Check: TSS0-ES-000030
IBM z/OS TSS STIG:
TSS0-ES-000030
(in versions v9 r2 through v7 r1)
Title
CA-TSS MODE Control Option must be set to FAIL. (Cat I impact)
Discussion
Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The automated mechanisms may reside within the operating system itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.
Check Content
From the ISPF Command Shell enter: TSS MODIFY STATUS If the global MODE Control Option value is set to "FAIL", this is not a finding. If the global MODE Control Option value is not set to "FAIL", this is a finding. Additional analysis may be required under the following conditions: Mode(IMPL) is allowed while a system is in implementation with a documented process that includes an implementation completion date.
Fix Text
Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the MODE control option to (FAIL) and proceed with the change.
Additional Identifiers
Rule ID: SV-223876r958362_rule
Vulnerability ID: V-223876
Group Title: SRG-OS-000001-GPOS-00001
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000015 |
Support the management of system accounts using organization-defined automated mechanisms. |
Controls
Number | Title |
---|---|
AC-2(1) |
Automated System Account Management |