LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-184 | ZTSO0020 | SV-184r3_rule | DCCS-1 DCCS-2 ECCD-1 ECCD-2 | High |
| Description |
|---|
| SYS1.UADS is a dataset where LOGONIDs will be maintained with applicable password information when the ACP is not functional. If an unauthorized user has access to SYS1.UADS, they could enter their LOGONID and password into the SYS1.UADS dataset and could give themselves all special attributes on the system. This could enable the user to bypass all security and alter data. They could modify the audit trail information so no trace of their activity could be found. |
| STIG | Date |
|---|---|
| z/OS ACF2 STIG | 2019-12-12 |
Details
| Check Text ( C-20973r1_chk ) |
|---|
| a) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(TSOUADS) Please provide a list of all emergency userids available to the site along with the associated function of each. b) If SYS1.UADS userids are limited and reserved for emergency purposes only, there is NO FINDING. c) If any SYS1.UADS userids are assigned for other than emergency purposes, this is a FINDING. |
| Fix Text (F-18939r1_fix) |
|---|
| The system programmer and IAO will examine the SYS1.UADS entries to ensure LOGONIDs defined include only those users required to support specific functions related to system recovery. Evaluate the impact of accomplishing the change. |