MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7487	ACP00293	SV-7927r3_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2	Medium

Description
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-19520r1_chk )
Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CONSOLE) Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(CONSOLE) - ACF2CMDS.RPT(RESOURCE) – Alternate report NOTE: If CLASMAP defines CONSOLE as anything other than the default of TYPE(CON), replace CON below with the appropriate three letters. Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00293) Review resource rules for TYPE(CON). Ensure the following items are in effect for all MCS consoles identified in the EXAM.RPT(CONSOLE): 1) Each console is defined to ACF2 with a corresponding resource rule for TYPE(CON). 2) Each TYPE(CON) rule is defined with PREVENT access by default. 3) The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class. 4) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Check Text ( C-19520r1_chk )

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CONSOLE)

Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(CONSOLE)
- ACF2CMDS.RPT(RESOURCE) – Alternate report

NOTE: If CLASMAP defines CONSOLE as anything other than the default of TYPE(CON), replace CON below with the appropriate three letters.

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00293)

Review resource rules for TYPE(CON). Ensure the following items are in effect for all MCS consoles identified in the EXAM.RPT(CONSOLE):

1) Each console is defined to ACF2 with a corresponding resource rule for TYPE(CON).
2) Each TYPE(CON) rule is defined with PREVENT access by default.
3) The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class.
4) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Fix Text (F-28347r2_fix)
The IAO must ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the CONSOLxx parmlib members is defined to ACF2 with a corresponding resource rule for TYPE(CON). Each TYPE(CON) rule is defined with PREVENT access by default. The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class. Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel. Example: $KEY(MZNC20) TYPE(CON) USERDATA(CONSOLE ID SECURITY) UID(syspaudt) ALLOW UID(operaudt) ALLOW UID(MZNC20) ALLOW DATA(MZNC20 CONSOLE LOGONID ACCESS REQUIREMENTS) UID(*) PREVENT SET R(CON) COMPILE 'ACF2.MZN.CON(MZNC20)' STORE F ACF2,REBUILD(CON)

Fix Text (F-28347r2_fix)

The IAO must ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers.

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.

Each console defined in the CONSOLxx parmlib members is defined to ACF2 with a corresponding resource rule for TYPE(CON).

Each TYPE(CON) rule is defined with PREVENT access by default.

The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class.

Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Example:

$KEY(MZNC20) TYPE(CON)
USERDATA(CONSOLE ID SECURITY)
UID(syspaudt) ALLOW
UID(operaudt) ALLOW
UID(MZNC20) ALLOW DATA(MZNC20 CONSOLE LOGONID ACCESS REQUIREMENTS)
UID(*) PREVENT

SET R(CON)
COMPILE 'ACF2.MZN.CON(MZNC20)' STORE

F ACF2,REBUILD(CON)