UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.


Overview

Finding ID Version Rule ID IA Controls Severity
V-122 ACP00170 SV-122r3_rule DCCS-1 DCCS-2 ECAR-1 ECAR-2 ECAR-3 ECCD-1 ECCD-2 High
Description
SYS1.UADS is the data set where emergency USERIDs are maintained. This ensures that logon processing can occur even if the ACP is not functional. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG Date
z/OS RACF STIG 2017-03-22

Details

Check Text ( C-833r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(UADSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00170)

___ The ACP data set rules for SYS1.UADS allow inappropriate access.

___ The ACP data set rules for SYS1.UADS do not restrict ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for SYS1.UADS do not restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel.

___ The ACP data set rules for SYS1.UADS do not specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-17123r1_fix)
SYS1.UADS allocate/alter authority is limited to the systems programming staff. Read and update access should be limited to the security staff. Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS.

The IAO will ensure that allocate access to SYS1.UADS is limited to system programmers only, read and update access to SYS1.UADS is limited to system programmer personnel and/or security personnel and all dataset access is logged.