Documentation confirming the necessity of NO***CHK attributes is not available.

From z/OS TSS STIG

Part of TSS0980

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-002230 CCI-002289

SV-245r2_rule Documentation confirming the necessity of NO***CHK attributes is not available.

Vulnerability discussion

Because the NO***CHK attributes can bypass system security, it is imperative that all ACIDs possessing these attributes be monitored and that documentation be maintained justifying the need for the access authorization. If these attributes are given to ACIDs that do not require the authority, the ACIDs could modify system data and potentially degrade or destroy system information.

Check content

Refer to the following report produced by the TSS Data Collection:

- TSSPRIV.RPT

Review ACIDs having the following attributes specified. These attributes will be identified in the TSSPRIV.RPT as follows:

NDSN - NODSNCHK
NLCF - NOLCFCHK
NRES - NORESCHK
NSUB - NOSUBCHK
NVMD - NOVMDCHK
NVOL - NOVOLCHK

NOTE: The NOSUBCHK attribute must be given to CICS Regions, IDMS Regions, etc. to be able to submit Jobs on behalf of all users.

This applies to ACIDs having the NOxxxCHK attributes. Started tasks that are listed in the TRUSTED STARTED TASKS table in the z/OS STIG Addendum are permitted to have the NOxxxCHK attributes.

Ensure that the use of the NOxxxCHK attribute is avoided unless a special requirement necessitates their use and the IAO documents all uses of the NOxxxCHK attributes.

Verify that any ACID having the NO***CHK attribute has documentation on file concerning the assignment of the attribute.
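The review above can be scripted as a cross-reference. The following is an added example, not part of the STIG or of the TSS Data Collection tooling. It assumes a simplified report layout (one ACID per line followed by its attribute abbreviations), a local copy of the trusted started task names, and a per-attribute record of justifications on file; the ACID names and both lists are constructed.

```python
# Abbreviations TSSPRIV.RPT uses for the bypass attributes (from the check text).
ABBREV = {
    "NDSN": "NODSNCHK", "NLCF": "NOLCFCHK", "NRES": "NORESCHK",
    "NSUB": "NOSUBCHK", "NVMD": "NOVMDCHK", "NVOL": "NOVOLCHK",
}

# Constructed sample. ASSUMPTION: one ACID per line followed by its attribute
# abbreviations; the real TSSPRIV.RPT layout may differ and need its own parser.
SAMPLE_REPORT = """\
CICSPRD1 NSUB
BATCHJ01 NDSN NVOL
STCTRUST NDSN NRES
USERA01  OTHR
OPSUSR2  NRES
"""
# Constructed stand-in for the TRUSTED STARTED TASKS table in the Addendum.
TRUSTED_STCS = {"STCTRUST"}
# Constructed record of justifications on file, kept per ACID and attribute.
DOCUMENTED = {"CICSPRD1": {"NOSUBCHK"}, "BATCHJ01": {"NODSNCHK"}}


def parse_report(text):
    """Return {acid: set of NOxxxCHK names}; ACIDs holding none are omitted."""
    found = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        attrs = {ABBREV[t] for t in tokens[1:] if t in ABBREV}
        if attrs:
            found.setdefault(tokens[0], set()).update(attrs)
    return found


def findings(report, trusted, documented):
    """List (acid, attribute) pairs that are neither exempt nor documented."""
    out = []
    for acid, attrs in sorted(parse_report(report).items()):
        if acid in trusted:  # trusted started tasks may hold NOxxxCHK
            continue
        for attr in sorted(attrs - documented.get(acid, set())):
            out.append((acid, attr))
    return out


if __name__ == "__main__":
    for acid, attr in findings(SAMPLE_REPORT, TRUSTED_STCS, DOCUMENTED):
        print(f"FINDING: {acid} holds {attr} with no justification on file")
```

Tracking justifications per attribute rather than per ACID catches the case where an ACID documented for one bypass later acquires a second one.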

Fix text

The IAO will ensure that the use of NOxxxCHKs is avoided unless a special requirement necessitates their use and the IAO documents all uses of NOxxxCHKs.

Review all ACIDs with the NO***CHK attribute. Evaluate the impact of correcting the deficiency. Develop a plan of action and remove the NO***CHK attribute(s).

Example:

TSS REMOVE(acid) NODSNCHK
