The special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-177 | ZTSOA040 | SV-177r3_rule | DCCS-1 DCCS-2 ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| Users with this privilege can mount tape and DASD. This could result in the compromise of the confidentiality, integrity, availability of the operating system, ACP, or customer data. |
| STIG | Date |
|---|---|
| z/OS ACF2 STIG | 2019-12-12 |
Details
| Check Text ( C-20406r2_chk ) |
|---|
| Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTTSO) Ensure that all ACF2 privileges are restricted according to the requirements specified. If the following guidance is true, this is not a finding. ___ The ACCTPRIV privilege is restricted to security personnel. ___ The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). ___ The MOUNT privilege is restricted to DASD batch users only. |
| Fix Text (F-18705r3_fix) |
|---|
| The IAO will review all Logonids for the following and ensure that only authorized users with justification are given access to the privileges. The ACCTPRIV privilege is restricted for used to the domain level security personnel (IAO/IAM). The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). The MOUNT privilege is restricted to DASD batch users only on an as needed basis to execute TSO in batch. Ensure that all privileges are kept to a minimum and are controlled and documented. |