UCF STIG Viewer Logo

CA-TSS Default ACID must be properly defined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223966 TSS0-ES-000930 SV-223966r856103_rule Medium
Description
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
STIG Date
IBM z/OS TSS Security Technical Implementation Guide 2022-09-19

Details

Check Text ( C-25639r516297_chk )
From the ISPF Command Shell enter:
TSS LIST STC

If *DEF* has action of *FAIL* this is not a finding.

If the default ACID is defined enter:
TSS List()

If the ACID has no access to resources and no facility access and sourced to the internal reader, this is not a finding.

If any of the above is untrue, this is a finding.
Fix Text (F-25627r516298_fix)
Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified.

All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL:

TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL)

If a valid requirement exists to establish a default STC, the following restrictions also apply:

a. The ISSO will maintain the written request, justification, and authorization.

b. The STC's ACID will have no other facilities permitted to it.

c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE).

TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE)

d. The STC's ACID will not have any permission to the resources available to TSS.

e. The STC's ACID will be sourced to the internal reader:

ADD(stc-acid) SOURCE(INTRDR)

f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined):

TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid)