Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-259 | RACF0300 | SV-259r4_rule | Medium |
Description |
---|
The ERASE ALL specifies that data management is to erase all scratched data sets including temporary data sets. NOERASE specifies that no DASD data sets are erased when deleted. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation. |
STIG | Date |
---|---|
z/OS RACF STIG | 2018-12-20 |
Check Text ( C-17760r4_chk ) |
---|
Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0300) For all systems, if the ERASE values are set as follows, this is not a finding. ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS: ERASE-ON-SCRATCH FOR ALL DATA SETS IS IN EFFECT |
Fix Text (F-16879r2_fix) |
---|
The IAO must ensure that ERASE SETROPTS value is set to ERASE(ALL) this allows DASD datasets to be erased when deleted. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: - Issue the RACF Command SETR LIST to show the status of RACF Controls including the status of the ERASE options. - Take the appropriate actions to ensure that the SETR ERASE(ALL) has been issued to enable Erase On Scratch for all datasets. |