
MVS data sets for the Base TCP/IP component are not properly protected.


Overview

Finding ID: V-3221
Version: ITCP0070
Rule ID: SV-3221r2_rule
IA Controls: DCCS-1, DCCS-2, ECCD-1
Severity: Medium
Description
MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text (C-3138r1_chk)
a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(TCPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ITCP0070)

b) Ensure the following data set controls are in effect for the Base TCP/IP component:

1) WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).

2) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.

3) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.

4) WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.
Fix Text (F-18180r1_fix)
Review with the IAO the data set access authorizations defined to the ACP for the Base TCP/IP component. Ensure these data sets are protected in accordance with the following rules:

WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).

WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.

WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.

WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.

NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.
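The rules in the check text and fix text above, turned into a checker: an added example, not DISA's or IBM's tooling, that evaluates a constructed, simplified view of RACF DATASET profiles. It assumes the STIG terms map to RACF access levels as WRITE = UPDATE and ALLOCATE = ALTER, that systems programming personnel are connected to an assumed group SYSPROG, and that the profile names, access lists and audit settings are constructed sample data rather than output from any real system.

```python
# Added example (not DISA's or IBM's tooling): evaluate the ITCP0070 data set
# rules against a constructed, simplified view of RACF DATASET profiles.
# Assumed STIG-to-RACF mapping: WRITE -> UPDATE, ALLOCATE -> ALTER.
from dataclasses import dataclass

WRITE_OR_ABOVE = {"UPDATE", "CONTROL", "ALTER"}     # covers WRITE and ALLOCATE
AUDIT_RANK = {"READ": 0, "UPDATE": 1, "CONTROL": 2, "ALTER": 3}
SYSPROG_GROUPS = {"SYSPROG"}                        # assumed sysprog group name

@dataclass
class DatasetProfile:
    name: str                 # discrete or generic profile name
    uacc: str                 # universal access (UACC)
    acl: dict[str, str]       # userid or group -> access level (PERMIT)
    audit_success: str        # AUDIT(SUCCESS(level)), or "NONE"

def write_access_restricted(p, allowed=SYSPROG_GROUPS):
    """Items 1, 2 and 4: only systems programming ids may hold UPDATE or above."""
    findings = []
    if p.uacc in WRITE_OR_ABOVE:
        findings.append(f"{p.name}: UACC({p.uacc}) grants write to everyone")
    for who, level in p.acl.items():
        if level in WRITE_OR_ABOVE and who not in allowed:
            findings.append(f"{p.name}: {who} has {level}")
    return findings

def write_access_logged(p):
    """Item 3: SUCCESS(READ) or SUCCESS(UPDATE) logs UPDATE and ALTER; higher levels miss plain UPDATE."""
    rank = AUDIT_RANK.get(p.audit_success)
    if rank is not None and rank <= AUDIT_RANK["UPDATE"]:
        return []
    return [f"{p.name}: AUDIT(SUCCESS({p.audit_success})) does not log WRITE/ALLOCATE"]

def evaluate(profiles, config_profiles):
    """Empty result means every item in (b) is true: NO FINDING."""
    findings = []
    for p in profiles:
        findings += write_access_restricted(p)
        if p.name in config_profiles:          # logging applies to the config data sets
            findings += write_access_logged(p)
    return findings

# Constructed sample: a target library, the PROFILE data set, and a data set
# named by an INCLUDE statement that inherits the same requirements.
SAMPLE = [
    DatasetProfile("SYS1.TCPIP.SEZA*.**", "NONE", {"SYSPROG": "ALTER", "TCPIP": "READ"}, "NONE"),
    DatasetProfile("TCPIP.PROFILE.TCPIP", "READ", {"SYSPROG": "ALTER"}, "UPDATE"),
    DatasetProfile("TCPIP.PROFILE.INCLUDE", "UPDATE", {"SYSPROG": "ALTER"}, "NONE"),
]
CONFIG_DATA_SETS = {"TCPIP.PROFILE.TCPIP", "TCPIP.PROFILE.INCLUDE"}
```

Running `evaluate(SAMPLE, CONFIG_DATA_SETS)` reports only the INCLUDE data set: its UACC(UPDATE) violates the access rule and its missing SUCCESS audit violates the logging rule.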