IDMS must allow only authorized users to sign on to an IDMS CV.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251584	IDMS-DB-000030	SV-251584r807619_rule		High

Description
Unauthorized users signing on to IDMS can pose varying amounts of risk depending upon the security of the IDMS resources in an IDMS CV. Until the IDMS sign-on resource type (SGON) is secured anyone can sign on to IDMS. This risk can be mitigated by securing the SGON resource.

STIG	Date
CA IDMS Security Technical Implementation Guide	2021-11-10

Details

Check Text ( C-55019r807617_chk )
Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note that this requires PTFs SO07995 and SO09476. Look for a #SECRTT statement with the string "RESTYPE=SGON" and SECBY=EXTERNAL. If no "RESTYPE=SGON" is found or "SECBY=OFF" or "SECBY=INTERNAL" is specified, this is a finding. Execute an external security manager (ESM) resource access list for resource "SGON" for each CV on the system. If the resource access is not restricted to only users authorized in the site security plan, this is a finding.

Check Text ( C-55019r807617_chk )

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output.

Note that this requires PTFs SO07995 and SO09476.

Look for a #SECRTT statement with the string "RESTYPE=SGON" and SECBY=EXTERNAL.

If no "RESTYPE=SGON" is found or "SECBY=OFF" or "SECBY=INTERNAL" is specified, this is a finding.

Execute an external security manager (ESM) resource access list for resource "SGON" for each CV on the system.

If the resource access is not restricted to only users authorized in the site security plan, this is a finding.

Fix Text (F-54973r807618_fix)
In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process such as this example: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL, X EXTCLS='CA@IDMS', X EXTNAME=(RESTYPE,RESNAME) The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name sign into SYSGEN in the CV. Then issue command "SIGNON DICT SYST" and then issue command "DISP SYS nnn" where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME. Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SGON.your_extname) In ACF2: $KEY(SGON.your_extname) TYPE(CA@IDMS) UID(user_id) ALLOW After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

Fix Text (F-54973r807618_fix)

In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process such as this example:

#SECRTT TYPE=ENTRY, X
RESTYPE=SGON, X
SECBY=EXTERNAL, X
EXTCLS='CA@IDMS', X
EXTNAME=(RESTYPE,RESNAME)

The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name sign into SYSGEN in the CV. Then issue command "SIGNON DICT SYST" and then issue command "DISP SYS nnn" where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME.

Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.your_extname)

In ACF2:
$KEY(SGON.your_extname) TYPE(CA@IDMS)
UID(user_id) ALLOW

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:

DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
DCMT VARY NUCLEUS RELOAD