The number of ACIDs with MISC9 authority must be justified. ACIDs with MISC9 must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.

From z/OS TSS STIG

Part of TSS0950

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000035 CCI-002145

SV-243r3_rule The number of ACIDs with MISC9 authority must be justified. ACIDs with MISC9 must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.

Vulnerability discussion

The MISC9 authority deals with higher level administrative authorities. One of the authorities is BYPASS, which can bypass security on the system. This violates the principle of individual user accountability. If this authority is not monitored, system degradation or destruction could result. Only the appointed SCAs who are responsible for the security at the domain shall have MISC9 admin rights, except that MISC9(Generic) may be granted to any DCA, VCA, ZCA, LSCA, or SCA.

Check content

a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(@ADMIN)

b) Review ACIDs having MISC9(ALL) or MISC9(CONSOLE) authority under administrative authorities. Only designated SCAs who are responsible for the security for the domain will be allowed this authority.

c) If (b) above is in compliance, there is NO FINDING.

d) If (b) above is not in compliance, this is a FINDING.
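One way to automate step (b), as an added example that is not part of the STIG or of the TSS Data Collection tooling. It assumes each ACID section in the report begins with an `ACCESSORID = <acid>` line and lists the authority on a `MISC9 = <values>` line; the function name, the ACIDs and the sample text are constructed, and the list of designated SCAs must come from site documentation.

```python
import re

# Assumed layout: each ACID section starts with "ACCESSORID = <acid>" and
# lists the authority as "MISC9 = <value>[,<value>...]".
ACID_RE = re.compile(r"^\s*ACCESSORID\s*=\s*(\S+)")
MISC9_RE = re.compile(r"^\s*MISC9\s*=\s*(.+?)\s*$")
RESTRICTED = {"ALL", "CONSOLE"}  # the values named in the check content


def misc9_findings(report_text, designated_scas):
    """Return {acid: restricted MISC9 values} for ACIDs that are not designated SCAs."""
    approved = {a.upper() for a in designated_scas}
    findings, acid = {}, None
    for line in report_text.splitlines():
        m = ACID_RE.match(line)
        if m:
            acid = m.group(1).upper()  # start of a new ACID section
            continue
        m = MISC9_RE.match(line)
        if not m or acid is None:
            continue
        # Normalise "*ALL*" to "ALL" and split comma-separated values.
        values = {v.strip().strip("*").upper() for v in m.group(1).split(",")}
        hits = values & RESTRICTED
        if hits and acid not in approved:
            findings.setdefault(acid, set()).update(hits)
    return {a: sorted(v) for a, v in findings.items()}


# Constructed sample text, not real report output.
SAMPLE = """\
ACCESSORID = SCA01     NAME       = SITE SECURITY ADMIN
MISC1      = *ALL*
MISC9      = *ALL*
ACCESSORID = DCA07     NAME       = DEPT ADMIN
MISC9      = GENERIC
ACCESSORID = VCA12     NAME       = DIVISION ADMIN
MISC8      = LISTRDT
MISC9      = BYPASS,CONSOLE
ACCESSORID = OPER03    NAME       = OPERATIONS
MISC9      = *ALL*
"""

if __name__ == "__main__":
    for acid, values in misc9_findings(SAMPLE, {"SCA01"}).items():
        print(f"FINDING: {acid} holds MISC9({','.join(values)})")
```

An empty result corresponds to step (c); any entry corresponds to step (d) and should be reconciled against the site's list of designated SCAs.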

Fix text

Review all ACIDs with the MISC9 attribute. Evaluate the impact of removing MISC9(ALL) or MISC9(CONSOLE) access from ACIDs not required to assign the CONSOLE attribute. It is suggested that MISC9(CONSOLE) assignment privileges be limited to the MSCA. Develop a plan of action and implement the changes.
