UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected


Overview

Finding ID Version Rule ID IA Controls Severity
V-6977 ZUSS0033 SV-7280r2_rule DCCS-1 DCCS-2 ECCD-1 ECCD-2 Medium
Description
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
STIG Date
z/OS RACF STIG 2016-06-30

Details

Check Text ( C-3926r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(STLLRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZUSS0033)

___ The ACP data set rules for libraries specified in the STEPLIBLIST file allow inappropriate access.

___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel.

___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-18952r1_fix)
Verify with the IAO that update and allocate access to libraries residing in the /etc/steplib is limited to system programmers only.

The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set group id permission bit set. The use of STEPLIBLIST is at the site’s discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.