Check: TSS0990
zOS TSS STIG: TSS0990 (in versions v6 r43 through v6 r30)
Title
ACIDs were found having access FAC(*ALL*). (Cat II impact)
Discussion
All users, with the exception of the master security control ACID, must be authorized to a facility in order to sign on to it. Granting a user FACILITY(*ALL*) gives that user access to all facilities. Users should be limited to only those facilities required to perform their jobs.
Check Content
Refer to the following reports produced by the TSS Data Collection:
- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)

Automated Analysis
Refer to the following report produced by the TSS Data Collection:
- PDI(TSS0990)

Ensure that no ACID(s) is (are) assigned FACILITY(*ALL*).
Fix Text
The IAO will ensure that blanket access to all facilities, FACILITY(*ALL*), is never granted. Review all access to FACILITY(*ALL*). Evaluate the impact of correcting the deficiency. Develop a plan of action and remove access to FAC(*ALL*).
Example: TSS REM(acid) FAC(*ALL*)
Additional Identifiers
Rule ID: SV-246r2_rule
Vulnerability ID: V-246
Group Title: TSS0990
CCIs
Number | Definition |
---|---|
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-002230 | Review, on an organization-defined frequency, the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges. |