Sensitive and critical system data sets exist on shared DASD.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33795	AAMV0500	SV-44220r3_rule	DCCS-2 DCSL-1 ECAN-1 ECCD-1 ECCD-2	Medium

Description
Any time a sensitive or critical system data set is allocated on a shared DASD device, it is critical to validate that it is properly protected on any additional systems that are sharing that device. Without proper review and adequate restrictions to access of these data sets on all systems sharing them, can lead to corruption, integrity and availability of the operating system, ACP, and customer data.

Description

Any time a sensitive or critical system data set is allocated on a shared DASD device, it is critical to validate that it is properly protected on any additional systems that are sharing that device. Without proper review and adequate restrictions to access of these data sets on all systems sharing them, can lead to corruption, integrity and availability of the operating system, ACP, and customer data.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-41843r8_chk )
Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared. Note: In VM issue the command 'QUEUE DASD SYSTEM' this display will show shared volume(s) and indicates the number of systems sharing the volume. Validate all machines that require access to these shared volume(s) have the volume(s) mounted. Obtain a map or list VTOC of the shared volume(s). Check if shared volume(s) contain any critical or sensitive data sets. Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets. If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding. List critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).

Check Text ( C-41843r8_chk )

Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared.

Note: In VM issue the command 'QUEUE DASD SYSTEM' this display will show shared volume(s) and indicates the number of systems sharing the volume.

Validate all machines that require access to these shared volume(s) have the volume(s) mounted.

Obtain a map or list VTOC of the shared volume(s).

Check if shared volume(s) contain any critical or sensitive data sets.

Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets.

If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding.

List critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).

Fix Text (F-6827r4_fix)
The System programming and system configuration personnel will review the list of shared DASD. Validate that identified volumes of shared DASD are still valid within the following. HMC VM z/OS If the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s). The IAO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s). Protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them.

Fix Text (F-6827r4_fix)

The System programming and system configuration personnel will review the list of shared DASD. Validate that identified volumes of shared DASD are still valid within the following.

HMC
VM
z/OS

If the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s).

The IAO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s). Protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them.