SV-223785r604139_rule
V-223785
SRG-OS-000095-GPOS-00049
RACF-OS-000290
CAT II
10
Review the PPT and treat all entries associated with non-existent or inapplicable modules as invalid. Nullify each invalid IEFSDPPT entry by ensuring that there is a corresponding SCHEDxx PPT entry that confers no special attributes.
Use the following recommendations and techniques to provide protection for the PPT:
Review the IEFSDPPT module and all programs that IBM has, by default, placed in the PPT to validate their applicability to the execution system. Refer to the IBM z/OS MVS Initialization and Tuning Reference documentation for the version and release of z/OS installed at the individual site for the actual contents of the default IEFSDPPT.
Modules for products not in use on the system will have their special privileges explicitly revoked. Do this by placing a PPT entry for each module in the SYS1.PARMLIB(SCHEDxx) member, specifying no special privileges. The PPT entry for each overridden program will be in the following format, accepting the default (unprivileged) values for the sub parameters:
PPT PGMNAME(<program name>)
Assemble documentation regarding these PPT entries, and the ISSO will keep it on file. Include the following in the documentation:
- The product and release for which the PPT entry was made
- The last date this entry was reviewed to authenticate status
- The reason the module's privileges are being revoked
Review program entries in the IBM Program Properties Table (PPT). A third-party product may be used to examine these entries; otherwise, to list the program entries, enter the following command from an ISPF command line:
TSO ISRDDN LOAD IEFSDPPT
Interpret the display as follows:
Examine contents at offset 8
Hex ‘x2’ - Bypass Password Protection
Hex ‘x3’ - Bypass Password Protection
Hex ‘x4’ - No Dataset Integrity
Hex ‘x5’ - No Dataset Integrity
Hex ‘x6’ - Both
Hex ‘x7’ - Both
Determine the Privilege Key at offset 9. A value of hex ‘70’ or less indicates an elevated privilege.
For each module identified in the "eyecatcher" that has Bypass Password Protection, No Dataset Integrity, an elevated Privilege Key, or any combination thereof, determine whether a valid load module exists. Again, a third-party product may be used; otherwise, enter the following command from an ISPF command line:
TSO ISRDDN LOAD <privileged module>
If the return message is "Load Failed" make sure there is an entry in PARMLIB member SCHEDxx that revokes the excessive privilege.
If this is not true, this is a finding.
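The check above is a decision procedure: decode the flag byte at offset 8 and the key at offset 9 of each PPT entry, and for every privileged entry whose module cannot be loaded, require a SCHEDxx PPT PGMNAME override. The following Python script, added here as an illustration and not part of the STIG text or any IBM tooling, encodes that logic so the review of a large IEFSDPPT can be scripted. It assumes (beyond what the check states) that each entry is modelled as 16 bytes with the program name in the first 8 bytes (EBCDIC, code page 037) and padding after offset 9; the sample entries, the loadable-module set and the SCHEDxx member text are all constructed for the example, and the SCHEDxx parser only recognizes the single-line `PPT PGMNAME(...)` form shown in the fix text.

```python
import re

# Bit masks for the flag byte at offset 8, from the STIG interpretation table:
# x2/x3 = Bypass Password Protection, x4/x5 = No Dataset Integrity, x6/x7 = both.
BYPASS_PASSWORD = 0x02
NO_DSI = 0x04
# Key byte at offset 9: a value of x'70' or less indicates an elevated privilege.
ELEVATED_KEY_MAX = 0x70

ENTRY_LEN = 16  # assumed entry size for the constructed sample (not from the STIG)


def make_entry(name: str, flags: int, key: int) -> bytes:
    """Build one constructed PPT entry: 8-byte EBCDIC name, flags, key, padding."""
    return name.ljust(8).encode("cp037") + bytes([flags, key]) + b"\x00" * (ENTRY_LEN - 10)


def decode_entry(entry: bytes) -> dict:
    """Return the program name and privilege attributes of one PPT entry."""
    name = entry[:8].decode("cp037").rstrip()
    flags = entry[8]
    key = entry[9]
    return {
        "name": name,
        "bypass_password": bool(flags & BYPASS_PASSWORD),
        "no_dsi": bool(flags & NO_DSI),
        "elevated_key": key <= ELEVATED_KEY_MAX,
    }


def is_privileged(attrs: dict) -> bool:
    """Any of the three attributes makes the entry subject to the check."""
    return attrs["bypass_password"] or attrs["no_dsi"] or attrs["elevated_key"]


def sched_override_names(sched_text: str) -> set:
    """Collect program names from single-line PPT PGMNAME(...) statements in SCHEDxx."""
    return set(re.findall(r"^\s*PPT\s+PGMNAME\((\w+)\)", sched_text,
                          re.MULTILINE | re.IGNORECASE))


def review_ppt(entries, loadable, overrides) -> list:
    """Apply the check: privileged entries whose module does not load and that
    have no SCHEDxx override are findings."""
    findings = []
    for raw in entries:
        attrs = decode_entry(raw)
        if not is_privileged(attrs):
            continue                      # nothing to revoke
        if attrs["name"] in loadable:
            continue                      # module exists; privilege belongs to a real product
        if attrs["name"] in overrides:
            continue                      # SCHEDxx entry already revokes the privilege
        findings.append(attrs["name"])
    return findings


# Constructed sample data (program names are placeholders, not real IBM modules).
SAMPLE_PPT = [
    make_entry("PRODA", 0x06, 0x00),  # both flags, key 0; module is loadable
    make_entry("PRODB", 0x02, 0x80),  # bypass password; not loadable, overridden
    make_entry("PRODC", 0x00, 0x80),  # no special privileges
    make_entry("PRODD", 0x04, 0x10),  # no DSI, key 1; not loadable, no override
]
LOADABLE = {"PRODA"}            # result of "Load Failed" not returned for these
SAMPLE_SCHED = """\
/* constructed SCHEDxx fragment */
PPT PGMNAME(PRODB)
"""

if __name__ == "__main__":
    overrides = sched_override_names(SAMPLE_SCHED)
    for name in review_ppt(SAMPLE_PPT, LOADABLE, overrides):
        print(f"FINDING: {name} keeps PPT privileges but has no SCHEDxx override")
```

Run stand-alone it reports PRODD as the only finding: PRODA loads, PRODB is overridden in SCHEDxx, and PRODC carries no privilege. The real ISRDDN display must still be transcribed into entries by hand or by a site tool, since the script does not read the load module itself.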
V-223785
False
RACF-OS-000290
M
4101