Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-1 | ACF0640 | SV-1r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
The NON-CNCL privilege exempts the started tasks from security checking. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2019-09-27 |
Check Text ( C-30803r1_chk ) |
---|
a) Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTNOCNL) Automated Analysis Refer to the following report produced by the ACF2 Data Collection Checklist: - PDI(ACF0640) b) Ensure that only logonids associated with trusted STCs have the NON-CNCL attribute specified. TRUSTED STCs: Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways: 1) By analyzing an STC's access requirements and granting the requisite accesses. 2) By considering these started tasks as trusted for the purpose of data set and resource access requests. The list of approved trusted started tasks is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum. c) If (b) above is true, there is NO FINDING. d) If (b) above is untrue, there is a FINDING. |
Fix Text (F-27343r1_fix) |
---|
Review all LOGONIDs with the NON-CNCL attribute. The IAO will ensure that only STCs in the trusted STC list can have the NON-CNCL attribute. The list of approved trusted STCs is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum. The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for STCs will not be used. Certain started tasks performing critical operating system related functions may be considered trusted for the purposes of data set and resource access requests. For these STCs all access requests will be honored. These STCs will be given the following attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets: NON-CNCL Example: SET LID CHANGE logonid STC NON-CNCL |