STIG ID - BACF0051: Limit the Users Granted the CONSOLE

Remove CONSOLE attribute from unauthorized logonids.
Severity: 2 - Medium
The CONSOLE attribute on the logonid record grants access to the TSO/E CONSOLE facility. Users with this special privilege could intentionally or inadvertently issue console commands that cause system resources and data to become unavailable. Guidelines suggest that the CONSOLE privilege be granted on an as-needed basis. Documentation justifying use of this special privilege must be submitted to the Information Systems Security Officer (ISSO) before permission is granted.
This STIG article shows how to identify logonids with the CONSOLE attribute and how to remove the attribute if it is not authorized.
The organization will ensure that access to the CONSOLE attribute is kept to a minimum and is controlled and documented.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List all logonids with the CONSOLE privilege defined:
    SET LID
    LID
    LIST LIKE(-) IF(CONSOLE)
    USER02 USER02 ... TSO ACCTPRIV CONSOLE JCL ...
    LID
    ACF2 displays all logonid records with the CONSOLE attribute. In this example, ACF2 displays the USER02 logonid record, which includes the CONSOLE attribute.
  2. Verify with the ISSO that USER02 is authorized to have the CONSOLE attribute.
  3. If the logonid has the CONSOLE attribute defined and the ISSO verifies the user is authorized, your organization does not have an audit finding.
  4. If the logonid has the CONSOLE attribute defined and the ISSO verifies the user is not authorized, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change logonids with the CONSOLE attribute. Limit all access to change logonid records to the time frames of approved changes, and reduce it to view-only outside of approved change windows.
The following steps show how to remove the CONSOLE attribute from a logonid that is no longer authorized to use it.
Follow these steps:
  1. Remove the CONSOLE attribute permission from USER02:
    SET LID
    LID
    CHANGE USER02 NOCONSOLE
    LID
  2. Verify USER02 permissions changed:
    SET LID
    LID
    LIST USER02
    USER02 USER02 ... TSO ACCTPRIV JCL ...
    LID
    USER02 no longer has authority to issue console commands.
Being vigilant about which logonids have the authority to issue console commands is an important step in securing your TSO environment.
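The identification and remediation steps above can be run as a repeatable offline check. The following is an added example, not code from this article or from the product: it compares captured LIST output against an ISSO-approved list. The sample records, the approved set, the assumed output layout (logonid in column 1, attribute lines indented) and all function names are assumptions made for illustration.

```python
import re

# Constructed LIST output (not real ACF2 output). Assumed layout: the logonid
# starts in column 1; attribute lines are indented. HELP03 carries the word
# CONSOLE only in its name field and is included as a guard case.
SAMPLE_LIST_OUTPUT = """\
USER02   USER02 SAMPLE USER
     PRIVILEGES   TSO ACCTPRIV CONSOLE JCL
OPER01   OPER01 CONSOLE OPERATOR
     PRIVILEGES   TSO CONSOLE JCL
HELP03   HELP03 CONSOLE HELPDESK
     PRIVILEGES   TSO JCL
"""

# Hypothetical ISSO-approved logonids, kept with their justification documents.
ISSO_APPROVED = {"OPER01", "OPER09"}

# Assumed logonid shape: 1-8 characters from A-Z, 0-9, $, #, @.
LOGONID = re.compile(r"^[A-Z0-9$#@]{1,8}$")


def parse_records(text):
    """Map each logonid to the attribute tokens found on its indented lines."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # record header: logonid, then name text
            first = line.split()[0]
            current = first if LOGONID.match(first) else None
            if current:
                records[current] = set()
        elif current:  # attribute line: whole-token match, so NOCONSOLE != CONSOLE
            records[current].update(line.split())
    return records


def audit_console(text, approved):
    """Return (findings, stale): unapproved holders, approvals with no holder."""
    holders = {lid for lid, attrs in parse_records(text).items() if "CONSOLE" in attrs}
    return sorted(holders - approved), sorted(approved - holders)


def remediation_commands(findings):
    """Commands for the security team to review, in the form this article uses."""
    return ["SET LID"] + [f"CHANGE {lid} NOCONSOLE" for lid in findings]


if __name__ == "__main__":
    findings, stale = audit_console(SAMPLE_LIST_OUTPUT, ISSO_APPROVED)
    print("Audit findings:", findings)
    print("Approvals to re-validate:", stale)
    print("\n".join(remediation_commands(findings)))
```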
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-000226
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
    NIST: NIST SP 800-53 (v3): AC-3
    NIST: NIST SP 800-53 Revision 4 (v4): AC-3
    NIST: NIST SP 800-53A (v1): AC-3.1
CCI: CCI-000226
Published Date: 2009-09-14
Definition: The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.
Type: technical
References:
    NIST: NIST SP 800-53 (v3): AC-6 (4)
    NIST: NIST SP 800-53A (v1): AC-6 (4).1