UCF STIG Viewer Logo

SYS1.PARMLIB is not limited to only system programmers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-108 ACP00010 SV-108r2_rule DCCS-1 DCCS-2 DCSL-1 ECAR-1 ECAR-2 ECAR-3 High
Description
SYS1.PARMLIB contains the parameters which control system IPL, configuration characteristics, security facilities, and performance. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-676r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(PARMRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00010)

___ The ACP data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ, UPDATE and ALTER access to only systems programming personnel.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors.

___ The ACP data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-25790r1_fix)
The IAO will ensure that update and alter access to SYS1.PARMLIB is limited to system programmers only and all update and alter access is logged.

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required

The IAO will implement controls to specify the valid users authorized to update the SYS1.PARMLIB concatenation. All update and alter access to libraries in the concatenation will be logged using the ACP's facilities.

1. That systems programming personnel will be authorized to update and alter the SYS1.PARMLIB concatenation.
2. That domain level security administrators can be authorized to update the SYS1.PARMLIB concatenation.
3. That System Level Started Tasks, authorized Data Center personnel, and auditor can be authorized read access by the IAO.
4. That all update and alter access is logged.