STIG ID - BACF0043: Define Maintenance Logonid Key Attributes

Assign required attributes to logonids assigned to production maintenance tasks.
Severity
: 2 - Medium
Production maintenance tasks manage the backup and restoration of data for the Continuity of Operations Plan (COOP) and media maintenance. Logonids assigned to production maintenance tasks require the JOB and MAINT logonid attributes. If these two attributes are not defined, critical system maintenance tasks will not be performed.
This STIG shows how to define a maintenance logonid to ensure that critical system maintenance tasks are performed using the ACF2 MAINT privileged attribute.
The organization will ensure that logonids assigned to production maintenance tasks have the required attributes to perform critical system maintenance tasks.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. List the logonid specified for maintenance purposes to determine if the JOB and MAINT attributes are defined:
    SET LID
    LID
    LIST MAINTLID
    MAINTLID XXX MAINTLID ...
    PRIVILEGES DUMPATH
    ...
    LID
    In this example, the JOB and MAINT attributes are not defined; the guidelines require both.
    • JOB | NOJOB
      Specifies that batch or background jobs can use this logonid.
    • MAINT
      Specifies that a logonid can access data sets without ACF2 rule validation or logging by means of a specified program executed from a specified library. This field is used in conjunction with the GSO MAINT record, which names that program and library. Because MAINT bypasses both rule validation and logging, the GSO MAINT record should scope it to exactly the maintenance program and library required.
  2. If the logonid specified for maintenance purposes does not include both the JOB and MAINT attributes, your organization has an audit finding. See Remediate Audit Finding.
  3. If the logonid specified for maintenance purposes includes the JOB and MAINT attributes, your organization does not have an audit finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the logonid attributes.
Follow these steps
:
  1. Change the logonid specified for maintenance purposes to include the JOB and MAINT attributes:
    SET LID
    LID
    CHANGE MAINTLID JOB MAINT
    LID
  2. Verify that the MAINTLID logonid has changed:
    SET LID
    LID
    LIST MAINTLID
    MAINTLID XXX MAINTLID ...
    PRIVILEGES DUMPATH JOB MAINT
    ...
    LID
The production maintenance logonid MAINTLID can now perform critical system maintenance tasks.
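As an added illustration (not part of the original STIG text and not a CA/Broadcom tool), the following Python helper automates the Identify and Remediate steps above across several logonids at once: it parses captured ACF2 LIST display text, reports each logonid that lacks JOB or MAINT, and builds the matching CHANGE commands. The display layout it parses (a header line per logonid, then section lines such as PRIVILEGES, with longer sections continued on indented lines), the sample logonids and their attributes are all assumed or constructed for this example.

```python
"""Audit helper for BACF0043: check captured ACF2 LIST output for the
JOB and MAINT attributes and build the CHANGE commands that remediate
any logonid missing them.

Hypothetical helper written for this page; it is not a CA/Broadcom
tool.  The display layout it parses is assumed from the page's
abbreviated example: a header line per logonid (LOGONID UID NAME ...)
followed by section lines such as PRIVILEGES, with longer sections
continued on indented lines.  Feed it the LIST display text only
(strip the LID prompts and echoed commands from the session capture).
"""
import re
from dataclasses import dataclass, field

# Attributes BACF0043 requires on a production maintenance logonid.
REQUIRED = frozenset({"JOB", "MAINT"})

# Section keywords that begin a detail line in a LIST display.  Only
# PRIVILEGES is inspected; the others are listed so that their lines
# are not mistaken for a new logonid header or a PRIVILEGES continuation.
SECTION_NAMES = frozenset({"PRIVILEGES", "ACCESS", "PASSWORD", "TSO",
                           "STATISTICS", "RESTRICTIONS", "DFP"})


@dataclass
class LogonidRecord:
    logonid: str
    uid: str
    privileges: set = field(default_factory=set)

    def missing(self) -> set:
        """Required attributes absent from the PRIVILEGES section."""
        return set(REQUIRED - self.privileges)


def parse_list_output(text: str) -> list:
    """Split a LIST display into one LogonidRecord per logonid."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        indented = raw[0].isspace()
        if not indented and tokens[0] not in SECTION_NAMES:
            # Header line: LOGONID UID-STRING NAME ...
            current = LogonidRecord(tokens[0], tokens[1] if len(tokens) > 1 else "")
            records.append(current)
            section = None
            continue
        if current is None:
            continue  # stray line before the first header
        if tokens[0] in SECTION_NAMES:
            section, values = tokens[0], tokens[1:]
        else:
            values = tokens  # continuation of the previous section
        if section == "PRIVILEGES":
            # Keep only the keyword if an attribute carries a value, e.g. FOO(1).
            current.privileges.update(re.sub(r"\(.*\)$", "", v) for v in values)
    return records


def find_noncompliant(records: list) -> dict:
    """Map each non-compliant logonid to the sorted attributes it lacks."""
    return {r.logonid: sorted(r.missing()) for r in records if r.missing()}


def remediation_commands(records: list) -> list:
    """ACF commands (after SET LID) that add the missing attributes."""
    cmds = ["SET LID"]
    cmds += [f"CHANGE {r.logonid} {' '.join(sorted(r.missing()))}"
             for r in records if r.missing()]
    return cmds


# Constructed sample display: three maintenance logonids, one compliant.
SAMPLE_LIST = """\
MAINTLID  XXX      MAINTLID MAINTENANCE
  PRIVILEGES  DUMPATH
  ACCESS      ACC-CNT(12)
MAINTJOB  XXX      MAINTJOB NIGHTLY BACKUP
  PRIVILEGES  DUMPATH JOB MAINT
  ACCESS      ACC-CNT(340)
MAINTRST  XXX      MAINTRST RESTORE TASK
  PRIVILEGES  DUMPATH JOB
              STC
"""

if __name__ == "__main__":
    recs = parse_list_output(SAMPLE_LIST)
    for lid, missing in find_noncompliant(recs).items():
        print(f"FINDING: {lid} lacks {' '.join(missing)}")
    print("\n".join(remediation_commands(recs)))
```

Run it on the display captured from the LIST step (for example the output of LIST LIKE(MAINT-) when several maintenance logonids share a prefix); each CHANGE line it prints is the Remediate step's command for one failing logonid and should be issued only by ZSECTEAM.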
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-002145, CCI-02883
CCI
:
CCI-002145
Published Date
:
2013-06-24
Definition
:
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)
CCI
:
CCI-02883
Published Date
:
2009-09-18
Definition
:
The information system restricts the use of maintenance tools to authorized personnel only.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): MA-4 a
NIST: NIST SP 800-53 Revision 4 (v4): MA-4 a
NIST: NIST SP 800-53A (v1): MA-4.1 (i)