UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.


Overview

Finding ID Version Rule ID IA Controls Severity
V-296 RACF0740 SV-296r2_rule DCCS-1 DCCS-2 Medium
Description
BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. When BLP is used in z/OS, the only verification that is done is for the data set name in the JCL. Any data set name can be used. A user could specify a data set name that he has access to, the job would pass the validation check, and the job would be processed, giving access to the data. BLP is typically used for tapes that are external to the tape management system used on the processor. BLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.
STIG Date
z/OS RACF STIG 2017-03-22

Details

Check Text ( C-409r1_chk )
a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)

b) Ensure the following items are in effect regarding bypass label processing (BLP):

1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).

2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.)

3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.
Fix Text (F-17983r1_fix)
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.

BLP is controlled thru the FACILITY class profile ICHBLP. Access is removed with the following command:
PE ICHBLP CL(FACILITY) id() DELETE
a subsequent REFRESH of the FACILITY class may be required via the command: SETR RACL(FACILITY) REFRESH