IBM Security zSecure access to user data sets must be properly restricted and logged.


Overview

Finding ID: V-259730
Version: ZSEC-00-000080
Rule ID: SV-259730r943224_rule
IA Controls:
Severity: Medium
Description
If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes might result in incorrect results reported by the product. Only qualified and authorized individuals must be allowed to create, read, update, and delete zSecure user data sets.
STIG: IBM zSecure Suite Security Technical Implementation Guide
Date: 2024-01-18

Details

Check Text (C-63469r943222_chk)
Verify the accesses to the zSecure user data sets are properly restricted. If the following guidance is true, this is not a finding.

- The RACF profiles protecting zSecure user data sets do not allow general access by means of UACC, ID(*), WARNING, or global access.
- READ access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to auditors, automated operation STCs/batch jobs, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, system programmers and trusted STC users.
- UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to decentralized security administrators, security administrators, batch jobs performing ESM maintenance, and system programmers.
- All failures and successful UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is logged.
- READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, automated operation STCs/batch jobs, trusted STC users, and system programmers.
- UPDATE and higher access to the Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and system programmers.
- All failed and all successful UPDATE and higher access to Access Monitor output data sets is logged.
- READ access to CKACUST and CKACUSV data sets is restricted to auditors, batch jobs that perform ESM maintenance, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and systems programmers.
- UPDATE access to CKACUST and CKACUSV data sets is restricted to decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers.
- CONTROL and higher access to CKACUST and CKACUSV data sets is restricted to systems programmers.
- All failed and all successful UPDATE and higher access to CKACUST and CKACUSV data sets is logged.
- READ access to CKXLOG log stream is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and system programmers.
- UPDATE and higher access to CKXLOG log stream is restricted to automated operation STCs/batch jobs, trusted STC users, and system programmers.
- All failed access to CKXLOG log stream is logged.

Fix Text (F-63376r943223_fix)
The following commands are provided as a sample for implementing zSecure user data set controls:

ad 'hlq.zsec.user.assert/ckfreeze/unload.dsn' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))

pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)

pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(SECAAUDT, SECDAUDT, SECBAUDT, SYSPAUDT) access(ALTER)

ad 'hlq.zsec.accmon.user.dsn' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))

pe 'hlq.zsec.accmon.user.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)

pe 'hlq.zsec.accmon.user.dsn' id(AUTOAUDT, SECBAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)

ad 'hlq.zsec.user.ckcus*' uacc(none) owner(zSecure owner) -
audit(success(UPDATE) failures(READ))

pe 'hlq.zsec.user.ckcus*' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(UPDATE)

pe 'hlq.zsec.user.ckcus*' id(SYSPAUDT) access(ALTER)

rdef logstrm LSName uacc(none) owner(zSecure owner) -
audit(success(UPDATE) failures(read))

pe LSName class(logstrm) id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, TSTCAUDT, SYSPAUDT) access(READ)

pe LSName class(logstrm) id(AUTOAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)
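
The check for the ASSERTION, CKFREEZE, and UNLOAD data sets can be expressed as a small policy test. The following Python sketch is an added example, not part of the STIG or of zSecure: it takes the group IDs from the sample PERMIT commands above and evaluates a profile held in a hypothetical dictionary layout (not RACF command output); the sample profiles and the ID APPLUSER are constructed for illustration.

```python
# Added example: evaluate a constructed profile model against the check text.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access levels, ascending
rank = LEVELS.index

# Group IDs taken from the page's sample PERMIT commands for ASSERTION/CKFREEZE/UNLOAD.
READ_IDS = {"AUDTAUDT", "AUTOAUDT", "SECAAUDT", "SECDAUDT", "SECBAUDT", "TSTCAUDT"}
UPDATE_IDS = {"SECAAUDT", "SECDAUDT", "SECBAUDT", "SYSPAUDT"}

def check_profile(p, read_ids=READ_IDS, update_ids=UPDATE_IDS):
    """Return a list of finding strings; an empty list means 'not a finding'."""
    findings = []
    if p["uacc"] != "NONE":
        findings.append(f"UACC({p['uacc']}) allows general access")
    if p.get("warning"):
        findings.append("WARNING mode lets failed checks through")
    if p.get("global_access", "NONE") != "NONE":
        findings.append("global access table entry grants access")
    for ident, access in p["acl"].items():
        if access == "NONE":
            continue
        if ident == "*":
            findings.append(f"ID(*) has {access}")
        elif rank(access) >= rank("UPDATE") and ident not in update_ids:
            findings.append(f"{ident} has {access} but is not approved for UPDATE or higher")
        elif ident not in read_ids | update_ids:
            findings.append(f"{ident} has {access} but is not approved for READ")
    # AUDIT(SUCCESS(x)) logs successes at level x and above; FAILURES(READ) logs every failure.
    succ = p["audit"].get("success", "NONE")
    fail = p["audit"].get("failures", "NONE")
    if succ == "NONE" or rank(succ) > rank("UPDATE"):
        findings.append("successful UPDATE and higher access is not fully logged")
    if fail != "READ":
        findings.append("not all failed access is logged")
    return findings

# Constructed sample profiles (hypothetical model, not RACF command output).
GOOD = {"uacc": "NONE", "warning": False,
        "acl": {"AUDTAUDT": "READ", "SECAAUDT": "ALTER", "SYSPAUDT": "ALTER"},
        "audit": {"success": "UPDATE", "failures": "READ"}}
BAD = {"uacc": "READ", "warning": True,
       "acl": {"*": "READ", "AUDTAUDT": "UPDATE", "APPLUSER": "READ"},
       "audit": {"success": "ALTER", "failures": "UPDATE"}}

if __name__ == "__main__":
    for name, prof in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_profile(prof) or "not a finding")
```

The same function covers the other data set groups by passing the ID sets from their own PERMIT commands as `read_ids` and `update_ids`.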