Check: ZUSS0033
zOS ACF2 STIG:
ZUSS0033
(in versions v6 r43 through v6 r30)
Title
z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected (Cat II impact)
Discussion
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Check Content
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(STLLRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZUSS0033) ___ The ACP data set rules for libraries specified in the STEPLIBLIST file allow inappropriate access. ___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel. ___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, this is a FINDING.
Fix Text
Verify with the IAO that update and allocate access to libraries residing in the /etc/steplib is limited to system programmers only. The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set group id permission bit set. The use of STEPLIBLIST is at the site’s discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.
Additional Identifiers
Rule ID: SV-7280r2_rule
Vulnerability ID: V-6977
Group Title: ZUSS0033
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
CCI-002234 |
The information system audits the execution of privileged functions. |