UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DFSMS DFP Resource Ownership is not configured in accordance with security requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6934 ZSMS0014 SV-7353r2_rule DCCS-1 DCCS-2 ECCD-1 ECCD-2 Medium
Description
DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.
STIG Date
z/OS TSS STIG 2015-03-27

Details

Check Text ( C-25959r1_chk )
NOTE: This PDI applies only if USE_RESOWNER(YES) is specified either explicitly or implicitly in the active IGDSMxx member of SYS1.PARMLIB. If USE_RESOWNER(NO) is specified, this FINDING will be marked NOT APPLICABLE.

a) Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(@DIVS)
- TSSCMDS.RPT(@DEPTS)
- TSSCMDS.RPT(@ACIDS)

Provide a list of data set names and/or high-level qualifiers of all DFSMS-controlled data sets.

b) Review the DFP segment of each ACID.

c) If the TSS data set rules for the SMS controlled data sets define a DFP resource owner, there is NO FINDING.

d) If the TSS data set rules for the SMS controlled data sets do not define a DFP resource owner, this is a FINDING.
Fix Text (F-22463r1_fix)
The IAO will ensure that if USE_RESOWNER(YES) is in effect, that each ACP's SMS controlled data sets has a resource owner (RESOWNER) with a DFP segment defined.

NOTE: This PDI applies only if USE_RESOWNER(YES) is specified either explicitly or implicitly in the active IGDSMxx member of SYS1.PARMLIB. If USE_RESOWNER(NO) is specified, this FINDING will be marked NOT APPLICABLE.

Review the ownership of TSS data sets under the control of SMS. Ensure that SMS controlled data sets are define with a DFP resource owner.

For all data set profiles under SMS control, define a resource owner within the DFP segment using the following command as an example. Replace user-id with a user, department, or division, data name with the prefix of the SMS controlled data sets, and resource-id with a userid or control-type user:

TSS ADD(user-id) DSN(data name) RESOWNER(resource-id)