Maintenance USERIDs are improperly controlled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-290	RACF0680	SV-290r3_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2	Medium

Description
DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.

Description

DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.

STIG	Date
z/OS RACF STIG	2015-03-27

Details

Check Text ( C-54513r1_chk )
Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup data sets and associated storage management userids. Review storage management userids, If the following guidance is true, this is not a finding. ___ Storage management userids will not be given the OPERATIONS attribute. __ Storage management userids will be defined with the PROTECTED attribute. ___ Storage management userids are permitted to the appropriate STGADMIN profiles in the FACILITY class for SMS-managed volumes. ___ Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using DASDVOL and/or GDASDVOL profiles for non-SMS-managed volumes. NOTE: DASDVOL profiles will not work with SMS-managed volume. FACILITY class profiles must be used instead. If DFSMS/MVS is used to perform DASD management operations, FACILITY class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using DASDVOL profiles. Therefore, not all volumes may be defined to the DASDVOL/GDASDVOL resource classes, and not all storage management userids may be represented in the profile access lists.

Check Text ( C-54513r1_chk )

Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)

Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup data sets and associated storage management userids.

Review storage management userids, If the following guidance is true, this is not a finding.

___ Storage management userids will not be given the OPERATIONS attribute.

__ Storage management userids will be defined with the PROTECTED attribute.

___ Storage management userids are permitted to the appropriate STGADMIN profiles in the FACILITY class for SMS-managed volumes.

___ Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using DASDVOL and/or GDASDVOL profiles for non-SMS-managed volumes.

NOTE: DASDVOL profiles will not work with SMS-managed volume. FACILITY class profiles must be used instead. If DFSMS/MVS is used to perform DASD management operations, FACILITY class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using DASDVOL profiles. Therefore, not all volumes may be defined to the DASDVOL/GDASDVOL resource classes, and not all storage management userids may be represented in the profile access lists.

Fix Text (F-57515r2_fix)
Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. Ensure that storage management userids do not possess the OPERATIONS attribute. A sample command to accomplish this is shown here: ALU NOOPERATIONS Ensure that storage management userids possess the PROTECTED attribute. A sample command to accomplish this is shown here: ALU NOPASS NOOIDCARD Ensure that storage management userids are permitted to the appropriate STGADMIN profiles in the FACILITY class for SMS-managed volumes. Ensure that storage management userids are permitted to appropriate DASDVOL profiles for non-SMS-managed volumes.

Fix Text (F-57515r2_fix)

Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required.

Ensure that storage management userids do not possess the OPERATIONS attribute. A sample command to accomplish this is shown here: ALU NOOPERATIONS

Ensure that storage management userids possess the PROTECTED attribute. A sample command to accomplish this is shown here: ALU NOPASS NOOIDCARD

Ensure that storage management userids are permitted to the appropriate STGADMIN profiles in the FACILITY class for SMS-managed volumes.

Ensure that storage management userids are permitted to appropriate DASDVOL profiles for non-SMS-managed volumes.