STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.

DISA Rule

SV-223920r561402_rule

Vulnerability Number

V-223920

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-ES-000470

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.

At the discretion of the ISSO, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, ensure the following items are in effect for every user granted the TSO CONSOLE privilege:
-User ACIDs are restricted to the INFO level in the MCSAUTH attribute.
-User ACIDs are restricted to READ access to the MVS.MCSOPER.acid resource defined in the OPERCMDS resource class.
-Access to the CONSOLE resource defined in the TSOAUTH resource class is restricted to the authorized user ACIDs and/or profile ACIDs.

For example:
TSS ADDTO(userid) MCSAUTH(INFO)
TSS PERMIT(userid) OPERCMDS(MVS.MCSOPER.userid) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(oprprofileacid) TSOAUTH(CONSOLE) ACCESS(READ) ACTION(AUDIT)

Check Contents

Issue TSS WHOOWNS TSOAUTH(*).
If CONSOLE is not defined in the TSOAUTH resource class, this is Not Applicable.

Refer to the CONSOLxx member of SYS1.PARMLIB.

For each console defined, if all of the following are true, this is not a finding.

-User ACIDs are restricted to the INFO level in the MCSAUTH attribute.
-User ACIDs are restricted to READ access to the MVS.MCSOPER.acid resource defined in the OPERCMDS resource class.
-Access to the CONSOLE resource defined in the TSOAUTH resource class is restricted to the authorized user ACIDs and/or profile ACIDs.

If any of the above are untrue, this is a finding.
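One way to apply the three conditions above across many ACIDs at once, as an added example that is not part of the STIG or of STIGQter: a Python script that parses TSS LIST output and reports every ACID holding TSOAUTH(CONSOLE) whose MCSAUTH is not INFO or whose OPERCMDS permit covering MVS.MCSOPER.acid grants more than READ. The sample output embedded below is constructed and only approximates the layout of TSS LIST(acid) DATA(ALL); the field names, the ordering of access levels, the READ default for a permit without an ACCESS line, and the prefix matching of permit resources are all assumptions, so adjust the regular expressions to the output of your own TSS release before relying on it.

```python
"""Audit TSS LIST output for the CONSOLE / MCSAUTH / OPERCMDS conditions."""
import re

# Constructed sample that approximates TSS LIST(acid) DATA(ALL) output.
# The layout and field names are assumptions, not verbatim product output.
SAMPLE_TSS_LIST = """\
ACCESSORID = OPER01    NAME = CONSOLE OPERATOR 1
MCSAUTH    = INFO
XA OPERCMDS = MVS.MCSOPER.OPER01        OWNER(SECADM)
   ACCESS   = READ
   ACTION   = AUDIT
XA TSOAUTH  = CONSOLE                   OWNER(SECADM)
   ACCESS   = READ
   ACTION   = AUDIT
ACCESSORID = OPER02    NAME = CONSOLE OPERATOR 2
MCSAUTH    = MASTER
XA OPERCMDS = MVS.MCSOPER.              OWNER(SECADM)
   ACCESS   = UPDATE
XA TSOAUTH  = CONSOLE                   OWNER(SECADM)
   ACCESS   = READ
ACCESSORID = USER03    NAME = ORDINARY TSO USER
XA OPERCMDS = MVS.MCSOPER.USER03        OWNER(SECADM)
   ACCESS   = READ
"""

# TSS access levels relevant to OPERCMDS, lowest to highest (assumed
# ordering). An unlisted level ranks above READ so it is never waved through.
ACCESS_RANK = {"NONE": 0, "FETCH": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALL": 5}

ACID_RE = re.compile(r"^ACCESSORID\s*=\s*(\S+)")
MCSAUTH_RE = re.compile(r"^MCSAUTH\s*=\s*(\S+)")
XA_RE = re.compile(r"^XA\s+(\S+)\s*=\s*(\S+)")
ACCESS_RE = re.compile(r"^\s+ACCESS\s*=\s*(\S+)")
ACTION_RE = re.compile(r"^\s+ACTION\s*=\s*(\S+)")


def parse_tss_list(text: str) -> dict:
    """Return {acid: {"mcsauth": str|None, "permits": [...]}} from LIST output."""
    records, current, permit = {}, None, None
    for line in text.splitlines():
        if m := ACID_RE.match(line):
            current = {"mcsauth": None, "permits": []}
            records[m.group(1)] = current
            permit = None
        elif current is None:
            continue
        elif m := MCSAUTH_RE.match(line):
            current["mcsauth"] = m.group(1)
        elif m := XA_RE.match(line):
            # ACCESS defaults to READ, as TSS PERMIT does when ACCESS is omitted (assumed).
            permit = {"class": m.group(1), "resource": m.group(2),
                      "access": "READ", "action": None}
            current["permits"].append(permit)
        elif (m := ACCESS_RE.match(line)) and permit is not None:
            permit["access"] = m.group(1)
        elif (m := ACTION_RE.match(line)) and permit is not None:
            permit["action"] = m.group(1)
    return records


def rank(level: str) -> int:
    return ACCESS_RANK.get(level.upper(), ACCESS_RANK["READ"] + 1)


def covers(permit_resource: str, target: str) -> bool:
    # TSS matches permits by prefix, so OPERCMDS(MVS.MCSOPER.) covers every
    # console under it. Assumed here; masking characters are not modelled.
    return target.upper().startswith(permit_resource.upper())


def evaluate(records: dict) -> dict:
    """Map each ACID holding TSOAUTH(CONSOLE) to its list of findings."""
    results = {}
    for acid, rec in records.items():
        if not any(p["class"] == "TSOAUTH" and covers(p["resource"], "CONSOLE")
                   and rank(p["access"]) > ACCESS_RANK["NONE"] for p in rec["permits"]):
            continue  # no CONSOLE privilege: outside the scope of this check
        findings = []
        if rec["mcsauth"] != "INFO":
            findings.append(f"MCSAUTH is {rec['mcsauth'] or 'not set'}, must be INFO")
        target = f"MVS.MCSOPER.{acid}"
        for p in rec["permits"]:
            if p["class"] == "OPERCMDS" and covers(p["resource"], target) \
                    and rank(p["access"]) > ACCESS_RANK["READ"]:
                findings.append(f"OPERCMDS({p['resource']}) grants {p['access']}, "
                                f"exceeds READ on {target}")
        results[acid] = findings
    return results


if __name__ == "__main__":
    for acid, findings in evaluate(parse_tss_list(SAMPLE_TSS_LIST)).items():
        print(f"{acid}: {'FINDING' if findings else 'ok'}")
        for finding in findings:
            print(f"    {finding}")
```

In the sample, OPER01 passes, OPER02 is reported twice (MCSAUTH(MASTER) and a broad OPERCMDS(MVS.MCSOPER.) permit at UPDATE that silently covers MVS.MCSOPER.OPER02), and USER03 is ignored because it holds no CONSOLE privilege. The broad-prefix case is the one worth looking for by hand as well: a permit that names the exact MVS.MCSOPER.acid resource can look compliant while a shorter prefix elsewhere in the listing grants more.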

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4102

Comments