Check: IDMS-DB-000030
CA IDMS STIG:
IDMS-DB-000030
(in versions v1 r1 through v1 r2)
Title
IDMS must allow only authorized users to sign on to an IDMS CV. (Cat I impact)
Discussion
Unauthorized users signing on to IDMS pose varying amounts of risk depending upon how well the IDMS resources in an IDMS CV are secured. Until the IDMS sign-on resource type (SGON) is secured, anyone can sign on to IDMS. This risk is mitigated by securing the SGON resource.
Check Content
Examine load module RHDCSRTT by executing the CA IDMS utility IDMSSRTD, or by issuing the command "DCMT DISPLAY SRTT" while signed on to the CV, and review the output. Note that this requires PTFs SO07995 and SO09476.

Look for a #SECRTT statement with the string "RESTYPE=SGON" and SECBY=EXTERNAL. If no "RESTYPE=SGON" is found, or "SECBY=OFF" or "SECBY=INTERNAL" is specified, this is a finding.

Execute an external security manager (ESM) resource access list for resource "SGON" for each CV on the system. If the resource access is not restricted to only users authorized in the site security plan, this is a finding.
Fix Text
In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process, such as this example (the X is the assembler continuation mark in column 72):

         #SECRTT TYPE=ENTRY,                                            X
               RESTYPE=SGON,                                            X
               SECBY=EXTERNAL,                                          X
               EXTCLS='CA@IDMS',                                        X
               EXTNAME=(RESTYPE,RESNAME)

The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV, issue the command "SIGNON DICT SYST", and then issue the command "DISP SYS nnn", where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME.

Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:

    TSS PER(user_id) CA@IDMS(SGON.your_extname)

In ACF2:

    $KEY(SGON.your_extname) TYPE(CA@IDMS)
    UID(user_id) ALLOW

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:

    DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
    DCMT VARY NUCLEUS RELOAD
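The script below is an added example, not part of the STIG text or of CA IDMS, that automates the Check Content rule against RHDCSRTT assembler source rather than against DCMT DISPLAY SRTT output (whose layout the STIG does not reproduce). It parses #SECRTT statements using standard assembler card conventions (continuation mark in column 72, continued operands from column 16), reports a finding when no RESTYPE=SGON entry exists or when its SECBY is anything other than EXTERNAL, and builds the ESM resource name to permit. Assumptions: the sample tables are constructed from the Fix Text example; RESTYPE=TASK is assumed to be a valid unrelated resource type and only exercises the filter; a missing SECBY is conservatively reported like SECBY=OFF; the EXTNAME fields are assumed to be joined with periods, as the SGON.your_extname rule examples read; and SYST0071 is a made-up CV system name.

```python
"""Audit RHDCSRTT source for IDMS-DB-000030 (SGON must be SECBY=EXTERNAL).

Added example, not STIG or CA IDMS code. Parses #SECRTT macro statements
(continuation mark in column 72, continued operands from column 16) and
applies the Check Content rule. All sample source here is constructed.
"""
import re

CONT = " " * 15  # continued operands begin in column 16


def _card(text: str, cont: bool = False) -> str:
    """Lay out one assembler card, placing the continuation mark in column 72."""
    assert len(text) <= 71, text
    return text.ljust(71) + ("X" if cont else "")


def _sgon_entry(secby: str) -> list[str]:
    """Constructed SGON entry modelled on the Fix Text example."""
    return [
        _card("         #SECRTT TYPE=ENTRY,", cont=True),
        _card(CONT + "RESTYPE=SGON,", cont=True),
        _card(CONT + f"SECBY={secby},", cont=True),
        _card(CONT + "EXTCLS='CA@IDMS',", cont=True),
        _card(CONT + "EXTNAME=(RESTYPE,RESNAME)"),
    ]


COMMENT = "* RHDCSRTT: constructed sample, not a real site's table"
# RESTYPE=TASK is assumed to be a valid, unrelated resource type (filter test).
TASK_ENTRY = _card("         #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=INTERNAL")
COMPLIANT_SRTT = "\n".join([COMMENT, *_sgon_entry("EXTERNAL"), TASK_ENTRY])
OFF_SRTT = "\n".join([COMMENT, *_sgon_entry("OFF"), TASK_ENTRY])
MISSING_SRTT = "\n".join([COMMENT, TASK_ENTRY])


def _operand_field(text: str) -> str:
    """Assembler operands end at the first blank; the rest is a comment."""
    return text.strip().split(" ", 1)[0]


def _split_operands(text: str) -> dict[str, str]:
    """Split KEY=VALUE operands on commas outside parentheses and quotes."""
    fields, buf, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        if ch == "," and depth == 0 and not quoted:
            fields.append(buf)
            buf = ""
        else:
            buf += ch
    fields.append(buf)
    result = {}
    for field in filter(None, fields):
        key, _, value = field.partition("=")
        result[key.strip().upper()] = value.strip().strip("'").upper()
    return result


def parse_secrtt(source: str) -> list[dict[str, str]]:
    """Return one {KEYWORD: value} dict per #SECRTT statement in the source."""
    statements, current = [], None
    for raw in source.splitlines():
        line = raw.ljust(72)
        if line.startswith("*"):  # comment card
            continue
        body, continued = line[:71], line[71] != " "
        if current is None:
            m = re.match(r"\S*\s+#SECRTT\s+(.*)", body)
            if not m:
                continue  # some other macro or instruction
            current = _operand_field(m.group(1))
        else:
            current += _operand_field(body[15:])
        if not continued:
            statements.append(_split_operands(current))
            current = None
    if current is not None:  # source ended in the middle of a statement
        statements.append(_split_operands(current))
    return statements


def check_sgon(source: str) -> tuple[str, str]:
    """Apply the IDMS-DB-000030 rule to one SRTT source; return (status, reason)."""
    sgon = [s for s in parse_secrtt(source)
            if s.get("TYPE") == "ENTRY" and s.get("RESTYPE") == "SGON"]
    if not sgon:
        return "FINDING", "no #SECRTT RESTYPE=SGON entry: anyone can sign on"
    for entry in sgon:
        secby = entry.get("SECBY", "OFF")  # assumption: missing SECBY treated as OFF
        if secby != "EXTERNAL":
            return "FINDING", f"RESTYPE=SGON has SECBY={secby}; EXTERNAL required"
    entry = sgon[0]
    return ("NOT A FINDING", f"SGON secured by ESM class {entry.get('EXTCLS')} "
            f"with EXTNAME={entry.get('EXTNAME')}; now review the ESM access list")


def esm_resource_name(entry: dict[str, str], system_name: str) -> str:
    """ESM resource for signing on to the CV named system_name.

    Assumption: EXTNAME fields are joined with periods (SGON.your_extname).
    """
    values = {"RESTYPE": entry["RESTYPE"], "RESNAME": system_name.upper()}
    return ".".join(values[f.strip()] for f in entry["EXTNAME"].strip("()").split(","))


if __name__ == "__main__":
    for name, src in [("compliant", COMPLIANT_SRTT), ("secby off", OFF_SRTT),
                      ("no sgon entry", MISSING_SRTT)]:
        status, reason = check_sgon(src)
        print(f"{name:14} {status:14} {reason}")
    sgon = next(e for e in parse_secrtt(COMPLIANT_SRTT) if e.get("RESTYPE") == "SGON")
    print("ESM resource to permit:", esm_resource_name(sgon, "SYST0071"))  # made-up CV name
```

A NOT A FINDING result from this script covers only the SRTT half of the check; the ESM access list for the resulting resource (for instance SGON.SYST0071 in class CA@IDMS) still has to be reviewed against the site security plan.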
Additional Identifiers
Rule ID: SV-251584r807619_rule
Vulnerability ID: V-251584
Group Title: SRG-APP-000033-DB-000084
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement