STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

CA-ACF2 must limit update and allocate access to all system-level product installation libraries to system programmers only.

DISA Rule

SV-223452r533198_rule

Vulnerability Number

V-223452

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-ES-000310

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.
• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries.

Configure allocate access to all system-level product execution libraries to be limited to system programmers only.

Check Contents

Have the systems programmer for z/OS supply the following information:

- The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.
- The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

The ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

If all of the above are untrue, this is not a finding.

If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a finding.

Vulnerability Number

V-223452

Documentable

False

Rule Version

ACF2-ES-000310

Severity Override Guidance

Have the systems programmer for z/OS supply the following information:

- The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.
- The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

The ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

If all of the above are untrue, this is not a finding.

If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a finding.

Check Content Reference

M

Target Key

4100

Comments