
IDMS must reveal security-related messages only to authorized users.


Overview

Finding ID: V-251626
Version: IDMS-DB-000550
Rule ID: SV-251626r807745_rule
IA Controls: (not specified)
Severity: Medium
Description
Error messages issued to non-privileged users may contain information that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
STIG: CA IDMS Security Technical Implementation Guide
Date: 2021-11-10

Details

Check Text ( C-55061r807743_chk )
Check that security messages from external security managers (ESMs) are sent only to the log, which can be secured. Log on to the IDMS DC system and issue "DCPROFIL". Scroll to the "OPTION FLAGS" screen.

If OPT00051 is not listed, this is a finding.

For IDMS LOG messages, if OPT00226 is not listed, this is a finding.

Contact the security office and verify that users, groups, and roles are defined to the ESM so that the DC log can be viewed only by the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
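The OPTION FLAGS part of this check lends itself to automation when DCPROFIL output is captured as text. The script below is an added example for this page, not part of the STIG or of CA IDMS: it scans a captured "OPTION FLAGS" screen for OPTnnnnn names, reports whether OPT00051 and OPT00226 are listed, and emits the #DEFOPT lines the Fix Text calls for when either is missing. The two screen captures it contains are constructed to illustrate the logic and do not reproduce a real system's output; the exact column layout of DCPROFIL is not assumed, only that options appear by their OPTnnnnn names. The ESM access review in the last paragraph of the check is a manual step and is not covered.

```python
"""Automate the OPTION FLAGS portion of the IDMS-DB-000550 check.

Added example, not part of the STIG or of CA IDMS.  The screen captures below
are constructed; a real check would paste in the full OPTION FLAGS screen(s)
shown by DCPROFIL.
"""
import re
from dataclasses import dataclass

# Options the check requires to appear on the OPTION FLAGS screen (from the STIG).
REQUIRED_OPTIONS = {
    "OPT00051": "security messages sent to the user",
    "OPT00226": "security messages sent to the IDMS log",
}

# Any OPTnnnnn token anywhere on the screen; no assumption about DCPROFIL columns.
OPTION_TOKEN = re.compile(r"\bOPT\d{5}\b")

# Constructed captures (assumed format, trimmed to the relevant lines).
COMPLIANT_SCREEN = """\
 DCPROFIL                 OPTION FLAGS
 OPT00051  OPT00226
"""

NONCOMPLIANT_SCREEN = """\
 DCPROFIL                 OPTION FLAGS
 OPT00226
"""


@dataclass(frozen=True)
class OptionResult:
    option: str
    purpose: str
    listed: bool

    @property
    def finding(self) -> bool:
        # STIG wording: if the option is not listed, this is a finding.
        return not self.listed


def options_listed(screen_text: str) -> set[str]:
    """Return every OPTnnnnn name present on the captured screen."""
    return set(OPTION_TOKEN.findall(screen_text))


def evaluate(screen_text: str) -> list[OptionResult]:
    """Check each required option against the screen, in a stable order."""
    present = options_listed(screen_text)
    return [
        OptionResult(opt, purpose, opt in present)
        for opt, purpose in sorted(REQUIRED_OPTIONS.items())
    ]


def missing_options(screen_text: str) -> list[str]:
    """Required options that are not listed on the screen."""
    return [r.option for r in evaluate(screen_text) if r.finding]


def is_finding(screen_text: str) -> bool:
    """True when either required option is absent, i.e. V-251626 is Open."""
    return bool(missing_options(screen_text))


def fix_lines(screen_text: str) -> list[str]:
    """RHDCOPTF source lines to add for each missing option, per the Fix Text."""
    return [f"#DEFOPT {opt}" for opt in missing_options(screen_text)]


def report(screen_text: str) -> str:
    """Human-readable result for the checklist."""
    lines = []
    for r in evaluate(screen_text):
        state = "listed" if r.listed else "NOT listed - finding"
        lines.append(f"{r.option} ({r.purpose}): {state}")
    status = "Open" if is_finding(screen_text) else "Not a Finding"
    lines.append(f"V-251626: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(COMPLIANT_SCREEN))
    print()
    print(report(NONCOMPLIANT_SCREEN))
    print()
    print("\n".join(fix_lines(NONCOMPLIANT_SCREEN)))
```

Because DCPROFIL may spread the option flags over more than one screen, paste every OPTION FLAGS page into the capture before evaluating; an option that is present but on a page that was not captured would otherwise be reported as a false finding.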
Fix Text (F-55015r807744_fix)
In the source for RHDCOPTF, add lines:

#DEFOPT OPT00051   <- for messages sent to the user
#DEFOPT OPT00226   <- for messages sent to the IDMS log

Then, reassemble and relink RHDCOPTF. Reload RHDCOPTF in the CV by issuing the following commands:

DCMT VARY NUCLEUS MODULE RHDCOPTF NEW COPY
DCMT VARY NUCLEUS RELOAD

Contact the security office to ensure that ADSOBPLG, the ADS print log utility, is secured via the ESM and assigned to the appropriate users, and that the ADS log file is secured, also via the ESM, from being read by anyone other than the ISSO, ISSM, SA, and DBA.