An error occurred:

Check: ACP00291

zOS ACF2 STIG: ACP00291 (in versions v6 r43 through v6 r30)

Title

CONSOLxx members must be properly configured. (Cat II impact)

Discussion

MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(PARMLIB) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ACP00291) Review each CONSOLxx parmlib member. If the following guidance is true, this is not a finding. ____ The "DEFAULT" statement for each CONSOLxx member specifies "LOGON(REQUIRED)" or "LOGON(AUTO)". ____ The "CONSOLE" statement for each console assigns a unique name using the "NAME" parameter. ____ The "CONSOLE" statement for each console specifies "AUTH(INFO)". Exceptions are the "AUTH" parameter is not valid for consoles defined with "UNIT(PRT)" and specifying "AUTH(MASTER)" is permissible for the system console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.

Fix Text

Ensure that the "DEFAULT" statement specifies "LOGON(REQUIRED)" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, "LOGON(AUTO)" may be used. If "LOGON(AUTO)" is used assure that the console userids are defined with minimal access. See ACP00292. Ensure that each "CONSOLE" statement specifies an explicit console NAME. And that "AUTH(INFO)" is specified, this also including extended MCS consoles. "AUTH(MASTER)" may be specified for systems console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.

Additional Identifiers

Rule ID: SV-7923r4_rule

Vulnerability ID: V-7485

Group Title: ACP00291

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000382

The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
CCI-002234

The information system audits the execution of privileged functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6 (9)

Auditing Use Of Privileged Functions
CM-7

Least Functionality