Title

The special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch. (Cat II impact)

Discussion

Users with this privilege can mount tape and DASD. This could result in the compromise of the confidentiality, integrity, availability of the operating system, ACP, or customer data.

Check Content

Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTTSO) Ensure that all ACF2 privileges are restricted according to the requirements specified. If the following guidance is true, this is not a finding. ___ The ACCTPRIV privilege is restricted to security personnel. ___ The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). ___ The MOUNT privilege is restricted to DASD batch users only.

Fix Text

The IAO will review all Logonids for the following and ensure that only authorized users with justification are given access to the privileges. The ACCTPRIV privilege is restricted for used to the domain level security personnel (IAO/IAM). The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). The MOUNT privilege is restricted to DASD batch users only on an as needed basis to execute TSO in batch. Ensure that all privileges are kept to a minimum and are controlled and documented.

Additional Identifiers

Rule ID: SV-177r3_rule

Vulnerability ID: V-177

Group Title: ZTSOA040

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.