Title

ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements. (Cat II impact)

Discussion

CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter data sets (i.e., product, security) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

Check Content

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(CICSRPT) Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. b) UPDATE and/or ALLOCATE access to the ACF2/CICS parameter data set, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. c) If all items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.

Fix Text

The IAO will ensure that update and allocate access to the ACF2/CICS parameter data set is limited to system programmers and security personnel. Review the access authorizations for CICS system data sets. UPDATE and/or ALLOCATE access to the ACF2/CICS parameter data set, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. Example: $KEY(S3C) $PREFIX(SYS3) CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A) CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A) CICSTS.SYSIN UID(*) PREVENT SET RULE COMPILE 'ACF2.MVA.DSNRULES(S3C)' STORE

Additional Identifiers

Rule ID: SV-7475r2_rule

Vulnerability ID: V-7091

Group Title: ZCICA011

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.