
Data set masking characters allowing access to all data sets must be properly restricted in the security database.


Overview

Finding ID: V-22648
Version: TSS1010
Rule ID: SV-26592r3_rule
IA Controls: DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3, ECCD-1, ECCD-2
Severity: Medium
Description
TSS provides masking as an additional method for reducing the number of entries that must be made to secure the installation data sets. Shared patterns can be used as the operands of data set parameters. If these masking characters (*, *., and/or **) are not restricted, there is the possibility of exposure when granting access to a data set mask that allows access to all data sets. Unauthorized access could result in the compromise of the operating system environment, ACP, products, and customer data.
STIG: z/OS TSS STIG
Date: 2017-03-22

Details

Check Text (C-27644r3_chk)
Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(GLOBRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(TSS1010)

Verify that access to the TSS masking characters (*, *., and/or **) for data sets is properly restricted. If all of the following statements are true, this is not a finding.

___ The TSS data set access authorizations restrict READ access to auditors.

___ The TSS data set access authorizations restrict READ and/or greater access to DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users.

___ If CA VTAPE is installed on the system, the TSS data set access authorizations restrict READ access to CA VTAPE STCs and/or batch users.

___ The TSS data set access authorizations specify that all (i.e., failures and successes) EXECUTE and/or greater accesses are logged.
Fix Text (F-235r3_fix)
The IAO will review access authorizations to the TSS mask characters (*, *., and/or **) for data sets. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to the data set mask permissions.

The installing Systems Programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and, if required, that all WRITE and/or greater accesses are logged. He will identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented he will work with the IAO to see that they are properly restricted to the ACP (Access Control Program) active on the system.

(Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)

Auditors may require READ access to all data sets.
DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users may require READ and/or greater access to perform maintenance on all data sets.
If CA VTAPE is installed on the system, READ access can be given to the CA VTAPE STCs and/or batch users.
All access authorizations will be logged; the one exception is that logging is not required for Trusted Started Tasks.

The following commands are provided as a sample for implementing data set controls:

TSS ADDTO(msca) DATASET(*.)
TSS PERMIT(audtaudt) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(CA VTape STC) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(dasbaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(dasdaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(emeraudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(tstcaudt) DATASET(*.) ACCESS(ALL)
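As an added illustration (not part of the STIG or of any CA tooling), the following Python script parses PERMIT statements in the form the sample above uses and flags deviations from the four check items: only auditors and CA VTAPE STCs at READ, the maintenance categories at READ and/or greater, no other ACIDs on a mask, and ACTION(AUDIT) on every mask permit except those for Trusted Started Tasks. The sample PERMIT lines and the ACID-to-category mapping are constructed placeholders; a real review would take both from the site's GLOBRPT output and its documented ACIDs.

```python
import re

# Constructed sample in the same shape as the STIG fix text; ACIDs are placeholders.
SAMPLE_PERMITS = """
TSS PERMIT(audtaudt) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(vtapestc) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(dasbaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(dasdaudt) DATASET(*.) ACCESS(ALL)
TSS PERMIT(emeraudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(tstcaudt) DATASET(*.) ACCESS(ALL)
TSS PERMIT(appluser) DATASET(**) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(appluser) DATASET(SYS1.PARMLIB) ACCESS(READ)
"""

# The three data set mask forms named by the STIG.
MASKS = {"*", "*.", "**"}

# Assumed site mapping of ACID -> STIG category; comes from site documentation in practice.
ROLE_OF_ACID = {
    "audtaudt": "auditor", "vtapestc": "vtape_stc",
    "dasdaudt": "dasd_admin", "dasbaudt": "dasd_batch",
    "emeraudt": "emergency", "tstcaudt": "trusted_stc",
}
# Permitted ACCESS per category: a set of allowed values, or None for READ and/or greater.
ALLOWED_ACCESS = {
    "auditor": {"READ"}, "vtape_stc": {"READ"},
    "dasd_admin": None, "dasd_batch": None, "emergency": None, "trusted_stc": None,
}

PERMIT_RE = re.compile(
    r"TSS PERMIT\((?P<acid>[^)]+)\) DATASET\((?P<ds>[^)]+)\)"
    r" ACCESS\((?P<access>\w+)\)(?: ACTION\((?P<action>\w+)\))?"
)


def audit_mask_permits(text, role_of_acid=ROLE_OF_ACID):
    """Return (acid, reason) findings for PERMITs that target a data set mask."""
    findings = []
    for m in PERMIT_RE.finditer(text):
        acid, ds, access, action = m.group("acid", "ds", "access", "action")
        if ds not in MASKS:
            continue  # a specific data set, not the global mask; out of scope for TSS1010
        role = role_of_acid.get(acid.lower())
        if role is None:
            findings.append((acid, "ACID is not in an authorized category for the mask"))
        elif ALLOWED_ACCESS[role] is not None and access not in ALLOWED_ACCESS[role]:
            findings.append((acid, f"{role} is limited to READ but has ACCESS({access})"))
        # Every mask access must be logged; only Trusted Started Tasks are exempt.
        if role != "trusted_stc" and action != "AUDIT":
            findings.append((acid, "mask access is not logged (ACTION(AUDIT) missing)"))
    return findings
```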