UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

User accounts defined to the ACP do not uniquely identify system users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3716 ACP00330 SV-3716r2_rule DCCS-1 DCCS-2 IAIA-1 IAIA-2 Medium
Description
System users must be uniquely identified to the operating system. To accomplish this, each user must have an individual account defined to the ACP. If user accounts are not associated with specific individuals and are shared among multiple users, individual accountability is lost. This could hamper security audit activities and lead to unauthorized user access of system resources and customer data. . Scope of, ownership of and responsibility over users shall be based upon the specifics of appointment, role, responsibilities and level of authority. Such as a domain/system level IAO is responsible for the Domain/system level users, whereas normally a application user would be the responsibility of the DoD AIS application security team unless SLA indicates otherwise.
STIG Date
z/OS ACF2 STIG 2016-06-30

Details

Check Text ( C-5433r1_chk )
a) The IAO will provide a list of all userids that are shared among multiple users(i.e not uniquely identified system users).

b) If there are no shared userids on this domain, there is NO FINDING.

c) If there are shared userids on this domain, this is a FINDING.

NOTE: Userids should be able to be traced back to a current DD2875 or a Vendor Requirement (example: A Started Task).
Fix Text (F-18149r1_fix)
The IAO wil identify user accounts defined to the ACP that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ACP.

The IAO is required to uniquely identify each system user to the ACP, and that access to resources is limited to those needed to perform the function. A user is defined as either an individual accessing a computer resource, or as a task executing on the system that requires access to a resource. On z/OS systems a user is identified by means of a unique userid. Security requires that audit data record the identity of the user, time of access, interaction with the system, and sensitive functions that might permit a user or program to modify, bypass, or negate security safeguards.
Any userid (user) on the system must be associated with only one individual also any given individual may be assigned responsibility for multiple userids on a given system, depending on functional responsibilities, to ensure task segregation.