STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.

DISA Rule

SV-223472r533198_rule

Vulnerability Number

V-223472

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

ACF2-ES-000540

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Configure logonids with the AUDIT or CONSULT attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility.

The following user attributes allow viewing of the ACF2 databases for the purpose of inspecting users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record:

AUDIT
CONSULT

NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security ISSM/ISSO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Check Contents

From the ACF Command Screen enter:
SET LID
LIST IF(AUDIT)

If all logonids with the attributes AUDIT and/or CONSULT also do not have the SCPLIST attribute specified properly according to job function and areas of responsibility, this is a finding.

NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security ISSM/ISSO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Vulnerability Number

V-223472

Documentable

False

Rule Version

ACF2-ES-000540

Severity Override Guidance

From the ACF Command Screen enter:
SET LID
LIST IF(AUDIT)

If all logonids with the attributes AUDIT and/or CONSULT also do not have the SCPLIST attribute specified properly according to job function and areas of responsibility, this is a finding.

NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security ISSM/ISSO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Check Content Reference

M

Target Key

4100

Comments