STIG ID - BACF0039: Started Task Logonid Missing MUSASS and NO-SMC Attributes

Add MUSASS and NO-SMC attributes to logonid records assigned to a started task.
Severity: 2 - Medium
To ensure individual accountability within associated address spaces, Multi User Single Address Space System (MUSASS) started task (STC) logonids must have the MUSASS and NO-SMC attributes defined. The MUSASS attribute specifies that this logonid is a MUSASS STC logonid. The NO-SMC attribute indicates that, for this particular job, ACF2 does not use the step-must-complete function of the IBM ENQ macro when accessing the ACF2 databases.
Your organization will ensure that the started task logonid has the MUSASS and NO-SMC attributes assigned.
This STIG article shows how to review all logonid records assigned to a started task and how to add the MUSASS and NO-SMC attributes, if missing.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the started task logonid records to identify all started task logonids:
    SET CONTROL(GSO)
    LIST LIKE(STC-)
    ACF2 displays all records with the started task defined. Typically, the number of started tasks returned is significant. For the purpose of this STIG, the following example shows one logonid, which is assigned to started task STC.CICS1.
    XXXX / STC.CICS1 LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(USER02) STCID(CICS1)
  2. List each started task logonid identified to determine if the MUSASS and NO-SMC attributes are assigned:
    SET LID
    LID
    LIST USER02
    XXX USER01 ...
    PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB STC TSO
    LID
    In this example, the MUSASS and NO-SMC attributes are not assigned to STC logonid USER02.
    • MUSASS|NOMUSASS
      Specifies that this logonid is for a multiple-user single address space system, such as CICS or IMS.
      Default: NOMUSASS
    • NO-SMC|NONO-SMC
      Specifies that this user can bypass step-must-complete (SMC) controls. A job is considered non-cancelable for the duration of the sensitive VSAM update operation.
      Default: NONO-SMC
  3. If all logonids identified as a started task have the MUSASS and NO-SMC attributes specified, your organization does not have an audit finding.
  4. If any logonid identified as a started task does not have the MUSASS and NO-SMC attributes specified, your organization has an audit finding. See Remediate Audit Finding.
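The check in steps 1 through 4, scripted over captured command output, as an added example that is not part of the original article. Attributes are compared as whole tokens, so NOMUSASS and NONO-SMC are never mistaken for MUSASS and NO-SMC. Assumptions: the function names, the STC.CICS2 record, and PRIVILEGES values wrapping onto indented continuation lines are the example's own, and the sample text is constructed from the listings in this article.

```python
import re

REQUIRED = ("MUSASS", "NO-SMC")

# Constructed sample input. The STC.CICS1 record and the USER02/USERSTC
# PRIVILEGES values follow the article's listings; STC.CICS2 is made up.
GSO_STC = """\
XXXX / STC.CICS1 LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(USER02) STCID(CICS1)
XXXX / STC.CICS2 LAST CHANGED BY MASTER ON 03/25/20-9:42 GROUP() LOGONID(USERSTC) STCID(CICS2)
"""
LISTINGS = {  # one captured LIST per logonid
    "USER02": "USER02 XXX USER02\nPRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB STC TSO\n",
    "USERSTC": "USERSTC XXX USERSTC\nPRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB MUSASS\n"
               "           NO-SMC STC TSO\n",
}

def stc_logonids(gso_output):
    """Step 1: logonids named in LOGONID(...) of the GSO STC records, in order."""
    seen = []
    for lid in re.findall(r"LOGONID\(([^)\s]+)\)", gso_output):
        if lid not in seen:
            seen.append(lid)
    return seen

def privileges(listing):
    """Step 2: attribute tokens of the PRIVILEGES section of one LIST capture."""
    tokens, in_section = set(), False
    for line in listing.splitlines():
        if line.startswith("PRIVILEGES"):
            in_section = True
            tokens.update(line.split()[1:])
        elif in_section and line[:1].isspace() and line.strip():
            tokens.update(line.split())   # assumed indented continuation line
        else:
            in_section = False
    return tokens

def audit(gso_output, listings):
    """Steps 3-4: map each STC logonid to the required attributes it lacks."""
    findings = {}
    for lid in stc_logonids(gso_output):
        attrs = privileges(listings.get(lid, ""))  # no capture counts as missing
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:
            findings[lid] = missing
    return findings

if __name__ == "__main__":
    for lid, missing in audit(GSO_STC, LISTINGS).items():
        print(f"{lid}: missing {' '.join(missing)}")
```

The remediation section applies the requirement to started tasks that are MUSASS systems, so review each reported logonid against that before changing it.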
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that if the STC is a MUSASS system, the STC logonid has the MUSASS and NO-SMC attributes.
Follow these steps:
  1. Change the logonid to include the STC attribute:
    SET LID
    LID
    CHANGE USER02 MUSASS NO-SMC
    LID
  2. Verify the changes were applied to logonid USERSTC:
    SET LID
    LID
    LIST USERSTC
    USERSTC XXX USERSTC
    PRIVILEGES ACCOUNT CICS DUMPAUTH IMS JOB MUSASS NO-SMC STC TSO
    ...
    LID
The started task logonid USER02 now has the MUSASS and NO-SMC attributes assigned.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002145
CCI: CCI-002145
Published Date: 2013-06-24
Definition: The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)