Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-7486 | ACP00292 | SV-7924r3_rule | DCCS-1 DCCS-2 ECCD-1 ECCD-2 | Medium |
Description |
---|
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2016-01-04 |
Check Text ( C-19517r2_chk ) |
---|
Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(PARMLIB) Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - ACF2CMDS.RPT(LOGONIDS) - ACF2CMDS.RPT(RULES) - SENSITVE.RPT(OPERCMDS) - ACF2CMDS.RPT(RESOURCE) – Alternate report Verify that the MCS console logonids are properly restricted. If the following guidance is true, this is not a finding. ____ Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid ACF2 logonid. ____ Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc.). ____ Each console logonid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.). ____ Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. NOTE: Execute the JCL in CNTL(ACFRPTRX) using the ACF2 console userids in the LID statements in the SYSIN input. This report lists all occurrences of these userids within the ACF2 database, including data set and resource access lists. |
Fix Text (F-6841r2_fix) |
---|
The IAO will ensure that all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) are defined to the ACP. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid ACF2 logonid. Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc.). Each console logonid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.). Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. Example: INSERT MVAC20 NAME(MVA CONSOLE C20) PASSWORD(xxxxxxxx) $KEY(MVS) TYPE(OPR) MCSOPER.- UID(MVAC20) SERVICE(READ) ALLOW CONTROL.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) MONITOR.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) STOPMN.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) DISPLAY.- UID(*) SERVICE(READ) ALLOW - UID(*) PREVENT SET R(OPR) COMPILE ' ACF2.MVA.OPR(MVS)' STORE F ACF2,REBUILD(OPR) $KEY(consname) TYPE(CON) UID(MVAC20) SERVICE(READ) ALLOW SET R(CON) COMPILE ' ACF2.MVA.CON(consname)' STORE F ACF2,REBUILD(CON) |