STIG ID - BACF1041: Configure CONSOLxx Members

Severity: 1 - High
The Multiple Console Support (MCS console) facility can be used to issue basic operator commands. Failure to properly control access to MCS consoles can result in unauthorized personnel issuing sensitive operator commands. This type of exposure can threaten the integrity and availability of the operating system environment and compromise the confidentiality of customer data.
ACF2 can protect the use of MCS consoles.
This STIG article shows how to ensure that all operators are required to log on prior to entering z/OS system commands using Auditor.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Review each DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB from the Auditor menu:
    1. Select option 2 from the Auditor Primary menu.
      The System Installation Choices menu is displayed.
    2. Select option 1.
      The Parmlib Information screen is displayed.
    3. Type 2 for STATUS to identify library contents and detect changes.
    4. Press F3 to continue from the Auditor - PARMLIB DATASET CONCATENATION panel.
    5. Scroll down and locate the CONSOLxx member, then type 'B' to browse it.
    6. Determine the following:
      1. LOGON(REQUIRED) or LOGON(AUTO) is specified on the DEFAULT statement.
        • LOGON(REQUIRED)
          Requires all operators to log on before entering operator commands.
        • LOGON(AUTO)
          Specifies that consoles are automatically logged on using a user ID that is equal to their console ID.
      2. The CONSOLE statement for each console assigns a unique name using the NAME parameter.
      3. The CONSOLE statement for each console specifies AUTH(INFO). The AUTH parameter does not apply to consoles defined with UNIT(PRT), and AUTH(MASTER) is permissible for the system console.
        • AUTH(INFO)
          Specifies authority to issue informational commands only.
  2. If the requirements in step 1.6 are defined, your organization does not have an audit finding.
  3. If the requirements in step 1.6 are not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that each DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB requires all operators to log on prior to entering operator commands, that each console is assigned a unique name using the NAME parameter, and that each console is limited to the authority to issue informational commands.
Follow these steps:
  1. Specify LOGON(REQUIRED) on the DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB. LOGON(REQUIRED) forces users to undergo identification and authentication checks before entering commands through an operator console.
    DEFAULT ROUTCODE(11),
            LOGON(REQUIRED)
    Or, specify LOGON(AUTO) on the DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB.
    DEFAULT ROUTCODE(11),
            LOGON(AUTO)
  2. Ensure the CONSOLE statement for each console assigns a unique name using the NAME parameter. For example:
    CONSOLE DEVNUM(922),AUTH(MASTER),ROUTCODE(ALL),
            RNUM(20),RTME(01),MFORM(J,S,T),PFKTAB(CONSPFK),DEL(RD),
            MONITOR(JOBNAMES-T,SESS-T),AREA(NONE),UNIT(3270-X),
            NAME(MAST&SYSNAME.)
  3. Ensure the CONSOLE statement for each console specifies AUTH(INFO). Two exceptions apply: the AUTH parameter is not valid for consoles defined with UNIT(PRT), and AUTH(MASTER) is permissible for the system console. For example (the NAME value below is a placeholder; it must differ from the name assigned to every other console, including the one in step 2):
    CONSOLE DEVNUM(925),AUTH(INFO),ROUTCODE(ALL),
            RNUM(20),RTME(01),MFORM(J,S,T),PFKTAB(CONSPFK),DEL(RD),
            MONITOR(JOBNAMES-T,SESS-T),AREA(NONE),UNIT(3270-X),
            NAME(OPER&SYSNAME.)
    All operators are now required to log on prior to entering z/OS system commands.
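The three checks described under Identify Audit Finding and Remediate Audit Finding (LOGON on the DEFAULT statement, a unique NAME on every CONSOLE statement, and AUTH(INFO) with the UNIT(PRT) and system-console exceptions) can be run mechanically over a copy of the CONSOLxx member. The script below is an added example and is not part of Auditor, ACF2 or the STIG text. It assumes that /* */ comments can be stripped before parsing, that a statement runs until the next line beginning with CONSOLE, DEFAULT, HARDCOPY or INIT, that an omitted LOGON means the z/OS default LOGON(OPTIONAL), that the system console is the CONSOLE statement with DEVNUM(SYSCONS), and that NAME values are compared as literal text (system symbols such as &SYSNAME. are not substituted). The two sample members are constructed for the example.

```python
"""Audit a CONSOLxx member for the three checks on this page (added example)."""
import re
from typing import Dict, List, Tuple

# Assumption: these are the statement keywords that begin a new statement.
STATEMENTS = ("CONSOLE", "DEFAULT", "HARDCOPY", "INIT")
_HEAD = re.compile(r"[A-Z0-9]+")
_KEYWORD = re.compile(r"([A-Z0-9]+)\(([^()]*)\)")   # KEYWORD(value), no nesting


def parse_consolxx(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (statement, {KEYWORD: value}) for each statement in the member."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # assumption: /* */ comments
    stmts: List[str] = []
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line:
            continue
        head = _HEAD.match(line)
        if head and head.group() in STATEMENTS:
            stmts.append(line)            # a new statement starts here
        elif stmts:
            stmts[-1] += " " + line       # otherwise the previous statement continues
    return [(_HEAD.match(s).group(), dict(_KEYWORD.findall(s))) for s in stmts]


def audit(text: str) -> List[str]:
    """Return one finding per violation; an empty list means no audit finding."""
    findings: List[str] = []
    seen: Dict[str, str] = {}         # literal NAME value -> DEVNUM that used it first
    saw_default = False
    for kind, kw in parse_consolxx(text):
        if kind == "DEFAULT":
            saw_default = True
            logon = kw.get("LOGON", "OPTIONAL")   # assumption: z/OS default when omitted
            if logon not in ("REQUIRED", "AUTO"):
                findings.append(f"DEFAULT: LOGON({logon}) must be REQUIRED or AUTO")
        elif kind == "CONSOLE":
            dev = kw.get("DEVNUM", "?")
            name = kw.get("NAME")
            if name is None:
                findings.append(f"CONSOLE DEVNUM({dev}): no NAME parameter")
            elif name in seen:
                findings.append(
                    f"CONSOLE DEVNUM({dev}): NAME({name}) duplicates DEVNUM({seen[name]})")
            else:
                seen[name] = dev
            if kw.get("UNIT") == "PRT":
                continue                  # AUTH is not valid for printer consoles
            auth = kw.get("AUTH", "omitted")   # the page wants AUTH(INFO) stated explicitly
            if auth == "INFO" or (auth == "MASTER" and dev == "SYSCONS"):
                continue                  # compliant, or the system-console exception
            findings.append(f"CONSOLE DEVNUM({dev}): AUTH({auth}) must be INFO")
    if not saw_default:
        findings.append("no DEFAULT statement: LOGON defaults to OPTIONAL")
    return findings


# Constructed sample members (not captured from a real system).
WEAK_MEMBER = """\
/* LOGON(OPTIONAL), a non-system console with AUTH(MASTER), and a reused NAME */
DEFAULT ROUTCODE(11),
        LOGON(OPTIONAL)
CONSOLE DEVNUM(SYSCONS),AUTH(MASTER),NAME(SYSC&SYSNAME.)
CONSOLE DEVNUM(922),AUTH(MASTER),ROUTCODE(ALL),
        RNUM(20),RTME(01),MFORM(J,S,T),PFKTAB(CONSPFK),DEL(RD),
        MONITOR(JOBNAMES-T,SESS-T),AREA(NONE),UNIT(3270-X),
        NAME(MAST&SYSNAME.)
CONSOLE DEVNUM(925),AUTH(INFO),ROUTCODE(ALL),UNIT(3270-X),
        NAME(MAST&SYSNAME.)
CONSOLE DEVNUM(930),UNIT(PRT),ROUTCODE(ALL),NAME(PRT&SYSNAME.)
"""

FIXED_MEMBER = """\
DEFAULT ROUTCODE(11),
        LOGON(REQUIRED)
CONSOLE DEVNUM(SYSCONS),AUTH(MASTER),NAME(SYSC&SYSNAME.)
CONSOLE DEVNUM(922),AUTH(INFO),ROUTCODE(ALL),UNIT(3270-X),
        NAME(MAST&SYSNAME.)
CONSOLE DEVNUM(925),AUTH(INFO),ROUTCODE(ALL),UNIT(3270-X),
        NAME(OPER&SYSNAME.)
CONSOLE DEVNUM(930),UNIT(PRT),ROUTCODE(ALL),NAME(PRT&SYSNAME.)
"""

if __name__ == "__main__":
    for label, member in (("weak", WEAK_MEMBER), ("fixed", FIXED_MEMBER)):
        print(f"{label}: {audit(member) or ['no audit finding']}")
```

Run it against a member copied from the concatenation that Auditor displays; each line of output other than "no audit finding" is an item for the ISSO to remediate. Because system symbols are not substituted, a literal name that happens to equal another name's substituted value is not reported as a duplicate; resolve that case by reading the member on the target system.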
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002234, CCI-000382
CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)
CCI: CCI-000382
Published Date: 2009-09-18
Definition: The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-7
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 b
NIST: NIST SP 800-53A (v1): CM-7.1 (iii)