STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM RACF security data sets and/or databases must be properly protected.

DISA Rule

SV-223685r604139_rule

Vulnerability Number

V-223685

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-ES-000370

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-001084 - The information system isolates security functions from nonsecurity functions.
• CCI-001499 - The organization limits privileges to change software resident within software libraries.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Review access authorization to critical security database files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect the ESM files.

Configure READ and/or greater access to all ESM files and/or databases are limited to system programmers and/or security personnel, and/or batch jobs that perform ESM maintenance. READ access can be given to auditors and DASD batch. All accesses to ESM files and/or databases are logged.

Check Contents

If the following accesses to the ESM security data sets and/or databases are properly restricted as detailed below, this is not a finding.

-The ESM data set rules for ESM security data sets and/or databases restrict READ access to auditors and DASD batch.
-The ESM data set rules for ESM security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ESM maintenance.

All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) for ESM security data sets and/or databases are logged.

Vulnerability Number

V-223685

Documentable

False

Rule Version

RACF-ES-000370

Severity Override Guidance

If the following accesses to the ESM security data sets and/or databases are properly restricted as detailed below, this is not a finding.

-The ESM data set rules for ESM security data sets and/or databases restrict READ access to auditors and DASD batch.
-The ESM data set rules for ESM security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ESM maintenance.

All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) for ESM security data sets and/or databases are logged.

Check Content Reference

M

Target Key

4101

Comments