
Access to SYSTEM DUMP data sets are not limited to system programmers only.


Overview

Finding ID: V-125
Version: ACP00200
Rule ID: SV-125r2_rule
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
Severity: Medium
Description
System DUMP data sets are used to record system data areas and virtual storage associated with system task failures. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text (C-17994r1_chk)
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(DUMPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00200)

___ The ACP data set rules for System Dump data sets allow inappropriate access.

___ The ACP data set rules for System Dump data sets do not restrict READ, UPDATE and/or ALTER access to only systems programming personnel.

___ The ACP data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these dump data sets for debugging purposes.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

The dump data sets displayed by the DD command, along with the dump data sets specified in the DUMPSRV routine, are to be restricted to system programmers unless a letter justifying access is filed with the IAO.
Fix Text (F-17241r1_fix)
The IAO will ensure that access to SYSTEM DUMP data set(s) is limited to system programmers only, unless a letter justifying access is filed with the IAO.

Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets.
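
The Check Text conditions above can be applied mechanically to an access list. The following is an added example, not part of the STIG or of the Data Set and Resource Data Collection. It assumes an abridged listing modelled on RACF LISTDSD AUTHUSER output; the profile name, user IDs and the treatment of UACC(READ) or higher as "inappropriate access" are assumptions.

```python
import re

# Constructed sample, abridged to the fields the check needs (modelled on
# RACF LISTDSD ... AUTHUSER output). Profile name and IDs are hypothetical.
SAMPLE = """\
INFORMATION FOR DATASET SYS1.DUMP* (G)

LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -------- ----------------   -------   -----
 00    SYS1           READ           NO       NO

   ID     ACCESS
--------  -------
SYSPROG    ALTER
APPDEV1    READ
OPER01     UPDATE
HELPDSK    NONE
"""

RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

def parse_listing(text):
    """Return (uacc, {id: access}) from one profile listing."""
    lines = text.splitlines()
    uacc, acl = None, {}
    for i, line in enumerate(lines):
        if "UNIVERSAL ACCESS" in line:
            uacc = lines[i + 2].split()[2]  # value row follows the dashes
        elif re.match(r"\s*ID\s+ACCESS\s*$", line):
            for row in lines[i + 2:]:
                parts = row.split()
                if len(parts) != 2 or parts[1] not in RANK:
                    break
                acl[parts[0]] = parts[1]
    return uacc, acl

def findings(text, sysprogs, justified_read=()):
    """Apply the Check Text conditions; an empty list means NO FINDING."""
    uacc, acl = parse_listing(text)
    out = []
    if uacc is None or RANK[uacc] >= RANK["READ"]:
        out.append(f"UACC({uacc}) gives general access")
    for ident, access in acl.items():
        if ident in sysprogs or RANK[access] < RANK["READ"]:
            continue
        if access == "READ" and ident in justified_read:
            continue  # READ backed by a justification letter filed with the IAO
        out.append(f"{ident} has {access} without being a system programmer")
    return out
```

Pass the set of system programmer IDs as `sysprogs` and the IDs with a justification letter on file as `justified_read`; any returned entry corresponds to a FINDING under item c).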