
ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements.


Overview

Finding ID: V-224308
Version: ZCICA011
Rule ID: SV-224308r520246_rule
IA Controls:
Severity: Medium
Description
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter data sets (i.e., product, security) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
STIG: z/OS IBM CICS Transaction Server for ACF2 Security Technical Implementation Guide
Date: 2022-10-06

Details

Check Text (C-25985r520244_chk)
a) Refer to the following report produced by the ACF2 Data Collection:

- SENSITVE.RPT(CICSRPT)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) UPDATE and/or ALLOCATE access to the ACF2/CICS parameter data set, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel.

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.
Fix Text (F-25973r520245_fix)
The IAO will ensure that update and allocate access to the ACF2/CICS parameter data set is limited to system programmers and security personnel.

Review the access authorizations for CICS system data sets.

UPDATE and/or ALLOCATE access to the ACF2/CICS parameter data set, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel.

Example:

$KEY(S3C)
$PREFIX(SYS3)
CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(*) PREVENT

SET RULE
COMPILE 'ACF2.MVA.DSNRULES(S3C)' STORE
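
The check in (b), as an added example that is not part of the STIG: a Python script that reads rule entries in the format shown above and flags any entry granting write or allocate access to a UID outside an approved list. It assumes A (allow) and L (allow and log) both grant access, that an entry with no permission or with PREVENT denies it, and that UID strings are compared literally rather than by ACF2 mask matching; the approved list and the `appdev` entry are constructed for illustration.

```python
import re

# Assumption: UID strings approved for write/allocate, taken from the example above.
APPROVED_UIDS = {"syspaudt", "secaaudt"}

# Constructed sample: the example rule set plus one over-permissive entry (appdev).
SAMPLE_RULES = """\
$KEY(S3C)
$PREFIX(SYS3)
CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(appdev) R(A) W(A) E(A)
CICSTS.SYSIN UID(*) PREVENT
"""

PERM_RE = re.compile(r"\b([RWAE])\(([ALP])\)")  # R/W/A/E with Allow, Log or Prevent
UID_RE = re.compile(r"\bUID\(([^)]*)\)")


def parse_rule_line(line):
    """Return (dsn_mask, uid, perms) for a rule entry, or None for control lines."""
    line = line.strip()
    if not line or line.startswith("$"):
        return None  # blank line, $KEY or $PREFIX
    uid = UID_RE.search(line)
    if uid is None:
        return None
    perms = dict(PERM_RE.findall(line))  # e.g. {"R": "A", "W": "L"}
    return line.split()[0], uid.group(1), perms


def find_violations(rule_text, approved=APPROVED_UIDS):
    """List entries that grant write (W) or allocate (A) to an unapproved UID."""
    findings = []
    for line in rule_text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        dsn, uid, perms = parsed
        granted = [p for p in ("W", "A") if perms.get(p) in ("A", "L")]
        if granted and uid not in approved:
            findings.append((dsn, uid, granted))
    return findings


if __name__ == "__main__":
    for dsn, uid, granted in find_violations(SAMPLE_RULES):
        print(f"FINDING: {dsn} UID({uid}) grants {'/'.join(granted)}")
```

An empty result corresponds to NO FINDING in step (c); any returned entry corresponds to a FINDING in step (d).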