LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-171	ACF0750	SV-171r2_rule	DCCS-1 DCCS-2	Medium

Description
Individuals with these powerful attributes may have more extensive privileges than necessary to perform their job function. There could be no separation of duties and/or principle of least privilege in effect. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-265r1_chk )
Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTACCT) - ACF2CMDS.RPT(ATTLEAD) - ACF2CMDS.RPT(ATTSECT) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0750) Review all logonids for specific groups with the attributes ACCOUNT, LEADER, or SECURITY ensure they have the SCPLIST attribute specified properly according to job function and areas of responsibility. NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Check Text ( C-265r1_chk )

Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTACCT)
- ACF2CMDS.RPT(ATTLEAD)
- ACF2CMDS.RPT(ATTSECT)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection:

- PDI(ACF0750)

Review all logonids for specific groups with the attributes ACCOUNT, LEADER, or SECURITY ensure they have the SCPLIST attribute specified properly according to job function and areas of responsibility.

NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Fix Text (F-3354r1_fix)
The IAO will ensure logonids with the ACCOUNT, LEADER, and SECURITY attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility. The following user attributes allow update of the ACF2 databases for administering users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record: ACCOUNT LEADER SECURITY NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.

Fix Text (F-3354r1_fix)

The IAO will ensure logonids with the ACCOUNT, LEADER, and SECURITY attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility.

The following user attributes allow update of the ACF2 databases for administering users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record:

ACCOUNT
LEADER
SECURITY

NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.