
Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.


Overview

Finding ID: V-126
Version: ACP00210
Rule ID: SV-126r2_rule
IA Controls: CODB-1, DCCS-1, DCCS-2, ECCD-1
Severity: Medium
Description
System backup data sets are necessary for recovery of DASD resident data sets. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text ( C-5027r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(BKUPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00210)

Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs.

___ The ACP data set rules for system DASD backup files allow inappropriate access.

___ The ACP data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups.

b) If both of the above are untrue, there is NO FINDING.

c) If either of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.
Fix Text (F-17416r1_fix)
Obtain the high-level indexes of the backup data set names and verify that access to them is restricted by the system's ACP to system programmers and batch jobs that perform the backups. If any other userids are specified, make sure that the IAO has documented justification for the access.
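
The UPDATE/ALLOCATE condition and the "cannot be identified" case from the check text can be evaluated mechanically once the backup high-level indexes, the authorized userids and the ACP access entries have been collected. The Python below is an added example, not part of the STIG or its data collection tooling; the tuple input format, all sample names and the treatment of RACF CONTROL and ALTER as restricted levels are assumptions, and userids with IAO-documented justification are expected to be passed in `authorized_ids`.

```python
# UPDATE and ALLOCATE are the check text's terms; CONTROL and ALTER are the
# RACF levels that include update and allocate-level access (assumption that
# the input uses RACF level names).
RESTRICTED = {"UPDATE", "ALLOCATE", "CONTROL", "ALTER"}


def covers(hlq, profile):
    """True when a data set profile falls under a high-level index."""
    return profile == hlq or profile.startswith(hlq + ".")


def evaluate(backup_hlqs, authorized_ids, access_entries):
    """Return (status, violations) for check ACP00210.

    backup_hlqs    -- high-level indexes of the DASD backup data sets
    authorized_ids -- systems programmers and backup batch-job userids
    access_entries -- (profile, userid, access) tuples taken from the ACP
    """
    # Item c): if the data sets cannot be identified, that is a finding.
    if not backup_hlqs or not authorized_ids:
        return "FINDING", ["backup data sets or authorized userids not identified"]

    hlqs = [h.upper() for h in backup_hlqs]
    allowed = {u.upper() for u in authorized_ids}
    violations = []
    for profile, userid, access in access_entries:
        if not any(covers(h, profile.upper()) for h in hlqs):
            continue  # profile does not protect a backup data set
        if access.upper() in RESTRICTED and userid.upper() not in allowed:
            violations.append(f"{userid} has {access} on {profile}")
    return ("FINDING" if violations else "NO FINDING"), violations


# Constructed sample data; every name below is hypothetical.
SAMPLE_HLQS = ["SYS3.BKUP"]
SAMPLE_AUTHORIZED = ["SYSPROG1", "BKUPJOB"]
SAMPLE_ENTRIES = [
    ("SYS3.BKUP.**", "SYSPROG1", "ALTER"),
    ("SYS3.BKUP.**", "BKUPJOB", "UPDATE"),
    ("SYS3.BKUP.**", "AUDITOR1", "READ"),
    ("SYS3.BKUP.**", "DEVUSER7", "UPDATE"),
    ("PROD.PAYROLL.**", "DEVUSER7", "UPDATE"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_HLQS, SAMPLE_AUTHORIZED, SAMPLE_ENTRIES))
```

The broader "inappropriate access" item in the check text still requires reviewer judgement and is not modelled here.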