Check: ACF2-ES-000380
IBM z/OS ACF2 STIG:
ACF2-ES-000380
(in versions v9 r2 through v7 r3)
Title
CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. (Cat II impact)
Discussion
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.
Check Content
Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs. If ESM data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups, this is a finding. If READ Access to system backup data sets is not limited to auditors and others approved by the ISSM, this is a finding.
Fix Text
Obtain the high level indexes to backup data sets names define their access to be restricted by the System's ESM to System Programmers and batch jobs that perform the backups. Define READ Access to system backup data sets to be limited to auditors and others approved by the ISSM.
Additional Identifiers
Rule ID: SV-223458r958726_rule
Vulnerability ID: V-223458
Group Title: SRG-OS-000324-GPOS-00125
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002235 |
Prevent non-privileged users from executing privileged functions. |
Controls
Number | Title |
---|---|
AC-6(10) |
Prohibit Non-privileged Users from Executing Privileged Functions |