IDMS regions (central versions) Userids/ACIDs are not defined to the PROPCNTL resource class.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6908 | ZIDM0032 | SV-8009r2_rule | DCCS-1 DCCS-2 ECCD-1 ECCD-2 | Medium |
| Description |
|---|
| Improperly defined IDMS central versions (CVs) have the potential to bypass security controls and obtain unauthorized access to system resources. This could potentially compromise the confidentiality, integrity, and availability of the operating system, ACP, and customer data. |
| STIG | Date |
|---|---|
| z/OS TSS STIG | 2015-03-27 |
Details
| Check Text ( C-3293r1_chk ) |
|---|
| a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(WHOOPROP) Refer to the IDMS Worksheet in the z/OS STIG Addendum and copy it and fill out the information for each IDMS CV running on this LPAR. b) Ensure the following items are in effect: - ACIDs of IDMS CVs that runs as a started task, have the following: Are owned in the PROPCNTL resource class. - ACIDs of IDMS CVs that runs as a batch job, have the following: Are owned in the PROPCNTL resource class. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING. |
| Fix Text (F-18717r1_fix) |
|---|
| Propagation control must be implemented for each region/CV to ensure that the CV's ACID is not propagated to batch jobs submitted by that region. This is accomplished by defining each IDMS CV ACID to the PROPCNTL resource class. The following command example shows an IDMS CV ACID being owned to the PROPCNTL resource class: TSS ADD(deptacid) PROPCNTL(idms-cv-acid) |