The number of ACIDs with MISC9 authority must be justified. ACIDs with MISC9 must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243 | TSS0950 | SV-243r3_rule | DCCS-1 DCCS-2 | High |
| Description |
|---|
| The MISC9 authority deals with higher level administrative authorities. One of the authorities is The MISC9 authority deals with higher level administrative authorities. One of the authorities is BYPASS, which can bypass security on the system. This violates the principle of individual user accountability. If this authority is not monitored, the potential for system degradation or destruction could happen. Only the appointed SCA's who are responsible for the security at the domain shall have MISC9 admin rights except MISC9(Generic) may be granted to any DCA,VCA,ZCA,LSCA,SCA. |
| STIG | Date |
|---|---|
| z/OS TSS STIG | 2019-12-12 |
Details
| Check Text ( C-578r1_chk ) |
|---|
| a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(@ADMIN) b) Review ACIDs having MISC9(ALL) or MISC9(CONSOLE) authority under administrative authorities. Only designated SCA's who are responsible for the security for the domain will be allowed this authority. c) If (b) above is in compliance, there is NO FINDING. d) If (b) above is not in compliance, this is a FINDING. |
| Fix Text (F-18197r1_fix) |
|---|
| Review all ACIDs with the MISC9 attribute. Evaluate the impact of removing MISC9(ALL) or MISC9(CONSOLE) access from ACIDs not required to assign the CONSOLE attribute. It is suggested that MISC9(CONSOLE) assignment privileges be limited to the MSCA. Develop a plan of action and implement the changes. |