STIG ID - BACF0053: Limit the Users Granted the PPGM Privilege

Limit PPGM attribute to only users that require the ability to bypass the restricted command list.
Severity: 1 - High
The PPGM attribute on the logonid record lets users execute protected programs that are specified on the GSO PPGM record. Users with this privilege have access to powerful utilities and can intentionally or inadvertently compromise operating system integrity or destroy data on a large-scale. Misuse of these utilities could result in the compromise of the confidentiality, integrity, and availability of the operating system, ESM, or customer data. The PPGM attribute should be granted on an as-needed basis. Documentation justifying use of this special privilege must be submitted to the Information Systems Security Officer (ISSO) and approved before permission is granted. The ISSO must keep the documentation for reference.
Your organization will ensure that the PPGM attribute is limited to only users that require the ability to bypass the restricted command list. Appropriate resource access should be granted in lieu of the PPGM attribute, ensuring documented role-based least privileged access is defined and granted.
This STIG article shows how to identify logonids with the PPGM attribute and how to remove the attribute if it is not authorized.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List all logonids with the PPGM privilege defined:
     SET LID
     LID
     LIST IF(PPGM)
     USER04 USER04 ... PRIVILEGES EXPIRE(12/12/20) PPGM ...
     LID
     ACF2 displays all logonid records with the PPGM attribute. In this example, ACF2 displays the logonid record USER04, which includes the PPGM attribute.
     • PPGM | NOPPGM
       Specifies that a user can execute the protected programs specified in the GSO PPGM record.
  2. The ISSO reviews the documentation on hand to verify whether the logonids displayed are authorized to have the PPGM privilege, which lets them execute the protected programs specified in the GSO PPGM record. For the purposes of this STIG, USER04 is not authorized to have the PPGM privilege.
  3. If the number of users granted the special privilege PPGM is strictly controlled by the ISSO and access is granted on an as-needed basis, your organization does not have an audit finding.
  4. If the number of users granted the special privilege PPGM is not controlled and permission is granted without that control, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) and ISSO are the only roles that should have access to change logonids with the PPGM attribute. Limit all access to change logonid records to approved change windows, and reduce it to view-only outside those windows.
Follow these steps:
  1. Change the PPGM privilege for logonid USER04 to NOPPGM, which removes the ability to execute the protected programs specified in the GSO PPGM record:
     SET LID
     LID
     CHANGE USER04 NOPPGM
     LID
  2. Verify that the USER04 permissions changed:
     SET LID
     LID
     LIST USER04
     USER04 USER04 ... TSO NOPPGM ...
     LID
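The identify and remediate procedures above are manual. The following is an added example, not ACF2 code from Broadcom or from this STIG: it assumes the output of LIST IF(PPGM) has been captured to a text file in the layout shown on this page (a record opens with the logonid name repeated in the name field, and attribute keywords such as PPGM or NOPPGM appear on the following lines), compares the holders against an ISSO-approved list, and emits the CHANGE ... NOPPGM commands for every unapproved logonid. The sample output and the approved list are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of ACF2 "LIST IF(PPGM)" output, laid out like the page's
# example. "..." stands for fields that do not matter for this check.
SAMPLE_LIST_OUTPUT = """\
USER04   USER04 ...
         PRIVILEGES EXPIRE(12/12/20) PPGM ...
SECADM1  SECADM1 ...
         PRIVILEGES EXPIRE(12/31/26) PPGM ...
USER09   USER09 ...
         TSO NOPPGM ...
"""

# Constructed ISSO-approved holders of PPGM; in practice this list comes from
# the justification documentation the ISSO keeps on file.
APPROVED_PPGM: Set[str] = {"SECADM1"}

# A record starts on a line whose first token (the logonid) is repeated as the
# second token (the name field), as in "USER04 USER04 ...".
RECORD_START = re.compile(r"^(\S+)\s+\1\b")
# Whole-word match so "PPGM" is not found inside "NOPPGM".
PRIVILEGE_WORD = re.compile(r"\b(NOPPGM|PPGM)\b")


def parse_logonids(list_output: str) -> Dict[str, Set[str]]:
    """Return {logonid: set of PPGM-related keywords found in its record}."""
    records: Dict[str, Set[str]] = {}
    current = None
    for line in list_output.splitlines():
        m = RECORD_START.match(line)
        if m:
            current = m.group(1)
            records[current] = set()
        if current is not None:
            records[current].update(PRIVILEGE_WORD.findall(line))
    return records


def has_ppgm(keywords: Set[str]) -> bool:
    """A logonid holds the privilege only if PPGM is present and NOPPGM is not."""
    return "PPGM" in keywords and "NOPPGM" not in keywords


def find_unauthorized_ppgm(list_output: str, approved: Set[str]) -> List[str]:
    """Logonids that hold PPGM without appearing on the ISSO-approved list."""
    records = parse_logonids(list_output)
    return sorted(lid for lid, kw in records.items()
                  if has_ppgm(kw) and lid not in approved)


def remediation_commands(unauthorized: List[str]) -> List[str]:
    """Build the ACF2 command sequence from the page's remediation step."""
    if not unauthorized:
        return []
    cmds = ["SET LID"]
    for lid in unauthorized:
        cmds.append(f"CHANGE {lid} NOPPGM")
    return cmds


if __name__ == "__main__":
    findings = find_unauthorized_ppgm(SAMPLE_LIST_OUTPUT, APPROVED_PPGM)
    if findings:
        print("Audit finding: unapproved PPGM holders:", ", ".join(findings))
        print("\n".join(remediation_commands(findings)))
    else:
        print("No audit finding: all PPGM holders are ISSO-approved.")
```

Run against the sample, the script reports USER04 as an unapproved holder and prints the SET LID / CHANGE USER04 NOPPGM sequence; SECADM1 is skipped because it is approved, and USER09 is skipped because its record carries NOPPGM. Reviewing the generated commands before submitting them keeps the ISSO approval step in the loop.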
Strict control of who can execute the protected programs specified in the GSO PPGM record protects the integrity and availability of your organization's operating system, applications, and data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1