Title

MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. (Cat II impact)

Discussion

MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CONSOLE) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(CONSOLE) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00293) Ensure the following items are in effect for all MCS consoles identified in the EXAM.RPT(CONSOLE): 1) Each console is defined to RACF with a corresponding profile in the CONSOLE resource class. 2) Each CONSOLE profile is defined with UACC(NONE). 3) The userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class. 4) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Fix Text

The IAO must ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the CONSOLxx parmlib member is defined to RACF with a corresponding profile in the CONSOLE resource class. See the IBM zOS OPERATIONS AND PLANNNG guide for further information. Each CONSOLE profile is defined with UACC(NONE). A sample command file to accomplish items #1 and #2 is shown here: RDEF CONSOLE MMDMST UACC(NONE) OWNER(syspaudt) RDEF CONSOLE MMD041 UACC(NONE) OWNER(syspaudt) RDEF CONSOLE MMDSCN UACC(NONE) OWNER(syspaudt) RDEF CONSOLE ** UACC(NONE) OWNER(syspaudt) DATA('** represents all consoles not specifically defined') Do not permit any user or group access to the ** profile. If a new console is added to the CONSOLxx member of it will be covered by this profile and a subsequent error will display in the log which will allow identification of the undefined console. The userid associated with each console will have READ access to the corresponding resource defined in the CONSOLE resource class. A sample command file to accomplish this is shown here: Note that the actual console groupid & userids are defined as part of ACP00292. PE MMDMST CL(CONSOLE) ID(mmdmst) PE MMDSCN CL(CONSOLE) ID(mmdscn) PE MMD041 CL(CONSOLE) ID(mmd041) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel. A sample command file showing a permission of READ access for sysprogs and operators is shown here: PE MMDMST CL(CONSOLE) ID(syspaudt operaudt) PE MMDSCN CL(CONSOLE) ID(syspaudt operaudt) PE MMD041 CL(CONSOLE) ID(syspaudt operaudt)

Additional Identifiers

Rule ID: SV-7928r3_rule

Vulnerability ID: V-7487

Group Title: ACP00293

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.