The BYPASS attribute is not being limited to just trusted STCs.

From z/OS TSS STIG

Part of TSS0810

Associated with IA controls: DCCS-1, DCCS-2

SV-229r1_rule: The BYPASS attribute is not being limited to just trusted STCs.

Vulnerability discussion

The BYPASS attribute permits STCs to bypass security checking. With this authority, a job or ACID could bypass all security checking, and could potentially alter or destroy critical system data.

Check content

Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(#STC)

Automated Analysis

Refer to the following report produced by the TSS Data Collection:

- PDI(TSS0810)

Ensure that only STCs listed in the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, are granted the BYPASS privilege.

TRUSTED STCs: Certain started tasks perform critical operating system-related functions. The site can secure these started tasks in one of two ways:

1) By analyzing an STC's access requirements and granting the requisite accesses.

2) By considering these started tasks as trusted for the purpose of data set and resource access requests.

While the actual list may vary based on local site requirements and software configuration, the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, is an approved list of started tasks that may be considered trusted started procedures and can have the BYPASS attribute specified in the started task table. The site may exclude any STCs from the list of trusted started tasks based on local requirements. However, the addition of other started tasks to the list requires the approval of the site DAA.
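The check above reduces to one comparison: every entry in the STC record that carries BYPASS must name a started task that appears in the TRUSTED STARTED TASKS table. The script below is an added example of that comparison and is not part of the STIG or of the TSS Data Collection. It assumes a simple line layout for the STC record listing (PROCNAME and ACID fields followed by an optional BYPASS keyword); the real TSSCMDS.RPT(#STC) report may be laid out differently, so the regular expression is the part to adapt. The sample report lines and the trusted list are constructed placeholders; the trusted list must be filled in from the addendum table plus any DAA-approved site additions.

```python
import re

# Constructed sample of an STC record listing. The layout is an assumption made
# for this example; adjust ENTRY_RE to the site's actual TSSCMDS.RPT(#STC) report.
SAMPLE_STC_REPORT = """\
 PROCNAME = JES2      ACID = STCJES2    BYPASS
 PROCNAME = VTAM      ACID = STCVTAM    BYPASS
 PROCNAME = MYBATCH   ACID = STCBATCH   BYPASS
 PROCNAME = TSO       ACID = STCTSO
 PROCNAME = CICSPROD  ACID = STCCICS
"""

# Placeholder standing in for the TRUSTED STARTED TASKS table in the z/OS STIG
# addendum. Populate from the addendum and any DAA-approved site additions.
TRUSTED_STCS = {"JES2", "VTAM"}

# One STC entry per line: PROCNAME, ACID, then whatever attributes follow.
ENTRY_RE = re.compile(r"PROCNAME\s*=\s*(\S+)\s+ACID\s*=\s*(\S+)(?P<rest>.*)")


def parse_stc_entries(report_text):
    """Return (procname, acid, has_bypass) tuples for every STC entry found."""
    entries = []
    for line in report_text.splitlines():
        match = ENTRY_RE.search(line)
        if not match:
            continue  # headings, blank lines, anything that is not an entry
        procname, acid = match.group(1).upper(), match.group(2).upper()
        has_bypass = re.search(r"\bBYPASS\b", match.group("rest")) is not None
        entries.append((procname, acid, has_bypass))
    return entries


def find_bypass_findings(entries, trusted):
    """Entries that hold BYPASS but are not in the trusted table."""
    trusted_upper = {name.upper() for name in trusted}
    return [(proc, acid) for proc, acid, bypass in entries
            if bypass and proc not in trusted_upper]


def tss0810_check(report_text, trusted=TRUSTED_STCS):
    """Evaluate TSS0810 against one STC record listing.

    Returns the finding status, the offending (procname, acid) pairs, and
    how many entries carry BYPASS in total, so the reviewer can see the
    scope before planning the correction.
    """
    entries = parse_stc_entries(report_text)
    findings = find_bypass_findings(entries, trusted)
    return {
        "status": "Open" if findings else "NotAFinding",
        "findings": findings,
        "bypass_total": sum(1 for _, _, bypass in entries if bypass),
    }


if __name__ == "__main__":
    result = tss0810_check(SAMPLE_STC_REPORT)
    print("TSS0810:", result["status"])
    print("STC entries with BYPASS:", result["bypass_total"])
    for proc, acid in result["findings"]:
        print(f"  not in TRUSTED STARTED TASKS table: PROCNAME={proc} ACID={acid}")
```

With the constructed sample, MYBATCH is reported as a finding because it holds BYPASS without appearing in the trusted list, while JES2 and VTAM pass and the two entries without BYPASS are ignored. Normalising names to upper case avoids false findings from case differences between the report and the table; the trusted list is deliberately a site-maintained input rather than anything hard-coded, since the addendum table is the authority and only the site DAA may approve additions to it.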

Fix text

Review the STC record for ACIDs with the BYPASS attribute. Ensure only those trusted STCs that are listed in the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, have been granted this authority.

Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes.

Trusted STCs: While the actual list may vary based on local site requirements and software configuration, the TRUSTED STARTED TASKS table, in the z/OS STIG addendum, is an approved list of started tasks that may be considered trusted started procedures:
