STIG ID - BACF0028: Review GSO SAFDEF Record Values

Define GSO SAFDEF record field default values.
Severity: 2 - Medium
ACF2 provides internal SAFDEFs for SAF default protection. The GSO SAFDEF record defines the SAF environment and how you want ACF2 to process a SAF call. ACF2 performs validation based on the environment you define in this record. You can use the GSO SAFDEF record to override how ACF2 processes SAF calls.
Your organization will ensure that ACF2 can process SAF calls using the GSO SAFDEF record field default values.
This STIG article identifies if the GSO SAFDEF fields are set to the default, which is the suggested guideline.
Changes to the GSO SAFDEF records must be justified, in writing, with supporting documentation.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Show the GSO SAFDEF record to identify if the following fields are set to the default:
    • FUNCRET(4|retcode)
      Specifies the SAF function-dependent return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is four.
    • FUNCRSN(0|rsncode)
      Specifies the SAF function-dependent reason code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is zero.
    • JOBNAME(mask|********)
      Specifies the job names of the address spaces that apply to this SAFDEF record. You can specify an eight-character job name or a mask. The default is all job names.
    • MODE(IGNORE|GLOBAL|LOG|QUIET)
      Specifies the mode you want ACF2 to use to process this SAF request. The default value is GLOBAL. A value is required. You can specify any one of the following values. Note: Be aware that LOG and QUIET are only valid for REQUEST=AUTH calls.
      • IGNORE
        Bypass processing this SAF request.
      • GLOBAL
        Process this SAF request with the mode specified in the GSO OPTS record. For generated resource validations, use the ACF2 SVCA recommendation to allow or deny the SAF request.
      • LOG
        Process this REQUEST=AUTH call in LOG mode. Upon return of the validation call, allow access even if access is denied. LOG does not force logging if a logonid is allowed access.
      • QUIET
        Process this REQUEST=AUTH call in QUIET mode.
    • NOAPFCHK|NONOAPFCHK
      Specifies STATUS=ACCESS, a keyword used in the RACROUTE REQUEST=AUTH security macro. It permits a user to interrogate security definitions (access and resource rules) to determine the access level for a user. No auditing is performed.
    • PROGRAM(mask|********)
      Specifies the program name of the current program request block (PRB) making the SAF request. If no PRB exists on the active RB chain when the event occurs, the name for PROGRAM is the same as the name for RB. You can specify an eight-character program name or a mask. The default is all programs.
    • RACROUTE(Keyword=value,...,Keyword=value)
      Identifies the SAF request being made. Use this field to specify any valid RACROUTE parameters and values. This is a multi-value field. The maximum length that you can specify for the parameter keyword, operator, and value is 64 characters. Separate the entries with commas or blanks.
    • RB(mask|********)
      Specifies the name of the request block (RB) where the security event occurs. When an event occurs directly under a PRB, you should specify the value for PROGRAM. When an event occurs under a supervisor call request block, specify the RB name as SVCnnn, where nnn is the decimal SVC number. You can specify an eight-character RB name or a mask. The default is all request blocks.
    • RETCODE(0|4|8)
      Specifies the SAF return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is 4.
      • 0
        Allow the request.
      • 4
        Allow the request.
      • 8
        Deny the request.
    • USERID(useridmask|********)
      Specifies the user ID of the address spaces that apply to this SAFDEF record. The default is all address spaces.
    SET CONTROL(GSO)
    CONTROL
    SHOW SAFDEF
    Internal and external SAFDEF records display when you issue the SHOW SAFDEF command.
  2. If the GSO SAFDEF record fields are defined to the default values listed in step 1, your site does not have an audit finding.
  3. If the GSO SAFDEF record fields are not defined to the default values listed in step 1, your site has an audit finding. See Remediate Audit Finding.
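The comparison in steps 1 through 3, as an added example that is not part of the original article or of ACF2: a parser for SAFDEF operands that reports every field not at its default. It assumes the input uses the operand syntax of the INSERT SAFDEF command shown in this article (not the SHOW SAFDEF display layout, which is not reproduced here), treats an omitted operand as its default, and uses APFCHK as an invented label for the NOAPFCHK|NONOAPFCHK flag; the two sample records are constructed.

```python
import re

# Defaults listed in step 1 of this article. RACROUTE has no default, so it is not compared.
DEFAULTS = {
    "FUNCRET": "4", "FUNCRSN": "0", "JOBNAME": "********", "MODE": "GLOBAL",
    "PROGRAM": "********", "RB": "********", "RETCODE": "4", "USERID": "********",
}
FLAGS = {"NOAPFCHK", "NONOAPFCHK"}
FLAG_DEFAULT = "NONOAPFCHK"  # the value used in the article's remediation INSERT

OPERAND = re.compile(r"([A-Z]+)(?:\(([^()]*)\))?")

def parse_operands(text):
    """Parse 'KEYWORD(value) FLAG ...' operands into a dict."""
    fields = {}
    # A parenthesised value may contain blanks (RACROUTE), so match it as one token.
    for token in re.findall(r"[A-Za-z]+\([^()]*\)|\S+", text):
        match = OPERAND.fullmatch(token.upper())
        if match is None:
            raise ValueError(f"unrecognized operand: {token!r}")
        keyword, value = match.groups()
        if keyword in FLAGS:
            fields["APFCHK"] = keyword  # APFCHK is a label invented for this example
        else:
            fields[keyword] = (value or "").strip()
    return fields

def audit(text):
    """Return (field, found, expected) for every field that is not at its default."""
    fields = parse_operands(text)
    findings = []
    for keyword, expected in DEFAULTS.items():
        found = fields.get(keyword, expected)  # assumption: omitted operand = default
        if found != expected:
            findings.append((keyword, found, expected))
    flag = fields.get("APFCHK", FLAG_DEFAULT)
    if flag != FLAG_DEFAULT:
        findings.append(("APFCHK", flag, FLAG_DEFAULT))
    return findings

# Constructed sample records, written in the article's INSERT SAFDEF operand syntax.
COMPLIANT = ("FUNCRET(4) FUNCRSN(0) JOBNAME(********) MODE(GLOBAL) NONOAPFCHK "
             "PROGRAM(********) RB(********) RETCODE(4) USERID(********)")
DEVIATING = ("JOBNAME(TESTJOB*) MODE(IGNORE) NOAPFCHK PROGRAM(********) "
             "RACROUTE(REQUEST=AUTH CLASS=DATASET) RB(SVC019) RETCODE(0)")

if __name__ == "__main__":
    for name, record in (("COMPLIANT", COMPLIANT), ("DEVIATING", DEVIATING)):
        for field, found, expected in audit(record):
            print(f"{name}: {field} is {found}, default is {expected}")
```

An empty result from audit() corresponds to step 2 (no audit finding); any entry corresponds to step 3 and needs the written justification this article requires.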
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO SAFDEF record. Limit all access to change GSO records to the time frames of approved changes, and reduce access to view-only outside of approved change windows.
Follow these steps:
  1. Verify the required justification documentation was received by the ZSECTEAM before making changes to the GSO SAFDEF record.
    Do not proceed to the next step if justification documentation was not received.
  2. Configure the GSO SAFDEF record fields to the suggested default values listed in step 1 of Identify Audit Finding:
    SET CONTROL(GSO)
    CONTROL
    INSERT SAFDEF FUNCRET(4) FUNCRSN(0) JOBNAME(jobname) MODE(GLOBAL) NONOAPFCHK PROGRAM(program) RACROUTE(keyword=value) RB(value) RETCODE(4) USERID(userid)
    CONTROL
  3. Verify the GSO SAFDEF record changes were made:
    SET CONTROL(GSO)
    CONTROL
    SHOW SAFDEF
ACF2 can now process SAF calls using the GSO SAFDEF record field default values.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-000368
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI: CCI-000368
Published Date: 2009-09-18
Definition: The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)