STIG ID - BACF0054: Limit the Users Granted the OPERATOR Privilege
Severity: 1- High
The OPERATOR attribute on the logonid record indicates that a user has TSO operator privileges. Users with this privilege can do anything from canceling jobs to disabling the entire system, compromising the confidentiality, integrity, and availability of the operating system, applications, and data. The OPERATOR attribute should be granted only to systems programmers, operations personnel, and security managers on an as-required basis. Documentation justifying use of this special privilege must be submitted to the Information Systems Security Officer (ISSO) and approved before permission is granted. The ISSO must keep the documentation for reference.
Your organization will ensure the OPERATOR attribute is kept to a strictly controlled minimum. Appropriate resource access should be granted in lieu of the OPERATOR attribute, ensuring documented role-based least privileged access is defined and granted.
This STIG article shows how to identify logonids with the OPERATOR attribute and how to remove the attribute if it is not authorized.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List all logonids with the OPERATOR privilege defined:

    SET LID
    LID
    LIST IF(PPGM)
    USER04 USER04 ...
    PRIVILEGES EXPIRE(12/12/20) OPERATOR
    ...
    LID

  ACF2 displays all logonid records with the OPERATOR attribute. In this example, ACF2 displays a logonid record USER04, which includes the OPERATOR attribute.
- PPGM|NOOPERATOR: Indicates the user has TSO operator privileges.
- The ISSO reviews documentation on hand to verify if the logonids displayed are authorized to have the logonid OPERATOR attribute, which gives the user TSO operator privileges. For the purposes of this STIG, USER04 is not authorized to have the OPERATOR attribute.
- If the number of users granted the OPERATOR privilege is strictly controlled by the ISSO and access is granted on an as-needed basis, your organization does not have an audit finding.
- If the number of users granted the OPERATOR privilege is not controlled and the privilege is granted without approval, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) and ISSO are the only roles that should have access to change logonids with the OPERATOR attribute. Limit access to change logonid records to approved change windows, and reduce it to view only outside of those windows.
Follow these steps:
- Change the OPERATOR privilege for logonid USER04 to NOOPERATOR, which removes TSO operator privileges:

    SET LID
    LID
    CHANGE USER04 NOOPERATOR
    LID

- Verify that the USER04 permissions changed:

    SET LID
    LID
    LIST IF(ALLCMDS)
    USER04 USER04 ...
    TSO NOOPERATOR
    ...
    LID
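The identify and remediate steps above can be turned into a repeatable audit check: parse saved ACF2 LIST output, compare the logonids that carry OPERATOR against the ISSO's approved list, and emit the CHANGE ... NOOPERATOR commands for any logonid that is not approved. The script below is an added example, not part of this STIG article or of ACF2 itself. The LIST output it parses is constructed, and the record layout it assumes (a record header line starting in column 1 with the logonid, followed by indented section lines such as PRIVILEGES and TSO) is an assumption; adjust the parser to the output format of your site before using it.

```python
import re

# Constructed sample of ACF2 LIST output (not captured from a real system).
# Assumed layout: a record starts with a line whose first token is the logonid
# (column 1); the record's section lines (PRIVILEGES, TSO, ...) are indented.
SAMPLE_LIST_OUTPUT = """\
USER04 USER04 CONSTRUCTED USER
   PRIVILEGES EXPIRE(12/12/20) OPERATOR
   TSO
SYSP01 SYSP01 CONSTRUCTED SYSPROG
   PRIVILEGES OPERATOR SECURITY
   TSO
USER07 USER07 CONSTRUCTED USER
   PRIVILEGES
   TSO NOOPERATOR
"""


def parse_list_output(text):
    """Return {logonid: set_of_tokens} from LIST output in the assumed layout."""
    records = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Record header line: the first token is the logonid.
            current = line.split()[0]
            records.setdefault(current, set())
        elif current is not None:
            # Section line: keep every token so attributes can be tested by exact name.
            records[current].update(line.split())
    return records


def logonids_with_operator(text):
    """Logonids whose record carries the OPERATOR attribute.

    Exact token match is used, so NOOPERATOR does not count as OPERATOR.
    """
    records = parse_list_output(text)
    return sorted(lid for lid, tokens in records.items() if "OPERATOR" in tokens)


def audit_operator(text, approved):
    """Logonids with OPERATOR that are not on the ISSO-approved list; each one is a finding."""
    approved = {a.upper() for a in approved}
    return [lid for lid in logonids_with_operator(text) if lid not in approved]


def remediation_commands(unauthorized):
    """ACF2 CHANGE commands (as used in the article) that remove the privilege per logonid."""
    return [f"CHANGE {lid} NOOPERATOR" for lid in unauthorized]


if __name__ == "__main__":
    approved = {"SYSP01"}  # constructed approval list standing in for the ISSO documentation
    findings = audit_operator(SAMPLE_LIST_OUTPUT, approved)
    print("Logonids with OPERATOR:", logonids_with_operator(SAMPLE_LIST_OUTPUT))
    print("Audit findings:", findings)
    for cmd in remediation_commands(findings):
        print(cmd)
```

Run it against LIST output saved from the SET LID / LIST step; an empty findings list corresponds to "no audit finding" in the article, and the generated CHANGE commands are the remediation step for each finding, to be issued only by the ZSECTEAM or ISSO inside an approved change window.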
Strict control of who has TSO operator privileges protects the integrity and availability of your organization's operating system, applications, and data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1