Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-223966 | TSS0-ES-000930 | SV-223966r561402_rule | Medium |
Description |
---|
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. |
STIG | Date |
---|---|
IBM z/OS TSS Security Technical Implementation Guide | 2022-01-05 |
Check Text ( C-25639r516297_chk ) |
---|
From the ISPF Command Shell enter: TSS LIST STC If *DEF* has action of *FAIL* this is not a finding. If the default ACID is defined enter: TSS List( If the ACID has no access to resources and no facility access and sourced to the internal reader, this is not a finding. If any of the above is untrue, this is a finding. |
Fix Text (F-25627r516298_fix) |
---|
Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL: TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL) If a valid requirement exists to establish a default STC, the following restrictions also apply: a. The ISSO will maintain the written request, justification, and authorization. b. The STC's ACID will have no other facilities permitted to it. c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE). TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE) d. The STC's ACID will not have any permission to the resources available to TSS. e. The STC's ACID will be sourced to the internal reader: ADD(stc-acid) SOURCE(INTRDR) f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined): TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid) |