Access to IBM Security zSecure program resources must be limited to authorized users.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259732	ZSEC-00-000120	SV-259732r943254_rule		Medium

Description
Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile.

STIG	Date
IBM zSecure Suite Security Technical Implementation Guide	2024-01-18

Details

Check Text ( C-63471r943253_chk )
If the profiles protecting zSecure program resources do not allow general access by means of UACC, ID(),WARNING, or global access, this is not a finding. Review profile(s) protecting CKF.* resources in XFACILIT class. If READ and higher access to any other CKF. profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing External Security Manager (ESM) maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKN.* resources in XFACILIT class. If READ and higher access to any other CKNADMIN., and CKNDSN., profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKG. resources in XFACILIT class. If READ and higher access to any other CKG.CMD., CKG.RAC., CKG.SCHEDULE., CKG.SCP., CKG.SCPASK.,CKG.UCAT., or CKG.USRDATA. profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKR. resources in XFACILIT class. If READ and higher access to any other CKR.ACTION., CKR.CKRCARLA.APF, CKR.CKXLOG., CKR.OPTION., or CKR.READALL profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. If zSecure is used, review profile(s) protecting C2R. resources in XFACILIT class. If READ and higher access to any other C2R.CLIENT. or C2R.SERVER.ADMIN profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2X.** resources in XFACILIT class. If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding. If all failures and successful UPDATE and higher access attempts are logged, this is not a finding.

Check Text ( C-63471r943253_chk )

If the profiles protecting zSecure program resources do not allow general access by means of UACC, ID(*),WARNING, or global access, this is not a finding.

Review profile(s) protecting CKF.** resources in XFACILIT class.

If READ and higher access to any other CKF. profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing External Security Manager (ESM) maintenance, and trusted STC users, this is a finding.

Review profile(s) protecting CKN*.** resources in XFACILIT class.

If READ and higher access to any other CKNADMIN.**, and CKNDSN.**, profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding.

Review profile(s) protecting CKG.** resources in XFACILIT class.

If READ and higher access to any other CKG.CMD.**, CKG.RAC.**, CKG.SCHEDULE.**, CKG.SCP.**, CKG.SCPASK.**,CKG.UCAT.**, or CKG.USRDATA.** profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding.

Review profile(s) protecting CKR.** resources in XFACILIT class.

If READ and higher access to any other CKR.ACTION.**, CKR.CKRCARLA.APF, CKR.CKXLOG.**, CKR.OPTION.**, or CKR.READALL profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding.

If zSecure is used, review profile(s) protecting C2R.** resources in XFACILIT class.

If READ and higher access to any other C2R.CLIENT.** or C2R.SERVER.ADMIN profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding.

Review profile(s) protecting C2X.** resources in XFACILIT class.

If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding.

If all failures and successful UPDATE and higher access attempts are logged, this is not a finding.

Fix Text (F-63378r943254_fix)
Ensure READ and higher access to zSecure program resources is restricted to the appropriate staff members. READ and higher access can be given to security administrators, decentralized security administrators, security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef CKF. uacc(none) owner(zSecure owner) pe CKF. class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.. uacc(none) owner(zSecure owner) pe CKNADMIN.. class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNDSN.... uacc(none) owner(zSecure owner) pe CKNDSN.... class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKG.. uacc(none) owner(zSecure owner) pe CKG.. class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit CKR. uacc(none) owner(zSecure owner) pe CKR.. class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner) pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.CLIENT. uacc(none) owner(zSecure owner) pe C2R.CLIENT.** class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner) pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)

Fix Text (F-63378r943254_fix)

Ensure READ and higher access to zSecure program resources is restricted to the appropriate staff members.

READ and higher access can be given to security administrators, decentralized security administrators, security batch jobs that perform ESM maintenance, and trusted STC users.

The following commands are provided as a sample for implementing zSecure functional resource controls:
rdef CKF. uacc(none) owner(zSecure owner)
pe CKF. class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
rdef xfacilit CKNADMIN.. uacc(none) owner(zSecure owner)
pe CKNADMIN.. class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
rdef xfacilit CKNDSN.... uacc(none) owner(zSecure owner)
pe CKNDSN.... class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
rdef xfacilit CKG..** uacc(none) owner(zSecure owner)
pe CKG..** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ)
rdef xfacilit CKR. uacc(none) owner(zSecure owner)
pe CKR..** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ)
rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner)

pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ)
rdef xfacilit C2R.CLIENT.** uacc(none) owner(zSecure owner)
pe C2R.CLIENT.** class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ)
rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner)
pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)