STIG ID - BACF0046: Logonid with SECURITY Attribute Missing Security Check Attributes

Add security check to logonids with the SECURITY attribute.
Severity: 1 - High
A user with the SECURITY privilege defined in their logonid record can access all data sets, protected programs, and resources. A logonid with this privilege is known as a security administrator. A security administrator has unlimited access to system resources unless you add security check attributes to the logonid record. The RULEVLD and RSRCVLD attributes specify that access and resource rules must authorize any data set and resource accesses that a user makes. Failure to assign the RULEVLD and RSRCVLD attributes to a user with the SECURITY privilege allows the logonid to bypass normal security checks and could result in compromise of the confidentiality, integrity, and availability of the operating system data.
The organization ensures that users assigned roles that require security administration privileges receive the SECURITY, RULEVLD, and RSRCVLD attributes in accordance with the recommendations set forth in this article. RULEVLD does not apply if a user has the READALL or NON-CNCL attributes defined.
This STIG article shows how to add security check attributes to a logonid with the SECURITY attribute and remove its ability to access a data set or resource without logging.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List all logonids with the SECURITY attribute:
    SET LID
    LID
    LIST IF(SECURITY)
    SECADMIN SECADMIN ...
    PRIVILEGES SECURITY STC
    ...
    LID
    ACF2 displays all logonid records with the SECURITY attribute defined. For the purpose of this STIG, the example shows one logonid (SECADMIN) with the SECURITY attribute.
  2. Review all logonids with the SECURITY attribute to determine if the RULEVLD, RSRCVLD, READALL, and NON-CNCL attributes are defined.
    SET LID
    LID
    LIST SECADMIN
    SECADMIN SECADMIN ...
    PRIVILEGES SECURITY STC
    LID
    In this example, the RULEVLD, RSRCVLD, READALL, and NON-CNCL attributes are not defined to the SECADMIN logonid. Ensure all users assigned roles that require security administration privileges receive the SECURITY, RULEVLD, and RSRCVLD attributes, in accordance with the recommendations set forth in this article.
    • RULEVLD|NORULEVLD
      Specifies that an access rule must authorize any data set accesses that a user makes. This field applies even if a user has ownership of the data or has the SECURITY privilege. RULEVLD does not apply if a user has READALL or NON-CNCL access. READALL and NON-CNCL access takes precedence over RULEVLD.
    • RSRCVLD|NORSRCVLD
      Specifies that a resource rule must authorize any resource accesses that a user makes. This field applies even if a user has the SECURITY privilege.
    • NON-CNCL|NONON-CNCL
      A user with the NON-CNCL privilege defined in their logonid record has full access to any data set or resource despite any security violations that can occur during the access attempt. These violations are logged by ACF2. However, the logonid can access a data set or resource without logging as long as the access is defined by an existing data access or resource rule, or is permitted by virtue of the logonid's PREFIX field. All accesses outside of those typically permitted by the PREFIX or rules are permitted, but logged. You cannot create a scope record to limit the access of a logonid with the NON-CNCL privilege.
    • READALL|NOREADALL
      Specifies that a user has read and execute access to all data sets. This is similar to the NON-CNCL attribute, but grants read and execute access only. ACF2 enforces any existing rules for other types of access such as write and allocate. ACF2 logs any accesses the user makes that are not allowed through ownership or through rules.
  3. If the SECURITY, RULEVLD, and RSRCVLD attributes are not assigned to the security administrator logonid, your organization has an audit finding. See Remediate Audit Finding.
  4. If the SECURITY, RULEVLD, NON-CNCL, and READALL attributes are defined, your organization has an audit finding. See Remediate Audit Finding.
  5. If the SECURITY, RULEVLD, and RSRCVLD attributes are assigned to the logonid, your organization does not have an audit finding.
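The decision in steps 3 through 5, applied to captured LIST output. This is an added example, not part of the original article or of ACF2. The listing layout, every logonid other than SECADMIN, and the reading that NON-CNCL or READALL alone produces a finding are assumptions.

```python
# Constructed sample of captured LIST output. Layout is an assumption:
# logonid in column 1, indented section lines, deeper-indented continuations.
SAMPLE = """\
SECADMIN  SECADMIN
   PRIVILEGES  SECURITY STC
SECADM2   SECADM2
   PRIVILEGES  RSRCVLD RULEVLD SECURITY
SECADM3   SECADM3
   PRIVILEGES  NON-CNCL RSRCVLD RULEVLD
               SECURITY
OPER01    OPER01
   PRIVILEGES  STC
"""

REQUIRED = {"RULEVLD", "RSRCVLD"}
OVERRIDES = {"NON-CNCL", "READALL"}  # RULEVLD does not apply if either is set


def parse_privileges(listing):
    """Return {logonid: set of attributes on its PRIVILEGES lines}."""
    records, current, section, sect_indent = {}, None, None, None
    for line in listing.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        tokens = line.split()
        if indent == 0:                      # start of a new logonid record
            current, section, sect_indent = tokens[0], None, None
            records[current] = set()
        elif current is not None:
            if sect_indent is None or indent <= sect_indent:
                section, sect_indent, tokens = tokens[0], indent, tokens[1:]
            if section == "PRIVILEGES":      # header or wrapped continuation
                records[current].update(tokens)
    return records


def audit(listing):
    """Return {logonid: (status, missing, overrides)} for SECURITY logonids."""
    results = {}
    for lid, attrs in parse_privileges(listing).items():
        if "SECURITY" not in attrs:
            continue                         # check covers SECURITY logonids only
        missing, over = sorted(REQUIRED - attrs), sorted(OVERRIDES & attrs)
        status = "finding" if missing or over else "no finding"
        results[lid] = (status, missing, over)
    return results


if __name__ == "__main__":
    for lid, result in audit(SAMPLE).items():
        print(lid, *result)
```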
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the logonids with the SECURITY attribute. Limit all access to change logonid records to the time frames of approved changes, and reduce it to view only outside of approved change windows.
Follow these steps:
  1. Change the logonids identified with the SECURITY attribute to include the RULEVLD and RSRCVLD privileges:
    SET LID
    LID
    CHANGE SECADMIN RULEVLD RSRCVLD
    LID
  2. Verify the SECADMIN logonid attributes changed and do not include the NON-CNCL or READALL attributes:
    SET LID
    LID
    LIST SECADMIN
    SECADMIN SECADMIN ...
    PRIVILEGES RULEVLD RSRCVLD SECURITY STC
    LID
Security check for the SECADMIN logonid is defined, removing the ability to compromise your operating system and data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000035
CCI: CCI-000035
Published Date: 2009-09-14
Definition: The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-4 (11)
NIST: NIST SP 800-53 Revision 4 (v4): AC-4 (11)
NIST: NIST SP 800-53A (v1): AC-4 (11).1 (ii)