Check: TSS0-ES-000930
IBM z/OS TSS STIG:
TSS0-ES-000930
(in versions v9 r2 through v7 r1)
Title
CA-TSS Default ACID must be properly defined. (Cat II impact)
Discussion
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Check Content
From the ISPF Command Shell enter: TSS LIST STC If *DEF* has action of *FAIL* this is not a finding. If the default ACID is defined enter: TSS List(<defined ACID>) If the ACID has no access to resources and no facility access and sourced to the internal reader, this is not a finding. If any of the above is untrue, this is a finding.
Fix Text
Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL: TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL) If a valid requirement exists to establish a default STC, the following restrictions also apply: a. The ISSO will maintain the written request, justification, and authorization. b. The STC's ACID will have no other facilities permitted to it. c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE). TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE) d. The STC's ACID will not have any permission to the resources available to TSS. e. The STC's ACID will be sourced to the internal reader: ADD(stc-acid) SOURCE(INTRDR) f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined): TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid)
Additional Identifiers
Rule ID: SV-223966r958726_rule
Vulnerability ID: V-223966
Group Title: SRG-OS-000324-GPOS-00125
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002235 |
Prevent non-privileged users from executing privileged functions. |
Controls
Number | Title |
---|---|
AC-6(10) |
Prohibit Non-privileged Users from Executing Privileged Functions |