UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MCS console userid(s) will be properly protected.


Overview

Finding ID Version Rule ID IA Controls Severity
V-7486 ACP00292 SV-7924r3_rule DCCS-1 DCCS-2 ECCD-1 ECCD-2 Medium
Description
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
STIG Date
z/OS ACF2 STIG 2016-01-04

Details

Check Text ( C-19517r2_chk )
Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(PARMLIB)

Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection:

- ACF2CMDS.RPT(LOGONIDS)
- ACF2CMDS.RPT(RULES)
- SENSITVE.RPT(OPERCMDS)
- ACF2CMDS.RPT(RESOURCE) – Alternate report

Verify that the MCS console logonids are properly restricted. If the following guidance is true, this is not a finding.

____ Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid ACF2 logonid.

____ Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc.).

____ Each console logonid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.).

____ Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.

NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources.

NOTE: Execute the JCL in CNTL(ACFRPTRX) using the ACF2 console userids in the LID statements in the SYSIN input. This report lists all occurrences of these userids within the ACF2 database, including data set and resource access lists.
Fix Text (F-6841r2_fix)
The IAO will ensure that all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) are defined to the ACP.

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.

Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid ACF2 logonid.

Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc.).

Each console logonid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.).

Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.

NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources.

NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources.

Example:

INSERT MVAC20 NAME(MVA CONSOLE C20) PASSWORD(xxxxxxxx)

$KEY(MVS) TYPE(OPR)
MCSOPER.- UID(MVAC20) SERVICE(READ) ALLOW
CONTROL.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO))
MONITOR.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO))
STOPMN.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO))
DISPLAY.- UID(*) SERVICE(READ) ALLOW
- UID(*) PREVENT

SET R(OPR)
COMPILE ' ACF2.MVA.OPR(MVS)' STORE

F ACF2,REBUILD(OPR)

$KEY(consname) TYPE(CON)
UID(MVAC20) SERVICE(READ) ALLOW

SET R(CON)
COMPILE ' ACF2.MVA.CON(consname)' STORE

F ACF2,REBUILD(CON)