SV-223928r561402_rule
V-223928
SRG-OS-000080-GPOS-00048
TSS0-ES-000550
CAT II
10
Review access authorization to the TSS mask character (*, *., and/or **) for data sets. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to the data set mask permissions.
The installing Systems Programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and, if required, that all WRITE and/or greater accesses are logged. The Programmer will identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented, will work with the ISSO to see that they are properly restricted to the ACP (Access Control Program) active on the system.
(Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)
Auditors may require READ access to all data sets.
DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users may require READ and/or greater access to all data sets to perform maintenance.
If CA VTAPE is installed on the system, READ access can be given to the CA VTAPE STCs and/or batch users.
All access authorizations will be logged. The exception is that logging is not required for Trusted Started Tasks.
The following commands are provided as a sample for implementing data set controls:
TSS ADDTO(msca) DATASET(*.)
TSS PERMIT(smplsmpl) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(CA VTape STC) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(dasbsmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(dasdsmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(emersmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(tstcsmpl) DATASET(*.) ACCESS(ALL)
Refer to the accesses to the TSS masking character (*, *., and/or **) for data sets.
If the following guidance is true, this is not a finding.
If the TSS data set access authorizations restrict READ access to auditors, this is not a finding.
If the TSS data set access authorizations restrict READ and/or greater access to DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users, this is not a finding.
If CA VTAPE is installed on the system and the TSS data set access authorizations restrict READ access to CA VTAPE STCs and/or batch users, this is not a finding.
If the TSS data set access authorizations specify that all (i.e., failures and successes) EXECUTE and/or greater accesses are logged, this is not a finding.
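The check above can be partly automated. The following is an added example, not part of the STIG or of CA Top Secret: it reads PERMIT command lines in the form of the sample commands (not TSS LIST output) and reports mask permissions that break the role, access, or logging rules. The role assigned to each sample ACID and the ACID `appluser` are assumptions made for illustration.

```python
import re

# Assumed roles for the page's sample ACIDs (hypothetical mapping; a site
# would build this table from its own documented role assignments).
ROLE_OF = {
    "smplsmpl": "auditor",
    "ca vtape stc": "vtape",
    "dasbsmpl": "dasd_batch",
    "dasdsmpl": "dasd_admin",
    "emersmpl": "emergency",
    "tstcsmpl": "trusted_stc",
}
READ_ONLY_ROLES = {"auditor", "vtape"}
MASKS = {"*", "*.", "**"}
PERMIT_RE = re.compile(r"^TSS\s+PERMIT\(([^)]+)\)\s+(.*)$", re.IGNORECASE)
OPERAND_RE = re.compile(r"(\w+)\(([^)]*)\)")

def review_mask_permits(lines):
    """Return (acid, reason) findings for PERMITs on a data set mask."""
    findings = []
    for line in lines:
        m = PERMIT_RE.match(line.strip())
        if not m:
            continue  # ADDTO and other commands grant no access
        acid = m.group(1).strip().lower()
        ops = {k.upper(): v.strip().upper() for k, v in OPERAND_RE.findall(m.group(2))}
        if ops.get("DATASET") not in MASKS:
            continue  # only the mask characters are in scope for this check
        role = ROLE_OF.get(acid)
        access = ops.get("ACCESS", "")
        if role is None:
            findings.append((acid, "ACID is not a documented role for mask access"))
            continue
        if role in READ_ONLY_ROLES and access != "READ":
            findings.append((acid, f"{role} is limited to READ, has {access or 'unspecified'}"))
        if role != "trusted_stc" and "AUDIT" not in ops.get("ACTION", "").split(","):
            findings.append((acid, "access is not logged (no ACTION(AUDIT))"))
    return findings

# Constructed sample: three non-compliant mask permits and one non-mask permit.
SAMPLE = """\
TSS PERMIT(smplsmpl) DATASET(**) ACCESS(UPDATE) ACTION(AUDIT)
TSS PERMIT(emersmpl) DATASET(*.) ACCESS(ALL)
TSS PERMIT(appluser) DATASET(*) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(appluser) DATASET(SYS1.PARMLIB) ACCESS(READ)
"""

if __name__ == "__main__":
    for acid, reason in review_mask_permits(SAMPLE.splitlines()):
        print(f"FINDING {acid}: {reason}")
```

A PERMIT that omits the ACCESS operand is reported as unspecified for a READ-only role so that it gets a manual look.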