BMC IOA security exits are not installed or configured properly.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17985	ZIOA0060	SV-32018r1_rule	DCCS-1 DCCS-2 ECSD-1 ECSD-2	Medium

Description
The BMC IOA security exits enable access authorization checking to BMC IOA commands, features, and online functionality. If these exit(s) is (are) not in place, activities by unauthorized users may result. BMC IOA security exit(s) interface with the ACP. If an unauthorized exit was introduced into the operating environment, system security could be weakened or bypassed. These exposures may result in the compromise of the operating system environment, ACP, and customer data.

Description

The BMC IOA security exits enable access authorization checking to BMC IOA commands, features, and online functionality. If these exit(s) is (are) not in place, activities by unauthorized users may result. BMC IOA security exit(s) interface with the ACP. If an unauthorized exit was introduced into the operating environment, system security could be weakened or bypassed. These exposures may result in the compromise of the operating system environment, ACP, and customer data.

STIG	Date
z/OS BMC IOA for RACF STIG	2015-09-28

Details

Check Text ( C-5253r1_chk )
Interview the systems programmer responsible for the BMC IOA. Determine if the site has modified the following security exit(s): IOASE06 IOASE07 IOASE09 IOASE12 IOASE16 IOASE32 IOASE40 IOASE42 Ensure the above security exit(s) has (have) not been modified. If the above security exit(s) has (have) been modified, ensure that the security exit(s) has (have) been approved by the site systems programmer and the approval is on file for examination.

Check Text ( C-5253r1_chk )

Interview the systems programmer responsible for the BMC IOA. Determine if the site has modified the following security exit(s):

IOASE06
IOASE07
IOASE09
IOASE12
IOASE16
IOASE32
IOASE40
IOASE42

Ensure the above security exit(s) has (have) not been modified.

If the above security exit(s) has (have) been modified, ensure that the security exit(s) has (have) been approved by the site systems programmer and the approval is on file for examination.

Fix Text (F-423r1_fix)
The System programmer responsible for the BMC IOA will review the BMC IOA operating environment. Ensure that the following security exit(s) is (are) installed properly. Determine if the site has modified the following security exit(s): IOASE06 IOASE07 IOASE09 IOASE12 IOASE16 IOASE32 IOASE40 IOASE42 Ensure that the security exit(s) has (have) not been modified. If the security exit(s) has (have) been modified, ensure the security exit(s) has (have) been checked as to not violate any security integrity within the system and approval documentation is on file.

Fix Text (F-423r1_fix)

The System programmer responsible for the BMC IOA will review the BMC IOA operating environment. Ensure that the following security exit(s) is (are) installed properly. Determine if the site has modified the following security exit(s):

IOASE06
IOASE07
IOASE09
IOASE12
IOASE16
IOASE32
IOASE40
IOASE42

Ensure that the security exit(s) has (have) not been modified.

If the security exit(s) has (have) been modified, ensure the security exit(s) has (have) been checked as to not violate any security integrity within the system and approval documentation is on file.