Operating system privileged account control

The use of administrator-level operating system accounts must be restricted to the maximum extent possible, unless needed to install, configure, maintain, operate and support emergency activities. The use of the administrator-level account must be limited to the duration of those activities. Log-in with built-in administrator-level accounts is not permitted, except to perform activities where such accounts are specifically needed or in emergency situations. Individual accounts with administrator-level privileges or accounts with the ability to escalate to administrative access (for example, sudo) should be used instead. Those administration accesses and usage is to be logged so that it is possible to trace back the cause of an incident. For all other situations, a user account with minimum privilege is required. To comply with this regulations, ensure:

• Utility program invocation has to be encapsulated in scripts that can be executed only within a controlled scope.
• Usage of the command-line interface (CLI) is allowed only for:
  • Installation tasks
  • Resolution of emergency situations
  • Use in scripts that can be executed only within a controlled scope
• No other operating system accounts should have access to file system resources, database resources, IBM® MQ and IBM Integration Bus resources of FTM SWIFT.
• Regular administrative and operational tasks have to be performed using the Administration & Operation Browser UI (see AO Facility). However, the AO console can be used to issue CLI commands.