STIG ID - BACF0055: Define and Protect Sensitive Utility Controls

Severity: 2 - Medium
Sensitive Utility Controls are programs that run with, or can grant, sensitive system privileges and can therefore be used to bypass the controls placed on system resources. Failure to properly control access to these programs could result in the compromise of the confidentiality, integrity, and availability of the operating system environment, system services, the external security manager (ACF2), and customer data.
This STIG article shows how to define and protect the resource controls for sensitive utility programs.
The organization will ensure that all Sensitive Utility Program Control resources, and their generic equivalents, are properly protected according to the requirements specified in the Sensitive Utility Program Controls table below.
Identify Audit Finding
Review the following data to determine whether remediation is needed.
Follow these steps:
The following shows how to determine whether all Sensitive Utility Control resources are properly protected:
  1. Ensure all Sensitive Utility resources, and their generic equivalents, are properly protected according to the requirements specified in the Sensitive Utility Controls table shown below. This table lists the program resources, the access requirements, and the logging requirements for Sensitive Utilities. Where several programs share a row, the same requirements apply to each program.
    Program Name | Product | Function | Allowed Access | Logging
    AHLGTF, HHLGTF, IHLGTF | z/OS | System Activity Tracing | Only the specific started tasks that require it: GTF, GTFTRACE | Yes
    ICPIOCP, IOPIOCP, IXPIOCP, IYPIOCP, IZPIOCP | z/OS | System Configuration | ZOSSYSP1 | Yes
    BLSROPTR | z/OS | Data Management | DASDSYSP | Yes
    DEBE | OS/DEBE | Data Management | DASDSYSP, TAPELIBR | Yes
    DITTO | OS/DITTO | Data Management | DASDSYSP, TAPELIBR | Yes
    FDRZAPOP | FDR | Product Internal Modification | ZOSSYSP1 | Yes
    GIMSMP | SMP/E | Software Product Change Management | AUDITORS, DASDSYSP, ZOSSYSP1, CICSSYSP, DB2SYSP, IDMSSYSP | Yes
    ICKDSF | z/OS | DASD Management | DASDSYSP, userid assigned to the DEVMAN started task | Yes
    IDCSC01 | z/OS | IDCAMS Set Cache Module | ZOSSYSP1 | Yes
    IEHINITT | z/OS | Tape Management (erase tapes/initialize tapes) | TAPELIBR | Yes
    IFASMFDP | z/OS | SMF Data Dump Utility | AUDITORS, PCSPTEAM, ZSECTEAM, DASDSYSP, ZOSSYSP1, CICSSYSP, DBASYSP, IDMSSYSP | Yes
    CSQJU003, CSQJU004, CSQUCVX, CSQ1LOGP, CSQUTIL | IBM WebSphere MQ | MQ Series sensitive utility programs | AUDITORS, MQSTEAM | Yes
    IND$FILE | z/OS | File transfer via TSO (applicable to classified systems or to customers who wish to restrict it) | n/a | n/a
    WHOIS | | A process by which userids/names are provided and can be searched, listed and/or downloaded if Read access is granted | Internal infrastructure roles only, Read access only | Yes
    The following Sensitive Utilities will be checked, or not checked, for the reason specified:
    • AMDIOCP
      May be in use on Fujitsu 5990, 5995a, and 5995m processors.
    • AMZIOCP
      May be in use on Fujitsu Millennium and Omniflex processors.
    • DEBE
      Check only if DEBE is installed on the system.
    • DITTO
      Check only if DITTO/ESA is installed on the system.
    • FDRZAPOP
      Check only if FDR is installed on the system.
    • IND$FILE
      Check only on systems where the organization requires restrictions.
    • CSQxxxx
      Check only if WebSphere MQ is installed.
    • WHOIS
      Any utility or process that provides the entire list of userids on a system, with or without the assigned names. Such userid lists can be exploited because they supply half of what is needed to log on. They could also be used to drive a denial-of-service attack: attempting to log on to every account with bad passwords would suspend or disable every userid on the respective system. Userid listings that include all userids should be treated as sensitive information with limited access.
    *This access is allowed at the discretion of the site ISSM/ISSO.
  2. Ensure the following guidelines identified in the table are followed:
    1. The resources are defined with a default access of PREVENT.
    2. The resource access authorizations restrict access to the appropriate personnel.
    3. The resource logging is correctly specified.
  3. If the guidance provided in the Sensitive Utility Controls table is followed, your organization does not have an audit finding.
  4. If the guidance provided in the Sensitive Utility Controls table is not followed, your organization has a finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) will work with the Systems Programmer to verify that the guidance provided in the Sensitive Utility Controls table is properly specified in ACF2.
Follow these steps:
  1. Implement any resource controls identified as missing. The following is an example for AHLGTF: the TYPE(PGM) resource rule set grants logged access to the UID mask of the GTF started task (stcgaudt here stands for the site's own UID mask) and prevents everyone else; after the rule set is compiled and stored, the resident PGM directory is rebuilt with the console command on the last line:
    $KEY(AHLGTF) TYPE(PGM)
    UID(stcgaudt) LOG
    UID(*) PREVENT
    F ACF2,REBUILD(PGM)
Sensitive Utility Program Control resources, and their generic equivalents, are now properly protected according to the requirements specified in the Sensitive Utility Program Controls table.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following reference CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1