STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223716r604139_rule
V-223716
SRG-OS-000096-GPOS-00050
RACF-ES-000690
CAT II
10
Define all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) to be defined to RACF.
Review the MCS console resources defined to z/OS and RACF, and ensure they conform to those outlined below.
Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles).
Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.
Each console userid has the RACF default group that is an appropriate console group profile.
NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
Examples:
AG consautolog SUPGROUP(<syspsmpl>) OWNER(<syspsmpl>) -
DATA(' group for console userids for autolog processing ')
AG consnoautolog SUPGROUP(<syspsmpl>) OWNER(<syspsmpl>) -
DATA('group for console userids for no autolog processing')
AU consname NAME('CONSOLE USERID FOR consname') NOPASSWORD NOOIDCARD -
DFLTGRP(consautolog) OWNER(consautolog) -
DATA('ADDED TO SUPPORT THE CHANGE TO LOGON(AUTO) IN CONSOLXX')
PERMIT MVS.CONTROL.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.DISPLAY.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.MONITOR.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.STOPMN.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT consname CL(CONSOLE) ID(consname)
Refer to IEASYS00 to determine correct CONSOLxx member.
Examine the CONSOLxx member.
Verify that the MCS console userids are properly restricted.
If the following guidance is true, this is not a finding.
Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles).
Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and console name in the CONSOLE resource class.
Each console userid has the RACF default group that is an appropriate console group profile.
NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
V-223716
False
RACF-ES-000690
Refer to IEASYS00 to determine correct CONSOLxx member.
Examine the CONSOLxx member.
Verify that the MCS console userids are properly restricted.
If the following guidance is true, this is not a finding.
Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles).
Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and console name in the CONSOLE resource class.
Each console userid has the RACF default group that is an appropriate console group profile.
NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
M
4101