STIGQter: STIG Summary: z/OS BMC CONTROL-D for RACF STIG Version: 6 Release: 7 Benchmark Date: 26 Oct 2018: STIGQter: STIG Summary: z/OS BMC CONTROL-D for RACF STIG Version: 6 Release: 7 Benchmark Date: 26 Oct 2018:SV-32056r3_rule
V-17947
ZB000020
ZCTDR020
CAT II
10
The IAO will work with the systems programmer to verify that the following are properly specified in the ACP.
Note: To determine what resource class is used review the IOACLASS setting in SECPARM. The "Trigger" resources i.e., $$SECxxx (xxx is unique to the product) are defined in the FACILITY resource class
(Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource class, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)
Use BMC CONTROL-D Resources and BMC INCONTROL Resources Descriptions tables in the zOS STIG Addendum. These tables list the resources, descriptions, and access and logging requirements. Ensure the guidelines for the resources and/or generic equivalent specified in the z/OS STIG Addendum are followed.
The following commands are provided as a sample for implementing resource controls:
rdef $ioa $$addnot.** uacc(none) owner(admin) –
audit(failure(read)) -
data('protected per zctdr020')
pe $$addnot.** cl($ioa) id(<appsaudt>) acc(alter)
pe $$addnot.** cl($ioa) id(<operaudt>) acc(alter)
pe $$addnot.** cl($ioa) id(<pcspaudt>) acc(alter)
pe $$addnot.** cl($ioa) id(<syspaudt>) acc(alter)
Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ZCTD0020)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZCTD0020)
Verify that the accesses to resources and/or generic equivalent are properly restricted according to the requirements specified in BMC CONTROL-D Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.
Note: To determine what resource class is used review the IOACLASS setting in SECPARM. The "Trigger" resources i.e., $$SECxxx (xxx is unique to the product) are defined in the FACILITY resource class
___ The RACF resources are defined with a default access of NONE.
___ The RACF resource access authorizations restrict access to the appropriate personnel.
___ The RACF resource logging requirements are specified.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.
V-17947
False
ZCTDR020
Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ZCTD0020)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZCTD0020)
Verify that the accesses to resources and/or generic equivalent are properly restricted according to the requirements specified in BMC CONTROL-D Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.
Note: To determine what resource class is used review the IOACLASS setting in SECPARM. The "Trigger" resources i.e., $$SECxxx (xxx is unique to the product) are defined in the FACILITY resource class
___ The RACF resources are defined with a default access of NONE.
___ The RACF resource access authorizations restrict access to the appropriate personnel.
___ The RACF resource logging requirements are specified.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.
M
Systems Programmer
1998