STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

The number of CA-TSS control ACIDs must be justified and properly assigned.

DISA Rule

SV-223937r561402_rule

Vulnerability Number

V-223937

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

TSS0-ES-000640

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.
• CCI-002145 - The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.

Weight

10

Fix Recommendation

Review all security administrator ACIDs. Evaluate the impact of correcting the deficiency. Develop a plan of action and reduce the number of control ACIDs if not justified. Use information below as guidance.

TYPE=CENTRAL, TYPE=MASTER or also known as "SCA" and "MSCA" level of ACIDS will adhere to the following restrictions based upon documented role/function an individual performs:

-Domain level Information System Security Officer (ISSO) – full administrative authorities and access rights needed to perform required and documented role/responsibilities/function.
-Assistance Domain Level Information System Security Officer or "backup" or ISSO (up to same access as 1).
-DISA SRR Auditor, DoD IG Auditor, SAS70 Auditor – only "view" administrative authorities must be granted and only for those roles/functions that have been formally documented as DISA, DoD IG or SAS70 Auditors and approved by the DISA AO for those position/functions/roles.

Exception: Until scoping is worked out and resolved, DISA OST team members may be defined as TYPE=CENTRAL with limited authority such as ACID(INFO,MAINTAIN). All OST Team member ACIDS will be changed to TYPE=LIMITED and scoped accordingly to allow password resets upon verification of users, yet to limit and eliminate any potential risk associated with resetting of MSCA or other SCA level accounts. NO Other exceptions will exist.

Check Contents

From the ISPF Command Shell enter:
TSS LIST(ACIDS) TYPE(SCA) DATA(BASIC)

If the persons listed agree with the site security plan this is not a finding.

Vulnerability Number

V-223937

Documentable

False

Rule Version

TSS0-ES-000640

Severity Override Guidance

From the ISPF Command Shell enter:
TSS LIST(ACIDS) TYPE(SCA) DATA(BASIC)

If the persons listed agree with the site security plan this is not a finding.

Check Content Reference

M

Target Key

4102

Comments