UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

CA 1 Tape Management external security options will be specified properly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18014 ZCA1R040 SV-40101r1_rule Medium
Description
CA 1 Tape Management offers multiple external security interfaces that are controlled by parameters specified in TMOOPT00. These interfaces provide security controls for several CA 1 system and user functions. Without proper controls of these sensitive functions, the integrity of the CA 1 Tape Management System and the confidentiality of data stored on tape volumes may be compromised.
STIG Date
z/OS CA 1 Tape Management for RACF STIG 2019-03-26

Details

Check Text ( C-20124r1_chk )
Refer to the following report produced by the z/OS Data Collection:

- CA1RPT(TMSSTATS)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZCA10040)

CA 1 external security utilizing RACF is accomplished in the manner described in this section.

NOTE: The TMOOPTxx member is specified in the TMOSYSxx member in the data set allocated by the TMSPARM DD statement in the TMSINIT STC. By default, the suffix 00 is used for these members. However, overrides can be specified by PARM value(s) on the EXEC statement in the TMSINIT STC and/or in the TMOSYSxx member.

Review the options and values of the below CA 1 parameters. If the options are set to the specified value, this is not a finding.

CA 1 SECURITY OPTIONS - RACF
Option Standard Value
BATCH YES obsolete as of r12.0
CATSEC NO obsolete as of r12.0
CMD YES
CREATE UPDATE see Note 1
DSNB YES
FUNC YES see Note 2
OCEOV NO see Note 3
PMASK Do not specify or change
PSWD YES
SCRTCH NO
SECWTO YES
UNDEF FAIL
UX0AUPD NO see Note 4
YSVC YES

Note 1 The vendor default setting for CREATE option is UPDATE to avoid volume serial number authorization verification. Otherwise, in an environment where volume access rules are not utilized, user access will be denied when creating a tape data set.

Note 2 The FUNC option provides supplementary security for BLP access. The tape label bypass privilege must still be specified in the RACF userid record to allow access to BLP processing.

Note 3 The vendor recommends that OCEOV be set to NO and the RACF SETROPTS option TAPEDSN be active. Be advised that if OCEOV is disabled and RACF TAPEDSN is not active, tape data set protection will not be in effect.

Note 4 The UX0AUPD will specify YES only if you alter the fields in the TMC and the TMSUXxA (for r11.5 and below) or TMSXITA (for r12.0 and above) is changed.
Fix Text (F-258r1_fix)
The systems programmer/IAO will ensure that the CA 1 external security options are specified in accordance with the ACP being used. CA 1 Tape Management ACP security interfaces are controlled by options coded in the TMOOPTxx member identified in the TMOSYSxx member of the data set allocated by the TMSPARM DD statement in the TMSINIT STC. The specific required option settings are dependent on the ACP in use on the system.

CA 1 SECURITY OPTIONS - RACF
OPTION STANDARD VALUE
BATCH YES obsolete as of r12.0
CATSEC NO obsolete as of r12.0
CMD YES
CREATE UPDATE see note 1
DSNB YES
FUNC YES see note 2
OCEOV NO see note 3
PMASK Do not specify or change
PSWD YES
SCRTCH NO
SECWTO YES
UNDEF FAIL
UX0AUPD NO see note 4
YSVC YES

Note 1 The vendor default setting for CREATE option is UPDATE to avoid volume serial number authorization verification. Otherwise, in an environment where volume access rules are not utilized, user access will be denied when creating a tape data set.

Note 2 The FUNC option provides supplementary security for BLP access. The tape label bypass privilege must still be specified in the ACF2 user LID record to allow access to BLP processing.

Note 3 The vendor recommends that OCEOV be set to NO and the RACF SETROPTS option TAPEDSN be active. Be advised that if OCEOV is disabled and RACF TAPEDSN is not active, tape data set protection will not be in effect.

Note 4 The UX0AUPD will specify YES only if you alter the fields in the TMC and the TMSUXxA (for r11.5 and below) or TMSXITA (for r12.0 and above) is changed.