Check: IDMS-DB-000160
CA IDMS STIG:
IDMS-DB-000160
(in versions v1 r2 through v1 r1)
Title
IDMS must protect against the use of numbered exits that change the userid to a shared id. (Cat III impact)
Discussion
Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account. User exits that change userids can be used to hide the true identities of those who may perform an action and should be carefully restricted or eliminated.
Check Content
Issue LOOK PROGRAM=RHDCUXIT. If there are non-zeros in the 12 bytes starting at X'200', exit 27 is being used. If there are non-zeros in the 12 bytes starting at X'20C', exit 28 is being used. Check exits for a change in userid and if there is a change to a shared user ID, this is a finding.
Fix Text
Remove code from exit 27 and/or exit 28 that changes the individual user id to a shared user or remove the exit entirely, then reassemble and relink RHDCUXIT. To implement the new RHDCUXIT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCUXIT NEW COPY DCMT VARY NUCLEUS RELOAD
Additional Identifiers
Rule ID: SV-251596r807655_rule
Vulnerability ID: V-251596
Group Title: SRG-APP-000080-DB-000063
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000166 |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
Controls
Number | Title |
---|---|
AU-10 |
Non-Repudiation |