STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:SV-223967r561402_rule
V-223967
SRG-OS-000324-GPOS-00125
TSS0-ES-000940
CAT I
10
Review the STC record for ACIDs with the BYPASS attribute. Ensure only those trusted STCs that are listed in the IBM z/OS MVS Initialization and Tuning Reference, have been granted this authority. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes.
Trusted STCs:
While the actual list may vary based on local site requirements and software configuration, the started tasks listed in the IBM z/OS MVS Initialization and Tuning Reference is an approved list of started tasks that may be considered trusted started procedures.
Guidelines for reference:
Assign the TRUSTED attribute when one of the following conditions applies:
-The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation.
-Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem.
-Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation.
Additionally external security managers are candidates for trusted attribute. Any other started tasks not; listed or not covered by the guidelines are a finding unless approval by the Authorizing Official AO.
From the ISPF Command Shell enter:
TSS LIST(STC)
If only STCs listed as trusted in the IBM z/OS MVS Initialization and Tuning Reference are granted the BYPASS privilege, this is not a finding.
Guidelines for reference:
Assign the TRUSTED attribute when one of the following conditions applies:
-The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation.
-Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem.
-Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation.
Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official AO.
V-223967
False
TSS0-ES-000940
From the ISPF Command Shell enter:
TSS LIST(STC)
If only STCs listed as trusted in the IBM z/OS MVS Initialization and Tuning Reference are granted the BYPASS privilege, this is not a finding.
Guidelines for reference:
Assign the TRUSTED attribute when one of the following conditions applies:
-The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation.
-Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem.
-Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation.
Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official AO.
M
4102