
Database management systems must interface with the access control product to perform identification and authentication.


Overview

| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-32 | ZDBM0010 | SV-32r3_rule | DCCS-1, DCCS-2, ECCD-1, ECCD-2 | High |

Description
Data Base Management Systems (DBMS) provide the facilities to design, create, update, access and manage database files. Unauthorized access to these facilities could potentially compromise the operating system and customer data.
STIG Date
z/OS RACF STIG 2015-03-27

Details

Check Text (C-49264r1_chk)
Review the production proclibs to identify the installed DBMS.

Refer to the vendor documentation for the related DBMS to identify the specific parameter settings necessary for activating I&A (Identification and Authentication) by the ACP (access control product).

If I&A is being done by the ACP, this is not a finding.

Fix Text (F-18247r1_fix)
Evaluate the impact associated with correcting the deficiency, and develop a plan of action to implement the changes as required.

Most database management systems require users to identify themselves by supplying a logonid and password before accessing the database system. This method provides a good defense against unauthorized access to the system.

Securing the use of database options, resources, and processes is crucial. All database functions (such as commands, transactions, and interactive options) should be reviewed for potential security exposures and to prevent unauthorized use. For example, only the database administrator should be allowed access to all the internal facilities used to manage and administer the database management system.

The informational data in the database should be protected against unauthorized access. Operating system level data set controls for the database data sets are essential, but these controls are not enough. Users should not have complete access to all the data in a DBMS just because they have access to the OS data sets. Consideration should be given to securing the internal data structures, such as tables or files, within the OS data sets. This level of protection is usually handled by the internal security within the database product.

Use the following recommendations when securing access to database management systems:

(1) Control user access to the software product's data sets, and restrict access only to authorized personnel.

(2) All database systems in use at the DOD sites will interface with the system ACP to perform I&A validation. Any DBMS incapable of using the ACP to accomplish I&A will be phased out.