UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.


Overview

Finding ID Version Rule ID IA Controls Severity
V-177 ZTSOA040 SV-177r3_rule DCCS-1 DCCS-2 ECCD-1 ECCD-2 Medium
Description
Users with this privilege can mount tape and DASD. This could result in the compromise of the confidentiality, integrity, availability of the operating system, ACP, or customer data.
STIG Date
z/OS ACF2 STIG 2019-03-26

Details

Check Text ( C-20406r2_chk )
Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTTSO)

Ensure that all ACF2 privileges are restricted according to the requirements specified. If the following guidance is true, this is not a finding.

___ The ACCTPRIV privilege is restricted to security personnel.

___ The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.).

___ The MOUNT privilege is restricted to DASD batch users only.
Fix Text (F-18705r3_fix)
The IAO will review all Logonids for the following and ensure that only authorized users with justification are given access to the privileges.

The ACCTPRIV privilege is restricted for used to the domain level security personnel (IAO/IAM).

The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.).

The MOUNT privilege is restricted to DASD batch users only on an as needed basis to execute TSO in batch.

Ensure that all privileges are kept to a minimum and are controlled and documented.