IDMS is not using external security and/or the resource class is not configured properly to the IDMS-CV

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-45	ZIDM0010	SV-45r2_rule	DCCS-1 DCCS-2	Medium

Description
IDMS is a database management system that provides the facilities to design, create, access, and manage database files. The improper implementation of resource controls could result in the compromise of the confidentiality, integrity, and availability of the IDMS region, applications, and customer data.

STIG	Date
z/OS RACF STIG	2015-03-27

Details

Check Text ( C-3286r1_chk )
IDMS External Security a) Refer to the following report produced by the IDMS Data Collection: - SRTTDUMP(SRTTnn) b) This checklist item will verify two values, the first check is to make sure that the IDMS Central Version (CV) is using an external ACP for Signon processing. The second check is to verify that the correct EXTCLS or resource class has been specified. Browse the SRTTnn report(s), where nn is a number between 01 and 99 that the reviewer assigned in the data collection portion of the SRR. Determine if EXTERNAL security is being used. In the TEXT representation of the dump, located on the right-hand side, locate the following string: SGON.SIGNON Once found, locate the HEX representation of the string directly to the left of the TEXT representation. Three FULLWORDS (4 bytes per word) of blanks (HEX representation is 40 for a blank) follow the end of the string (for a total of 12 blanks or 12 iterations of 40). The very next byte (or 2 HEX characters) will contain one of the following: NOTE: Alternatively, this field is located at offset x‘824’ from the beginning of the module (record sequence number 6). x’00’ - Indicates that security has been turned off. x’01’ - Indicates INTERNAL security is being used. x’02’ - Indicates EXTERNAL security is being used. c) If the value found in the dump is x‘02’, there is NO FINDING. d) If the value found in the dump is x‘00’ or x‘01’, this is a FINDING. Determine if the standard resource class value has been specified. Check the value of the field starting at offset x’869’ from the beginning of the module (record sequence 6). The value should be #IDMSGON for RACF, SGO for ACF2, or IDMSSGON for TSS. e) If the value found in the dump is correct, there is NO FINDING. f) If the value found in the dump is not correct, this is a FINDING. NOTE: If the only finding is that the ACP standard value is not used for the resource class name, this is not a finding. Also, the reviewer should make a note of this value, as it will be needed elsewhere in the IDMS checklist.

Check Text ( C-3286r1_chk )

IDMS External Security

a) Refer to the following report produced by the IDMS Data Collection:

- SRTTDUMP(SRTTnn)

b) This checklist item will verify two values, the first check is to make sure that the IDMS Central Version (CV) is using an external ACP for Signon processing. The second check is to verify that the correct EXTCLS or resource class has been specified.

Browse the SRTTnn report(s), where nn is a number between 01 and 99 that the reviewer assigned in the data collection portion of the SRR.

Determine if EXTERNAL security is being used.

In the TEXT representation of the dump, located on the right-hand side, locate the following string:

SGON.SIGNON

Once found, locate the HEX representation of the string directly to the left of the TEXT representation.

Three FULLWORDS (4 bytes per word) of blanks (HEX representation is 40 for a blank) follow the end of the string (for a total of 12 blanks or 12 iterations of 40). The very next byte (or 2 HEX characters) will contain one of the following:

NOTE: Alternatively, this field is located at offset x‘824’ from the beginning of the module (record sequence number 6).

x’00’ - Indicates that security has been turned off.
x’01’ - Indicates INTERNAL security is being used.
x’02’ - Indicates EXTERNAL security is being used.

c) If the value found in the dump is x‘02’, there is NO FINDING.

d) If the value found in the dump is x‘00’ or x‘01’, this is a FINDING.

Determine if the standard resource class value has been specified.

Check the value of the field starting at offset x’869’ from the beginning of the module (record sequence 6). The value should be #IDMSGON for RACF, SGO for ACF2, or IDMSSGON for TSS.

e) If the value found in the dump is correct, there is NO FINDING.

f) If the value found in the dump is not correct, this is a FINDING.

NOTE: If the only finding is that the ACP standard value is not used for the resource class name, this is not a finding. Also, the reviewer should make a note of this value, as it will be needed elsewhere in the IDMS checklist.

Fix Text (F-18263r1_fix)
Verify that external security is being specified in the assembly of the SECRTT macro and that the resource is properly specified. IDMS security starts with load module RHDCSRTT, also known as the SRTT (Security Resource Type Table). This module comes with IDMS and initially contains default values. The values the module contains are changed through modification and assembly of the #SECRTT macro. Entries are made in the SRTT that specify what resources are to be secured and how they are to be secured. The SRTT is loaded at IDMS system start up, and can be reloaded dynamically by issuing a DCMT VARY NUCLEUS command for module RHDCSRTT. The scope of the SRTT extends over one or more CA-IDMS systems, depending on the security scheme. Generally, the following is defined in the SRTT: • Each resource type to be secured • The system that enforces security on the resource (internal IDMS or external ACP) • For resources to be secured externally, information that the external security system needs to service a security check request on the resource Resource rules are written for the ACP to arbitrate access to the IDMS regions (central versions [CVs]) based on the resource classes and names specified in the SRTT. Ensure that IDMS is using external security and that the resource to be protected is configured properly to the IDMS-CV. The recommended resource class is SGO for ACF2, #IDMSGON for RACF, and IDMSSGON for TOP SECRET. This field, also referred to as a resource type, is used when coding ACP security rules.

Fix Text (F-18263r1_fix)

Verify that external security is being specified in the assembly of the SECRTT macro and that the resource is properly specified.

IDMS security starts with load module RHDCSRTT, also known as the SRTT (Security Resource Type Table). This module comes with IDMS and initially contains default values. The values the module contains are changed through modification and assembly of the #SECRTT macro. Entries are made in the SRTT that specify what resources are to be secured and how they are to be secured. The SRTT is loaded at IDMS system start up, and can be reloaded dynamically by issuing a DCMT VARY NUCLEUS command for module RHDCSRTT. The scope of the SRTT extends over one or more CA-IDMS systems, depending on the security scheme. Generally, the following is defined in the SRTT:

• Each resource type to be secured

• The system that enforces security on the resource (internal IDMS or external ACP)

• For resources to be secured externally, information that the external security system needs to service a security check request on the resource

Resource rules are written for the ACP to arbitrate access to the IDMS regions (central versions [CVs]) based on the resource classes and names specified in the SRTT.

Ensure that IDMS is using external security and that the resource to be protected is configured properly to the IDMS-CV.

The recommended resource class is SGO for ACF2, #IDMSGON for RACF, and IDMSSGON for TOP SECRET. This field, also referred to as a resource type, is used when coding ACP security rules.