Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-7486 | ACP00292 | SV-7925r3_rule | Medium |
Description |
---|
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data. |
STIG | Date |
---|---|
z/OS RACF STIG | 2018-12-20 |
Check Text ( C-20011r2_chk ) |
---|
Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(PARMLIB) Refer to the following report produced by the RACF Data Collection and Data Set and Resource Data Collection: - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) - SENSITVE.RPT(OPERCMDS) - RACFCMDS.RPT(DATASET) Verify that the MCS console userids are properly restricted. If the following guidance is true, this is not a finding. ____ Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid. ____ Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.). ____ Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.). ____ Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. ____ Each console userid has the RACF default group that is an appropriate console group profile. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists. |
Fix Text (F-18157r2_fix) |
---|
The IAO will ensure that all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) are defined to the ACP. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid. Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.). Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.). Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. Each console userid has the RACF default group that is an appropriate console group profile. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists. Examples: AG consautolog SUPGROUP( DATA(' group for console userids for autolog processing ') AG consnoautolog SUPGROUP( DATA('group for console userids for no autolog processing') AU consname NAME('CONSOLE USERID FOR consname') NOPASSWORD NOOIDCARD - DFLTGRP(consautolog) OWNER(consautolog) - DATA('ADDED TO SUPPORT THE CHANGE TO LOGON(AUTO) IN CONSOLXX') PERMIT MVS.CONTROL.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.DISPLAY.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.MONITOR.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.STOPMN.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT consname CL(CONSOLE) ID(consname) |