STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223732r604139_rule
V-223732
SRG-OS-000080-GPOS-00048
RACF-ES-000850
CAT II
10
Note: This applies to non-SMS volumes. Refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage.
Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required.
Ensure that storage management userids do not possess the "OPERATIONS" attribute. A sample command to accomplish this is shown here:
ALU <userid> NOOPERATIONS
Ensure that storage management userids possess the "PROTECTED" attribute. A sample command to accomplish this is shown here:
ALU <userid> NOPASS NOOIDCARD
Ensure that storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.
Ensure that storage management userids are permitted to appropriate "DASDVOL" profiles for non-SMS-managed volumes.
This applies to non-SMS volumes. For SMS-Managed volumes this is Not Applicable.
Ask the system administrator for all documents and procedures that apply to Storage Management, including identification of the DASD backup data sets and associated storage management userids.
From the ISPF Command enter:
RL User for each identified Userid.
Review storage management userids, if the following guidance is true, this is not a finding.
Storage management userids will not be given the "OPERATIONS" attribute.
Storage management userids will be defined with the "PROTECTED" attribute.
Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.
Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes.
NOTE: "DASDVOL" profiles will not work with SMS-managed volume. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.
V-223732
False
RACF-ES-000850
This applies to non-SMS volumes. For SMS-Managed volumes this is Not Applicable.
Ask the system administrator for all documents and procedures that apply to Storage Management, including identification of the DASD backup data sets and associated storage management userids.
From the ISPF Command enter:
RL User for each identified Userid.
Review storage management userids, if the following guidance is true, this is not a finding.
Storage management userids will not be given the "OPERATIONS" attribute.
Storage management userids will be defined with the "PROTECTED" attribute.
Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.
Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes.
NOTE: "DASDVOL" profiles will not work with SMS-managed volume. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.
M
4101