Check: TSS0-ES-000640
IBM z/OS TSS STIG:
TSS0-ES-000640
(in versions v9 r2 through v8 r8)
Title
The number of CA-TSS control ACIDs must be justified and properly assigned. (Cat II impact)
Discussion
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Check Content
From the ISPF Command Shell enter: TSS LIST(ACIDS) TYPE(SCA) DATA(BASIC) If the persons listed agree with the site security plan, this is not a finding.
Fix Text
Review all security administrator ACIDs. Evaluate the impact of correcting the deficiency. Develop a plan of action and reduce the number of control ACIDs if not justified. Use information below as guidance. TYPE=CENTRAL, TYPE=MASTER or also known as "SCA" and "MSCA" level of ACIDS will adhere to the following restrictions based upon documented role/function an individual performs: -Domain level Information System Security Officer (ISSO) - full administrative authorities and access rights needed to perform required and documented role/responsibilities/function. -Assistance Domain Level Information System Security Officer or "backup" or ISSO (up to same access as 1). -DISA SRR Auditor, DoD IG Auditor, SAS70 Auditor - only "view" administrative authorities must be granted and only for those roles/functions that have been formally documented as DISA, DoD IG or SAS70 Auditors and approved by the DISA AO for those position/functions/roles. Exception: Until scoping is worked out and resolved, DISA OST team members may be defined as TYPE=CENTRAL with limited authority such as ACID(INFO,MAINTAIN). All OST Team member ACIDs will be changed to TYPE=LIMITED and scoped accordingly to allow password resets upon verification of users, yet to limit and eliminate any potential risk associated with resetting of MSCA or other SCA level accounts. NO other exceptions will exist.
Additional Identifiers
Rule ID: SV-223937r991589_rule
Vulnerability ID: V-223937
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
CCI-002145 |
Enforce organization-defined circumstances and/or usage conditions for organization-defined system accounts. |