STIGQter: STIG Summary: z/OS CA 1 Tape Management for RACF STIG Version: 6 Release: 8 Benchmark Date: 25 Oct 2019:

CA-1 Tape Management STC data sets must be properly protected.

DISA Rule

SV-87411r1_rule

Vulnerability Number

V-17067

Group Title

ZB000001

Rule Version

ZCA1R001

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.

Weight

10

Fix Recommendation

Ensure that WRITE and/or greater access to CA1 Tape management STC data sets is limited to System Programmers and/or CA1 Tape management STC(s) and/or batch user(s) only. READ access can be given to auditors.
(Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)

Data sets to be protected will be:
CA1.TMS* (Data sets that are altered by the product’s STCs, this can be more specific.)

The following commands are provided as a sample for implementing data set controls:

Ad ‘SYS3.CA1.TMS*.**’ UACC(NONW) OWNER(SYS3) –
AUDIT(FAILURES(READ)) –
DATA(‘CA1 STC DS’)

PE ‘CA1.TMS*.**’ ID(<syspaudt> ACC(A)
PE ‘CA1.TMS*.**’ ID (<Tape Management STCs and/or batch users >) ACC(A)
PE ‘CA1.TMS*.**’ ID (<audtaudt>) ACC(R)

Check Contents

Refer to the following report produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(CA1STC)


Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZCA10001)

Verify that the accesses to CA1 Tape Management Started Tasks (STCs) data sets are properly restricted. If the following guidance is true, this is not a finding.

___ The RACF data set access authorizations restrict READ access to auditors.

___ The RACF data set access authorizations restrict WRITE and/or greater access to systems programming personnel.

___ The RACF data set access authorizations restrict WRITE and/or greater access to CA1 Tape Management STCs and/or batch users.

___ The RACF data set access authorizations specify UACC(NONE) and NOWARNING.

Vulnerability Number

V-17067

Documentable

False

Rule Version

ZCA1R001

Severity Override Guidance

Refer to the following report produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(CA1STC)


Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZCA10001)

Verify that the accesses to CA1 Tape Management Started Tasks (STCs) data sets are properly restricted. If the following guidance is true, this is not a finding.

___ The RACF data set access authorizations restrict READ access to auditors.

___ The RACF data set access authorizations restrict WRITE and/or greater access to systems programming personnel.

___ The RACF data set access authorizations restrict WRITE and/or greater access to CA1 Tape Management STCs and/or batch users.

___ The RACF data set access authorizations specify UACC(NONE) and NOWARNING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

2189

Comments