Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-223649 | RACF-ES-000010 | SV-223649r853567_rule | High |
| Description |
|---|
| This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125 |
| STIG | Date |
|---|---|
| IBM z/OS RACF Security Technical Implementation Guide | 2023-12-27 |
Details
| Check Text ( C-25322r514636_chk ) |
|---|
| Execute a dataset access list for SYS1.NUCLEUS. If all of the Following are untrue, this is not a finding. If any of the following is true, this is a finding. -The ACP data set rules for SYS1.NUCLEUS do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) WRITE or greater access will be logged. |
| Fix Text (F-25310r514637_fix) |
|---|
| Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS. Configure the WRITE or greater access to SYS1.NUCLEUS to be limited to system programmers only and all WRITE or greater access is logged. |