STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.

DISA Rule

SV-223689r604139_rule

Vulnerability Number

V-223689

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-ES-000410

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Define all MCS consoles to the CONSOLE resource class and configure READ access to be limited to operators and system programmers.

Configure the MCS console resources defined to z/OS and the ESM to conform to those outlined below.

Each console defined in the CONSOLxx parmlib member is defined to RACF with a corresponding profile in the CONSOLE resource class. See the IBM zOS OPERATIONS AND PLANNING guide for further information.

Each CONSOLE profile is defined with UACC(NONE).

Example:
RDEF CONSOLE MMDMST UACC(NONE) OWNER(syspsmpl)
RDEF CONSOLE MMD041 UACC(NONE) OWNER(syspsmpl)
RDEF CONSOLE MMDSCN UACC(NONE) OWNER(syspsmpl)
RDEF CONSOLE ** UACC(NONE) OWNER(syspsmpl) DATA('** represents all consoles not specifically defined')

Do not permit any user or group access to the ** profile. If a new console is added to the CONSOLxx member of it will be covered by this profile and a subsequent error will display in the log which will allow identification of the undefined console.

The userid associated with each console will have READ access to the corresponding resource defined in the CONSOLE resource class. A sample command file to accomplish this is shown here:

PE MMDMST CL(CONSOLE) ID(mmdmst)
PE MMDSCN CL(CONSOLE) ID(mmdscn)
PE MMD041 CL(CONSOLE) ID(mmd041)

Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel. A sample command file showing a permission of READ access for sysprogs and operators is shown here:

PE MMDMST CL(CONSOLE) ID(syspsmpl opersmpl)
PE MMDSCN CL(CONSOLE) ID(syspsmpl opersmpl)
PE MMD041 CL(CONSOLE) ID(syspsmpl opersmpl)

Check Contents

Refer to the CONSOLxx member of SYS1.PARMLIB.console is defined to RACF with a corresponding profile in the CONSOLE resource class.

If each console is defined to RACF with a corresponding profile in the CONSOLE resource class, this is not a finding.

If the userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding.

If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel, this is not a finding.

Vulnerability Number

V-223689

Documentable

False

Rule Version

RACF-ES-000410

Severity Override Guidance

Refer to the CONSOLxx member of SYS1.PARMLIB.console is defined to RACF with a corresponding profile in the CONSOLE resource class.

If each console is defined to RACF with a corresponding profile in the CONSOLE resource class, this is not a finding.

If the userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding.

If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel, this is not a finding.

Check Content Reference

M

Target Key

4101

Comments