Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-251626 | IDMS-DB-000550 | SV-251626r807745_rule | | Medium |
Description |
---|
Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users. |
STIG | Date |
---|---|
CA IDMS Security Technical Implementation Guide | 2022-09-07 |
Check Text (C-55061r807743_chk) |
---|
Check that security messages from external security managers (ESMs) are sent only to the log, which can be secured. Log on to the IDMS DC system and issue "DCPROFIL". Scroll to the "OPTION FLAGS" screen. If OPT00051 is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding. Contact the security office and verify that the users, groups, and roles are defined to the ESM so that the DC log can only be viewed by the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA). |
Fix Text (F-55015r807744_fix) |
---|
In the source for RHDCOPTF, add the lines `#DEFOPT OPT00051` (for messages sent to the user) and `#DEFOPT OPT00226` (for messages sent to the IDMS log). Then reassemble and relink RHDCOPTF. Reload RHDCOPTF in the CV by issuing the following commands, in order: `DCMT VARY NUCLEUS MODULE RHDCOPTF NEW COPY`, then `DCMT VARY NUCLEUS RELOAD`. Contact the security office to ensure that ADSOBPLG, the ADS print log utility, is secured via the ESM and assigned to the appropriate users, and that the ADS log file is secured, also via the ESM, from being read by anyone other than the ISSO, ISSM, SA, and DBA. |