Check: TSS0755
zOS TSS STIG: TSS0755 (in versions v6 r43 through v6 r30)
Title
Interactive ACIDs defined to TSS must have the required fields completed. (Cat II impact)
Discussion
The required fields indicate the privileges and accesses that each user possesses. If the user is not associated with a group, user accountability is lost for that user and they could conceivably possess more authority than is necessary for them to do their job.
Check Content
Refer to the following reports produced by the TSS Data Collection:
- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)

Automated Analysis
Refer to the following report produced by the TSS Data Collection:
- PDI(TSS0755)

Verify that the interactive userids are properly defined. If the following guidance is true, this is not a finding.

___ Ensure the fields and information listed below, are present for all interactive users.

FIELD | DESCRIPTION | VALUE |
---|---|---|
FACILITY | Validated facilities to use | BATCH, TSO, NCPASS, or other interactive Facility |
PASSWORD | logon password | must have a value |
INSTDATA | Installation data | optional |
PROFILE | Profile(s) | optional |
TSOLPROC | Default TSO logon PROC | optional for TSO users |
TSOLACCT | Default TSO logon account | may be required for a fee for service. |

___ Ensure that the PASSWORD interval is a value of 1 to 60 days.

___ Ensure that the NOSUSPEND attribute is not specified.

Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP only process and server to server userids may have PASSWORD interval of 0 specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis.
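The pass/fail logic of this check, as an added example that is not part of the STIG or of the TSS Data Collection tooling. It assumes the ACID definitions have already been extracted into dictionaries; the key names, the `ftpusers` argument and the sample ACIDs are constructed for illustration.

```python
# Added example. Record keys and sample ACIDs are constructed, not TSS report output.

def is_ftp_exception(acid, ftpusers):
    """FTP-only / server-to-server ACID as the check identifies it: listed in
    the site's FTPUSERS group or carrying 'FTP' in the name field."""
    return acid["acid"] in ftpusers or "FTP" in acid.get("name", "").upper()

def check_acid(acid, ftpusers=frozenset()):
    """Return the TSS0755 findings for one interactive ACID record."""
    findings = []
    if not acid.get("facility"):
        findings.append("FACILITY missing")
    if not acid.get("has_password"):
        findings.append("PASSWORD has no value")
    interval = acid.get("password_interval")
    if interval == 0 and is_ftp_exception(acid, ftpusers):
        pass  # interval 0 allowed; the annual password change is verified manually
    elif not isinstance(interval, int) or not 1 <= interval <= 60:
        findings.append(f"PASSWORD interval {interval!r} outside 1-60 days")
    if "NOSUSPEND" in acid.get("attributes", []):
        findings.append("NOSUSPEND specified")
    return findings

def audit(acids, ftpusers=frozenset()):
    """Map ACID name -> findings, leaving out ACIDs with no findings."""
    report = {}
    for acid in acids:
        findings = check_acid(acid, ftpusers)
        if findings:
            report[acid["acid"]] = findings
    return report

# Constructed sample records (assumed shape, one dict per interactive ACID).
SAMPLE_ACIDS = [
    {"acid": "USER01", "name": "J SMITH", "facility": ["TSO", "BATCH"],
     "has_password": True, "password_interval": 60, "attributes": []},
    {"acid": "USER02", "name": "A JONES", "facility": [],
     "has_password": True, "password_interval": 90, "attributes": ["NOSUSPEND"]},
    {"acid": "FTPSRV1", "name": "FTP TRANSFER", "facility": ["BATCH"],
     "has_password": True, "password_interval": 0, "attributes": []},
    {"acid": "USER03", "name": "B LEE", "facility": ["TSO"],
     "has_password": True, "password_interval": 0, "attributes": []},
    {"acid": "SRVLINK", "name": "NODE LINK", "facility": ["BATCH"],
     "has_password": True, "password_interval": 0, "attributes": []},
]
SAMPLE_FTPUSERS = frozenset({"SRVLINK"})  # constructed FTPUSERS membership

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACIDS, SAMPLE_FTPUSERS).items():
        print(name, "->", "; ".join(findings))
```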
Fix Text
The IAO will review all interactive ACID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required according to the following:

FIELD | DESCRIPTION | VALUE |
---|---|---|
FACILITY | Validated facilities to use | BATCH, TSO, NCPASS, or other interactive Facility |
PASSWORD | logon password | must have a value |
INSTDATA | Installation data | optional |
PROFILE | Profile(s) | optional |
TSOLPROC | Default TSO logon PROC | optional for TSO users |
TSOLACCT | Default TSO logon account | may be required for a fee for service. |

The PASSWORD interval for interactive user must be set to no higher than 60 days.

The NOSUSPEND attribute will not be specified for interactive users.

Note: Current DoD policy has changed requiring that the password change interval is set to a value of 1 to 60. Ensure that this is in effect.

Note: FTP only process and server to server userids may have PASSWORD interval of 0 specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis.

TSS REP(userid) PASSWORD(Unk#own6,60)
Additional Identifiers
Rule ID: SV-31713r5_rule
Vulnerability ID: V-25505
Group Title: TSS0755
CCIs
Number | Definition |
---|---|
CCI-000199 | The information system enforces maximum password lifetime restrictions. |
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000804 | Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. |
CCI-002119 | Specify organization-attributes (as required) for each account on the system. |