IBM z/OS System datasets used to support the VTAM network must be properly secured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223869	RACF-VT-000010	SV-223869r604139_rule		Medium

Description
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100

Description

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2021-01-05

Details

Check Text ( C-25542r515295_chk )
Determine data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments. If RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff, this is not a finding. If RACF data set rules for all VTAM system data sets all READ access to auditors only, this is not a finding.

Check Text ( C-25542r515295_chk )

Determine data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments.

If RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff, this is not a finding.

If RACF data set rules for all VTAM system data sets all READ access to auditors only, this is not a finding.

Fix Text (F-25530r515296_fix)
Configure RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. Auditors may have READ access as documented by and approved by the ISSM. The following sample RACF commands show proper definitions/permissions for VTAM datasets: AD 'SYS1.VTAM.' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.' ID() ACC(A) AD 'SYS1.VTAMLIB.' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAMLIB.' ID() ACC(A) AD 'SYS1.VTAM.SISTCLIB.' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.SISTCLIB.' ID() ACC(A) AD 'SYS3.VTAM.' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018') PE 'SYS3.VTAM.' ID() ACC(A) AD 'SYS3.VTAMLIB.' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS3.VTAMLIB.*' ID() ACC(A) SETR GENERIC(DATASET) REFRESH

Fix Text (F-25530r515296_fix)

Configure RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements.

Auditors may have READ access as documented by and approved by the ISSM.

The following sample RACF commands show proper definitions/permissions for VTAM datasets:

AD 'SYS1.VTAM*.**' UACC(NONE) OWNER(SYS1) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAM.**' ID() ACC(A)

AD 'SYS1.VTAMLIB.**' UACC(NONE) OWNER(SYS1) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAMLIB.**' ID() ACC(A)

AD 'SYS1.VTAM.SISTCLIB.**' UACC(NONE) OWNER(SYS1) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAM.SISTCLIB.**' ID() ACC(A)

AD 'SYS3.VTAM.**' UACC(NONE) OWNER(SYS3) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018')
PE 'SYS3.VTAM.**' ID() ACC(A)

AD 'SYS3.VTAMLIB.**' UACC(NONE) OWNER(SYS3) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS3.VTAMLIB.**' ID() ACC(A)

SETR GENERIC(DATASET) REFRESH