IBM z/OS system administrator must develop a procedure to notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-223579	SRG-OS-000304-GPOS-00121	ACF2-OS-002390	SV-223579r1001132_rule	2025-03-11	9

Description
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

Description

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the SA and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

ℹ️ Check
Ask the SA for the procedure to notify SAs and ISSOs of account enabling actions. If no procedures are in place, this is a finding.

✔️ Fix
Develop and document a procedure to notify SAs and ISSOs of account enabling actions.