STIG ID - BACF0029: Review GSO SECVOLS Record Values

Define volume level security checking protection for DASD, mass storage, and tape volumes.
Severity: 2 - Medium
Volume-level security checking provides protection to your DASD, mass storage, and tape volumes. The GSO SECVOLS record defines the DASD and tape volumes for which ACF2 provides volume-level protection.
Your organization will ensure that volume-level security checking protection for your DASD, mass storage, and tape volumes is defined.
This STIG article shows how to define the GSO SECVOLS record default value when implementing volume-level protection at your organization.
Changes to the GSO SECVOLS record must be justified, in writing, with supporting documentation.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO SECVOLS record and determine if the VOLMASK field default of (-) is defined:
     SET CONTROL(GSO)
     CONTROL
     LIST SECVOLS
     XE40 / SECVOLS LAST CHANGED BY USER01 ON 03/15/17-09:20
     VOLMASK(xxxxxx)
     CONTROL
    In this example, the GSO SECVOLS record VOLMASK field is not set to the default value of (-), which is the value recommended in this article.
    • VOLMASK(-|mask1,...,mask255)
      Specifies up to 255 volume serial masks of up to six characters each. Two symbols can be used in RESVOLS and SECVOLS to signify masking: the asterisk (*) and the dash (-). A dash represents all valid volumes that begin with the characters preceding the dash, or all volumes if the dash is used alone. An asterisk represents one or more masking (wild card) characters and can be specified anywhere in RESVOLS and SECVOLS. The default is null (no volume-level protection).
  2. If the GSO SECVOLS record field is defined so that all volumes are protected (VOLMASK(-)), your site does not have an audit finding.
  3. If the GSO SECVOLS record field is not defined as VOLMASK(-), your site has an audit finding. See Remediate Audit Finding.
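As an added example (not part of the ACF2 documentation), the following Python applies the VOLMASK check from the steps above to captured LIST SECVOLS output, so the same rule can be run against listings collected from many LPARs. The sample listings are constructed to match the displays in this article; the regular expressions and function names are this example's own.

```python
import re
from typing import Optional

# Constructed sample listings modelled on the LIST SECVOLS display in this
# article; they are not captured from a real system.
LISTING_FINDING = """XE40 / SECVOLS LAST CHANGED BY USER01 ON 03/15/17-09:20
VOLMASK(xxxxxx)
"""
LISTING_COMPLIANT = """XE40 / SECVOLS LAST CHANGED BY USER01 ON 03/20/17-03:18
VOLMASK(-)
"""

def parse_volmask(listing: str) -> Optional[list]:
    """Return the VOLMASK entries: [] for a null field, None if the field is absent.

    ACF2 may wrap a long VOLMASK list across lines, so the match spans newlines."""
    m = re.search(r"VOLMASK\(([^)]*)\)", listing)
    if m is None:
        return None
    return [v.strip() for v in m.group(1).split(",") if v.strip()]

def last_changed(listing: str) -> Optional[tuple]:
    """Return (userid, timestamp) from the LAST CHANGED BY line, for the change-justification review."""
    m = re.search(r"LAST CHANGED BY (\S+) ON (\S+)", listing)
    return (m.group(1), m.group(2)) if m else None

def evaluate_secvols(listing: str) -> tuple:
    """Apply the Identify Audit Finding rule: only VOLMASK(-) is compliant.

    A missing or null field, or any explicit mask list, is an audit finding."""
    masks = parse_volmask(listing)
    if masks is None:
        return ("finding", "VOLMASK field not found in LIST SECVOLS output")
    if masks == ["-"]:
        return ("no finding", "VOLMASK(-): all volumes have volume-level protection")
    if not masks:
        return ("finding", "VOLMASK() is null: no volume-level protection")
    return ("finding", "VOLMASK(%s): only the listed volumes/masks are protected" % ",".join(masks))

if __name__ == "__main__":
    for name, text in (("sample 1", LISTING_FINDING), ("sample 2", LISTING_COMPLIANT)):
        status, reason = evaluate_secvols(text)
        print(name, "->", status, "|", reason, "| last changed:", last_changed(text))
```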
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO SECVOLS record. Limit all access to change GSO records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
  1. Verify the required justification documentation was received by the ZSECTEAM before making changes to the GSO SECVOLS record. Do not proceed to the next step if justification documentation was not received.
  2. Configure the GSO SECVOLS record VOLMASK field to the suggested value of VOLMASK(-), which protects all volumes. Documentation justifying the change is required.
     SET CONTROL(GSO)
     CONTROL
     CHANGE SECVOLS VOLMASK(-)
     CONTROL
     The GSO SECVOLS record VOLMASK field is now set to (-), volume-level protection for all volumes.
  3. Verify the change was applied to the GSO SECVOLS record field:
     SET CONTROL(GSO)
     CONTROL
     LIST SECVOLS
     XE40 / SECVOLS LAST CHANGED BY USER01 ON 03/20/17-03:18
     VOLMASK(-)
     CONTROL
Volume-level security checking protection for your DASD, mass storage, and tape volumes is now in place.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000368, CCI-000369, CCI-001199, CCI-001399
CCI: CCI-000368
Published Date: 2009-09-18
Definition: The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 c
NIST: NIST SP 800-53A (v1): CM-6.1 (v)

CCI: CCI-000369
Published Date: 2009-09-18
Definition: The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
Type: policy
References:
NIST: NIST SP 800-53 (v3): CM-6 c
NIST: NIST SP 800-53 Revision 4 (v4)
NIST: NIST SP 800-53A (v1): CM-6.1