MSCA ACID will perform security administration only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235	TSS0870	SV-235r2_rule	DCCS-1 DCCS-2	Medium

Description
Since the MSCA is a special security administrator ACID, it has unlimited administrative authority. The MSCA can create SCAs and LSCAs, scope zones, extend the security database, so it should only be utilized for this purpose. The system MSCA will be a limited-use ACID, which is not available to any individual for day-to-day processing. Limit it's use only to performing security administration functions. An SCA will assume the use of, and the responsibility for, the MSCA. The MSCA account is identified in an ACID listing as the only ACID with: TYPE = MASTER

Description

Since the MSCA is a special security administrator ACID, it has unlimited administrative authority. The MSCA can create SCAs and LSCAs, scope zones, extend the security database, so it should only be utilized for this purpose. The system MSCA will be a limited-use ACID, which is not available to any individual for day-to-day processing. Limit it's use only to performing security administration functions. An SCA will assume the use of, and the responsibility for, the MSCA. The MSCA account is identified in an ACID listing as the only ACID with: TYPE = MASTER

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-536r1_chk )
Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(@SCA) If the MSCA ACID has access limited to performing security administration functions only, this is not a finding. Below is an example of allowed setup for MSCA account and authorities. “MSCA” as the Accessorid, is merely an Example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the “NAME” field since they are responsible for the MSCA ACID. ACCESSORID = MSCA NAME = "primary SCA" TYPE = MASTER FACILITY = BATCH PROFILES = SECURID ATTRIBUTES = AUDIT,CONSOLE,NOATS DATASET = %. . DATASET = **** +. VOLUMES = (G) XA DATASET = SYS3.TSS.BACKUP ACCESS = UPDATE ACTION = AUDIT ----------- ADMINISTRATION AUTHORITIES RESOURCE = ALL* ACCESS = ALL ACID = ALL FACILITIES = ALL LIST DATA = ALL,PROFILES,PASSWORD,SESSKEY MISC1 = ALL MISC2 = ALL MISC4 = ALL MISC8 = ALL MISC9 = ALL NOTE 1: Update access to the backup security database is required by the MSCA account anytime the IAO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database. NOTE 2: MSCA account shall be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc). Most often the IAO staff shall utilize their normal SCA account. The MSCA account shall not be anyone’s primary security administrative account. NOTE 3: MSCA account shall be limited in access, to least privileged access of resources required to function. NOTE 4: If running Quest NC-Pass, validate in ZNCP0020 that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class.

Check Text ( C-536r1_chk )

Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(@SCA)

If the MSCA ACID has access limited to performing security administration functions only, this is not a finding.

Below is an example of allowed setup for MSCA account and authorities. “MSCA” as the Accessorid, is merely an Example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the “NAME” field since they are responsible for the MSCA ACID.

ACCESSORID = MSCA NAME = "primary SCA"
TYPE = MASTER
FACILITY = BATCH
PROFILES = SECURID
ATTRIBUTES = AUDIT,CONSOLE,NOATS
DATASET = %. *.
DATASET = ***** +.
VOLUMES = *(G)
XA DATASET = SYS3.TSS.BACKUP
ACCESS = UPDATE
ACTION = AUDIT
----------- ADMINISTRATION AUTHORITIES
RESOURCE = *ALL*
ACCESS = ALL
ACID = *ALL*
FACILITIES = *ALL*
LIST DATA = *ALL*,PROFILES,PASSWORD,SESSKEY
MISC1 = *ALL*
MISC2 = *ALL*
MISC4 = *ALL*
MISC8 = *ALL*
MISC9 = *ALL*

NOTE 1: Update access to the backup security database is required by the MSCA account anytime the IAO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database.

NOTE 2: MSCA account shall be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc). Most often the IAO staff shall utilize their normal SCA account. The MSCA account shall not be anyone’s primary security administrative account.

NOTE 3: MSCA account shall be limited in access, to least privileged access of resources required to function.

NOTE 4: If running Quest NC-Pass, validate in ZNCP0020 that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class.

Fix Text (F-18182r1_fix)
The IAO will review the MSCA and ensure access granted is limited to those resources necessary to support the security administration function. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the changes. Below is an example of allowed setup for MSCA account and authorities. “MSCA” as the Accessorid, is merely an Example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the “NAME” field since they are responsible for the MSCA ACID. ACCESSORID = MSCA NAME = "primary SCA" TYPE = MASTER FACILITY = BATCH PROFILES = SECURID ATTRIBUTES = AUDIT,CONSOLE,NOATS DATASET = %. . DATASET = **** +. VOLUMES = (G) XA DATASET = SYS3.TSS.BACKUP ACCESS = UPDATE ACTION = AUDIT ----------- ADMINISTRATION AUTHORITIES RESOURCE = ALL* ACCESS = ALL ACID = ALL FACILITIES = ALL LIST DATA = ALL,PROFILES,PASSWORD,SESSKEY MISC1 = ALL MISC2 = ALL MISC4 = ALL MISC8 = ALL MISC9 = ALL NOTE 1: Update access to the backup security database is required by the MSCA account anytime the IAO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database. NOTE 2: MSCA account shall be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc). Most often the IAO staff shall utilize their normal SCA account. The MSCA account shall not be anyone’s primary security administrative account. NOTE 3: MSCA account shall be limited in access, to least privileged access of resources required to function. NOTE 4: If running Quest NC-Pass, validate in ZNCP0020 that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class.

Fix Text (F-18182r1_fix)

The IAO will review the MSCA and ensure access granted is limited to those resources necessary to support the security administration function. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the changes.

Below is an example of allowed setup for MSCA account and authorities. “MSCA” as the Accessorid, is merely an Example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the “NAME” field since they are responsible for the MSCA ACID.

ACCESSORID = MSCA NAME = "primary SCA"
TYPE = MASTER
FACILITY = BATCH
PROFILES = SECURID
ATTRIBUTES = AUDIT,CONSOLE,NOATS
DATASET = %. *.
DATASET = ***** +.
VOLUMES = *(G)
XA DATASET = SYS3.TSS.BACKUP
ACCESS = UPDATE
ACTION = AUDIT
----------- ADMINISTRATION AUTHORITIES
RESOURCE = *ALL*
ACCESS = ALL
ACID = *ALL*
FACILITIES = *ALL*
LIST DATA = *ALL*,PROFILES,PASSWORD,SESSKEY
MISC1 = *ALL*
MISC2 = *ALL*
MISC4 = *ALL*
MISC8 = *ALL*
MISC9 = *ALL*

NOTE 1: Update access to the backup security database is required by the MSCA account anytime the IAO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database.

NOTE 2: MSCA account shall be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc). Most often the IAO staff shall utilize their normal SCA account. The MSCA account shall not be anyone’s primary security administrative account.

NOTE 3: MSCA account shall be limited in access, to least privileged access of resources required to function.

NOTE 4: If running Quest NC-Pass, validate in ZNCP0020 that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class.