STIG ID - BACF0041: Ensure Protected Programs are Executed by Privileged Users
Identify if protected programs are defined with a GSO PPGM record value.
Severity: 2 - Medium
Safeguard your organization's data by ensuring only privileged users can access protective programs. The GSO PPGM record specifies the programs that can be executed by privileged users. Privileged users have access to all programs in the GSO PPGM record.
ACF2 logs the execution of programs in the GSO PPGM record at step initiation and at every data set open executed by the program.
Your organization will ensure that all identified protective programs are secured.
This STIG article shows how to identify if all protected programs are represented by a GSO PPGM record value.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Review the Sensitive Utility Controls table below and identify protected programs that can only be executed by privileged users.

  Sensitive Utility Controls

  | Program | Product | Function | Auth |
  |---|---|---|---|
  | AHLGTF, HHLGTG, IHLGTF | z/OS | System Activity Tracing | STCGAUDT (users can issue started task only) |
  | ICPIOCP, IOPIOCP, IXPIOCP, IYPIOCP, IZPIOCP | z/OS | System Configuration | SYSPAUDT |
  | BLSROPTR | z/OS | Data Management | DASBAUT, DASDAUDT, SYSAUDT |
  | DEBE | OS/DEBE | Data Management | DASDAUDT, TAPEAUDT |
  | DITTO | OS/DITTO | Data Management | DASDAUDT, TAPEAUDT |
  | FDRZAPOP | FDR | Product Internal Modification | SYSAUDT |
  | GIMSMP | SMP/E | Change Management Product | AUDTAUDT, DABAAUDT, SYSPAUDT |
  | ICKDSF | z/OS | DASD Management | DASDAUDT, SYSPAUDT, Userid assigned to DEVMAN STC |
  | IDCS01 | z/OS | IDCAMS Set Cache Module | SYSPAUDT |
  | IEHINITT | z/OS | Tape Management | TAPEAUDT |
  | IFASMFDP | z/OS | SMF Data Dump Utility | AUDTAUDT, PCSPAUDT, SECAAUDT, SMFBAUDT, SYSPAUDT, MICSADM* |
  | IND$FILE | z/OS | PC to Mainframe File Transfer (applicable only for classified systems) | n/a |
  | CSQJU003, CSQJU004, CSQUCVX, CSQ1LOGP | IBM WebSphereMQ | n/a | MQSAAUDT |
  | CSQUTIL | IBM WebSphereMQ | n/a | AUDTAUDT, MQSAAUDT |
  | WHOIS | z/OS | Share MOD to identify user name from USERID. Restricted to data center personnel only. | DASDAUDT, OPERAUDT, SYSAUDT, TAPEAUDT |
- List the GSO PPGM record and determine if the protected programs identified in the Sensitive Utility Controls table are defined:

      SET CONTROL(GSO)
      CONTROL
      LIST PPGM
      XE40 / PPGM LAST CHANGED BY USER03 ON 07/25/19-09:20
             PGM-MASK(pgm-mask1,...,pgm-mask255)
      CONTROL
- PGM-MASK(IEHD,FDR***,DRWD,ICKDSF-,...,PGMMASK255) Specifies up to 255 program masks. Specify a one- to eight-character program mask.
- If the programs identified in the Sensitive Utility Controls table are defined in the GSO PPGM record, your organization does not have an audit finding.
- If any program identified in the Sensitive Utility Controls table is not defined in the GSO PPGM record, your organization has an audit finding. See Remediate Audit Finding.
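The comparison in the steps above can be scripted once the LIST PPGM output has been captured as text. This is an added example, not part of the original article or of ACF2: the function names and the sample listing are constructed, the program list is copied as it appears in the Sensitive Utility Controls table on this page, and the mask semantics (`*` matches one character, `-` matches zero or more) are an assumption to confirm against your ACF2 masking rules.

```python
import re

# Programs from the Sensitive Utility Controls table, as printed on this page.
SENSITIVE_PROGRAMS = [
    "AHLGTF", "HHLGTG", "IHLGTF", "ICPIOCP", "IOPIOCP", "IXPIOCP", "IYPIOCP",
    "IZPIOCP", "BLSROPTR", "DEBE", "DITTO", "FDRZAPOP", "GIMSMP", "ICKDSF",
    "IDCS01", "IEHINITT", "IFASMFDP", "IND$FILE", "CSQJU003", "CSQJU004",
    "CSQUCVX", "CSQ1LOGP", "CSQUTIL", "WHOIS",
]

# Constructed sample of captured LIST PPGM output (masks chosen for illustration).
SAMPLE_LISTING = """\
XE40 / PPGM LAST CHANGED BY USER03 ON 07/25/19-09:20
       PGM-MASK(AHLGTF,ICKDSF-,FDR***,I*PIOCP,IEHINITT,
                DEBE,DITTO,CSQ-)
"""

def parse_masks(listing):
    """Return the masks inside PGM-MASK(...), tolerating wrapped lines."""
    found = re.search(r"PGM-MASK\(([^)]*)\)", listing)
    if not found:
        return []
    return [t.strip().upper() for t in found.group(1).split(",") if t.strip()]

def mask_to_regex(mask):
    """Assumed semantics: '*' = one character, '-' = zero or more characters."""
    parts = []
    for ch in mask:
        parts.append("." if ch == "*" else ".*" if ch == "-" else re.escape(ch))
    return re.compile("".join(parts))

def uncovered(programs, masks):
    """Programs matched by no mask; each one is a candidate audit finding."""
    patterns = [mask_to_regex(m) for m in masks]
    return [p for p in programs if not any(rx.fullmatch(p) for rx in patterns)]

if __name__ == "__main__":
    masks = parse_masks(SAMPLE_LISTING)
    for program in uncovered(SENSITIVE_PROGRAMS, masks):
        print(f"FINDING: {program} is not covered by any PGM-MASK entry")
```

Under the assumed semantics, a mask such as `FDR***` covers only six-character names, so the eight-character FDRZAPOP is reported as uncovered.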
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO PPGM control options. Limit all access to change GSO control options to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
Follow these steps:
- Change the GSO PPGM record to include any programs in the Sensitive Utility Controls table that are not defined in the PGM-MASK field:

      SET CONTROL(GSO)
      CONTROL
      CHANGE PPGM PGM-MASK(identified programs)
      CONTROL

  When defining your programs, replace identified programs in this example with the programs you want to protect.
- Verify the GSO PPGM record changed:

      SET CONTROL(GSO)
      CONTROL
      LIST PPGM
      XE40 / PPGM LAST CHANGED BY USER03 ON 03/25/20-12:03
             PGM-MASK(identified programs)
      CONTROL
All identified protective programs are now secured.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (10)