STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

IBM z/OS DFSMS Program Resources must be properly defined and protected.

DISA Rule

SV-223815r604139_rule

Vulnerability Number

V-223815

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-SM-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

(Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)

Refer to the chapter titled “Protecting the Storage Management Subsystem” in the IBM z/OS DFSMSdfp Storage Administration Guide.

Use SMS Program Resources tables to determine the resources and access requirements for SMS Program Resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are specified.

The RACF resources as designated in the table above are defined with a default access of NONE.

The RACF resource access authorizations restrict access to the appropriate personnel as designated in the table above.

The following commands are provided as a sample for implementing resource controls:

RDEF PROGRAM ACBFUTO2 ADDMEM('SYS1.DSF.DGTLLIB'//NOPADCHK) -
DATA('ADDED PER SRR PDI ZSMS0012 ') -
AUDIT(FAILURE(READ)) UACC(NONE) OWNER(ADMIN)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(********)

Check Contents

Refer to the load modules residing in the following load libraries to determine program resource definitions:
SYS1.DGTLLIB for DFSMSdfp/ISMF
SYS1.DGTLLIB for DFSMSdss/ISMF
SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library, the installation-defined load library must be used in the program protection.

If the RACF resources are defined with a default access of NONE, this is not a finding.

If the RACF resource access authorizations restrict access to the appropriate personnel, this is not a finding.

(Refer to the chapter titled “Protecting the Storage Management Subsystem” in the IBM z/OS DFSMSdfp Storage Administration Guide to assist with guidance on appropriate access.)

Documentable

False

Check Content Reference

M

Target Key

4101
