From z/OS RACF STIG
Part of ACP00292
Associated with: CCI-000382 CCI-002232
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(PARMLIB) Refer to the following report produced by the RACF Data Collection and Data Set and Resource Data Collection: - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) - SENSITVE.RPT(OPERCMDS) - RACFCMDS.RPT(DATASET) Verify that the MCS console userids are properly restricted. If the following guidance is true, this is not a finding. ____ Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid. ____ Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.). ____ Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.). ____ Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. ____ Each console userid has the RACF default group that is an appropriate console group profile. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
The IAO will ensure that all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) are defined to the ACP.
Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.
Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.).
Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.
Each console userid has the RACF default group that is an appropriate console group profile.
NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
Examples:
AG consautolog SUPGROUP(
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer