DISA STIG - TSS0920 for Top Secret

Article ID: 144476

Products

CA Top Secret, CA Top Secret - LDAP

Issue/Introduction

Is there a better way to pull the information requested by the DISA STIG than reviewing TSS LIST(ACIDS)DATA(ALL) output and searching it for the criteria?

TSS0920

The STIG provides the following requirements:

1)  Determine whether any ACID other than TYPE=CENTRAL (SCA/MSCA) has any of the following administrative authorities:

FACILITIES(ALL)
PROGRAM(ALL)
PROGRAM(OWN)
RESOURCE(ALL)
ROSRES(ALL)
VOLUME(ALL)
VOLUME(OWN)
MISC1(ALL)
MISC1(LCF)
MISC1(LTIME)
MISC1(RDT)
MISC1(USER)
MISC2(ALL)
MISC2(DLF)
MISC2(NDT)
MISC2(SMS)
MISC4(ALL)
MISC8(ALL)
MISC8(LISTAPLU)
MISC8(LISTRDT)
MISC8(LISTSDT)
MISC8(LISTSTC)
MISC8(MCS)
MISC9(ALL)
MISC9(BYPASS)
MISC9(CONSOLE)
MISC9(GLOBAL)
MISC9(MASTFAC)
MISC9(MODE)
MISC9(STC)
MISC9(TRACE)

Additionally, decentralized security administrators shall not have scope/control over DISA internal system/domain level resources.

2)  The following are "approved" examples for the other types (DCA, VCA, ZCA, LSCA) that require administrative authorities (note: these are examples and do not mean that everyone should have all of these levels):

DATASET(ALL)ACC(ALL)
DATASET(XAUTH,OWN,REPORT,AUDIT,INFO)ACC(ALL)
OTRAN(ALL)ACC(ALL)
ACID(ALL)
ACID(INFO,MAINTAIN)
MISC1(INSTDATA,SUSPEND,TSSSIM,NOATS)
MISC2(TSO,TARGET)
MISC8(PWMAINT,REMASUSP)
MISC9(GENERIC)
FACILITY(BATCH, TSO, ROSCOE, CICS, xxxx)

Where 'xxxx' is a facility that the application security team grants access to for its application users. This shall not be STC, CA1, DFHSM or any other domain-level MASTFAC/facility; it is only for the "onlines" that users truly log on to in order to reach their applications and data, such as TSO, CICS regions, IDMS, ROSCOE, FTP, etc.

TSS ADMIN(acid)RESOURCE(REPORT,INFO,AUDIT) can be allowed and is required to run TSSUTIL reports.

Note: "RESOURCE" can be replaced by a more specific resource class, such as "OTRAN", "DATASET", "IDMSGON" or "PROGRAM", for non-SCA/MSCA accounts. Such administrators will then not have the generic "RESOURCE" authority in their administrative authority.

Note: "ALL" is displayed as "*ALL*" in the list output. An approved item given as ALL also approves any single administrative authority under that specific item.

3)   If none of the authorities listed in 1) above is found on any ACID of TYPE=DCA, VCA, ZCA, LSCA, USER or PROFILE, there is NO FINDING.

4)   If any of the authorities listed in 1) above is found on an ACID of TYPE=DCA, VCA, ZCA, LSCA, USER or PROFILE, this is a FINDING.

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

1)  Submit a TSSCFILE job that writes its output to a dataset, for example:

//********************************************************
//TSSCFILE     EXEC     PGM=TSSCFILE,PARM='PRINTDATA'
//PRINT   DD SYSOUT=*
//OUT     DD DSN=DSN.TSSCFIL5,DISP=(NEW,CATLG),
//        SPACE=(TRK,(60,60),RLSE),
//        DSORG=PS,LRECL=300,BLKSIZE=3600,RECFM=FB
//IN           DD *
TSS LIST(ACIDS)DATA(ADMIN)TYPE(SCA)
TSS LIST(ACIDS)DATA(ADMIN)TYPE(LSCA)
TSS LIST(ACIDS)DATA(ADMIN)TYPE(ZCA)
TSS LIST(ACIDS)DATA(ADMIN)TYPE(VCA)
TSS LIST(ACIDS)DATA(ADMIN)TYPE(DCA)
TSS LIST(ACIDS)DATA(ADMIN)TYPE(USER)
/*

2)  EDIT the output dataset (ISPF option 3.4) and keep only the 29xx records: exclude every line, find the lines with '29' in column 5 (which un-excludes them), then delete the lines that are still excluded.

    1. X ALL (enter)
    2. F ALL 5 '29' (enter)
    3. DEL X ALL (enter)
    4. SAVE the file

3)  You should then see records such as those listed below. The 29xx records are the security administrator authorities granted to each ACID. A full description of each 29xx record type can be found at: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-top-secret-for-z-vm/12-1/reporting/tsscfile-utility/formatted-record-types.html (requires you to log on to see the list).

The advantage of using TSSCFILE is that every record also carries the ACID it belongs to, starting in column 15. As you review, simply delete the records that you have checked and that are not findings; whatever remains is your finding list.

    2907086   MSCA01            IBMFAC  *ALL*
 {  2921      MSCA01            ALL
    2906      MSCA01            RESOURCE*ALL*
 {  2921      MSCA01            ALL
    2902      MSCA01            ACID    *ALL*
    2901      MSCA01            *ALL*
    2903      MSCA01            LISTDATA*ALL*   MFA
    2904      MSCA01            MISC1   *ALL*
    2908      MSCA01            MISC2   *ALL*
    2912      MSCA01            MISC3   *ALL*
    2913      MSCA01            MISC4   *ALL*
    2914      MSCA01            MISC5   *ALL*
    2916      MSCA01            MISC7   *ALL*
    2910      MSCA01            MISC8   *ALL*
    2905      MSCA01            MISC9   *ALL*
    29070C4   TEST001           DATASET *ALL*
 {  2921      TEST001           ALL
    2906      TEST001           RESOURCE*ALL*
 {  2921      TEST001           ALL
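The manual "delete what you have reviewed" pass in steps 1 to 3 can be scripted once the 29xx records are in a dataset. The following is an added example written for this article, not Broadcom code: it filters the 29xx records the way the ISPF edit does, then triages every record belonging to a non-central ACID against the STIG's prohibited list (item 1) and approved examples (item 2). The column layout it uses (record type at column 5, ACID at column 15, authority keyword at column 33, value at column 41) is inferred from the sample records above and must be confirmed against the formatted-record documentation; the keyword spellings in the tables are the STIG's and may need adjusting to the names TSSCFILE actually emits (for example FACILITIES versus FACILITY); the set of central ACIDs is supplied by the reviewer from the TYPE(SCA)/TYPE(MSCA) lists; and the DCA0001 lines and the 0100 line in the sample are constructed.

```python
"""TSS0920 triage of TSSCFILE 29xx (administrative authority) records.

Added example for this article, not Broadcom code.  ASSUMPTIONS: column layout
inferred from the article's sample (rec type col 5, ACID col 15, keyword col 33,
value col 41); keyword spellings taken from the STIG text; central ACIDs are
supplied by the reviewer.  Verify all three before trusting a "no finding".
"""
from dataclasses import dataclass

# Item 1: authorities allowed only on TYPE=CENTRAL (SCA/MSCA) ACIDs.
# "ALL" here matches the *ALL* display form in the records.
PROHIBITED = {
    "FACILITIES": {"ALL"},
    "PROGRAM": {"ALL", "OWN"},
    "RESOURCE": {"ALL"},
    "ROSRES": {"ALL"},
    "VOLUME": {"ALL", "OWN"},
    "MISC1": {"ALL", "LCF", "LTIME", "RDT", "USER"},
    "MISC2": {"ALL", "DLF", "NDT", "SMS"},
    "MISC4": {"ALL"},
    "MISC8": {"ALL", "LISTAPLU", "LISTRDT", "LISTSDT", "LISTSTC", "MCS"},
    "MISC9": {"ALL", "BYPASS", "CONSOLE", "GLOBAL", "MASTFAC", "MODE", "STC", "TRACE"},
}

# Item 2: the STIG's "approved examples" for DCA/VCA/ZCA/LSCA.  FACILITY is
# site-specific and is deliberately left out so it always lands in REVIEW.
APPROVED = {
    "DATASET": {"ALL", "XAUTH", "OWN", "REPORT", "AUDIT", "INFO"},
    "OTRAN": {"ALL"},
    "ACID": {"ALL", "INFO", "MAINTAIN"},
    "MISC1": {"INSTDATA", "SUSPEND", "TSSSIM", "NOATS"},
    "MISC2": {"TSO", "TARGET"},
    "MISC8": {"PWMAINT", "REMASUSP"},
    "MISC9": {"GENERIC"},
    "RESOURCE": {"REPORT", "INFO", "AUDIT"},   # needed for TSSUTIL reports
}


@dataclass(frozen=True)
class AdminRecord:
    rec_type: str   # e.g. 2906, 29070C4
    acid: str       # ACID the authority is granted to
    keyword: str    # authority keyword, or resource class for 2907 records
    values: tuple   # values with the *...* decoration removed


def parse_29_records(lines):
    """Keep only 29xx records: the same effect as X ALL / F ALL 5 '29' / DEL X ALL."""
    records = []
    for line in lines:
        if line[4:6] != "29":
            continue
        values = tuple(v.strip("*") for v in line[40:].split())
        records.append(AdminRecord(line[4:14].strip(), line[14:32].strip(),
                                   line[32:40].strip().strip("*"), values))
    return records


def triage(records, central_acids):
    """Classify every non-central record as FINDING, APPROVED or REVIEW."""
    result = {"FINDING": [], "APPROVED": [], "REVIEW": []}
    for rec in records:
        if rec.acid in central_acids:
            continue                     # SCA/MSCA may hold everything in item 1
        hits = sorted(set(rec.values) & PROHIBITED.get(rec.keyword, set()))
        if hits:
            result["FINDING"].append((rec, hits))
        elif rec.values and set(rec.values) <= APPROVED.get(rec.keyword, set()):
            result["APPROVED"].append(rec)
        else:
            # blanket 2901/2921 lines, resource-class lines such as IBMFAC *ALL*,
            # and anything outside the two tables still need a human decision
            result["REVIEW"].append(rec)
    return result


# Constructed sample: the MSCA01/TEST001 lines mirror the article's output; the
# 0100 line (a non-29 record) and the DCA0001 lines are invented for the demo.
SAMPLE_OUTPUT = [
    "    2907086   MSCA01            IBMFAC  *ALL*",
    "    2906      MSCA01            RESOURCE*ALL*",
    "    2901      MSCA01            *ALL*",
    "    2903      MSCA01            LISTDATA*ALL*   MFA",
    "    29070C4   TEST001           DATASET *ALL*",
    "    2906      TEST001           RESOURCE*ALL*",
    "    2921      TEST001           ALL",
    "    0100      TEST001           NAME    CONSTRUCTED NON-29 RECORD",
    "    2904      DCA0001           MISC1   INSTDATA",
    "    2905      DCA0001           MISC9   BYPASS",
]


def report(lines=SAMPLE_OUTPUT, central_acids=frozenset({"MSCA01"})):
    """Run the whole pipeline; central_acids comes from your TYPE(SCA)/TYPE(MSCA) lists."""
    return triage(parse_29_records(lines), central_acids)


if __name__ == "__main__":
    r = report()
    for rec, hits in r["FINDING"]:
        print(f"FINDING  {rec.acid:<8} {rec.keyword}({','.join(hits)})  [{rec.rec_type}]")
    for rec in r["APPROVED"]:
        print(f"approved {rec.acid:<8} {rec.keyword}({','.join(rec.values)})")
    for rec in r["REVIEW"]:
        print(f"review   {rec.acid:<8} {rec.keyword} {' '.join(rec.values)}")
```

On the sample this reports TEST001 RESOURCE(ALL) and DCA0001 MISC9(BYPASS) as findings, clears DATASET(ALL) and MISC1(INSTDATA) as approved examples, and leaves the 2921 ALL line for manual review. Feed it the edited TSSCFILE dataset (transferred as text) and the list of central ACIDs; the REVIEW bucket is where the "approved examples are only examples" judgement from the STIG still has to be applied by a person.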

 
4)  What TSS0920 does not cover is review and validation of the CASECAUT resource permissions that restrict the TSS commands themselves. The following should also be reviewed and must not be granted outside the LPAR-level SCAs that perform TSS administration:

  A.  CASECAUT(TSSCMD.ADMIN.MODIFY) ACCESS(PRIVILEG)
      A1. If this is granted to any ACID outside the LPAR-level LSCAs it could be a CAT I exposure, because it allows the holder to modify the Top Secret settings (TSS MODIFY).
  B.  CASECAUT(TSSCMD.USER.*.NOPW) ACCESS(UPDATE)
      B1. Where * is ADD or REPLACE.
      B2. This allows a user to assign a password of NOPW. Avoid it: an ACID with NOPW is not password-verified, so "garbage" or any other value typed in the password field will log it on to the system, which is a risk and an exposure.
  C.  If PWADMIN(YES) is set (TSS MODIFY displays either PWADMIN(YES) or PWADMIN(NO)), you may also want to review who has access to TSSCMD.USER.cmd.PWADMIN.NO.


Additional Information

To review additional information about CASECAUT – please see:  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/restricted-administrative-authorities-casecaut-resource-class.html

Broadcom offers Web Based Training on CA Top Secret at no cost. Please see https://www.broadcom.com/support/education-training/specialized-training/mainframe-training
Contact your Customer Value Manager (CVM) and ask how to register for the WBT classes on Top Secret.