STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS DFSMS Program Resources must be properly defined and protected.

DISA Rule

SV-224050r561402_rule

Vulnerability Number

V-224050

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-SM-000020

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Configure the following to be properly specified in the ACP.

Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.

Reference the SMS Program Resources as provided by the following libraries:
v SYS1.DGTLLIB for DFSMSdfp/ISMF
v SYS1.DGTLLIB for DFSMSdss/ISMF
v SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library the installation-defined load library must be used in the program protection.

The TSS resources as designated in the above are owned and/or DEFPROT is specified for the resource class.

The TSS resource access authorizations restrict access to the appropriate personnel as designated in the above.

The following commands are provided as a sample for implementing resource controls:

Example:
TSS ADD(dept-acid) PROGRAM(ACBFUTO2)
TSS PERMIT(smplsmpl) PROGRAM(ACBFUTO2)
TSS PERMIT(dasdsmpl) PROGRAM(ACBFUTO2)
TSS PERMIT(secasmpl) PROGRAM(ACBFUTO2)
TSS PERMIT(syspsmpl) PROGRAM(ACBFUTO2)
TSS PERMIT(tstcsmpl) PROGRAM(ACBFUTO2)

Check Contents

Refer to the load modules residing in the following Load libraries to determine Program resource definitions:
v SYS1.DGTLLIB for DFSMSdfp/ISMF
v SYS1.DGTLLIB for DFSMSdss/ISMF
v SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library the installation-defined load library must be used in the program protection.

If the TSS resources are owned or DEFPROT is specified for the resource class, this is not a finding.

If the TSS resource access authorizations restrict access to the appropriate personnel, this is not a finding.

Vulnerability Number

V-224050

Documentable

False

Rule Version

TSS0-SM-000020

Severity Override Guidance

Refer to the load modules residing in the following Load libraries to determine Program resource definitions:
v SYS1.DGTLLIB for DFSMSdfp/ISMF
v SYS1.DGTLLIB for DFSMSdss/ISMF
v SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library the installation-defined load library must be used in the program protection.

If the TSS resources are owned or DEFPROT is specified for the resource class, this is not a finding.

If the TSS resource access authorizations restrict access to the appropriate personnel, this is not a finding.

Check Content Reference

M

Target Key

4102

Comments