Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-108 | ACP00010 | SV-108r2_rule | DCCS-1 DCCS-2 DCSL-1 ECAR-1 ECAR-2 ECAR-3 | High |
Description |
---|
SYS1.PARMLIB contains the parameters which control system IPL, configuration characteristics, security facilities, and performance. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. |
STIG | Date |
---|---|
z/OS RACF STIG | 2016-06-30 |
Check Text ( C-676r1_chk ) |
---|
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(PARMRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00010) ___ The ACP data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access. ___ The ACP data set rules for SYS1.PARMLIB do not restrict READ, UPDATE and ALTER access to only systems programming personnel. ___ The ACP data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators. ___ The ACP data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors. ___ The ACP data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, this is a FINDING. |
Fix Text (F-25790r1_fix) |
---|
The IAO will ensure that update and alter access to SYS1.PARMLIB is limited to system programmers only and all update and alter access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required The IAO will implement controls to specify the valid users authorized to update the SYS1.PARMLIB concatenation. All update and alter access to libraries in the concatenation will be logged using the ACP's facilities. 1. That systems programming personnel will be authorized to update and alter the SYS1.PARMLIB concatenation. 2. That domain level security administrators can be authorized to update the SYS1.PARMLIB concatenation. 3. That System Level Started Tasks, authorized Data Center personnel, and auditor can be authorized read access by the IAO. 4. That all update and alter access is logged. |