Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-247 | TSS1030 | SV-247r3_rule | DCCS-1 DCCS-2 | High |
Description |
---|
Access authorization to data sets is verified by examining both volume access and data set access authorization. If a user holds volume access greater than CREATE (for example CONTROL or ALL), TSS grants access on the strength of the volume permit alone and does not check the data set authorization. Such a user can read or alter any data set that resides on that volume even though access has never been granted to the data set itself. |
STIG | Date |
---|---|
z/OS TSS STIG | 2019-09-27 |
Check Text ( C-20473r1_chk ) |
---|
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(WHOHVOL) b) Determine whether or not access authorization greater than CREATE (e.g. CONTROL or ALL) has been granted for any volume. c) If access authorizations for volumes are within the requirements (no access greater than CREATE, other than the noted exception), there is NO FINDING. d) If access authorization for any volume exceeds the requirements without documented justification, this is a FINDING. NOTE: Domain level DASD/storage administrators, meaning the team members who are directly responsible for and perform domain level DASD/storage administration, may be granted access to all volumes, provided that access is restricted via PRIVPGM controls. |
Fix Text (F-18424r1_fix) |
---|
The IAO will ensure that VOLUME access authorization greater than CREATE is not permitted unless authorized by the IAO. Review all access to VOLUMEs. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the required changes. *Noted Exception: Domain level DASD/storage administrators, meaning the team members who are directly responsible for and perform domain level DASD/storage administration, may be granted access to all volumes via PRIVPGM controls. Domain level DASD/storage administrator access should be granted as VOL(*ALL*) ACC(ALL) ACTION(AUDIT) PRIVPGM(list of privileged programs), so that the volume-level access can only be exercised through the named privileged programs and every use is audited. |
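As an added example, not part of the STIG text and not a CA Top Secret or DISA tool: a Python script that applies steps b) through d) of the check above, including the PRIVPGM exception in the fix text, to a constructed extract of volume permits written in the TSS PERMIT keyword form the fix text uses. The extract layout is an assumption (it is not the real SENSITVE.RPT(WHOHVOL) layout), the ordering of access levels (NONE < READ < UPDATE < SCRATCH < CREATE < CONTROL < ALL) is assumed, and the ACIDs, volsers and program names are invented.

```python
"""Audit TSS VOLUME permits for access greater than CREATE (STIG V-247 / TSS1030).

Input is a constructed extract with one permit per line in TSS PERMIT keyword
form (the form the fix text uses). It is NOT the real SENSITVE.RPT(WHOHVOL)
layout, which this example does not reproduce.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Assumed ordering of TSS VOLUME access levels, least to most privileged.
# The STIG names CREATE as the ceiling and CONTROL/ALL as "greater than CREATE".
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "SCRATCH": 3,
               "CREATE": 4, "CONTROL": 5, "ALL": 6}
CEILING = ACCESS_RANK["CREATE"]

# Matches KEYWORD(value) pairs such as VOL(*ALL*) or PRIVPGM(ADRDSSU,ICKDSF).
_KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")


@dataclass
class Permit:
    acid: str
    volser: str
    access: str
    audit: bool                 # ACTION(AUDIT) present
    privpgm: Tuple[str, ...]    # programs named in PRIVPGM(...), empty if none


@dataclass
class Finding:
    acid: str
    volser: str
    access: str
    status: str                 # "OK", "REVIEW" or "FINDING"
    reason: str


def parse_permit(line: str) -> Optional[Permit]:
    """Parse one 'TSS PERMIT(...)' line; return None for non-volume permits."""
    line = line.strip().upper()
    if not line.startswith("TSS PERMIT("):
        return None
    kw = dict(_KEYWORD.findall(line))
    volser = kw.get("VOL") or kw.get("VOLUME")
    access = kw.get("ACC") or kw.get("ACCESS")
    if volser is None or access is None:
        return None  # DSN or other resource permits are out of scope here
    privpgm = tuple(p for p in kw.get("PRIVPGM", "").split(",") if p)
    return Permit(kw["PERMIT"], volser, access, kw.get("ACTION") == "AUDIT", privpgm)


def classify(permit: Permit, approved_admins: FrozenSet[str] = frozenset()) -> Finding:
    """Apply steps b) to d) of the check, including the PRIVPGM exception."""
    def result(status: str, reason: str) -> Finding:
        return Finding(permit.acid, permit.volser, permit.access, status, reason)

    rank = ACCESS_RANK.get(permit.access)
    if rank is None:
        return result("REVIEW", "unrecognised access level")
    if rank <= CEILING:
        return result("OK", "access not greater than CREATE")
    # From here on the permit lets TSS bypass data set authorization checks.
    if not permit.privpgm:
        return result("FINDING", "access greater than CREATE without PRIVPGM restriction")
    if not permit.audit:
        return result("FINDING", "PRIVPGM exception granted without ACTION(AUDIT)")
    if permit.acid in approved_admins:
        return result("OK", "IAO-authorized DASD administrator via PRIVPGM")
    return result("REVIEW", "PRIVPGM-restricted; confirm ACID is an IAO-authorized DASD administrator")


def audit(lines: Iterable[str], approved_admins: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Parse every line of the extract and classify each volume permit."""
    permits = (parse_permit(line) for line in lines)
    return [classify(p, approved_admins) for p in permits if p is not None]


# Constructed sample extract; ACIDs, volsers and program names are invented.
SAMPLE_PERMITS = """\
TSS PERMIT(USER01) VOL(PROD01) ACC(READ)
TSS PERMIT(USER02) VOL(PROD02) ACC(CREATE)
TSS PERMIT(USER03) VOL(PROD03) ACC(CONTROL)
TSS PERMIT(DASDADM1) VOL(*ALL*) ACC(ALL) ACTION(AUDIT) PRIVPGM(ADRDSSU,ICKDSF)
TSS PERMIT(DASDADM2) VOL(*ALL*) ACC(ALL) PRIVPGM(ADRDSSU)
TSS PERMIT(BATCH01) VOLUME(PROD04) ACCESS(ALL)
TSS PERMIT(USER04) DSN(PROD.**) ACC(READ)
""".splitlines()

if __name__ == "__main__":
    # DASDADM1 is treated as the IAO-authorized domain DASD administrator.
    for f in audit(SAMPLE_PERMITS, frozenset({"DASDADM1"})):
        print(f"{f.status:8} {f.acid:9} VOL({f.volser}) ACC({f.access}): {f.reason}")
```

The approved-administrator set stands in for the IAO's written authorization: a permit that is PRIVPGM-restricted and audited but belongs to an ACID outside that set is reported as REVIEW rather than OK, because the script cannot tell whether the ACID really performs domain level DASD administration. Permits above CREATE that lack PRIVPGM entirely, or that carry PRIVPGM without ACTION(AUDIT), are reported as FINDINGs, since those are the cases where the volume permit silently overrides data set authorization.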