The BYPASS attribute must be limited to just trusted STCs.


Overview

Finding ID: V-229
Version: TSS0810
Rule ID: SV-229r4_rule
IA Controls:
Severity: High
Description
The BYPASS attribute permits STCs to bypass security checking. With this authority, a job or ACID could bypass all security checking, and could potentially alter or destroy critical system data.
STIG Date
z/OS TSS STIG 2019-12-12

Details

Check Text (C-6212r2_chk)
Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(#STC)

Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the TSS Data Collection:

- PDI(TSS0810)

Ensure that only STCs listed in the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, are granted the BYPASS privilege.

TRUSTED STCs:
Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways:

1) By analyzing an STC's access requirements and granting the requisite accesses.

2) By considering these started tasks as trusted for the purpose of data set and resource access requests.

While the actual list may vary based on local site requirements and software configuration, the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, is an approved list of started tasks that may be considered trusted started procedures and can have the BYPASS attribute specified in the start task table.

The site may exclude any STCs from the list of trusted started tasks based on local requirements. However, the addition of other started tasks to the list requires the approval of the site DAA.
Fix Text (F-18130r1_fix)
Review the STC record for ACIDs with the BYPASS attribute. Ensure only those trusted STCs that are listed in the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, have been granted this authority. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes.

Trusted STCs:

While the actual list may vary based on local site requirements and software configuration, the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, is an approved list of started tasks that may be considered trusted started procedures: