXAPPLVLD CONTROL
    In this example, the NOBLPLOG, CONSOLE(ROLL), and CPUTIME(GMT) fields differ from the suggested values of BLPLOG, CONSOLE(NOROLL), and CPUTIME(LOCAL).
    • BLPLOG|NOBLPLOG
      Specifies whether BLP accesses should produce an ACF2 logging record when authorized through the TAPE-BLP or TAPE-LBL logonid record fields or through the BLPPGM record. NOBLPLOG is the default.
    • CONSOLE(NOROLL|ROLL|NONE|WTP)
      Specifies how ACF2 messages for data set access loggings (ACF99900) and security violations (ACF99913) display. The default is NOROLL.
      • NOROLL
        Specifies that the messages are marked non-deletable and do not roll off the console screens.
      • ROLL
        Specifies that the messages are not marked non-deletable. Messages roll off console screens in roll, roll deletable, or wrap mode.
      • NONE
        Specifies that the ACF99900 and ACF99913 messages do not display.
      • WTP
        Specifies that the messages are issued as write-to-programmer messages.
    • CPUTIME(LOCAL|GMT)
      Specifies the time setting of the CPU. This field determines how ACF2 calculates a user's time of access when zone record processing is performed. GMT (Greenwich Mean Time) specifies that ACF2 bases all time zone calculations on the time-of-day (TOD) clock. LOCAL specifies that ACF2 adjusts the TOD clock by the value stored in the CVTTZ field of the communications vector table (CVT) and then bases all time-zone calculations on the adjusted TOD clock. LOCAL is the default.
  2. If the GSO OPTS record field values listed in step 1 are defined as suggested, your site does not have an audit finding.
  3. If the GSO OPTS record field values listed in step 1 are not defined as suggested, your site has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the GSO OPTS control option values are set to valid values.
Follow these steps:
  1. Define the GSO OPTS record field values that differed from the suggested values (BLPLOG, CONSOLE(NOROLL), and CPUTIME(LOCAL)):
    SET CONTROL(GSO) CONTROL
    CHANGE BLPLOG CONSOLE(NOROLL) CPUTIME(LOCAL)
    F ACF2,REFRESH(OPTS) CONTROL
  2. Verify the GSO OPTS record field values have been updated:
    SET CONTROL(GSO) CONTROL LIST OPTS XXXX / OPTS LAST CHANGED BY USER01 ON 02/08/20-09:45 ACCESS
    BLPLOG
    NOBYPSTATS NOCMDREC CACHE NOCERTCNTL CERTEXP(30)
    CONSOLE(NOROLL)
    CPF
    CPUTIME(LOCAL)
    NOCSLIDEXT DATE(MDY) NODDB DFTLID() DFTLNXG() DFTLNXU() NOEVALMODE NOICSF INFOLIST(AUDIT SECURITY) JOBCK KERBLVL(0) KEYSIZE(2,048) LDS MAXVIO(10) MODE(ABORT) NONAMEHIDE NOTIFY PRIMARY(ENU) NOPTKRESCK RPTSCOPE SDNSIZE(512) SECONDRY(ENU) SHRDASD STAMPSMF STATRECD(ALL) NOSTATS STATSINT(15) STATSLOG(SMF) STC NOSUPERVAL SWTCHTOD(00/00/00-00:00) NOSYSPLEX TAPEDSN TEMPDSN TNGMON NOUADS NOVTAMOPEN WRNDAYS(1) NOXAPPLVLD CONTROL
Global system options that control functions when handling requests for access to the operating system are now defined to the suggested values.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCI-000366, CCI-000762, CCI-001764
CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3)
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)
CCI: CCI-000762
Published Date: 2009-09-17
Definition: The organization reviews and updates identification and authentication procedures in accordance with the organization-defined frequency.
Type: policy
References:
NIST: NIST SP 800-53 (v3): IA-1 b
NIST: NIST SP 800-53 Revision 4 (v4): IA-1 b 2
NIST: NIST SP 800-53A (v1): IA-1.2 (iv)
CCI: CCI-001764
Published Date: 2009-09-17
Definition: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-2
NIST: NIST SP 800-53 Revision 4 (v4): IA-2
NIST: NIST SP 800-53A (v1): IA-2.1