DASD Management USERIDs must be properly controlled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-290	RACF0680	SV-290r4_rule		Medium

Description
DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.

Description

DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-19567r2_chk )
Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage. Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup data sets and associated storage management userids. Review storage management userids, If the following guidance is true, this is not a finding. ___ Storage management userids will not be given the "OPERATIONS" attribute. ___ Storage management userids will be defined with the "PROTECTED" attribute. ___ Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes. ___ Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes. NOTE: "DASDVOL" profiles will not work with SMS-managed volume. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.

Check Text ( C-19567r2_chk )

Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage.

Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)

Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup data sets and associated storage management userids.

Review storage management userids, If the following guidance is true, this is not a finding.

___ Storage management userids will not be given the "OPERATIONS" attribute.

___ Storage management userids will be defined with the "PROTECTED" attribute.

___ Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.

___ Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes.

NOTE: "DASDVOL" profiles will not work with SMS-managed volume. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.

Fix Text (F-17961r2_fix)
Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage. Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. Ensure that storage management userids do not possess the "OPERATIONS" attribute. A sample command to accomplish this is shown here: ALU NOOPERATIONS Ensure that storage management userids possess the "PROTECTED" attribute. A sample command to accomplish this is shown here: ALU NOPASS NOOIDCARD Ensure that storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes. Ensure that storage management userids are permitted to appropriate "DASDVOL" profiles for non-SMS-managed volumes.

Fix Text (F-17961r2_fix)

Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage.
Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required.

Ensure that storage management userids do not possess the "OPERATIONS" attribute. A sample command to accomplish this is shown here:

ALU NOOPERATIONS

Ensure that storage management userids possess the "PROTECTED" attribute. A sample command to accomplish this is shown here:

ALU NOPASS NOOIDCARD

Ensure that storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.

Ensure that storage management userids are permitted to appropriate "DASDVOL" profiles for non-SMS-managed volumes.