
There are GSO MAINT records that do not have corresponding maintenance LOGONIDs.


Overview

Finding ID: V-167
Version: ACF0670
Rule ID: SV-167r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Low
Description
LOGONIDs could be intentionally created that correspond to the GSO MAINT records. Then the maintenance programs could be used to gain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data.
STIG Date
z/OS ACF2 STIG 2019-12-12

Details

Check Text ( C-258r1_chk )
a) Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ACFGSO)
- ACF2CMDS.RPT(ATTMAINT)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection Checklist:

- PDI(ACF0670)

b) If every GSO MAINT record has a corresponding maintenance logonid, there is NO FINDING.

c) If any GSO MAINT record does not have a corresponding maintenance logonid, this is a FINDING.
Fix Text (F-16910r1_fix)
The IAO will ensure that an associated user logonid exists for each special GSO maintenance record identifying the program(s) that it is permitted to access and the library where the program(s) resides.

An associated GSO MAINT record will exist for each special user logonid, identifying the program(s) that it is permitted to access and the library where the program(s) resides.

Example:

SET LID
CHANGE DFSMSHSM MAINT
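
The cross-check described in the Check Text and Fix Text, as an added example that is not part of the STIG or of the ACF2 Data Collection tooling. The two report layouts are simplified, constructed stand-ins (assumed: one GSO record per name in column 1 with LIBRARY/LID/PGM operands, and one MAINT logonid per line); every record name, logonid and function name except DFSMSHSM is hypothetical.

```python
import re

# Constructed stand-in for ACF2CMDS.RPT(ACFGSO); the real report layout may differ.
# Assumed: a record name starts in column 1, continuation lines are indented.
ACFGSO_SAMPLE = """\
MAINT.HSM    LIBRARY(SYS1.LINKLIB) LID(DFSMSHSM) PGM(ARCCTL)
MAINT.BKUP   LIBRARY(SYS2.BKUP.LOAD)
             LID(BKUPMNT) PGM(BKUPPGM)
MAINT.OLD    LIBRARY(SYS3.OLD.LOAD) LID(OLDMAINT) PGM(OLDPGM)
MAINT.TMP    LID(DFSMSHSM)
OPTS         NOTRY MAXVIO(10)
"""

# Constructed stand-in for ACF2CMDS.RPT(ATTMAINT): one MAINT logonid per line.
ATTMAINT_SAMPLE = "DFSMSHSM\nBKUPMNT\nTAPEMNT\n"

OPERAND = re.compile(r"\b(LID|LIBRARY|PGM)\(([^)]*)\)", re.IGNORECASE)

def parse_gso_maint(report):
    """Return {record name: {operand: value}} for GSO MAINT records only."""
    records, current = {}, None
    for line in report.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # new GSO record; keep it only if it is a MAINT record
            name = line.split()[0].upper()
            is_maint = name == "MAINT" or name.startswith("MAINT.")
            current = records.setdefault(name, {}) if is_maint else None
        if current is not None:
            for key, value in OPERAND.findall(line):
                current[key.upper()] = value.strip().upper()
    return records

def parse_maint_logonids(report):
    return {line.split()[0].upper() for line in report.splitlines() if line.strip()}

def cross_check(gso_report, lid_report):
    records = parse_gso_maint(gso_report)
    logonids = parse_maint_logonids(lid_report)
    referenced = {r.get("LID") for r in records.values()}
    required = {"LID", "LIBRARY", "PGM"}
    return {
        # Check Text item c): GSO MAINT record with no corresponding logonid (FINDING)
        "maint_without_logonid": sorted(n for n, r in records.items() if r.get("LID") not in logonids),
        # Fix Text, second paragraph: MAINT logonid with no GSO MAINT record
        "logonid_without_maint": sorted(logonids - referenced),
        # Fix Text: record should name the logonid, the program(s) and the library
        "incomplete_records": sorted(n for n, r in records.items() if not required <= r.keys()),
    }
```

Calling `cross_check(ACFGSO_SAMPLE, ATTMAINT_SAMPLE)` on the constructed input flags MAINT.OLD under item c), TAPEMNT as a MAINT logonid with no GSO MAINT record, and MAINT.TMP as a record missing its program and library.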