STIG ID - BACF0038: Started Task Logonid Missing STC Attribute

Add STC attribute to a logonid record.
Severity: 2 - Medium

For added security, ACF2 requires that all started tasks have the STC attribute specified on the logonid record. A started task is a set of JCL that runs as a result of a START command. Started task logonids without the STC attribute are denied access, which can result in system and application interruptions.

Your organization will ensure that the started task logonid has the STC attribute assigned.

This STIG article shows how to review all logonid records assigned to a started task and how to add the STC attribute if it is missing.
Identify Audit Finding

Review the following data to determine if you should consider remediation:

Follow these steps:
  1. List the started task logonid records to identify all started task logonids:
       SET CONTROL(GSO)
       LIST LIKE(STC-)
     ACF2 displays all records with the started task defined. Typically, the number of started tasks returned is significant. For the purpose of this STIG, the following example shows one logonid, which is assigned to started task ABCDEFGH.
       XXXX / STC.ABCDEFGH LAST CHANGED BY MASTER ON 07/30/19-10:53 GROUP()
       LOGONID(USER01) STCID(ABCDEFGH)
       ...
  2. List each started task logonid identified to determine if the STC attribute is assigned:
       SET LID
       LID
       LIST USER01
       USER01 SHS USER01 ...
       PRIVILEGES
       ACCOUNT CICS DUMPAUTH IMS JOB TSO
     In this example, the STC attribute is not defined to USER01.
     • STC|NOSTC
       Specifies that a logonid is used only for started tasks. ACF2 denies access to started tasks without this privilege. Logonids with the STC attribute are prevented from submitting jobs or logging on to TSO. ACF2 does not create a special logging record when a logonid with the STC attribute enters the system. To monitor the use of a logonid with the STC privilege, run the ACFRPTLL report from the ISPF panel and specify the UPDATE parameter.
  3. If all logonids identified as a started task have the STC attribute specified, your organization does not have an audit finding.
  4. If any logonid identified as a started task does not have the STC attribute specified, your organization does have an audit finding. See Remediate Audit Finding.
Remediate Audit Finding

The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change these logonid attributes.

Follow these steps:
  1. Change logonid USER01 to include the STC attribute:
       SET LID
       LID
       CHANGE USER01 STC
       LID
  2. Verify that logonid USER01 has the STC attribute assigned:
       SET LID
       LID
       LIST USER01
       USERSTC USERSTC
       PRIVILEGES
       STC
       ACCOUNT CICS DUMPAUTH ...
       LID

The started task logonid USER01 now has the STC attribute assigned.
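The review in Identify Audit Finding and the change in Remediate Audit Finding are manual, one logonid at a time. The following script is an added example, not part of this STIG article or of ACF2 itself: it takes captured text of the SET CONTROL(GSO) / LIST LIKE(STC-) listing and of each SET LID / LIST <logonid> listing, in the same layout shown above, flags every started task whose logonid has no STC attribute in its PRIVILEGES section, and emits the CHANGE commands a ZSECTEAM member would review before running. The listings below are constructed samples; the section names other than PRIVILEGES (ACCESS, STATISTICS, RESTRICTIONS) are assumed for the purpose of delimiting that section.

```python
import re

# Constructed sample output of SET CONTROL(GSO) followed by LIST LIKE(STC-),
# in the layout the STIG article shows (two constructed STC records).
GSO_STC_LISTING = """\
XXXX / STC.ABCDEFGH LAST CHANGED BY MASTER ON 07/30/19-10:53 GROUP()
LOGONID(USER01) STCID(ABCDEFGH)
XXXX / STC.PAYRSTC LAST CHANGED BY MASTER ON 07/30/19-10:55 GROUP()
LOGONID(USER02) STCID(PAYRSTC)
"""

# Constructed sample output of SET LID followed by LIST <logonid>, keyed by
# logonid. USER01 lacks STC (the article's finding); USER02 has it.
LOGONID_LISTINGS = {
    "USER01": """\
USER01 SHS USER01 ...
PRIVILEGES
ACCOUNT CICS DUMPAUTH IMS JOB TSO
STATISTICS
...
""",
    "USER02": """\
USER02 SHS USER02 ...
PRIVILEGES
STC
ACCOUNT CICS DUMPAUTH
STATISTICS
...
""",
}

# Headings that open or close a section of a logonid listing. PRIVILEGES is the
# one shown in the article; the rest are assumed names for the constructed samples.
SECTION_HEADINGS = {"PRIVILEGES", "ACCESS", "STATISTICS", "RESTRICTIONS"}

# LOGONID(...) STCID(...) pairs as printed for each GSO STC record.
STC_RECORD_RE = re.compile(r"LOGONID\((\w+)\)\s+STCID\((\w+)\)")


def started_task_logonids(gso_listing):
    """Map each STCID to the logonid named in its GSO STC record."""
    return {stcid: lid for lid, stcid in STC_RECORD_RE.findall(gso_listing)}


def privileges_section(logonid_listing):
    """Return the set of keywords printed under the PRIVILEGES heading."""
    keywords = set()
    in_privileges = False
    for line in logonid_listing.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADINGS:
            in_privileges = stripped == "PRIVILEGES"
            continue
        if in_privileges:
            keywords.update(token.upper() for token in stripped.split())
    return keywords


def has_stc_attribute(logonid_listing):
    """True only if STC (and not NOSTC) appears in the PRIVILEGES section."""
    privs = privileges_section(logonid_listing)
    return "STC" in privs and "NOSTC" not in privs


def find_findings(gso_listing, listings):
    """Return (stcid, logonid) pairs whose logonid lacks the STC attribute.

    A started task whose logonid listing was not captured is reported as well:
    without evidence of STC it cannot be marked compliant.
    """
    findings = []
    for stcid, lid in started_task_logonids(gso_listing).items():
        if not has_stc_attribute(listings.get(lid, "")):
            findings.append((stcid, lid))
    return findings


def remediation_commands(findings):
    """ACF2 command session that adds STC to each logonid in the findings."""
    commands = ["SET LID"]
    commands.extend(f"CHANGE {lid} STC" for _, lid in findings)
    return commands


if __name__ == "__main__":
    found = find_findings(GSO_STC_LISTING, LOGONID_LISTINGS)
    for stcid, lid in found:
        print(f"FINDING: started task {stcid} uses logonid {lid} without STC")
    print("\n".join(remediation_commands(found)))
```

The check is deliberately conservative: a logonid whose listing is missing from the captured input is reported as a finding rather than silently skipped, and a logonid showing NOSTC is never treated as compliant even if the token STC also appears elsewhere in its PRIVILEGES section.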
Control Correlation Identifier

A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.

CCIs: CCI-002145

CCI: CCI-002145
Published Date: 2013-06-24
Definition: The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)