
The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.


Overview

Finding ID: V-296
Version: RACF0740
Rule ID: SV-296r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium
Description
BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. When BLP is used in z/OS, the only verification that is done is for the data set name in the JCL. Any data set name can be used. A user could specify a data set name that he has access to, the job would pass the validation check, and the job would be processed, giving access to the data. BLP is typically used for tapes that are external to the tape management system used on the processor. BLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text (C-409r1_chk)
a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)

b) Ensure the following items are in effect regarding bypass label processing (BLP):

1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).

2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.).

3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.
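
An added example (not part of the STIG or of the RACF Data Collection tooling) that applies check items (b)(1) through (b)(3) to a profile listing. The listing is a constructed, simplified excerpt in the style of RLIST FACILITY ICHBLP AUTHUSER output; the approved-userid list, the set of group names, and the function names are assumptions supplied by the reviewer.

```python
# Constructed, simplified listing in the style of RLIST FACILITY ICHBLP AUTHUSER.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   ICHBLP
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SECADM          NONE              NONE     NO
USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
TAPELIB1  READ     000012
OPER01    READ     000003
DEVGRP    UPDATE   000000
JSMITH    READ     000001
"""
ACCESS_LEVELS = {"NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"}

def parse_rlist(text):
    """Return (uacc, {id: access}) from the listing; uacc is None if absent."""
    uacc, acl, section = None, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or set(line) <= {"-", " "}:
            continue  # blank line or dashed column rule
        if tok[0] == "LEVEL":
            section = "level"
        elif tok[0] == "USER" and "ACCESS" in tok:
            section = "acl"
        elif section == "level" and len(tok) >= 3:
            uacc, section = tok[2], None
        elif section == "acl" and len(tok) >= 2 and tok[1] in ACCESS_LEVELS:
            acl[tok[0]] = tok[1]
    return uacc, acl

def evaluate(text, approved, groups, tape_mgmt_installed, active_classes):
    """Apply check items (b)(1)-(3); an empty result means no finding."""
    uacc, acl = parse_rlist(text)
    findings = []
    if uacc != "NONE":  # (b)(1)
        findings.append(f"ICHBLP UACC is {uacc or 'missing'}, expected NONE")
    for ident, access in sorted(acl.items()):  # (b)(2)
        if access != "NONE" and ident in groups:
            findings.append(f"{ident}: permitted as a group, not at userid level")
        elif access != "NONE" and ident not in approved:
            findings.append(f"{ident}: not on the approved BLP userid list")
    if not tape_mgmt_installed and "TAPEVOL" not in active_classes:  # (b)(3)
        findings.append("no tape management system and TAPEVOL is not active")
    return findings
```

The group-name set would come from the LISTGRP report and the active-class set from the class status report listed in (a); both are passed in as plain Python sets here.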
Fix Text (F-17983r1_fix)
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.

BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:
PE ICHBLP CL(FACILITY) id() DELETE
A subsequent REFRESH of the FACILITY class may be required via the command:
SETR RACL(FACILITY) REFRESH