Title

CA-TSS Default ACID must be properly defined. (Cat II impact)

Discussion

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Check Content

From the ISPF Command Shell enter: TSS LIST STC If *DEF* has action of *FAIL* this is not a finding. If the default ACID is defined enter: TSS List(<defined ACID>) If the ACID has no access to resources and no facility access and sourced to the internal reader, this is not a finding. If any of the above is untrue, this is a finding.

Fix Text

Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL: TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL) If a valid requirement exists to establish a default STC, the following restrictions also apply: a. The ISSO will maintain the written request, justification, and authorization. b. The STC's ACID will have no other facilities permitted to it. c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE). TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE) d. The STC's ACID will not have any permission to the resources available to TSS. e. The STC's ACID will be sourced to the internal reader: ADD(stc-acid) SOURCE(INTRDR) f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined): TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid)

Additional Identifiers

Rule ID: SV-223966r877807_rule

Vulnerability ID: V-223966

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.