CA IDMS STIG Version Comparison
CA IDMS Security Technical Implementation Guide
Comparison
There is 1 difference between versions v1 r1 (Oct. 21, 2021) (the "left" version) and v1 r2 (Oct. 26, 2022) (the "right" version).
Check IDMS-DB-000190 was changed between these two versions. Green, underlined text was added; red, struck-out text was removed.
Text Differences
Title
IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.
Check Content
Examine load module RHDCSRTT by executing the CA IDMS utility IDMSSRTD, or by issuing the command "DCMT DISPLAY SRTT" while signed on to the CV, and review the output. Note: this requires PTFs SO07995 and SO09476. If the ESM specification does not match the RHDCSRTT entry, this is a finding. Validate each of the following entries:
- Access actions such as login: resource type SGON
- Privileged system access: resource types SYST, DB, DMCL, DBTB
- Privileged object access: resource types SLOD, SACC, QUEU
- Privileged program access: resource types TASK, SPGM
If any of these are not secured externally, this is a finding.
Discussion
Audit records provide a tool to help research events within IDMS. IDMS does not produce audit records itself, but when external security is used, records can be produced through the ESM. IDMS relies on the ESM to log organization-defined auditable events. To ensure that all secured actions are logged, those actions must be defined in the IDMS Security Resource Type Table (SRTT) with a security type of external. When IDMS has to perform a given security check, it defers to the ESM to determine the user's authorization, so the auditing functionality of the ESM can be used to track the IDMS security calls. Some organization-defined auditable events are expected to be handled solely by the ESM. These include requirements such as "successful and unsuccessful attempts to modify or delete privileges, security objects, security levels, or categories of information" as well as "account creation, modification, disablement, or termination." For the audit logging of other organization-defined auditable events, IDMS requires the RHDCSRTT security module to be set up so that requests for these events are routed through the ESM, which ensures that they are audited appropriately. The resource types listed under Check Content must be defined with a SECBY type of EXTERNAL in the RHDCSRTT load module to achieve the appropriate level of audit logging. If any of those resource types lacks a definition with a security type of EXTERNAL, this is a finding.
Fix
If any of the required resource types are not defined to the #SECRTT with SECBY=EXTERNAL, update the #SECRTT security module to include the appropriate definitions:
- Access actions such as login: resource type SGON
- Privileged system access: resource types SYST, DB, DMCL, DBTB
- Privileged object access: resource types SLOD, SACC, QUEU
- Privileged program access: resource types TASK, SPGM
To update the #SECRTT entries, change any definitions of SECBY=INTERNAL to SECBY=EXTERNAL for the resources listed above. If any of the resource types are missing, add them. Once the updates are complete, reassemble and link-edit the RHDCSRTT load module. Then confirm that the resource types are referenced appropriately by the external security manager.
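As an added example (not part of the STIG and not CA/Broadcom tooling), the following Python script reviews #SECRTT assembler source against the list above and reports each required resource type that is missing or not SECBY=EXTERNAL. It assumes the #SECRTT macro takes RESTYPE= and SECBY= keywords and that the source follows the usual HLASM layout (label in column 1, continuation flagged in column 72 and resumed in column 16); the embedded sample table, including its EXTCLS/EXTNAME operands, is constructed for the demonstration. Because the STIG check is against the RHDCSRTT load module actually in use, a clean source review is not sufficient on its own; still confirm the installed table with IDMSSRTD or "DCMT DISPLAY SRTT".

```python
"""Review #SECRTT source for IDMS-DB-000190: every required resource type
must be defined with SECBY=EXTERNAL.

Added example for this page; not CA/Broadcom code.  Assumptions: #SECRTT
TYPE=ENTRY statements use RESTYPE= and SECBY=, statements follow HLASM
layout (label in column 1, continuation flag in column 72, continuation
text resumes in column 16), and SAMPLE_SRTT below is constructed.
"""

REQUIRED_EXTERNAL = (
    "SGON",                          # access actions such as login
    "SYST", "DB", "DMCL", "DBTB",    # privileged system access
    "SLOD", "SACC", "QUEU",          # privileged object access
    "TASK", "SPGM",                  # privileged program access
)


def join_continuations(lines):
    """Join HLASM continuation lines into single logical statements."""
    stmts, buf = [], None
    for raw in lines:
        line = raw.ljust(72)
        continued = line[71] != " "          # column 72 non-blank
        body = line[:71]
        if buf is None:
            buf = body.rstrip()
        else:
            buf += body[15:].strip()         # continuation resumes in column 16
        if not continued:
            stmts.append(buf)
            buf = None
    if buf is not None:
        stmts.append(buf)
    return stmts


def split_operands(text):
    """Split a comma-separated operand field, keeping (...) and '...' intact."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                parts.append(cur)
                cur = ""
                continue
        cur += ch
    if cur:
        parts.append(cur)
    return parts


def parse_secrtt(source):
    """Return {RESTYPE: SECBY} for every #SECRTT TYPE=ENTRY statement."""
    entries = {}
    for stmt in join_continuations(source.splitlines()):
        if not stmt.strip() or stmt.startswith("*"):   # blank or comment line
            continue
        # Label present if column 1 is non-blank; the operation is the next token.
        tokens = stmt.split(None, 2) if stmt[0] != " " else [""] + stmt.split(None, 1)
        if len(tokens) < 3 or tokens[1] != "#SECRTT":
            continue
        operands = tokens[2].split(None, 1)[0]          # operand field ends at first blank
        kw = {}
        for op in split_operands(operands):
            if "=" in op:
                k, v = op.split("=", 1)
                kw[k.strip().upper()] = v.strip().upper()
        if kw.get("TYPE") == "ENTRY" and "RESTYPE" in kw:
            entries[kw["RESTYPE"]] = kw.get("SECBY", "")
    return entries


def audit(source, required=REQUIRED_EXTERNAL):
    """Return [(restype, reason)] for each required type that is a finding."""
    entries = parse_secrtt(source)
    findings = []
    for rt in required:
        if rt not in entries:
            findings.append((rt, "no #SECRTT entry"))
        elif entries[rt] != "EXTERNAL":
            findings.append((rt, f"SECBY={entries[rt] or 'unspecified'}, expected EXTERNAL"))
    return findings


def _cont(text):
    """Pad to column 71 and flag continuation in column 72 (HLASM layout)."""
    return text.ljust(71) + "X"


# Constructed sample: DB is secured internally and SPGM is missing.
SAMPLE_SRTT = "\n".join([
    "* Constructed sample RHDCSRTT source, not a real site's table",
    "RHDCSRTT #SECRTT TYPE=INITIAL",
    _cont("         #SECRTT TYPE=ENTRY,RESTYPE=SGON,SECBY=EXTERNAL,"),
    "               EXTCLS='IDMS',EXTNAME=(SGON)    signon to the CV",
    "         #SECRTT TYPE=ENTRY,RESTYPE=SYST,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=DB,SECBY=INTERNAL       finding",
    "         #SECRTT TYPE=ENTRY,RESTYPE=DMCL,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=DBTB,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=SLOD,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=SACC,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=QUEU,SECBY=EXTERNAL",
    "         #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=EXTERNAL",
    "         #SECRTT TYPE=FINAL",
    "         END",
])

if __name__ == "__main__":
    for rt, why in audit(SAMPLE_SRTT):
        print(f"FINDING {rt}: {why}")
```

Run against a site's own source member instead of SAMPLE_SRTT by reading the file and passing its contents to audit(); an empty list means every required type carries SECBY=EXTERNAL in the source reviewed.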