Check: IDMS-DB-000220
CA IDMS STIG:
IDMS-DB-000220
(in versions v1 r2 through v1 r1)
Title
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks. (Cat II impact)
Discussion
The IDMS SYSGEN must be protected against unauthorized changes. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000378-DB-000365
Check Content
Check the SRTT for the externally secured resource SYST, which allows the SYSGEN to be modified and application program definitions to be added. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing the command "DCMT DISPLAY SRTT" while signed onto the CV, and review the output.

Note: This requires PTFs SO07995 and SO09476.

If "SYST" is not found as the resource type in any of the entries, this is a finding.

If "SYST" is not coded with SECBY=EXTERNAL, this is a finding.

If "SYST" is found to be secured externally, ensure the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.

If the ESM definition is correct but the role(s)/group(s) are not defined correctly to give the appropriate permissions, this is a finding.
Fix Text
The SRTT module must be coded to secure the system. When using an ESM, this could be done in the following manner:

    #SECRTT TYPE=ENTRY,                                            X
          RESTYPE=TASK,                                            X
          SECBY=EXTERNAL,                                          X
          EXTNAME=(RESTYPE,RESNAME),                               X
          EXTCLS='CA@IDMS'
    #SECRTT TYPE=OCCUR,                                            X
          RESTYPE=TASK,                                            X
          RESNAME='SYSGEN',                                        X
          SECBY=EXT

In the EXTNAME above, RESTYPE is changed to "TASK" and RESNAME is changed to "SYSGEN". Ensure the ESM has a corresponding entry to give access to the desired users. For instance, given a system named SYSO187:

In Top Secret:

    TSS PER(user_id) CA@IDMS(TASK.SYSGEN)

In ACF2:

    $KEY(TASK.SYSGEN) TYPE(CA@IDMS)
    UID(user_id) ALLOW

In RACF:

    RDEFINE CA@IDMS SYST UACC(NONE)
    PERMIT TASK.SYSGEN CLASS(CA@IDMS) ID(user_id) ACCESS(READ)

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either cycle any CVs that use the SRTT or issue these commands:

    DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY
    DCMT VARY NUCLEUS RELOAD
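The Check Content above has two parts that can be automated against the #SECRTT source of RHDCSRTT (the macro format shown in the Fix Text): whether an entry for resource type SYST exists, and whether it is secured externally. The checker below is an added example written for this page; it is not CA/Broadcom code and not part of the STIG. It parses #SECRTT macro statements (joining assembler continuation lines marked with a trailing X), reports the two SRTT findings exactly as the check words them, and returns the EXTCLS value so the reviewer knows which ESM resource class to inspect by hand. The sample SRTT sources are constructed; whether the ESM class, role and group definitions are correct still has to be verified in the ESM itself.

```python
"""Added example (not from the STIG or CA/Broadcom): apply the SRTT part of
IDMS-DB-000220 to #SECRTT macro source for RHDCSRTT."""
import re


def _join_continuations(text):
    """Join assembler continuation lines into whole #SECRTT statements.
    Assumption: a continued line ends with a lone non-blank character
    (the column-72 mark, shown as 'X' on the page) after whitespace."""
    stmts, current = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue  # blank or assembler comment line
        mark = re.search(r"\s(\S)$", line)
        if mark:  # continuation: keep operands, drop the mark
            current += line[:mark.start()].strip()
            continue
        current += line.strip()
        stmts.append(current)
        current = ""
    if current:
        stmts.append(current)
    return stmts


def _split_operands(s):
    """Split operands on commas that are outside parentheses and quotes,
    so EXTNAME=(RESTYPE,RESNAME) stays one operand."""
    parts, buf, depth, quoted = [], "", 0, False
    for ch in s:
        if ch == "'":
            quoted = not quoted
        elif ch == "(" and not quoted:
            depth += 1
        elif ch == ")" and not quoted:
            depth -= 1
        if ch == "," and depth == 0 and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    return [p.strip() for p in parts if p.strip()]


def parse_secrtt(text):
    """Return one dict of upper-cased KEY -> VALUE per #SECRTT statement."""
    entries = []
    for stmt in _join_continuations(text):
        m = re.match(r"^(?:(\S+)\s+)?#SECRTT\s+(.*)$", stmt)
        if not m:
            continue  # not a #SECRTT macro call
        ops = {}
        for op in _split_operands(m.group(2)):
            key, _, val = op.partition("=")
            ops[key.strip().upper()] = val.strip().strip("'").upper()
        entries.append(ops)
    return entries


def check_syst(entries):
    """Return the list of findings for the SRTT portion of the check.
    An empty list means SYST is present and secured externally."""
    syst = [e for e in entries
            if e.get("TYPE") == "ENTRY" and e.get("RESTYPE") == "SYST"]
    if not syst:
        return ['"SYST" is not found as the resource type in any of the entries']
    findings = []
    for e in syst:
        secby = e.get("SECBY", "")
        # SECBY=EXTERNAL is required; the page also shows the abbreviation EXT
        if not secby.startswith("EXT"):
            findings.append(f'"SYST" is not coded with SECBY=EXTERNAL (found SECBY={secby or "<missing>"})')
    return findings


def external_class(entries):
    """EXTCLS of the SYST entry: the ESM resource class the reviewer must
    inspect by hand (None if SYST has no EXTCLS operand)."""
    for e in entries:
        if e.get("TYPE") == "ENTRY" and e.get("RESTYPE") == "SYST":
            return e.get("EXTCLS")
    return None


# Constructed sample SRTT sources (not from any real site).
COMPLIANT_SRTT = """\
         #SECRTT TYPE=INITIAL
         #SECRTT TYPE=ENTRY,                                            X
               RESTYPE=SYST,                                            X
               SECBY=EXTERNAL,                                          X
               EXTNAME=(RESTYPE,RESNAME),                               X
               EXTCLS='CA@IDMS'
         #SECRTT TYPE=FINAL
"""
INTERNAL_SRTT = """\
         #SECRTT TYPE=INITIAL
         #SECRTT TYPE=ENTRY,RESTYPE=SYST,SECBY=INTERNAL
         #SECRTT TYPE=FINAL
"""
MISSING_SRTT = """\
         #SECRTT TYPE=INITIAL
         #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=EXTERNAL
         #SECRTT TYPE=FINAL
"""

if __name__ == "__main__":
    for name, src in [("compliant", COMPLIANT_SRTT), ("internal", INTERNAL_SRTT), ("missing", MISSING_SRTT)]:
        entries = parse_secrtt(src)
        print(name, check_syst(entries) or "no SRTT finding", "EXTCLS:", external_class(entries))
```

Feed it the assembled source of your own RHDCSRTT (or the IDMSSRTD listing once you have mapped its columns back to operands); the three sample inputs exercise the compliant case and both SRTT findings named in the check.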
Additional Identifiers
Rule ID: SV-251602r855261_rule
Vulnerability ID: V-251602
Group Title: SRG-APP-000133-DB-000362
Expert Comments
CCIs
Number | Definition
---|---
CCI-001499 | The organization limits privileges to change software resident within software libraries.
CCI-001812 | The information system prohibits user installation of software without explicit privileged status.