STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide, Version: 8, Release: 2, Benchmark Date: 23 Apr 2021

ACF2 security data sets and/or databases must be properly protected.

DISA Rule

SV-223514r533198_rule

Vulnerability Number

V-223514

Group Title

SRG-OS-000134-GPOS-00068

Rule Version

ACF2-ES-000970

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure ESM READ and/or greater access rules for ESM files and/or databases as limited to system programmers and/or security personnel, and/or batch jobs that perform ACP maintenance.

READ access can be given to auditors and DASD batch. All accesses to ACP files and/or databases are logged.

Check Contents

Determine all associated ESM security data sets and/or databases.

If the ESM data set rules for ESM security data sets and/or databases restrict READ access to auditors and DASD batch, this is not a finding.

If the ESM data set rules for ESM security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ACP maintenance, this is not a finding.

If all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) for ACP security data sets and/or databases are logged, this is not a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100
