Check: TSS0740
zOS TSS STIG:
TSS0740
(in versions v6 r43 through v6 r30)
Title
User ACIDs and Control ACIDs do not have the NAME field completed. (Cat III impact)
Discussion
Every User ACID should be assigned to an individual using the NAME field. Within the ACID record, the user's NAME field should be completed. If this field is not completed for each user, user accountability is lost. A completed NAME field must be traceable to either a current DD2875 or a Vendor Requirement (example: a Started Task). A user may be required to have more than one logonid, but users must not share userids.
Check Content
a) Refer to the following reports produced by the TSS Data Collection:
- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)

Automated Analysis
Refer to the following report produced by the TSS Data Collection:
- PDI(TSS0740)

Note: An interactive user may have more than one ACID as long as it has a matching DD2875 form. Users may not share any type of ACID.

b) If all ACIDs have the NAME field completed, there is NO FINDING.

c) If any ACID does not have the NAME field completed, this is a FINDING.
Fix Text
The IAO will review all ACID definitions and ensure the NAME field is completed. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement. NOTE: An interactive user may have more than one ACID as long as it has a matching DD2875 form. Users may not share any type of ACID.
Additional Identifiers
Rule ID: SV-224r2_rule
Vulnerability ID: V-224
Group Title: TSS0740
CCIs
Number | Definition |
---|---|
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000804 | Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. |