Check: TSS0-ES-000970

IBM z/OS TSS STIG: TSS0-ES-000970 (in versions v9 r5 through v7 r1)

Title
CA-TSS ACIDs defined as security administrators must have the NOATS attribute. (Cat II impact)
Discussion
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Check Content
Execute the TSS report TSSAUDIT with the PRIVILEGES control statement PRIVILEGES [SHORT]. For more information on TSSAUDIT reports, refer to the CA-TSS Report and Tracking Guide. Refer to the resulting report. If all security administrators have the "NOATS" attribute, this is not a finding.
Fix Text
Review all security administrator ACIDs. Ensure the "NOATS" attribute has been assigned. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes.

NOTE: The NOATS attribute may be added to an ACID or an ACID's PROFILE. The following command may be issued to determine if the NOATS attribute is defined to an ACID or an ACID's PROFILE:

tss list(<acid>) data(basic,profile)
Additional Identifiers
Rule ID: SV-223970r958726_rule
Vulnerability ID: V-223970
Group Title: SRG-OS-000324-GPOS-00125
CCIs

  | Number | Definition | 
|---|---|
| CCI-002235 | Prevent non-privileged users from executing privileged functions. | 

Controls

  | Number | Title | 
|---|---|
| AC-6(10) | Prohibit Non-privileged Users from Executing Privileged Functions |