STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.

DISA Rule

SV-223448r533198_rule

Vulnerability Number

V-223448

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-ES-000270

Severity

CAT I

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.
• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Using the ESM, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. See that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have Systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed.

Configure ESM data set rules for all update and alter access to libraries containing z/OS and other system level exits will be logged using the ACP’s facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system level exits.

Check Contents

Examine the system for active exit modules. You may need system administrator help for this. Third-party software products can determine standard and dynamic exits loaded in the system.

If all the exits are found within APF, LPA, and LINKLIST, this is not applicable.

If ESM data set rules for libraries that contain system exit modules restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel, this is not a finding.

If the ESM data set rules for libraries that contain exit modules specify that all UPDATE and ALLOCATE access will be logged, this is not a finding.

Vulnerability Number

V-223448

Documentable

False

Rule Version

ACF2-ES-000270

Severity Override Guidance

Examine the system for active exit modules. You may need system administrator help for this. Third-party software products can determine standard and dynamic exits loaded in the system.

If all the exits are found within APF, LPA, and LINKLIST, this is not applicable.

If ESM data set rules for libraries that contain system exit modules restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel, this is not a finding.

If the ESM data set rules for libraries that contain exit modules specify that all UPDATE and ALLOCATE access will be logged, this is not a finding.

Check Content Reference

M

Target Key

4100

Comments