Navigate

Check: TSS0930

zOS TSS STIG: TSS0930 (in versions v6 r43 through v6 r30)

Title

The number of ACIDs possessing the tape Bypass Label Processing (BLP) privilege is not limited. (Cat II impact)

Discussion

BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.

Check Content

a) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - SENSITVE.RPT(WHOHVOL) b) Using the reports listed in (a) above, review the ACIDs that have BLP access. Verify that only authorized personnel have BLP access and that documentation for access is on file with the IAO. c) If (b) above is correct, there is NO FINDING. d) If (b) above is incorrect, this is a FINDING.

Fix Text

Review all ACIDs with the BLP attribute. Evaluate the impact of removing BLP access from unauthorized personnel. Develop a plan of action and remove BLP access from unauthorized ACIDs.

Additional Identifiers

Rule ID: SV-241r2_rule

Vulnerability ID: V-241

Group Title: TSS0930

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000035	Provide the capability for privileged administrators to configure the organization-defined security or privacy policy filters to support different security or privacy policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-4(11)	Configuration of Security Policy Filters