
Each IDMS CV is not uniquely defined to the ACP IDMS resource class.


Overview

Finding ID: V-6907
Version: ZIDM0014
Rule ID: SV-7202r2_rule
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
Severity: Medium
Description
IDMS is a database management system that provides the facilities to design, create, access, and manage database files. The improper implementation of resource controls could result in the compromise of the confidentiality, integrity, and availability of the IDMS region, applications, and customer data.
STIG Date
z/OS RACF STIG 2015-03-27

Details

Check Text (C-20322r1_chk)
Check for ACF2

a) Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(IDMSSGON)
- ACF2CMDS.RPT(RESOURCE)

Refer to the IDMS Worksheet in the z/OS STIG Addendum. Copy it and fill out the information for each IDMS CV running on this LPAR.

b) If the TYPE(SGO) is defined, there is NO FINDING.

c) If each IDMS Central Version (CV) is defined to the TYPE(SGO), there is NO FINDING.

NOTE: The resource name is the IDMS SYSTEM ID specified when the IDMS CV is generated.

d) If (b) or (c) above is untrue, this is a FINDING.
Fix Text (F-18264r1_fix)
Have the IAO ensure that each IDMS CV is uniquely defined to the ACP IDMS resource class.

Please refer to the CA-IDMS Security Administration Guide for further details on coding the #SECRTT macro.

In addition to the resource class, the value for what is generally referred to as resource name must be specified. The resource name uniquely identifies each IDMS CV, and is the value specified for SYSTEM ID on the SYSTEM statement specified when the IDMS CV is generated. This SYSTEM ID should match the userid assigned to the CV. The SYSTEM statement is coded as follows:

MOD SYSTEM 120 SYSTEM ID IS resource name

For example, if the resource name is IDMSD:

MOD SYSTEM 120 SYSTEM ID IS IDMSD

Each CV will have a unique name within the LPAR so that access granted for a specific CV does not automatically give access to other CVs.

Note:

IDMS also requires that the last entry made in the #SECRTT macro must specify TYPE=FINAL. Do not change this.
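
The cross-check described above can be scripted once the worksheet is filled out. The following is an added example, not part of the STIG or of any CA tooling: it parses the SYSTEM ID from each CV's SYSTEM statement in the form shown in the fix text and reports CVs that are not defined to the resource class, share a SYSTEM ID, or whose SYSTEM ID differs from the assigned userid. It goes beyond check steps (b) and (c) by also testing the uniqueness and userid expectations from the fix text. The worksheet layout, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Statement form taken from the fix text: MOD SYSTEM 120 SYSTEM ID IS IDMSD
SYSTEM_RE = re.compile(r"^\s*MOD\s+SYSTEM\s+\d+\s+SYSTEM\s+ID\s+IS\s+(\S+)\s*$", re.I)

def system_id(statement):
    """Return the SYSTEM ID named in a SYSTEM statement, or None if absent."""
    m = SYSTEM_RE.match(statement)
    return m.group(1).rstrip(".").upper() if m else None

def audit(worksheet, defined_resources):
    """Return a list of findings; an empty list means NO FINDING.

    worksheet: one dict per CV on the LPAR (hypothetical layout).
    defined_resources: resource names defined to the IDMS resource class,
    or None when the resource class itself is not defined.
    """
    if defined_resources is None:
        return ["IDMS resource class is not defined"]
    defined = {name.upper() for name in defined_resources}
    sids = [system_id(row["statement"]) for row in worksheet]
    seen = Counter(s for s in sids if s)
    findings = []
    for row, sid in zip(worksheet, sids):
        cv = row["cv"]
        if sid is None:
            findings.append(f"{cv}: no SYSTEM ID in SYSTEM statement")
            continue
        if seen[sid] > 1:
            findings.append(f"{cv}: SYSTEM ID {sid} is shared with another CV")
        if sid not in defined:
            findings.append(f"{cv}: {sid} is not defined to the resource class")
        if sid != row["userid"].upper():
            findings.append(f"{cv}: SYSTEM ID {sid} does not match userid {row['userid']}")
    return findings

# Constructed sample data, not taken from a real LPAR.
WORKSHEET = [
    {"cv": "CV-DEV",  "statement": "MOD SYSTEM 120 SYSTEM ID IS IDMSD", "userid": "IDMSD"},
    {"cv": "CV-TEST", "statement": "MOD SYSTEM 121 SYSTEM ID IS IDMST", "userid": "IDMSX"},
    {"cv": "CV-QA",   "statement": "MOD SYSTEM 122 SYSTEM ID IS IDMSD", "userid": "IDMSD"},
    {"cv": "CV-PROD", "statement": "MOD SYSTEM 123 SYSTEM ID IS IDMSP", "userid": "IDMSP"},
]
DEFINED = ["IDMSD", "IDMST"]

if __name__ == "__main__":
    for line in audit(WORKSHEET, DEFINED):
        print("FINDING:", line)
```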