STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

CA-TSS Default ACID must be properly defined.

DISA Rule

SV-223966r561402_rule

Vulnerability Number

V-223966

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

TSS0-ES-000930

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified.

All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL:

TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL)

If a valid requirement exists to establish a default STC, the following restrictions also apply:

a. The ISSO will maintain the written request, justification, and authorization.

b. The STC's ACID will have no other facilities permitted to it.

c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE).

TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE)

d. The STC's ACID will not have any permission to the resources available to TSS.

e. The STC's ACID will be sourced to the internal reader:

TSS ADD(stc-acid) SOURCE(INTRDR)

f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined):

TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid)

Check Contents

From the ISPF Command Shell enter:
TSS LIST STC

If *DEF* has an action of *FAIL*, this is not a finding.

If the default ACID is defined, enter:
TSS LIST(<defined ACID>)

If the ACID has no access to resources, has no facility access, and is sourced to the internal reader, this is not a finding.

If any of the above is untrue, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4102
