STIG ID - BACF0043: Define Maintenance Logonid Key Attributes
Assign required attributes to logonids assigned to production maintenance tasks.
Severity: 2 - Medium
Production maintenance tasks manage the backup and restoration of data for the Continuity of Operations Plan (COOP) and media maintenance. Logonids assigned to production maintenance tasks require the JOB and MAINT logonid attributes. If these two attributes are not defined, the logonid cannot run the batch jobs and maintenance programs that perform critical system maintenance tasks.
This STIG shows how to define a maintenance logonid to ensure that critical system maintenance tasks are performed using the ACF2 MAINT privileged attribute.
The organization will ensure that logonids assigned to production maintenance tasks have the required attributes to perform critical system maintenance tasks.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List the logonid specified for maintenance purposes to determine if the JOB and MAINT attributes are defined (LID is the ACF2 mode prompt returned after SET LID):
  SET LID
  LID
  LIST MAINTLID
  MAINTLID XXX MAINTLID
  ...
  PRIVILEGES DUMPATH
  ...
  LID
  In this example, the JOB and MAINT attributes are not defined, as required by the suggested guidelines.
- JOB|NOJOB: Specifies that batch or background jobs can use this logonid.
- MAINT: Specifies that a logonid can access data sets without ACF2 rule validation or logging by means of a specified program executed from a specified library. This field is used in conjunction with the GSO MAINT record.
- If the logonid specified for maintenance purposes does not include the JOB and MAINT attributes, treat this as an audit finding for your organization. See Remediate Audit Finding.
- If the logonid specified for maintenance purposes includes the JOB and MAINT attributes, your organization does not have an audit finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the logonid attributes.
Follow these steps:
- Change the logonid specified for maintenance purposes to include the JOB and MAINT attributes:
  SET LID
  LID
  CHANGE MAINTLID JOB MAINT
  LID
- Verify that the MAINTLID logonid changed:
  SET LID
  LID
  LIST MAINTLID
  MAINTLID XXX MAINTLID
  ...
  PRIVILEGES DUMPATH JOB MAINT
  ...
  LID
The production maintenance logonid MAINTLID can now perform critical system maintenance tasks.
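The following Python script is an added example, not part of the STIG text or of any vendor tooling; it automates the Identify and Remediate steps above over captured LIST output. It reads the PRIVILEGES field group of a LIST display, reports which of JOB and MAINT are missing (membership is exact, so NOJOB does not count as JOB) and, on a finding, builds the CHANGE command from the remediation step. The display layout, the field-group names, and the three sample displays are assumptions modeled on the abbreviated display shown above; confirm them against your own system's LIST output before relying on the result.

```python
"""Audit helper for the BACF0043 check: does a maintenance logonid carry JOB and MAINT?"""

# Attributes BACF0043 requires on a production maintenance logonid.
REQUIRED_ATTRIBUTES = ("JOB", "MAINT")

# Field-group names that begin a new group in an ACF2 LIST display.
# Assumed set; PRIVILEGES is the only group this check reads.
FIELD_GROUPS = {"PRIVILEGES", "ACCESS", "PASSWORD", "TSO", "STATISTICS", "RESTRICTIONS"}


def privilege_tokens(list_output: str) -> set[str]:
    """Collect the tokens in the PRIVILEGES group of one LIST display.

    Assumed layout (modeled on the abbreviated display in the STIG text):
    a header line naming the logonid, then one line per field group whose
    first word is the group name, with further fields wrapped onto indented
    continuation lines that carry no group name.
    """
    tokens: set[str] = set()
    in_privileges = False
    for line in list_output.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] in FIELD_GROUPS:
            in_privileges = words[0] == "PRIVILEGES"
            words = words[1:]
        if in_privileges:
            tokens.update(words)
    return tokens


def missing_attributes(list_output: str) -> list[str]:
    """Return the required attributes absent from the PRIVILEGES group.

    Exact membership: NOJOB is not JOB, so a negated attribute is a finding.
    """
    present = privilege_tokens(list_output)
    return [attr for attr in REQUIRED_ATTRIBUTES if attr not in present]


def audit(logonid: str, list_output: str) -> dict:
    """Evaluate one logonid; on a finding, build the CHANGE command the
    remediation step uses, limited to the attributes actually missing."""
    missing = missing_attributes(list_output)
    return {
        "logonid": logonid,
        "finding": bool(missing),
        "missing": missing,
        "remediation": f"SET LID\nCHANGE {logonid} {' '.join(missing)}" if missing else None,
    }


# Constructed sample displays with hypothetical values (not real system output).
LIST_BEFORE = """\
MAINTLID  XXX      MAINTLID
  PRIVILEGES   DUMPATH NOJOB
  ACCESS       ACC-CNT(0)
"""

# Partially remediated: JOB added, MAINT still missing, one wrapped field.
LIST_PARTIAL = """\
MAINTLID  XXX      MAINTLID
  PRIVILEGES   DUMPATH JOB
               STC
  ACCESS       ACC-CNT(3)
"""

LIST_AFTER = """\
MAINTLID  XXX      MAINTLID
  PRIVILEGES   DUMPATH JOB MAINT
  ACCESS       ACC-CNT(3)
"""

if __name__ == "__main__":
    for label, display in (("before", LIST_BEFORE), ("partial", LIST_PARTIAL), ("after", LIST_AFTER)):
        print(label, audit("MAINTLID", display))
```

Feed the script the LIST display captured from the ZSECTEAM session for each maintenance logonid; a result with "finding": True is the audit finding described above, and the generated CHANGE command is the remediation to run (by the ZSECTEAM role only).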
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002145, CCI-02883
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)
The information system restricts the use of maintenance tools to authorized personnel only.
NIST: NIST SP 800-53 (v3): MA-4 a
NIST: NIST SP 800-53 Revision 4 (v4): MA-4 a
NIST: NIST SP 800-53A (v1): MA-4.1 (i)