STIG ID - BACF0041: Ensure Protected Programs are Executed by Privileged Users

Identify if protected programs are defined with a GSO PPGM record value.
Severity: 2 - Medium
Safeguard your organization's data by ensuring that only privileged users can execute protected programs. The GSO PPGM record specifies the programs that may be executed only by privileged users; privileged users have access to all programs in the GSO PPGM record.
ACF2 logs the execution of programs in the GSO PPGM record at step initiation and at every data set open executed by the program.
Your organization will ensure that all identified protected programs are secured.
This STIG article shows how to identify whether all protected programs are represented by a GSO PPGM record value.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Review the Sensitive Utility Controls table below and identify the protected programs that may be executed only by privileged users.
    Sensitive Utility Controls

    Program | Product | Function | Auth
    --------|---------|----------|-----
    AHLGTF, HHLGTG, IHLGTF | z/OS | System Activity Tracing | STCGAUDT (users can issue started task only)
    ICPIOCP, IOPIOCP, IXPIOCP, IYPIOCP, IZPIOCP | z/OS | System Configuration | SYSPAUDT
    BLSROPTR | z/OS | Data Management | DASBAUT, DASDAUDT, SYSAUDT
    DEBE | OS/DEBE | Data Management | DASDAUDT, TAPEAUDT
    DITTO | OS/DITTO | Data Management | DASDAUDT, TAPEAUDT
    FDRZAPOP | FDR | Product Internal Modification | SYSAUDT
    GIMSMP | SMP/E | Change Management Product | AUDTAUDT, DABAAUDT, SYSPAUDT
    ICKDSF | z/OS | DASD Management | DASDAUDT, SYSPAUDT, Userid assigned to DEVMAN STC
    IDCS01 | z/OS | IDCAMS Set Cache Module | SYSPAUDT
    IEHINITT | z/OS | Tape Management | TAPEAUDT
    IFASMFDP | z/OS | SMF Data Dump Utility | AUDTAUDT, PCSPAUDT, SECAAUDT, SMFBAUDT, SYSPAUDT, MICSADM*
    IND$FILE | z/OS | PC to Mainframe File Transfer (applicable only for classified systems) | n/a
    CSQJU003, CSQJU004, CSQUCVX, CSQ1LOGP | IBM WebSphereMQ | n/a | MQSAAUDT
    CSQUTIL | IBM WebSphereMQ | n/a | AUDTAUDT, MQSAAUDT
    WHOIS | z/OS | Share MOD to identify user name from USERID. Restricted to data center personnel only. | DASDAUDT, OPERAUDT, SYSAUDT, TAPEAUDT
  2. List the GSO PPGM record and determine whether the protected programs identified in the Sensitive Utility Controls table are defined (the CONTROL lines are the ACF2 prompt; the XE40 line and the PGM-MASK line are the display):
    SET CONTROL(GSO)
    CONTROL
    LIST PPGM
    XE40 / PPGM LAST CHANGED BY USER03 ON 07/25/19-09:20
      PGM-MASK(pgm-mask1,...,pgm-mask255)
    CONTROL
    • PGM-MASK(IEHD,FDR***,DRWD,ICKDSF-,...,pgm-mask255)
      Specifies up to 255 program masks. Each program mask is one to eight characters long.
  3. If the programs identified in the Sensitive Utility Controls table are defined in the GSO PPGM record, your organization does not have an audit finding.
  4. If any program identified in the Sensitive Utility Controls table is not defined in the GSO PPGM record, your organization has an audit finding. See Remediate Audit Finding.
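The comparison in steps 2 through 4 can be automated by parsing a captured LIST PPGM display and checking every program from the Sensitive Utility Controls table against the PGM-MASK entries. The script below is an added example, not part of the STIG article or of ACF2; the display it parses is constructed, and it assumes the usual ACF2 mask semantics (an asterisk matches exactly one character, a trailing run of n asterisks matches zero to n characters, and a dash matches any remainder).

```python
import re

# Constructed sample of a LIST PPGM display, modelled on the one in this article
# (not captured from a real system). The mask list may wrap onto a second line.
SAMPLE_LIST_PPGM = """\
XE40 / PPGM LAST CHANGED BY USER03 ON 07/25/19-09:20
  PGM-MASK(AHLGTF,HHLGTG,IHLGTF,I*PIOCP,BLSROPTR,DEBE,DITTO,FDR***,
           GIMSMP,ICKDSF-,IDCS01,IEHINITT,IFASMFDP,CSQ-,WHOIS)
"""

# Programs taken from the Sensitive Utility Controls table of this article.
PROTECTED_PROGRAMS = [
    "AHLGTF", "HHLGTG", "IHLGTF",
    "ICPIOCP", "IOPIOCP", "IXPIOCP", "IYPIOCP", "IZPIOCP",
    "BLSROPTR", "DEBE", "DITTO", "FDRZAPOP", "GIMSMP", "ICKDSF",
    "IDCS01", "IEHINITT", "IFASMFDP", "IND$FILE",
    "CSQJU003", "CSQJU004", "CSQUCVX", "CSQ1LOGP", "CSQUTIL", "WHOIS",
]

def parse_pgm_masks(listing):
    """Return the PGM-MASK entries from a LIST PPGM display (the list may span lines)."""
    m = re.search(r"PGM-MASK\(([^)]*)\)", listing)
    if not m:
        return []
    return [x.strip() for x in m.group(1).replace("\n", "").split(",") if x.strip()]

def mask_matches(mask, program):
    """Assumed ACF2 masking: '*' = exactly one character, a trailing run of n
    asterisks = zero to n characters, '-' = any number of characters (including none)."""
    core = mask.rstrip("*")
    trailing = len(mask) - len(core)
    regex = ""
    for ch in core:
        regex += "." if ch == "*" else ".*" if ch == "-" else re.escape(ch)
    if trailing:
        regex += ".{0,%d}" % trailing
    return re.fullmatch(regex, program) is not None

def missing_programs(listing, required=PROTECTED_PROGRAMS):
    """Programs from the table that no PGM-MASK entry covers; each one is an audit finding."""
    masks = parse_pgm_masks(listing)
    return [p for p in required if not any(mask_matches(mk, p) for mk in masks)]

if __name__ == "__main__":
    for p in missing_programs(SAMPLE_LIST_PPGM):
        print("finding: %s is not covered by the GSO PPGM PGM-MASK list" % p)
```

With the constructed display, FDR*** does not cover the eight-character name FDRZAPOP and IND$FILE has no entry at all, so both are reported as findings.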
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO PPGM control options. Limit all access to change GSO control options to time frames of approved changes and reduced to view only outside of approved change windows.
Follow these steps:
  1. Change the GSO PPGM record to include any programs in the Sensitive Utility Controls table that are not defined in the PGM-MASK field (CONTROL is the ACF2 prompt):
    SET CONTROL(GSO)
    CONTROL
    CHANGE PPGM PGM-MASK(identified programs) ADD
    CONTROL
    When defining your programs, replace "identified programs" in this example with the programs you want to protect. The ADD keyword appends the new masks to the existing PGM-MASK list instead of replacing it.
  2. Verify that the GSO PPGM record changed:
    SET CONTROL(GSO)
    CONTROL
    LIST PPGM
    XE40 / PPGM LAST CHANGED BY USER03 ON 03/25/20-12:03
      PGM-MASK(identified programs)
    CONTROL
All identified protected programs are now secured.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002235

CCI: CCI-002235
Published Date: 2013-06-24
Definition: The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (10)