Title

z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected (Cat II impact)

Discussion

For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.

Check Content

a) Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(USSRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZUSS0032) b) If the ACP data set rules for each of the data sets listed in the MVS DATA SETS WITH z/OS UNIX COMPONENTS Table in the z/OS STIG Addendum restrict UPDATE and ALLOCATE access to systems programming personnel, there is NO FINDING. c) If (b) above is untrue, this is a FINDING.

Fix Text

Verify that the ACP data set rules for each of the data sets listed in the specified table in the z/OS STIG Addendum under MVS DATA SETS WITH z/OS UNIX COMPONENTS restrict UPDATE and ALLOCATE access to systems programming personnel. The data sets designated as distribution data sets should have all access restricted to systems programming personnel. TSO/E users who also use z/OS UNIX should have read access to the SYS1.SBPX* data sets. Read access for all users to the remaining target data sets is at the site’s discretion. All other access must be restricted to systems programming personnel.

Additional Identifiers

Rule ID: SV-7279r2_rule

Vulnerability ID: V-6976

Group Title: ZUSS0032

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.