UCF STIG Viewer Logo

IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223649 RACF-ES-000010 SV-223649r853567_rule High
Description
This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2022-12-14

Details

Check Text ( C-25322r514636_chk )
Execute a dataset access list for SYS1.NUCLEUS.

If all of the Following are untrue, this is not a finding.

If any of the following is true, this is a finding.

-The ACP data set rules for SYS1.NUCLEUS do not restrict WRITE or greater access to only z/OS systems programming personnel.
-The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix Text (F-25310r514637_fix)
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS.

Configure the WRITE or greater access to SYS1.NUCLEUS to be limited to system programmers only and all WRITE or greater access is logged.