Check: IDMS-DB-000550
CA IDMS STIG:
IDMS-DB-000550
(in versions v1 r2 through v1 r1)
Title
IDMS must reveal security-related messages only to authorized users. (Cat II impact)
Discussion
Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
Check Content
Check that security messages from external security managers (ESMs) are sent only to the log, which can be secured. Log on to the IDMS DC system and issue "DCPROFIL". Scroll to the "OPTION FLAGS" screen. If OPT00051 is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding. Contact the security office and verify that users, groups, and roles are defined to the ESM so that the DC log can only be viewed by the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
Fix Text
In the source for RHDCOPTF, add lines:

    #DEFOPT OPT00051        <-for messages sent to user
    #DEFOPT OPT00226        <-for messages sent to IDMS log

Then, reassemble and relink RHDCOPTF. Reload RHDCOPTF in the CV by issuing the following commands:

    DCMT VARY NUCLEUS MODULE RHDCOPTF NEW COPY
    DCMT VARY NUCLEUS RELOAD

Contact the security office to ensure that ADSOBPLG, the ADS print log utility, is secured via the ESM and assigned to the appropriate users, and that the ADS log file is secured from being read by anyone other than the ISSO, ISSM, SA, and DBA, also via the ESM.
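As an added example (not part of the STIG and not CA IDMS code), a small Python audit that scans an RHDCOPTF source member for the two #DEFOPT statements this check requires before the member is reassembled. It assumes HLASM conventions (a '*' in column 1 marks a comment line, columns 73-80 may hold a sequence field, and the operation code is never in column 1), and the sample member below is constructed.

```python
"""Audit an RHDCOPTF source member for the #DEFOPT entries required by IDMS-DB-000550.

Added example, not part of the STIG or of CA IDMS. Assumed source format: HLASM-style
lines, '*' in column 1 = comment, optional sequence field in columns 73-80, and each
option defined by a '#DEFOPT OPTnnnnn' statement, optionally preceded by a label.
"""
import re

# Options required by this check: OPT00051 governs security messages sent to the
# user, OPT00226 governs security messages sent to the IDMS log.
REQUIRED_OPTIONS = {"OPT00051", "OPT00226"}

# Optional label in column 1, whitespace, the #DEFOPT operation, then the option name.
DEFOPT_RE = re.compile(r"^(?:\S+)?\s+#DEFOPT\s+(OPT\d{5})\b", re.IGNORECASE)


def defined_options(source_lines):
    """Return the option names defined by active (not commented-out) #DEFOPT statements."""
    found = set()
    for line in source_lines:
        stmt = line[:72]  # drop the sequence field in columns 73-80, if present
        if stmt.startswith("*") or not stmt.strip():
            continue  # comment line or blank line
        match = DEFOPT_RE.match(stmt)
        if match:
            found.add(match.group(1).upper())
    return found


def audit_rhdcoptf(source_text):
    """Return the required options that are missing; an empty set means no finding."""
    return REQUIRED_OPTIONS - defined_options(source_text.splitlines())


# Constructed sample member: OPT00051 is active, but OPT00226 survives only as a
# commented-out line, so an administrator who only greps for the name would miss it.
SAMPLE_SOURCE = """\
*   RHDCOPTF - constructed sample member, not a real one
         #DEFOPT OPT00051        <-for messages sent to user            00010000
*        #DEFOPT OPT00226        <-for messages sent to IDMS log        00020000
"""

if __name__ == "__main__":
    missing = audit_rhdcoptf(SAMPLE_SOURCE)
    if missing:
        print("Finding: required options not defined:", ", ".join(sorted(missing)))
    else:
        print("No finding: OPT00051 and OPT00226 are both defined.")
```

The script confirms only that the source defines the options; the DCPROFIL "OPTION FLAGS" screen remains the authoritative check for what the running CV actually loaded.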
Additional Identifiers
Rule ID: SV-251626r807745_rule
Vulnerability ID: V-251626
Group Title: SRG-APP-000267-DB-000163
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001314 | The information system reveals error messages only to organization-defined personnel or roles. |
Controls
Number | Title |
---|---|
SI-11 | Error Handling |