STIG ID - BACF0028: Review GSO SAFDEF Record Values
Define GSO SAFDEF record field default values.
Severity: 2 - Medium
ACF2 provides internal SAFDEFs for SAF default protection. The GSO SAFDEF record defines the SAF environment and how you want ACF2 to process a SAF call.
ACF2 performs validation based on the environment you define in this record. You can use the GSO SAFDEF record to override how ACF2 processes SAF calls.
Your organization will ensure that ACF2 can process SAF calls using the GSO SAFDEF record field default values.
This STIG article identifies if the GSO SAFDEF fields are set to the default, which is the suggested guideline.
Changes to the GSO SAFDEF records must be justified, in writing, with supporting documentation.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Show the GSO SAFDEF record to identify if the following fields are set to the default:
  SET CONTROL(GSO)
  CONTROL
  SHOW SAFDEF
  (CONTROL is the ACF2 subcommand prompt that appears after SET CONTROL(GSO); it is not typed.) Internal and external SAFDEF records display when you issue the SHOW SAFDEF command.
- FUNCRET(4|retcode) - Specifies the SAF function-dependent return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is 4.
- FUNCRSN(0|rsncode) - Specifies the SAF function-dependent reason code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is 0.
- JOBNAME(mask|********) - Specifies the job names of the address spaces that apply to this SAFDEF record. You can specify an eight-character job name or a mask. The default is all job names.
- MODE(IGNORE|GLOBAL|LOG|QUIET) - Specifies the mode you want ACF2 to use to process this SAF request. A value is required; the default is GLOBAL. Note: LOG and QUIET are only valid for REQUEST=AUTH calls. The values are:
- IGNORE - Bypass processing of this SAF request.
- GLOBAL - Process this SAF request with the mode specified in the GSO OPTS record. For generated resource validations, use the ACF2 SVCA recommendation to allow or deny the SAF request.
- LOG - Process this REQUEST=AUTH call in LOG mode. Upon return of the validation call, allow access even if access is denied. LOG does not force logging if a logonid is allowed access.
- QUIET - Process this REQUEST=AUTH call in QUIET mode.
- NOAPFCHK|NONOAPFCHK - Specifies STATUS=ACCESS, a keyword used in the RACROUTE REQUEST=AUTH security macro. It permits a user to interrogate security definitions (access and resource rules) to determine the access level for a user. No auditing is performed. The default is NONOAPFCHK.
- PROGRAM(mask|********) - Specifies the program name of the current program request block (PRB) making the SAF request. If no PRB exists on the active RB chain when the event occurs, the name for PROGRAM is the same as the name for RB. You can specify an eight-character program name or a mask. The default is all programs.
- RACROUTE(keyword=value,...,keyword=value) - Identifies the SAF request being made. Use this field to specify any valid RACROUTE parameters and values. This is a multi-value field. The maximum length that you can specify for the parameter keyword, operator, and value is 64 characters. Separate the entries with commas or blanks. This field has no default.
- RB(mask|********) - Specifies the name of the request block (RB) where the security event occurs. When an event occurs directly under a PRB, specify the value for PROGRAM instead. When an event occurs under a supervisor call request block, specify the RB name as SVCnnn, where nnn is the decimal SVC number. You can specify an eight-character RB name or a mask. The default is all request blocks.
- RETCODE(0|4|8) - Specifies the SAF return code to be returned to the caller making the RACROUTE request when MODE is specified as IGNORE. The default is 4.
- 0 - Allow the request.
- 4 - Allow the request (SAF return code 4 means no security decision was made; callers treat it as an allow).
- 8 - Deny the request.
- USERID(useridmask|********) - Specifies the user ID of the address spaces that apply to this SAFDEF record. The default is all address spaces.
- If the GSO SAFDEF record fields are defined to the default values listed in step 1, your site does not have an audit finding.
- If the GSO SAFDEF record fields are not defined to the default values listed in step 1, your site has an audit finding. See Remediate Audit Finding.
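The check in step 1 is a field-by-field comparison against the defaults, and the MODE note adds a second condition (LOG and QUIET are only meaningful for REQUEST=AUTH). The following Python script is an added example of automating that review; it is not ACF2 code and not part of this STIG. It assumes each SAFDEF record is available as one line of keyword(value) text in the syntax the INSERT command uses; the SHOW SAFDEF display layout varies by release, so parse_record() is the part to adapt. The record names, field values and the normalised key APFCHK are constructed for illustration, not taken from a real system.

```python
"""Audit ACF2 GSO SAFDEF records against the STIG default field values.

Added example for this page, not ACF2 or DISA tooling.  Input is assumed
to be keyword(value) text in INSERT syntax; adapt parse_record() if you
feed it raw SHOW SAFDEF output.  All sample data below is constructed.
"""
import re

# Defaults from the field list in step 1.  RACROUTE has no default and is
# not compared.  "APFCHK" is a key chosen here to hold the NOAPFCHK /
# NONOAPFCHK flag pair; it is not an ACF2 field name.
DEFAULTS = {
    "FUNCRET": "4",
    "FUNCRSN": "0",
    "JOBNAME": "********",
    "MODE": "GLOBAL",
    "APFCHK": "NONOAPFCHK",
    "PROGRAM": "********",
    "RB": "********",
    "RETCODE": "4",
    "USERID": "********",
}

# KEYWORD(value): the value may contain commas, '=' and blanks, as in
# RACROUTE(REQUEST=AUTH,CLASS=DATASET).  Flags such as NONOAPFCHK have no
# parentheses, so the group is optional.
_TOKEN = re.compile(r"([A-Z]+)(?:\(([^)]*)\))?")


def parse_record(text):
    """Return {field: value} for one SAFDEF record written in keyword form."""
    fields = {}
    for key, value in _TOKEN.findall(text.upper()):
        if key in ("NOAPFCHK", "NONOAPFCHK"):
            fields["APFCHK"] = key          # normalise the flag pair
        elif value:
            fields[key] = value
        # other bare words (e.g. the INSERT verb, SAFDEF) are ignored
    return fields


def check_record(fields):
    """Return the list of findings for one parsed record; [] means no finding."""
    findings = []
    for field, default in DEFAULTS.items():
        # A field omitted on INSERT takes its default (assumption stated above).
        actual = fields.get(field, default)
        if actual != default:
            findings.append(f"{field} is {actual}, default is {default}")
    # Step 1 note: LOG and QUIET are only valid for REQUEST=AUTH calls.
    mode = fields.get("MODE", "GLOBAL")
    racroute = fields.get("RACROUTE", "")
    if mode in ("LOG", "QUIET") and "REQUEST=AUTH" not in racroute.replace(" ", ""):
        findings.append(
            f"MODE({mode}) is only valid for REQUEST=AUTH, "
            f"but RACROUTE is {racroute or 'unspecified'}"
        )
    return findings


def audit(records):
    """Map record name -> findings for every record in `records`."""
    return {name: check_record(parse_record(text)) for name, text in records.items()}


# Constructed sample records; the names and values are illustrative only.
SAMPLE_RECORDS = {
    "SAFDEF.DEFAULT": "FUNCRET(4) FUNCRSN(0) JOBNAME(********) MODE(GLOBAL) NONOAPFCHK "
                      "PROGRAM(********) RACROUTE(REQUEST=AUTH,CLASS=DATASET) RB(********) "
                      "RETCODE(4) USERID(********)",
    "SAFDEF.IGNORE":  "JOBNAME(PAYR*) MODE(IGNORE) NOAPFCHK PROGRAM(PAYPROG) "
                      "RACROUTE(REQUEST=AUTH,CLASS=FACILITY) RETCODE(0)",
    "SAFDEF.QUIET":   "MODE(QUIET) RACROUTE(REQUEST=VERIFY) USERID(BATCH*)",
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {'no finding' if not findings else 'FINDING'}")
        for finding in findings:
            print(f"  - {finding}")
```

Every non-empty list is an audit finding in the sense of step 2 and needs the written justification the page requires; the script does not distinguish ACF2's internal SAFDEFs from site-added ones, so review the SHOW SAFDEF output for which records are external before raising findings.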
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO SAFDEF record. Limit access to change GSO records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
- Verify that the required justification documentation was received by the ZSECTEAM before making changes to the GSO SAFDEF record. Do not proceed to the next step if justification documentation was not received.
- Configure the GSO SAFDEF record fields to the suggested default values listed in step 1 of Identify Audit Finding:
  SET CONTROL(GSO)
  CONTROL
  INSERT SAFDEF FUNCRET(4) FUNCRSN(0) JOBNAME(jobname) MODE(GLOBAL) NONOAPFCHK PROGRAM(program) RACROUTE(keyword=value) RB(value) RETCODE(4) USERID(userid)
  The lowercase items (jobname, program, keyword=value, value, userid) are placeholders for your record's values; the remaining fields are shown at their default values.
- Verify that the GSO SAFDEF record changes were made:
  SET CONTROL(GSO)
  CONTROL
  SHOW SAFDEF
ACF2 can now process SAF calls using the GSO SAFDEF record field default values.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-000368
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)