From z/OS ACF2 STIG
Part of ZTSO0030
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
The TSOAUTH resource class controls sensitive privileges, such as OPER, ACCOUNT, CONSOLE, and PARMLIB. Several of these privileges offer the ability, or provide a facility, to modify sensitive operating system resources. Failure to properly control and restrict access to these privileges may result in the compromise of the operating system environment, ACP, and customer data.
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(TSOAUTH) for ACF2 and RACF - SENSITVE.RPT(WHOHTSOA) for TSS Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZTSO0030) b) Review the TSOAUTH report ensuring the following items are in effect: 1) The ACCT authorization is restricted to security personnel. 2) The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the IAOs discretion. 3) The MOUNT authorization is not granted to on-line TSO users. 4) The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). 5) The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to audit users. c) If all of the above are true, there is NO FINDING. d) If any of the above is untrue, this is a FINDING.
Verify with the IAO that the TSOAUTH resource is restricted to the following: 1) The ACCT authorization is restricted to security personnel. 2) The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the IAOs discretion. 3) The MOUNT authorization is not granted to on-line TSO users. 4) The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). 5) The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to audit users. The TSOAUTH resource class controls sensitive TSO/E commands.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer