Navigate

Check: ACP00293

zOS TSS STIG: ACP00293 (in versions v6 r43 through v6 r30)

Title

MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. (Cat II impact)

Discussion

MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CONSOLE) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(WHOHSYSC) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00293) Ensure the following items are in effect for all MCS consoles identified in the EXAM.RPT(CONSOLE): 1) Each console is defined to SYSCONS resource class and/or the SYSCONS resource class has the DEFPROT attribute. 2) The ACID associated with each console has READ access to the corresponding resource defined in the SYSCONS resource class. 3) Access authorization for SYSCONS resources restricts access to operations, the Master SCA, and system programming personnel.

Fix Text

The IAO must ensure that all MCS consoles are defined to the SYSCONS resource class and READ access is limited to operators and system programmers. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the CONSOLxx parmlib members is defined to TSS SYSCONS resource class and/or the SYSCONS resource class has the DEFPROT attribute. The ACID associated with each console has access to the corresponding resource defined in the SYSCONS resource class. Example: TSS PERMIT(MMGMST) SYSCONS(MMGMST) ACCESS(READ) Access authorization for SYSCONS resources restricts access to operations, the Master SCA, and system programming personnel. TSS PERMIT(operaudt) SYSCONS(MMGMST) ACCESS(READ) TSS PERMIT(Master SCA) SYSCONS(MMGMST) ACCESS(READ) TSS PERMIT(syspaudt) SYSCONS(MMGMST) ACCESS(READ)

Additional Identifiers

Rule ID: SV-7929r3_rule

Vulnerability ID: V-7487

Group Title: ACP00293

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000213	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-002234	Log the execution of privileged functions.
CCI-002235	Prevent non-privileged users from executing privileged functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-3	Access Enforcement
AC-6(9)	Auditing Use of Privileged Functions
AC-6(10)	Prohibit Non-privileged Users from Executing Privileged Functions