Top Secret STIG ID - BTSS0039: Set the DOWN Control Option

Article ID: 242559

Products

Top Secret

Issue/Introduction

I am looking for an in-depth understanding of the DOWN parameters in the TSS MODI File. Presently, we have our Facilities to BYPASS (see below).

DOWN(BB,SB,TN,OB)

 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/using-stig-articles/stig-id-btss0039-set-the-down-control-option.html

Use Top Secret STIG article BTSS0039 to verify the status of the DOWN control option and configure it according to the type of ACIDs defined in SYS1.UADS.
 
Severity: 2 - Medium
The DOWN Control Option determines how jobs are initiated and how passwords are changed when the Top Secret address space is inactive.
Top Secret system-wide options control the default settings for determining how the product handles requests for access to the operating system environment, Top Secret, and customer data. Top Secret lets you set many fields at the subsystem level. If no setting is found, system-wide defaults are used.
Improper setting of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for Top Secret control options introduces the possibility of exposure during a migration or during contingency plan activation.
The organization must ensure that the DOWN control option is set according to the following specifications:
  • If only emergency ACIDs are defined in SYS1.UADS, set the DOWN control option to BW,SB,TN,OW.
  • If any non-emergency ACIDs are defined in SYS1.UADS, set the DOWN control option to BW,SB,TW,OW.
The following list describes how Top Secret should process security when its address space is down:
  • BW: Batch jobs and password changes (B) wait for Top Secret to be reactivated (W).
  • SB: STC initiations (S) bypass security checking (B).
  • TN: TSO logons and password changes (T) revert to native security (if any) until restarted (N).
  • TW: TSO logons and password changes (T) wait for Top Secret to be reactivated (W).
  • OW: Online initiations and password changes (O) wait for Top Secret to be reactivated (W).
This STIG article shows how to determine the status of the DOWN control option and configure it according to the type of ACIDs defined in SYS1.UADS.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
Follow these steps:
  • Display the status of the DOWN control option:
    TSS MODIFY STATUS
     
    The product displays the status of the DOWN control option.
     
    Example Output:
    ...
    DOWN(BW,SB,TW,OW)
    EXIT(ON) EXPDAYS(00) ...
  • Review the output to verify the status of the DOWN control option.
  • Review SYS1.UADS to see which type of ACIDs are defined.
  • If only emergency ACIDs are defined in SYS1.UADS and the DOWN Control Option values are set to BW,SB,TN,OW, your organization does not have an audit finding.
  • If non-emergency ACIDs are defined in SYS1.UADS and the DOWN Control Option values are set to BW,SB,TW,OW, your organization does not have an audit finding.
  • If the DOWN Control Option values do not conform to the above requirements, your organization has an audit finding. See Remediate Audit Finding.
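
The audit check in the steps above, written out as an added Python example (not part of the original article or of Top Secret). It assumes the TSS MODIFY STATUS output has been captured as text; the function names and the sample strings are constructed for illustration, and only the action letters this article describes (W, B, N) are given descriptions.

```python
import re

# Facility and action letters as described in this article.
FACILITIES = {"B": "batch jobs and password changes", "S": "STC initiations",
              "T": "TSO logons and password changes",
              "O": "online initiations and password changes"}
ACTIONS = {"W": "wait for reactivation", "B": "bypass security checking",
           "N": "revert to native security"}
# Required values from this article, keyed by whether SYS1.UADS holds
# any non-emergency ACIDs.
REQUIRED = {False: "BW,SB,TN,OW", True: "BW,SB,TW,OW"}


def parse_down(status_text):
    """Return {facility letter: action letter} from TSS MODIFY STATUS output."""
    match = re.search(r"\bDOWN\(([^)]*)\)", status_text)
    if match is None:
        raise ValueError("no DOWN(...) entry in status output")
    setting = {}
    for code in match.group(1).split(","):
        code = code.strip().upper()
        if len(code) != 2 or code[0] not in FACILITIES:
            raise ValueError(f"unrecognized DOWN value: {code!r}")
        setting[code[0]] = code[1]
    return setting


def check_down(status_text, non_emergency_acids_in_uads):
    """Return a list of findings; an empty list means no audit finding."""
    actual = parse_down(status_text)
    required = parse_down(f"DOWN({REQUIRED[bool(non_emergency_acids_in_uads)]})")
    findings = []
    for facility, want in required.items():
        have = actual.get(facility)
        if have != want:
            # Letters not described in this article are reported verbatim.
            shown = "not set" if have is None else ACTIONS.get(have, f"action {have!r}")
            findings.append(f"{FACILITIES[facility]}: {shown}; required: {ACTIONS[want]}")
    return findings


# Constructed inputs: the article's example output and the DOWN value
# quoted in the Issue/Introduction section.
SAMPLE_STATUS = "...\nDOWN(BW,SB,TW,OW)\nEXIT(ON) EXPDAYS(00) ...\n"
BYPASS_STATUS = "DOWN(BB,SB,TN,OB)"

if __name__ == "__main__":
    for text, non_emergency in ((SAMPLE_STATUS, True), (BYPASS_STATUS, False)):
        print(parse_down(text), check_down(text, non_emergency) or "no audit finding")
```
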
Remediate Audit Finding
Evaluate the impact that is associated with implementing the control option. Develop a plan of action to implement the DOWN control option setting as specified in the following procedure and proceed with the change.
Follow these steps:
  • If only emergency ACIDs are defined in SYS1.UADS, set the DOWN control option as follows:
    TSS MODIFY(DOWN(BW,SB,TN,OW))
    The product confirms your change.
  • If any non-emergency ACIDs are defined in SYS1.UADS, set the DOWN control option as follows:
    TSS MODIFY(DOWN(BW,SB,TW,OW))
    The product confirms your change.
  • Update the Top Secret startup parameter file with DOWN(BW,SB,TN,OW) or DOWN(BW,SB,TW,OW). If you do not complete this step, the DOWN control option reverts to what is specified in the Top Secret startup parameter file during the next IPL.
  • Verify the change to the status of the DOWN control option:
    TSS MODIFY STATUS
     
    The product displays the status of the DOWN control option.
     
    Example Output:
    ...
    DOWN(BW,SB,TW,OW)
    EXIT(ON) EXPDAYS(00) ...
  • Create documentation to establish standardized settings for Top Secret control options. File the documentation with the Information System Security Owner (ISSO) for the organization, and include the documentation in your mainframe system security plan (SSP).
Maintaining standardized settings for Top Secret control options protects your organization from compromising the security of the processing environment or other security exposures.
Control Correlation Identifiers