Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1 | ACF0640 | SV-1r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
The NON-CNCL privilege exempts the started tasks from security checking. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2016-01-04 |
Check Text (C-30803r1_chk) |
---|
a) Refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ATTNOCNL)

Automated Analysis: refer to the following report produced by the ACF2 Data Collection Checklist:
- PDI(ACF0640)

b) Ensure that only logonids associated with trusted STCs have the NON-CNCL attribute specified.

TRUSTED STCs: Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways:
1) By analyzing an STC's access requirements and granting the requisite accesses.
2) By considering these started tasks as trusted for the purpose of data set and resource access requests.
The list of approved trusted started tasks is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.

c) If (b) above is true, there is NO FINDING.

d) If (b) above is untrue, there is a FINDING.
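The comparison in step b) can be scripted once the ATTNOCNL report has been pulled off the host. The following is an added example, not part of the STIG or of any ACF2 tooling: it assumes a simplified one-logonid-per-line listing (a constructed layout, not the real ACF2CMDS.RPT(ATTNOCNL) format) and a placeholder trusted-STC set standing in for the TRUSTED STARTED TASKS Table from the zOS STIG Addendum. It reports every logonid carrying NON-CNCL that is not a started task on the trusted list, which is exactly the condition that turns step b) into a FINDING.

```python
"""Added example: flag ACF2 logonids that carry NON-CNCL but are not trusted STCs.

The report layout and the trusted list below are assumptions for illustration;
they are not the ACF2 ATTNOCNL report format or the STIG Addendum table.
"""

# Constructed sample: one logonid per line followed by the attributes set on it
# (assumed layout, not ACF2's own report).
SAMPLE_REPORT = """\
LOGONID   ATTRIBUTES
JES2      STC NON-CNCL
VTAM      STC NON-CNCL
TSOADMIN  NON-CNCL
DBAPPL1   STC
BACKUP    STC NON-CNCL
"""

# Placeholder for the site's TRUSTED STARTED TASKS table; entries are constructed.
TRUSTED_STCS = {"JES2", "VTAM"}


def parse_report(text):
    """Return {logonid: set(attributes)} from the assumed report layout."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "LOGONID":
            continue  # skip blank lines and the header line
        records[fields[0]] = set(fields[1:])
    return records


def find_noncncl_findings(records, trusted):
    """Return the sorted logonids that have NON-CNCL but are not trusted STCs.

    Per the check text, NON-CNCL is acceptable only on a started task (STC)
    that appears on the trusted list; any other logonid with it is a finding.
    """
    findings = []
    for lid, attrs in records.items():
        if "NON-CNCL" not in attrs:
            continue
        if "STC" in attrs and lid in trusted:
            continue
        findings.append(lid)
    return sorted(findings)


def evaluate(text, trusted):
    """Return ('NO FINDING', []) or ('FINDING', [logonids]) as in steps c) and d)."""
    findings = find_noncncl_findings(parse_report(text), trusted)
    return ("FINDING" if findings else "NO FINDING", findings)


if __name__ == "__main__":
    status, lids = evaluate(SAMPLE_REPORT, TRUSTED_STCS)
    print(status)
    for lid in lids:
        print("  NON-CNCL outside trusted STC list:", lid)
```

Running it against the constructed sample reports TSOADMIN (NON-CNCL on a non-STC logonid) and BACKUP (an STC not on the trusted list); JES2 and VTAM pass because they are both STCs and trusted. Replace the parser with one matching the site's actual report layout and load the trusted set from the Addendum table before using it in a real review.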
Fix Text (F-27343r1_fix) |
---|
Review all LOGONIDs with the NON-CNCL attribute. The IAO will ensure that only STCs in the trusted STC list can have the NON-CNCL attribute. The list of approved trusted STCs is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.

The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for STCs will not be used.

Certain started tasks performing critical operating system-related functions may be considered trusted for the purposes of data set and resource access requests. For these STCs all access requests will be honored. These STCs will be given the following attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets: NON-CNCL

Example:

    SET LID
    CHANGE logonid STC NON-CNCL