There are started task LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record that are not listed as trusted and have not been specifically approved.

From z/OS ACF2 STIG

Part of ACF0640

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-002145

SV-1r2_rule There are started task LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record that are not listed as trusted and have not been specifically approved.

Vulnerability discussion

The NON-CNCL privilege exempts the started tasks from security checking. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, and customer data.

Check content

a) Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTNOCNL)

Automated Analysis: refer to the following report produced by the ACF2 Data Collection Checklist:

- PDI(ACF0640)

b) Ensure that only logonids associated with trusted STCs have the NON-CNCL attribute specified.

TRUSTED STCs: Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways:

1) By analyzing an STC's access requirements and granting the requisite accesses.

2) By considering these started tasks as trusted for the purpose of data set and resource access requests.

The list of approved trusted started tasks is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.

c) If (b) above is true, there is NO FINDING.

d) If (b) above is untrue, there is a FINDING.

Fix text

Review all LOGONIDs with the NON-CNCL attribute. The IAO will ensure that only STCs in the trusted STC list can have the NON-CNCL attribute. The list of approved trusted STCs is found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum.

The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for STCs will not be used.

Certain started tasks performing critical operating system related functions may be considered trusted for the purposes of data set and resource access requests. For these STCs all access requests will be honored. These STCs will be given the following attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets: NON-CNCL

Example:

    SET LID
    CHANGE logonid STC NON-CNCL
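The check above (steps a through d) is a comparison of two lists: the logonids the ATTNOCNL report shows carrying NON-CNCL, and the trusted STCs from the Addendum table plus any site-approved exceptions. The script below is an added example, not part of the STIG or of any ACF2 tooling, that performs that comparison and returns the FINDING / NO FINDING verdict. The report layout, the trusted list and the logonid names in it are constructed for illustration; the real ATTNOCNL member format and the Addendum table are site and release specific, so treat parse_report as an assumption to adapt.

```python
"""
ACF0640 helper: audit NON-CNCL started-task logonids against a trusted list.

Added example, not ACF2 or STIG code. The report text, trusted set and
approved-exception set are constructed for this example; in practice the
input is the ACF2CMDS.RPT(ATTNOCNL) member and the TRUSTED STARTED TASKS
table from the zOS STIG Addendum.
"""
from dataclasses import dataclass

# Constructed stand-in for the ATTNOCNL report: a header line, then one
# logonid per line followed by the privilege attributes it carries.
# (Assumed layout; the real member's columns may differ.)
SAMPLE_REPORT = """\
LOGONID   ATTRIBUTES
JES2      STC NON-CNCL
VTAM      STC NON-CNCL
BATCHPRD  NON-CNCL
OMVSKERN  STC NON-CNCL
TCPIP     STC NON-CNCL
"""

# Constructed trusted STC list (the real one is the Addendum table).
TRUSTED_STCS = {"JES2", "VTAM", "TCPIP"}

# Logonids the IAO has specifically approved outside the trusted table.
# Assumed empty here.
APPROVED_EXCEPTIONS: set[str] = set()


@dataclass(frozen=True)
class Finding:
    logonid: str
    reason: str


def parse_report(text: str) -> list[tuple[str, set[str]]]:
    """Return (logonid, attributes) pairs from the constructed report layout."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("LOGONID"):
            continue  # skip blanks and the header line
        fields = line.split()
        records.append((fields[0], set(fields[1:])))
    return records


def audit(records, trusted: set[str], approved: set[str]) -> list[Finding]:
    """Step (b): every STC logonid with NON-CNCL must be trusted or approved.

    Non-STC logonids carrying NON-CNCL are outside ACF0640's scope and are
    left for the rule that covers user/batch logonids.
    """
    findings = []
    for lid, attrs in records:
        if "NON-CNCL" not in attrs or "STC" not in attrs:
            continue
        if lid in trusted or lid in approved:
            continue
        findings.append(
            Finding(lid, "STC logonid has NON-CNCL but is neither trusted nor approved")
        )
    return findings


def verdict(findings: list[Finding]) -> str:
    """Steps (c) and (d): NO FINDING only when the audit list is empty."""
    return "NO FINDING" if not findings else "FINDING"


if __name__ == "__main__":
    results = audit(parse_report(SAMPLE_REPORT), TRUSTED_STCS, APPROVED_EXCEPTIONS)
    for f in results:
        print(f"{f.logonid}: {f.reason}")
    print(verdict(results))
```

Run it as-is and the constructed data yields one finding (OMVSKERN) and the verdict FINDING; adding that logonid to the approved set, or to the trusted set once the Addendum table lists it, clears the finding. Any logonid the script flags is then either removed from the NON-CNCL list or documented as a site-approved exception by the IAO.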
