Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-232 | TSS0840 | SV-232r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
DASD management ACIDs require access to backup and restore all files and volumes, and thus present a high degree of risk to the environment. |
STIG | Date |
---|---|
z/OS TSS STIG | 2016-06-30 |
Check Text ( C-27326r1_chk ) |
---|
a) Refer to the following report produced by the TSS Data Collection and Data Set and Resource Data Collection: - TSSCMDS.RPT(@ACIDS) - SENSITVE.RPT(WHOHVOL) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup files and all associated storage management userids. b) Refer to data obtained from the site installation identifying DASD maintenance ACIDs. Review selected ACIDs from data gathered for volume authorizations. Note: SMS utilizes IBMFAC resource class permissions. If DFSMS/MVS is used to perform DASD maintenance operations, IBMFAC permissions may also be used to authorize storage maintenance operations to non-SMS-managed volumes in lieu of using VOLUME permissions. c) If (b) above is complete, there is NO FINDING. d) If (b) above is incomplete, this is a FINDING. ACIDs assigned to production storage maintenance tasks, such as DASD management, will be granted the appropriate authorizations necessary to perform their functions. Apply the following controls to storage management ACIDs: (1) Define all batch ACIDs to the BATCH facility. (2) Permit access to sensitive programs and utilities using program protection controls, such as the PROGRAM resource class and program pathing. Note: As long as only authorized users are being granted access, program pathing is not required. (3) Permit data set access for backup, recovery, and compaction using the VOLUME resource class. Depending on the storage management software, some data set level checking may be performed under certain conditions. For such instances, the appropriate data set access authorization should be granted. Refer to the vendor's product documentation for specific requirements. |
Fix Text (F-23397r1_fix) |
---|
Ensure that maintenance ACIDs are controlled through the use of the VOLUME resource class. SMS does not utilize VOLUME permissions for SMS-managed volumes. IBMFAC permissions must be used instead. If DFSMS/MVS is used to perform DASD maintenance operations, IBMFAC permissions may also be used to authorize storage maintenance operations to non-SMS-managed volumes in lieu of using VOLUME permissions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. ACIDs assigned to production storage maintenance tasks, such as DASD management, will be granted the appropriate authorizations necessary to perform their functions. Apply the following controls to storage management ACIDs: (1) Define all batch ACIDs to the BATCH facility. (2) Permit access to sensitive programs and utilities using program protection controls, such as the PROGRAM resource class and program pathing. Note: As long as only authorized users are being granted access, program pathing is not required. (3) Permit data set access for backup, recovery, and compaction using the VOLUME resource class. Depending on the storage management software, some data set level checking may be performed under certain conditions. For such instances, the appropriate data set access authorization should be granted. Refer to the vendor's product documentation for specific requirements. |