Title

The number of ACIDs with MISC9 authority must be justified. ACIDs with MISC9 must be limited to the administrative authorities authorized and that require these privileges to perform their job duties. (Cat I impact)

Discussion

The MISC9 authority deals with higher level administrative authorities. One of the authorities is The MISC9 authority deals with higher level administrative authorities. One of the authorities is BYPASS, which can bypass security on the system. This violates the principle of individual user accountability. If this authority is not monitored, the potential for system degradation or destruction could happen. Only the appointed SCA's who are responsible for the security at the domain shall have MISC9 admin rights except MISC9(Generic) may be granted to any DCA,VCA,ZCA,LSCA,SCA.

Check Content

a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(@ADMIN) b) Review ACIDs having MISC9(ALL) or MISC9(CONSOLE) authority under administrative authorities. Only designated SCA's who are responsible for the security for the domain will be allowed this authority. c) If (b) above is in compliance, there is NO FINDING. d) If (b) above is not in compliance, this is a FINDING.

Fix Text

Review all ACIDs with the MISC9 attribute. Evaluate the impact of removing MISC9(ALL) or MISC9(CONSOLE) access from ACIDs not required to assign the CONSOLE attribute. It is suggested that MISC9(CONSOLE) assignment privileges be limited to the MSCA. Develop a plan of action and implement the changes.

Additional Identifiers

Rule ID: SV-243r3_rule

Vulnerability ID: V-243

Group Title: TSS0950

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.