Title

The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. (Cat II impact)

Discussion

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

Check Content

From the ISPF Command Shell enter: Search all Class(Facility) MASK(ieasymup) For each entity found enter: RL facility <entity> If RACF resources are defined with a default access of NONE, this is not a finding. If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding. If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.

Fix Text

Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access. The following commands are provided as a sample for implementing resource controls: rdef facility ieasymup.* uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') rdef facility ieasymup.symbolname uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') pe ieasymup.symbolname cl(facility) id(<dasdsmpl) acc(u) pe ieasymup.symbolname cl(facility) id(<syspsmpl) acc(u) pe ieasymup.symbolname cl(facility) id(<tapesmpl) acc(u)

Additional Identifiers

Rule ID: SV-223691r877392_rule

Vulnerability ID: V-223691

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.