STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.

DISA Rule

SV-223444r533198_rule

Vulnerability Number

V-223444

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-ES-000230

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Configuration should ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers.

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.

Each console defined in the CONSOLxx parmlib members is defined to ACF2 with a corresponding resource rule for TYPE(CON).

Each TYPE(CON) rule is defined with PREVENT access by default.

The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class.

Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Example:
$KEY(MZNC20) TYPE(CON)
USERDATA(CONSOLE ID SECURITY)
UID(sysprgmr) ALLOW
UID(oper) ALLOW
UID(MZNC20) ALLOW DATA(MZNC20 CONSOLE LOGONID ACCESS REQUIREMENTS)
UID(*) PREVENT

SET R(CON)
COMPILE 'ACF2.MZN.CON(MZNC20)' STORE

F ACF2,REBUILD(CON)

Check Contents

Refer to the proper CONSOLxx member of SYS1.PARMLIB.

From a ACF Command screen enter:
ACF
SET RESOURCE(CON)
SET VERBOSE
LIST LIKE(-)

NOTE: If CLASMAP defines CONSOLE as anything other than the default of TYPE(CON), replace CON below with the appropriate three letters.

If each console in the CONSOLxx member is defined to ACF2 with a corresponding resource rule for TYPE(CON), this is not a finding.

If each TYPE(CON) rule is defined with PREVENT access by default, this is not a finding.

If the logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding.

If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel, this is not a finding.

Vulnerability Number

V-223444

Documentable

False

Rule Version

ACF2-ES-000230

Severity Override Guidance

Refer to the proper CONSOLxx member of SYS1.PARMLIB.

From a ACF Command screen enter:
ACF
SET RESOURCE(CON)
SET VERBOSE
LIST LIKE(-)

NOTE: If CLASMAP defines CONSOLE as anything other than the default of TYPE(CON), replace CON below with the appropriate three letters.

If each console in the CONSOLxx member is defined to ACF2 with a corresponding resource rule for TYPE(CON), this is not a finding.

If each TYPE(CON) rule is defined with PREVENT access by default, this is not a finding.

If the logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding.

If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel, this is not a finding.

Check Content Reference

M

Target Key

4100

Comments