From z/OS TSS STIG
Part of TSS0980
Associated with IA controls: DCCS-1, DCCS-2
Associated with: CCI-002230 CCI-002289
Because the NO***CHK attributes can bypass system security, it is imperative that all ACIDS possessing these attributes be monitored and documentation maintained justifying the need for the access authorization. If these attributes are given to ACIDs that do not require the authority, the ACIDs could modify system data and potentially degrade or destroy system information.
Refer to the following report produced by the TSS Data Collection: - TSSPRIV.RPT Review ACIDs having the following attributes specified. These attributes will be identified in the TSSPRIV.RPT as follows: NDSN - NODSNCHK NLCF - NOLCFCHK NRES - NORESCHK NSUB - NOSUBCHK NVMD - NOVMDCHK NVOL - NOVOLCHK NOTE: NOSUBCHK attribute must be given to CICS Regions, IDMS Regions, etc. to be able to submit Jobs on behalf of all users. This applies to ACIDs having the NOxxxCHK attributes. Started tasks that are listed in the TRUSTED STARTED TASKS table, in the z/OS STIG Addendum are permitted to have the NOxxxCHK attributes. Ensure that the use of the NOxxxCHK attribute is avoided unless a special requirement necessitates their use and the IAO documents all uses of the NOxxxCHK attributes. Verify that any ACID having the NO***CHK attribute has documentation on file concerning the assignment of the attribute.
The IAO will ensure that the use of NOxxxCHKs is avoided unless a special requirement necessitates their use and the IAO documents all uses of NOxxxCHKs. Review all ACIDs with the NO***CHK attribute. Evaluate the impact of correcting the deficiency. Develop a plan of action and remove the NO***CHK attribute(s). Example: TSS REMOVE(acid) NODSNCHK
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer