Data set masking characters allowing access to all data sets must be properly restricted in the security database.

From z/OS TSS STIG

Part of TSS1010

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECAR-3, ECAR-2, ECCD-1, ECAR-1

Associated with: CCI-000213

SV-26592r3_rule Data set masking characters allowing access to all data sets must be properly restricted in the security database.

Vulnerability discussion

TSS provides masking as an additional method for reducing the number of entries that must be made to secure the installation data sets. Shared patterns can be used as the operands of data set parameters. If the masking characters that match every data set (*, *., and/or **) are not restricted, a permit granted against such a mask effectively grants access to all data sets on the system. Unauthorized access could result in the compromise of the operating system environment, the ACP (Access Control Product), installed products, and customer data.

Check content

Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(GLOBRPT)

Automated Analysis

Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(TSS1010)

Verify that access to the TSS masking characters (*, *., and/or **) for data sets is properly restricted. If all of the following are true, this is not a finding.

___ The TSS data set access authorizations restrict READ access to auditors.

___ The TSS data set access authorizations restrict READ and/or greater access to DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users.

___ If CA VTAPE is installed on the system, the TSS data set access authorizations restrict READ access to CA VTAPE STCs and/or batch users.

___ The TSS data set access authorizations specify that all (i.e., failures and successes) EXECUTE and/or greater accesses are logged.

Fix text

The IAO will review access authorizations to the TSS mask characters (*, *., and/or **) for data sets. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to the data set mask permissions.

The installing Systems Programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and, if required, whether all WRITE and/or greater accesses are logged. The Systems Programmer will identify whether any additional groups have WRITE and/or greater access to specific data sets and, once these are documented, will work with the IAO to see that they are properly restricted in the ACP (Access Control Product) active on the system.

(Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is installed on a system through the product's installation guide and can be site specific.)

Auditors may require READ access to all data sets. DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users may require READ and/or greater access to perform maintenance on all data sets. If CA VTAPE is installed on the system, READ access can be given to the CA VTAPE STCs and/or batch users. All access authorizations will be logged; the one exception is Trusted Started Tasks, for which logging is not required.

The following commands are provided as a sample for implementing data set controls:

TSS ADDTO(msca) DATASET(*.)
TSS PERMIT(audtaudt) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(CA VTape STC) DATASET(*.) ACCESS(READ) ACTION(AUDIT)
TSS PERMIT(dasbaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(dasdaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(emeraudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)
TSS PERMIT(tstcaudt) DATASET(*.) ACCESS(ALL)
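The check above is easy to get wrong by eye when a security file has hundreds of permits, so the following is an added example (not part of the STIG or of CA's tooling) of the TSS1010 checklist applied mechanically. It assumes the input is a list of TSS PERMIT commands in the syntax shown in the fix text (for instance, pulled from a command backup of the security file), that the site uses the sample profile names from the fix text (audtaudt, dasdaudt, dasbaudt, emeraudt, tstcaudt), that VTAPSTC is the hypothetical ACID of the CA VTAPE started task, that an omitted ACCESS keyword defaults to READ, and that the listed ordering of DATASET access levels is approximately right. The sample permits are constructed for the example and are not from any real system.

```python
"""Mechanical TSS1010 check: who holds permits on the global data set masks (*, *., **)."""
import re

GLOBAL_MASKS = {"*", "*.", "**"}

# Approximate TSS DATASET access hierarchy, lowest to highest (assumption for this example).
ACCESS_ORDER = ["NONE", "FETCH", "READ", "UPDATE", "CREATE", "SCRATCH", "CONTROL", "ALL"]

# ACID -> role. These are the sample profile names from the fix text; VTAPSTC is a
# hypothetical ACID standing in for the CA VTAPE started task.
ROLE_OF_ACID = {
    "AUDTAUDT": "auditor",
    "DASDAUDT": "dasd_admin",
    "DASBAUDT": "dasd_batch",
    "EMERAUDT": "emergency",
    "TSTCAUDT": "trusted_stc",
    "VTAPSTC": "vtape",
}

# role -> (highest ACCESS the checklist allows on a global mask, ACTION(AUDIT) required)
POLICY = {
    "auditor": ("READ", True),
    "vtape": ("READ", True),
    "dasd_admin": ("ALL", True),
    "dasd_batch": ("ALL", True),
    "emergency": ("ALL", True),
    "trusted_stc": ("ALL", False),   # the only role exempt from logging
}

PERMIT_RE = re.compile(
    r"^\s*TSS\s+PERMIT\(\s*([^)]+?)\s*\)\s+DATASET\(\s*([^)]+?)\s*\)(.*)$", re.I)
ACCESS_RE = re.compile(r"ACCESS\(([^)]+)\)", re.I)
ACTION_RE = re.compile(r"ACTION\(([^)]+)\)", re.I)


def rank(level):
    """Position of an ACCESS level in the (assumed) hierarchy; unknown levels are rejected."""
    level = level.strip().upper()
    if level not in ACCESS_ORDER:
        raise ValueError(f"unknown ACCESS level {level!r}")
    return ACCESS_ORDER.index(level)


def parse_permit(line):
    """Return (acid, mask, highest_access, audited) for a TSS PERMIT ... DATASET(...) command.

    Returns None for anything else (ADDTO, comments, non-DATASET permits).
    """
    m = PERMIT_RE.match(line)
    if not m:
        return None
    acid, mask, rest = m.group(1).upper(), m.group(2).strip(), m.group(3)
    am = ACCESS_RE.search(rest)
    # Assumption: TSS treats an omitted ACCESS keyword as ACCESS(READ).
    levels = am.group(1).split(",") if am else ["READ"]
    access = max((lv.strip().upper() for lv in levels), key=rank)
    actm = ACTION_RE.search(rest)
    audited = actm is not None and "AUDIT" in actm.group(1).upper()
    return acid, mask, access, audited


def check_permits(lines):
    """Apply the TSS1010 checklist to every permit on a global mask; return the findings."""
    findings = []
    for line in lines:
        parsed = parse_permit(line)
        if parsed is None:
            continue
        acid, mask, access, audited = parsed
        if mask not in GLOBAL_MASKS:
            continue  # an ordinary data set or prefix permit is out of scope for this rule
        role = ROLE_OF_ACID.get(acid)
        if role is None:
            findings.append(f"{acid}: not an authorized role for DATASET({mask})")
            continue
        ceiling, audit_required = POLICY[role]
        if rank(access) > rank(ceiling):
            findings.append(
                f"{acid}: ACCESS({access}) exceeds {ceiling} allowed for {role} on DATASET({mask})")
        if audit_required and not audited:
            findings.append(f"{acid}: access to DATASET({mask}) is not logged (ACTION(AUDIT) missing)")
    return findings


# Constructed sample: the first six lines mirror the fix text, the rest exercise the failure modes.
SAMPLE_PERMITS = [
    "TSS PERMIT(audtaudt) DATASET(*.) ACCESS(READ) ACTION(AUDIT)",
    "TSS PERMIT(vtapstc) DATASET(*.) ACCESS(READ) ACTION(AUDIT)",
    "TSS PERMIT(dasbaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)",
    "TSS PERMIT(dasdaudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)",
    "TSS PERMIT(emeraudt) DATASET(*.) ACCESS(ALL) ACTION(AUDIT)",
    "TSS PERMIT(tstcaudt) DATASET(*.) ACCESS(ALL)",
    "TSS PERMIT(sysprog1) DATASET(**) ACCESS(UPDATE)",               # unauthorized ACID
    "TSS PERMIT(audtaudt) DATASET(*) ACCESS(UPDATE) ACTION(AUDIT)",   # auditor above READ
    "TSS PERMIT(dasdaudt) DATASET(*) ACCESS(ALL)",                    # admin without logging
    "TSS PERMIT(user01) DATASET(SYS1.) ACCESS(READ)",                 # ordinary prefix, ignored
]

if __name__ == "__main__":
    for finding in check_permits(SAMPLE_PERMITS):
        print(finding)
```

Each unauthorized ACID is reported once, because a permit that should not exist at all is the finding regardless of its access level or logging; the ceiling and logging checks apply only to ACIDs that are allowed on the mask. Run against a real command backup, the three kinds of finding map directly onto the checklist lines in the Check content section.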
