STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS system commands must be properly protected.

DISA Rule

SV-223918r561402_rule

Vulnerability Number

V-223918

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-ES-000450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure access to the MVS resource of the OPERCMDS class is restricted to a limited number of authorized users, and all access is logged. Ensure access to z/OS system commands as defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

Ensure no access is granted at level MVS.**.
NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.
NOTE: The (MVS.SEND) Command will not be a finding if used by all.

Example:
TSS ADDTO(deptacid) OPERCMDS(MVS.)
TSS PERMIT(usracid) OPERCMDS(MVS.ACTIVATE) ACTION(AUDIT)
TSS PERMIT(usracid) OPERCMDS(MVS.CANCEL.JOB.) ACTION(AUDIT)
TSS PERMIT(usracid) OPERCMDS(MVS.CONTROL.) ACCESS(UPDATE) ACTION(AUDIT)
TSS PERMIT(usracid) OPERCMDS(MVS.DISPLAY.) ACCESS(READ)
TSS PERMIT(usracid) OPERCMDS(MVS.MONITOR) ACCESS(READ)
TSS PERMIT(usracid) OPERCMDS(MVS.STOPMN) ACCESS(READ)

Check Contents

From a command screen enter:
TSS WHOHAS OPERCMDS(MVS)

If any of the following is untrue for any z/OS system command resource, this is a finding.

Access to the MVS resource of the OPERCMDS class is restricted to a limited number of authorized users, and all access is logged.
Access to "MVS.**" is not allowed.

Access to z/OS system commands as defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

NOTE: The (MVS.SEND) Command will not be a finding if used by all.

Access to specific z/OS system commands is logged as indicated in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4102

Comments