Title

Access to IBM Security zSecure program resources must be limited to authorized users. (Cat II impact)

Discussion

Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile.

Check Content

If the profiles protecting zSecure program resources do not allow general access by means of UACC, ID(*),WARNING, or global access, this is not a finding. Review profile(s) protecting CKF.** resources in XFACILIT class. If READ and higher access to any other CKF.<focus> profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing External Security Manager (ESM) maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKN*.** resources in XFACILIT class. If READ and higher access to any other CKNADMIN.**, and CKNDSN.**, profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKG.** resources in XFACILIT class. If READ and higher access to any other CKG.CMD.**, CKG.RAC.**, CKG.SCHEDULE.**, CKG.SCP.**, CKG.SCPASK.**,CKG.UCAT.**, or CKG.USRDATA.** profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKR.** resources in XFACILIT class. If READ and higher access to any other CKR.ACTION.**, CKR.CKRCARLA.APF, CKR.CKXLOG.**, CKR.OPTION.**, or CKR.READALL profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. If zSecure is used, review profile(s) protecting C2R.** resources in XFACILIT class. If READ and higher access to any other C2R.CLIENT.** or C2R.SERVER.ADMIN profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2X.** resources in XFACILIT class. If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding. If all failures and successful UPDATE and higher access attempts are logged, this is not a finding.

Fix Text

Ensure READ and higher access to zSecure program resources is restricted to the appropriate staff members. READ and higher access can be given to security administrators, decentralized security administrators, security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef CKF.<focus> uacc(none) owner(zSecure owner) pe CKF.<focus> class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.<type>.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.<type>.<node-name> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.<type> uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.<type> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKG.<type>.** uacc(none) owner(zSecure owner) pe CKG.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit CKR.<type> uacc(none) owner(zSecure owner) pe CKR.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner) pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.CLIENT.** uacc(none) owner(zSecure owner) pe C2R.CLIENT.** class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner) pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)

Additional Identifiers

Rule ID: SV-259732r961095_rule

Vulnerability ID: V-259732

Group Title: SRG-APP-000211-MFP-000283

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.