STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

DISA Rule

SV-223691r604139_rule

Vulnerability Number

V-223691

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

RACF-ES-000430

Severity

CAT II

CCI(s)

• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed.

Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access.

The following commands are provided as a sample for implementing resource controls:

rdef facility ieasymup.* uacc(none) owner(admin) -
audit(all(read)) -
data('protected per acp00350')
rdef facility ieasymup.symbolname uacc(none) owner(admin) -
audit(all(read)) -
data('protected per acp00350')

pe ieasymup.symbolname cl(facility) id(<dasdsmpl) acc(u)
pe ieasymup.symbolname cl(facility) id(<syspsmpl) acc(u)
pe ieasymup.symbolname cl(facility) id(<tapesmpl) acc(u)

Check Contents

From the ISPF Command Shell enter:
Search all Class(Facility) MASK(ieasymup)

For each entity found enter:
RL facility <entity>

If RACF resources are defined with a default access of NONE, this is not a finding.

If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding.

If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.

Vulnerability Number

V-223691

Documentable

False

Rule Version

RACF-ES-000430

Severity Override Guidance

From the ISPF Command Shell enter:
Search all Class(Facility) MASK(ieasymup)

For each entity found enter:
RL facility <entity>

If RACF resources are defined with a default access of NONE, this is not a finding.

If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding.

If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.

Check Content Reference

M

Target Key

4101

Comments