STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.

DISA Rule

SV-223468r533198_rule

Vulnerability Number

V-223468

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

ACF2-ES-000500

Severity

CAT II

CCI(s)

• CCI-000225 - The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Review security procedures for defining LOGONIDs and develop documentation of requirements for the LOGONID associated with the REFRESH attribute.

Example:
When the ISSO determines it necessary to refresh the ACF2 global options, the ISSO will do the following:

-Activate the REFRESH ID with the following setting(s):
NOSUSPEND
NOPSWD EXP
PASSWORD(new password)

-Instruct Operations to perform the REFRESH.

-Deactivate the REFRESH ID with the following setting:
SUSPEND

Check Contents

From the ACF Command screen enter:
SET LID
LIST IF(REFRESH)

If procedures exist to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is not a finding.

Example:
When the ISSO determines it necessary to refresh the ACF2 global options, the ISSO will do the following:

-Activate the REFRESH ID with the following setting(s):
NOSUSPEND
NOPSWD EXP
PASSWORD(new password)

-Instruct Operations to perform the REFRESH.

-Deactivate the REFRESH ID with the following setting:
SUSPEND

If no procedures exist in accordance with the STIG requirements to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is a finding.

Vulnerability Number

V-223468

Documentable

False

Rule Version

ACF2-ES-000500

Severity Override Guidance

From the ACF Command screen enter:
SET LID
LIST IF(REFRESH)

If procedures exist to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is not a finding.

Example:
When the ISSO determines it necessary to refresh the ACF2 global options, the ISSO will do the following:

-Activate the REFRESH ID with the following setting(s):
NOSUSPEND
NOPSWD EXP
PASSWORD(new password)

-Instruct Operations to perform the REFRESH.

-Deactivate the REFRESH ID with the following setting:
SUSPEND

If no procedures exist in accordance with the STIG requirements to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is a finding.

Check Content Reference

M

Target Key

4100

Comments