STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.

DISA Rule

SV-223929r561402_rule

Vulnerability Number

V-223929

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-ES-000560

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Ensure that DASD VOLUME access authorization greater than CREATE is not permitted unless authorized by the ISSO.

Review all access to DASD VOLUMEs. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the required changes.

*Noted Exception: Domain-level DASD administrators who are responsible for domain-level DASD/storage administration. Team members who are directly responsible for and perform domain-level DASD/storage administration may be granted volume-level access to all volumes via PRIVPGM controls.

Domain-level DASD/storage administrators' access should be granted as VOL(*ALL*)ACC(ALL)ACTION(AUDIT)PRIVPGM(list of privileged programs).

Check Contents

From the ISPF Command Shell enter:
TSS WHOOWNS VOLUME(*)

For each volume identified, issue WHOHAS (<volume id>).

If access authorizations greater than CREATE (e.g., CONTROL or ALL) granted for DASD volumes are within the requirements in the site security plan, this is not a finding.

If access authorization for volumes exceeds the requirements without justification, this is a finding.

NOTE: Domain-level DASD administrators who are responsible for domain-level DASD/storage administration are excepted. Team members who are directly responsible for and perform domain-level DASD/storage administration may be granted volume-level access to all volumes via PRIVPGM controls.

Vulnerability Number

V-223929

Documentable

False

Rule Version

TSS0-ES-000560

Severity Override Guidance


Check Content Reference

M

Target Key

4102

Comments