DASD Volume level protection does not exist or is improperly defined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-298	RACF0760	SV-298r2_rule	DCCS-1 DCCS-2	Medium

Description
Volume access grants default access to all data sets residing on a given volume. This presents an exposure in the case of a data set improperly placed on a volume or inappropriate access being granted to a volume.

STIG	Date
z/OS RACF STIG	2015-03-27

Details

Check Text ( C-19679r1_chk )
a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup files and all associated storage management userids. b) Ensure the following items are in effect regarding DASD volume controls: 1) A profile of ‘*’ is defined to the DASDVOL resource class. 2) Access authorization to DASDVOL profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers. 3) All profiles defined to the DASDVOL resource class have UACC(NONE). 4) The profile WARNING flag is NO. NOTE: Volume authorization allows access to all data sets on the volume thru the use of storage management utilities, regardless of data set profile authorization. Access to operating system and general user storage volumes should be questioned. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.

Check Text ( C-19679r1_chk )

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)

Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup files and all associated storage management userids.

b) Ensure the following items are in effect regarding DASD volume controls:

1) A profile of ‘*’ is defined to the DASDVOL resource class.
2) Access authorization to DASDVOL profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers.
3) All profiles defined to the DASDVOL resource class have UACC(NONE).
4) The profile WARNING flag is NO.

NOTE: Volume authorization allows access to all data sets on the volume thru the use of storage management utilities, regardless of data set profile authorization. Access to operating system and general user storage volumes should be questioned.

c) If both items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.

Fix Text (F-18017r1_fix)
Develop a plan of action to implement the required changed. 1. Define profiles in the DASDVOL class. A sample command is provided here: RDEF DASDVOL ** UACC(NONE) OWNER() AUDIT(ALL(READ)). 2. More specific DASDVOL profiles should be defined to protect groups of DASDVOLs. A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here: RDEF DASDVOL SYS* UACC(NONE) OWNER() AUDIT(ALL(READ)). 3. Permission can be granted to DASDVOL profiles. A sample command is provided here: PE SYS* CLASS(DASDVOL) ID() ACCESS(ALTER) 4. If any profiles are in WARN Mode, they should be reset. A sample command is provided here: RALT DASDVOL NOWARN. 5. Note that the GDASDVOL class can also be used. See the RACF Security Admin Guide for more info.

Fix Text (F-18017r1_fix)

Develop a plan of action to implement the required changed.

1. Define profiles in the DASDVOL class. A sample command is provided here: RDEF DASDVOL ** UACC(NONE) OWNER() AUDIT(ALL(READ)).

2. More specific DASDVOL profiles should be defined to protect groups of DASDVOLs. A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here:
RDEF DASDVOL SYS* UACC(NONE) OWNER() AUDIT(ALL(READ)).

3. Permission can be granted to DASDVOL profiles. A sample command is provided here: PE SYS* CLASS(DASDVOL) ID() ACCESS(ALTER)

4. If any profiles are in WARN Mode, they should be reset. A sample command is provided here: RALT DASDVOL NOWARN.

5. Note that the GDASDVOL class can also be used. See the RACF Security Admin Guide for more info.