Unauthorized users possess access to the resource TSOAUTH.

From z/OS ACF2 STIG

Part of ZTSO0030

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-297r1_rule Unauthorized users possess access to the resource TSOAUTH.

Vulnerability discussion

The TSOAUTH resource class controls sensitive privileges, such as OPER, ACCOUNT, CONSOLE, and PARMLIB. Several of these privileges offer the ability, or provide a facility, to modify sensitive operating system resources. Failure to properly control and restrict access to these privileges may result in the compromise of the operating system environment, ACP, and customer data.

Check content

a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(TSOAUTH) for ACF2 and RACF - SENSITVE.RPT(WHOHTSOA) for TSS Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZTSO0030) b) Review the TSOAUTH report ensuring the following items are in effect: 1) The ACCT authorization is restricted to security personnel. 2) The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the IAOs discretion. 3) The MOUNT authorization is not granted to on-line TSO users. 4) The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). 5) The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to audit users. c) If all of the above are true, there is NO FINDING. d) If any of the above is untrue, this is a FINDING.

Fix text

Verify with the IAO that the TSOAUTH resource is restricted to the following: 1) The ACCT authorization is restricted to security personnel. 2) The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the IAOs discretion. 3) The MOUNT authorization is not granted to on-line TSO users. 4) The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). 5) The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to audit users. The TSOAUTH resource class controls sensitive TSO/E commands.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer