Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-245 | TSS0980 | SV-245r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
Because the NO***CHK attributes can bypass system security, it is imperative that all ACIDs possessing these attributes be monitored and documentation maintained justifying the need for the access authorization. If these attributes are given to ACIDs that do not require the authority, the ACIDs could modify system data and potentially degrade or destroy system information. |
STIG | Date |
---|---|
z/OS TSS STIG | 2018-10-04 |
Check Text ( C-32091r1_chk ) |
---|
Refer to the following report produced by the TSS Data Collection: TSSPRIV.RPT. Review ACIDs having the following attributes specified. These attributes will be identified in the TSSPRIV.RPT as follows: NDSN - NODSNCHK; NLCF - NOLCFCHK; NRES - NORESCHK; NSUB - NOSUBCHK; NVMD - NOVMDCHK; NVOL - NOVOLCHK. NOTE: The NOSUBCHK attribute must be given to CICS Regions, IDMS Regions, etc. to be able to submit jobs on behalf of all users. This applies to ACIDs having the NOxxxCHK attributes. Started tasks that are listed in the TRUSTED STARTED TASKS table in the z/OS STIG Addendum are permitted to have the NOxxxCHK attributes. Ensure that the use of the NOxxxCHK attributes is avoided unless a special requirement necessitates their use and the IAO documents all uses of the NOxxxCHK attributes. Verify that any ACID having the NO***CHK attribute has documentation on file concerning the assignment of the attribute. |
Fix Text (F-18411r1_fix) |
---|
The IAO will ensure that the use of NOxxxCHKs is avoided unless a special requirement necessitates their use and the IAO documents all uses of NOxxxCHKs. Review all ACIDs with the NO***CHK attribute. Evaluate the impact of correcting the deficiency. Develop a plan of action and remove the NO***CHK attribute(s). Example: TSS REMOVE(acid) NODSNCHK |