The LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-174	ACF0780	SV-174r2_rule	DCCS-1 DCCS-2	Medium

Description
Individuals with these attributes have the ability to view security definitions for resources not in their scope. This could result in the compromise of the confidentiality, integrity, and availability of the ACP, or customer data.

STIG	Date
z/OS ACF2 STIG	2016-01-04

Details

Check Text ( C-268r1_chk )
Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTAUDIT) - ACF2CMDS.RPT(ATTCONST) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0780) Ensure all logonids with the attributes AUDIT and/or CONSULT also have the SCPLIST attribute specified properly according to job function and areas of responsibility. NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security IAM/IAO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Check Text ( C-268r1_chk )

Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTAUDIT)
- ACF2CMDS.RPT(ATTCONST)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection:

- PDI(ACF0780)

Ensure all logonids with the attributes AUDIT and/or CONSULT also have the SCPLIST attribute specified properly according to job function and areas of responsibility.

NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security IAM/IAO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Fix Text (F-17067r1_fix)
The IAO will ensure that logonids with the AUDIT or CONSULT attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility. The following user attributes allow viewing of the ACF2 databases for the purpose of inspecting users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record: AUDIT CONSULT

Fix Text (F-17067r1_fix)

The IAO will ensure that logonids with the AUDIT or CONSULT attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility.

The following user attributes allow viewing of the ACF2 databases for the purpose of inspecting users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record:

AUDIT
CONSULT