z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6977	ZUSS0033	SV-7280r2_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2	Medium

Description
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.

Description

For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-3926r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(STLLRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZUSS0033) ___ The ACP data set rules for libraries specified in the STEPLIBLIST file allow inappropriate access. ___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel. ___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, this is a FINDING.

Check Text ( C-3926r1_chk )

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(STLLRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZUSS0033)

___ The ACP data set rules for libraries specified in the STEPLIBLIST file allow inappropriate access.

___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel.

___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix Text (F-18952r1_fix)
Verify with the IAO that update and allocate access to libraries residing in the /etc/steplib is limited to system programmers only. The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set group id permission bit set. The use of STEPLIBLIST is at the site’s discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.

Fix Text (F-18952r1_fix)

Verify with the IAO that update and allocate access to libraries residing in the /etc/steplib is limited to system programmers only.

The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set group id permission bit set. The use of STEPLIBLIST is at the site’s discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.