STIG ID - BACF0031: Review GSO TSO Record Values

Define global usage and system parameters to control the TSO logon process.
Severity: 2 - Medium
Failure to implement secure controls on the TSO logon process can compromise your organization's security. The GSO TSO record lets you specify global usage and system parameters that define and control the TSO logon process and other system parameters.
Your organization will ensure that global usage and system parameters that define and control the TSO logon process and other system parameters are defined.
This STIG article shows how to define the GSO TSO record field values to control how your TSO environment and other system parameters are secured.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the GSO TSO record to determine if the fields are defined to the values shown in the following table:
    ACCOUNT(1)            PWPHRASE(site defined)
    BYPASS(#)             REGION(site defined)
    CHAR(BS)              SUBCLSS()
    CMDLIST()             SUBHOLD()
    NOIKJEFLD1            SUBMSGC()
    LINE(ATTN)            TIME(0)
    LOGONCK               TSOSOUT(A)
    NOQLOGON              UNIT(SYSDA)
    PERFORM(0)            WAITIME(60)
    PROC(site defined)    n/a
    Example listing:
    SET CONTROL(GSO)
    CONTROL
    LIST TSO
    XE40 / TSO LAST CHANGED BY USER01 ON 03/15/17-09:20
       ACCOUNT(1) BYPASS(#) CHAR(NO) CMDLIST() NOIKJEFLD1
       LINE(ATTN) NOLOGONCK QLOGON PERFORM(0) PROC(site defined)
       PWPHRASE(site defined) REGION(site defined) SUBCLSS(class)
       SUBHOLD(class) SUBMSGC(class) TIME(0) TSOSOUT(A)
       UNIT(SYSDA) WAITIME(120)
    CONTROL
    In this listing, the CHAR, QLOGON, and WAITIME values differ from the suggested values of CHAR(BS), NOQLOGON, and WAITIME(60). For your organization, ensure that all GSO TSO record values listed in the table are set in accordance with the recommendations set forth in this article.
    • ACCOUNT(1|string)
      Specifies the system-wide default TSO account number.
      Default: 1.
    • BYPASS(#|character)
      Defines the TSO command list bypass character.
      Default: pound sign (#).
    • CHAR(BS|NO|character)
      Defines the default TSO delete character. When entered at the terminal, this character indicates that the previous character should be ignored. This optional field has no default value.
      • BS
        Indicates that the backspace character deletes the last character entered.
      • NO
        Indicates that no character-delete character is desired.
    • CMDLIST(moduleid)
      Specifies the default TSO command limiting list. If you specify a module, no users, even privileged logonids, can run without the command list present in a link list library. This field is optional and has no default. It is effective in all modes with the exception of QUIET.
    • IKJEFLD1|NOIKJEFLD1
      Indicates that ACF2 dynamically links the authorized logon pre-prompt exit, IKJEFLD1, into LPALIB, which lets you use the authorized logon pre-prompt exit. You must perform the ACF2 REFRESH command to activate the IKJEFLD1 facility. The default is NOIKJEFLD1, which indicates that ACF2 will not dynamically link the authorized logon pre-prompt exit. Once activated, an IPL is required to deactivate the IKJEFLD1 facility.
      Default: NOIKJEFLD1
    • LINE(ATTN|CTLX|character)
      Specifies the system-wide default TSO line-delete character. When entered at the terminal, this character indicates that the current line should be ignored. This optional field has no default value.
      • ATTN
        Indicates that an attention interruption deletes the current line.
      • CTLX
        Indicates that the X and CTRL keys pressed simultaneously delete the current line (for Teletype terminals).
    • LOGONCK|NOLOGONCK
      Indicates if ACF2 checks the TSO attribute in the user's logonid record. If you specify LOGONCK and the user does not have the TSO attribute in his logonid, ACF2 rejects the logon attempt.
      Default: NOLOGONCK
    • PERFORM(0|nnn)
      Specifies the system-wide default TSO performance group. If you specify zero, no performance group (PERFORM=) parameter is placed on the job statement.
      Default: 0
    • PROC(IKJACCNT|procedure)
      Specifies the default TSO cataloged procedure name. Specify the default value for an individual user with the TSOPROC field of the logonid record.
      Default: IKJACCNT
    • QLOGON|NOQLOGON
      Specifies if a quick logon is permitted. Lets ACF2 accept the password specified on the first line instead of forcing a prompt. When QLOGON is in effect, password integrity can be jeopardized.
      Default: QLOGON.
    • REGION(2048|nnnn)
      Specifies the default TSO region size. The TSORGN option in the logonid record or a size specification at TSO logon time can override this value. If this field is zero and the user does not specify a region size at logon time or in the logonid record, ACF2 assumes that the region has been specified in the TSO logon procedure and no value is passed by ACF2 to TSO. If this field is zero, the SHOW TSO command indicates “NONE”.
      Default: 2048.
    • SUBCLSS(class)
      Specifies the default TSO job submission class. This field is active only if TSO/E is also installed. This is an optional field and has no default value.
    • SUBHOLD(class)
      Specifies the default submit hold class. This field is active only if TSO/E is also installed. This is an optional field and has no default value.
    • SUBMSGC(class)
      Specifies the default submit message class. This field is active only if TSO/E is also installed.
      Default: Null
    • TIME(0|nnnn)
      Specifies the default time estimate for TSO sessions in minutes. If you specify zero, no TIME parameter is placed on the job statement. The maximum value is 1439.
      Default: 0
    • TSOSOUT(A|class)
      Specifies the default class for spun TSO SYSOUT. This field is active only if TSO/E is also installed.
      Default: A
    • UNIT(SYSDA|unit name)
      Specifies the default UNITNAME used in TSO allocation requests.
      Default: SYSDA
    • WAITIME(0|nnnn)
      Specifies if ACF2 should time user responses. If you specify a nonzero value, that is the amount of time permitted between prompts. ACF2 aborts the logon if the user exceeds the wait time. The value you specify as nnnn must be less than or equal to 120 seconds.
      Default: 0 (no check takes place).
  2. If the GSO TSO record fields are defined to the values listed in step 1, your organization does not have an audit finding.
  3. If the GSO TSO record fields are not defined to the values listed in step 1, your organization has an audit finding. See Remediate Audit Finding.
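As an added example for the check in steps 1 to 3 (this script is not part of the ACF2 documentation or product), the following Python parses the text of a LIST display of the GSO TSO record and compares it with the table in step 1. It reads the table the way the article's own interpretation of the example listing does: fields shown as site defined or with empty parentheses (CMDLIST, SUBCLSS, SUBHOLD, SUBMSGC) are checked for presence only. The listing embedded in the script is constructed from the example listing above; the header-line pattern and the field-token syntax it relies on are assumptions about the display format.

```python
import re

# Recommended values from the step 1 table. A string is matched exactly;
# True means the switch keyword itself must appear; None means the table
# prescribes no value (site defined or empty parentheses), so only the
# field's presence is checked.
BASELINE = {
    "ACCOUNT": "1",
    "BYPASS": "#",
    "CHAR": "BS",
    "CMDLIST": None,     # table shows CMDLIST(): no value prescribed
    "NOIKJEFLD1": True,
    "LINE": "ATTN",
    "LOGONCK": True,
    "NOQLOGON": True,
    "PERFORM": "0",
    "PROC": None,        # site defined
    "PWPHRASE": None,    # site defined
    "REGION": None,      # site defined
    "SUBCLSS": None,     # table shows SUBCLSS(): no value prescribed
    "SUBHOLD": None,
    "SUBMSGC": None,
    "TIME": "0",
    "TSOSOUT": "A",
    "UNIT": "SYSDA",
    "WAITIME": "60",
}

# The listing shows one keyword of each pair; map the required keyword to
# the one that appears instead when the setting is wrong.
OPPOSITE = {"LOGONCK": "NOLOGONCK", "NOQLOGON": "QLOGON", "NOIKJEFLD1": "IKJEFLD1"}

# Assumed display format: a header line "<sysid> / TSO LAST CHANGED BY ..."
# followed by field lines until the next CONTROL prompt.
HEADER_RE = re.compile(r"^\s*\S+\s*/\s*TSO\s+LAST CHANGED BY")
FIELD_RE = re.compile(r"([A-Za-z0-9]+)(?:\(([^)]*)\))?")

# Constructed sample: the non-compliant listing discussed in step 1, as the
# ACF command would display it (prompt lines included).
SAMPLE_LISTING = """\
SET CONTROL(GSO)
CONTROL
XE40 / TSO LAST CHANGED BY USER01 ON 03/15/17-09:20
   ACCOUNT(1) BYPASS(#) CHAR(NO) CMDLIST() NOIKJEFLD1
   LINE(ATTN) NOLOGONCK QLOGON PERFORM(0) PROC(site defined)
   PWPHRASE(site defined) REGION(site defined) SUBCLSS(class)
   SUBHOLD(class) SUBMSGC(class) TIME(0) TSOSOUT(A)
   UNIT(SYSDA) WAITIME(120)
CONTROL
"""


def parse_tso_record(listing):
    """Return {FIELD: value} for the field lines after the record header.
    A parenthesised field maps to its value (possibly ""); a bare switch
    keyword such as NOLOGONCK maps to True."""
    fields = {}
    in_record = False
    for line in listing.splitlines():
        if HEADER_RE.match(line):
            in_record = True
            continue
        if not in_record:
            continue
        text = line.strip()
        if not text or text == "CONTROL":   # next prompt ends the display
            break
        for m in FIELD_RE.finditer(text):
            name, value = m.group(1).upper(), m.group(2)
            fields[name] = True if value is None else value.strip()
    return fields


def find_deviations(record, baseline=BASELINE):
    """Return {FIELD: (expected, actual)} for each baseline entry that is
    missing from the record or differs from the recommended value."""
    deviations = {}
    for name, expected in baseline.items():
        actual = record.get(name)
        if expected is None:                 # site defined: presence only
            if actual is None:
                deviations[name] = (f"{name}(site defined)", "missing")
        elif expected is True:               # switch keyword must be present
            if actual is not True:
                other = OPPOSITE.get(name)
                shown = other if other and record.get(other) is True else "missing"
                deviations[name] = (name, shown)
        elif actual is None:
            deviations[name] = (f"{name}({expected})", "missing")
        elif str(actual).upper() != expected:
            deviations[name] = (f"{name}({expected})", f"{name}({actual})")
    return deviations


def report(listing):
    """Human-readable audit result for one LIST display."""
    deviations = find_deviations(parse_tso_record(listing))
    if not deviations:
        return "No audit finding: GSO TSO record matches the recommended values."
    lines = [f"Audit finding: {len(deviations)} GSO TSO field(s) differ from the recommended values"]
    for name in sorted(deviations):
        expected, actual = deviations[name]
        lines.append(f"  {name:<11} expected {expected:<22} found {actual}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Run against the constructed listing, the report names CHAR, QLOGON and WAITIME, as the article does, and additionally NOLOGONCK, which the CHANGE command in Remediate Audit Finding also sets to LOGONCK. Paste the LIST display of your own system into SAMPLE_LISTING (or read it from a file) to audit a real record.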
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO TSO record. Limit access to change GSO records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
  1. Configure the GSO TSO record CHAR(BS), LOGONCK, NOQLOGON, and WAITIME(60) fields, then refresh the record:
    SET CONTROL(GSO)
    CONTROL
    CHANGE TSO CHAR(BS) LOGONCK NOQLOGON WAITIME(60)
    F ACF2,REFRESH(TSO)
    CONTROL
  2. Verify that the GSO TSO fields changed:
    SET CONTROL(GSO)
    CONTROL
    LIST TSO
    XE40 / TSO LAST CHANGED BY USER01 ON 03/25/20-03:20
       ACCOUNT(1) BYPASS(#) CHAR(BS) CMDLIST() NOIKJEFLD1
       LINE(ATTN) NOLOGONCK NOQLOGON PERFORM(0) PROC(site defined)
       PWPHRASE(site defined) REGION(site defined) SUBCLSS(class)
       SUBHOLD(class) SUBMSGC(class) TIME(0) TSOSOUT(A) UNIT(SYSDA)
       WAITIME(60)
    CONTROL
The global usage and system parameters that define and control the TSO logon process and other system parameters are now defined.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000366, CCI-001133

CCI: CCI-000366
Published Date: 2009-09-18
Definition: The organization implements the security configuration settings.
Type: policy, technical
References:
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)

CCI: CCI-001133
Published Date: 2009-09-21
Definition: The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
Type: policy
References:
NIST: NIST SP 800-53 (v3): SC-10
NIST: NIST SP 800-53 Revision 4 (v4): SC-10
NIST: NIST SP 800-53A (v1): SC-10.1 (ii)