STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:SV-223996r561402_rule
V-223996
SRG-OS-000080-GPOS-00048
TSS0-JS-000120
CAT II
10
For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:
-ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.
-ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA).
-Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.
Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
Consider the following recommendations when implementing security for Cross-Authorized ACIDs:
Keep ACID cross authorization of ACIDs outside of those granted to the scheduling software to a minimum number of individuals.
The simplest configuration is to have no ACID Cross Authorization except for the appropriate Scheduling task/software for production scheduling purposes as documented.
Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period is determined by site policy.
Access authorization is restricted to the minimum number of personnel required for running production jobs. However, ACID Cross Authorization usage must not become the default for all jobs submitted by individual userids (i.e., system programmer will use their assigned individual userids for software installation, duties, whereas a Cross-Authorized ACID would normally be utilized for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.
Grant access to the user ACID for each cross-authorized ACID required:
For Example:
TSS PERMIT(ACID) ACID(Cross-Authorized ACID) ACTION(AUDIT)
For production ACIDs being used by CONTROLM:
TSS PER(CONTROLM)ACID(production user ACID)
From the ISPF Command Shell enter:
TSS LIST(ACIDS) DATA(XA)
If no XA ACID entries exist in the above reports, this is not applicable.
For each ACID identified in the XA ACID entries, if the following items are true regarding ACID permissions, this is not a finding.
-ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH; at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.
-Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.
-Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
V-223996
False
TSS0-JS-000120
From the ISPF Command Shell enter:
TSS LIST(ACIDS) DATA(XA)
If no XA ACID entries exist in the above reports, this is not applicable.
For each ACID identified in the XA ACID entries, if the following items are true regarding ACID permissions, this is not a finding.
-ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH; at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.
-Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.
-Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
M
4102