STIG ID - BACF0052: Limit the Users Granted the ALLCMDS Privilege
Limit ALLCMDS privilege to only users that require the ability to bypass the restricted command list.
Severity: 2 - Medium
The ALLCMDS attribute on the logonid record lets you bypass the ACF2 restricted command lists. Users with this privilege can have access to restricted TSO commands and programs. Not having strict control over who, and how many users, are granted this privilege can compromise the integrity and availability of the operating system, applications, and data. The ALLCMDS attribute should be granted on an as-needed basis. Documentation justifying use of this special privilege must be submitted to the Information Systems Security Officer (ISSO) and approved before permission is granted. The ISSO must keep the documentation for reference.
Your organization will ensure that the ALLCMDS privilege is limited to only users that require the ability to bypass the restricted command list.
This STIG article shows how to identify logonids with the ALLCMDS attribute and how to remove the attribute if it is not authorized.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List all logonids with the ALLCMDS privilege defined:

  SET LID
  LID
  LIST IF(ALLCMDS)
  USER02 USER02 ...
  TSO ALLCMDS JCL TSO ...
  LID

  ACF2 displays all logonid records with the ALLCMDS attribute. In this example, ACF2 displays the USER02 logonid record, which includes the ALLCMDS attribute.
- The ISSO reviews documentation on hand to verify if USER02 is authorized to have the ability to bypass the ACF2 restricted command list. For the purposes of this STIG, USER02 is not authorized to have the ALLCMDS privilege.
- If the number of users granted the special privilege ALLCMDS is strictly controlled by the ISSO and access is granted on an as-needed basis, your organization does not have an audit finding.
- If the number of users granted the special privilege ALLCMDS is not controlled and the permission is granted anyway, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) and ISSO are the only roles that should have access to change logonids with the ALLCMDS attribute. Limit all access to change logonid records to the time frames of approved changes, and reduce it to view only outside of approved change windows.
Follow these steps:
- Change the ALLCMDS privilege for logonid USER02 to NOALLCMDS, which removes the ability to bypass the ACF2 restricted command list:

  SET LID
  LID
  CHANGE USER02 NOALLCMDS
  LID

- Verify that the USER02 permissions changed:

  SET LID
  LID
  LIST IF(ALLCMDS)
  USER02 USER02 ...
  TSO NOALLCMDS JCL TSO ...
  LID
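The identify-and-remediate procedure above can be screened mechanically. The following is an added example, not part of the STIG text or of ACF2 itself: it parses a constructed ACF2 LIST logonid display (modelled on the abbreviated output shown above; the record layout and the ISSO_APPROVED list are assumptions) and emits the NOALLCMDS change for every ALLCMDS holder the ISSO has not approved.

```python
# Added example (not part of the STIG text or of ACF2): screen an ACF2
# LIST logonid display against the ISSO's approved list and emit the
# NOALLCMDS remediation for every logonid that is not approved.
# The display below is CONSTRUCTED, modelled on the abbreviated output in
# the STIG; real LIST output carries many more fields per record.
SAMPLE_LIST_OUTPUT = """\
USER02   USER02   USER TWO
  TSO ALLCMDS JCL TSO ...
ZSEC001  ZSEC001  SECURITY ADMIN
  TSO ALLCMDS JCL TSO ...
USER09   USER09   USER NINE
  TSO NOALLCMDS JCL TSO ...
"""

# Logonids the ISSO has documented and approved for ALLCMDS (constructed).
ISSO_APPROVED = {"ZSEC001"}


def parse_allcmds_logonids(display: str) -> list[str]:
    """Return the logonids whose record carries the ALLCMDS attribute.

    Assumed layout, as in the STIG example: a record starts with a
    non-indented line whose first token is the logonid, and the indented
    lines that follow hold its attributes.
    """
    found = []
    current = None
    for raw in display.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # new logonid record header
            current = raw.split()[0]
            continue
        # exact token match so NOALLCMDS is not mistaken for ALLCMDS
        if current and "ALLCMDS" in raw.split() and current not in found:
            found.append(current)
    return found


def audit_allcmds(display: str, approved: set[str]) -> dict:
    """Split ALLCMDS holders into approved users and audit findings."""
    holders = parse_allcmds_logonids(display)
    findings = [lid for lid in holders if lid not in approved]
    # Remediation from the STIG: CHANGE <lid> NOALLCMDS under SET LID.
    remediation = ["SET LID"] + [f"CHANGE {lid} NOALLCMDS" for lid in findings]
    return {
        "holders": holders,
        "approved": [lid for lid in holders if lid in approved],
        "findings": findings,
        "remediation": remediation if findings else [],
    }


if __name__ == "__main__":
    for key, value in audit_allcmds(SAMPLE_LIST_OUTPUT, ISSO_APPROVED).items():
        print(f"{key}: {value}")
```

The generated CHANGE commands are a review aid for the ISSO and ZSECTEAM; they are still issued manually inside an approved change window.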
Strict control of who is granted access to bypass the ACF2 restricted command list protects the integrity and availability of your organization's operating system, applications, and data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1