Access to IBM Security zSecure STC data sets must be properly restricted and logged.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259729	ZSEC-00-000060	SV-259729r943250_rule		Medium

Description
IBM Security zSecure STC have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these zSecure STC data sets could result in violating the integrity of the base product, which could compromise the operating system or sensitive data.

STIG	Date
IBM zSecure Suite Security Technical Implementation Guide	2024-01-18

Details

Check Text ( C-63468r943250_chk )
Verify that access to the zSecure STC data sets is properly restricted. If the following guidance is true, this is not a finding. - The RACF profiles protecting zSecure STC data sets do not allow general access by means of UACC, ID(), WARNING, or global access. - READ and higher access to zAlert CKFREEZE data sets is restricted to trusted STC users and systems programmers. - READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers. - UPDATE access to Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers. - CONTROL and higher access to Access Monitor output data sets is restricted to trusted STC users and systems programmers. - All failures and successful UPDATE and higher access to zSecure STC data sets is logged. DASD-only CKXLOG log stream resources in the LOGSTRM class: - READ is restricted to security administrators, auditors, batch jobs performing ESM maintenance - ALTER restricted to CKXLOG task, system programmers, and batch jobs performing ESM maintenance For Coupling-Facility CKXLOG log streams, the above applies in addition to checking the IXLSTR.model_structure_name profiles in the FACILITY class: - UPDATE and higher trusted STC users, and systems programmers.

Check Text ( C-63468r943250_chk )

Verify that access to the zSecure STC data sets is properly restricted.

If the following guidance is true, this is not a finding.

- The RACF profiles protecting zSecure STC data sets do not allow general access by means of UACC, ID(*), WARNING, or global access.
- READ and higher access to zAlert CKFREEZE data sets is restricted to trusted STC users and systems programmers.
- READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers.
- UPDATE access to Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers.
- CONTROL and higher access to Access Monitor output data sets is restricted to trusted STC users and systems programmers.
- All failures and successful UPDATE and higher access to zSecure STC data sets is logged.

DASD-only CKXLOG log stream resources in the LOGSTRM class:
- READ is restricted to security administrators, auditors, batch jobs performing ESM maintenance
- ALTER restricted to CKXLOG task, system programmers, and batch jobs performing ESM maintenance
* For Coupling-Facility CKXLOG log streams, the above applies in addition to checking the IXLSTR.model_structure_name profiles in the FACILITY class:
- UPDATE and higher trusted STC users, and systems programmers.

Fix Text (F-63375r943220_fix)
Ensure that READ and higher access to zSecure STC data sets is restricted to authorized users, and all failures and successful UPDATE and higher access is logged. Appropriate access can be permitted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users and systems programmers. The following commands are provided as a sample for implementing zSecure STC data set controls: ad 'hlq.zsec.alert.ckfreeze' uacc(none) owner(zSecure owner) - audit(success(update) failures(read)) pe 'hlq.zsec.alert.ckfreeze' id(SYSPAUDT, TSTCAUDT) access(READ) ad 'hlq.zsec.access.monitor.dsn' uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(READ)) pe 'hlq.zsec.access.monitor.dsn' id(AUDTAUDT, SECAAUDT, SECDAUDT, SECBAUDT) access(READ) pe 'hlq.zsec.access.monitor.dsn' id(SECBAUDT, access(UPDATE) pe 'hlq.zsec.access.monitor.dsn' id(SYSPAUDT, TSTCAUDT) access(ALTER) rdef logstrm LSName uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(read)) pe LSName class(logstrm) id(AUDTAUDT, SECAAUDT, SECDAUDT) access(READ) pe LSName class(logstrm) id(CKXLOG, SECBAUDT, AUTOAUDT, SYSPAUDT) access(ALTER) rdef facility IXLSTR. uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(READ)) pe IXLSTR. class(facility) id(SYSPAUDT, TSTCAUDT) access(ALTER)

Fix Text (F-63375r943220_fix)

Ensure that READ and higher access to zSecure STC data sets is restricted to authorized users, and all failures and successful UPDATE and higher access is logged.
Appropriate access can be permitted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users and systems programmers.

The following commands are provided as a sample for implementing zSecure STC data set controls:

ad 'hlq.zsec.alert.ckfreeze' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))
pe 'hlq.zsec.alert.ckfreeze' id(SYSPAUDT, TSTCAUDT) access(READ)
ad 'hlq.zsec.access.monitor.dsn' uacc(none) owner(zSecure owner) -
audit(success(UPDATE) failures(READ))
pe 'hlq.zsec.access.monitor.dsn' id(AUDTAUDT, SECAAUDT, SECDAUDT, SECBAUDT) access(READ)
pe 'hlq.zsec.access.monitor.dsn' id(SECBAUDT,
access(UPDATE)
pe 'hlq.zsec.access.monitor.dsn' id(SYSPAUDT, TSTCAUDT) access(ALTER)
rdef logstrm LSName uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(read))
pe LSName class(logstrm) id(AUDTAUDT, SECAAUDT, SECDAUDT) access(READ)
pe LSName class(logstrm) id(CKXLOG, SECBAUDT, AUTOAUDT, SYSPAUDT) access(ALTER)
rdef facility IXLSTR. uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(READ))
pe IXLSTR. class(facility) id(SYSPAUDT, TSTCAUDT) access(ALTER)