Title

Write or greater access to SYS1.IMAGELIB must be limited to system programmers only. (Cat I impact)

Discussion

SYS1.IMAGELIB is a partitioned data set containing universal character set (UCS), forms control buffer (FCB), and printer control information. Most IBM standard UCS images are included in SYS1.IMAGELIB during system installation. This data set should be protected as a z/OS system data set.

Check Content

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(IMAGERPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection. - PDI(ACP00040) If the following guidance is true, this is not a finding. ___ The ACP data set rules for SYS1.IMAGELIB allow inappropriate access. ___ The ACP data set rules for SYS1.IMAGELIB do not restrict UPDATE and/or ALTER access to only systems programming personnel. ___ The ACP data set rules for SYS1.IMAGELIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

Fix Text

The IAO must ensure that UPDATE and/or ALLOCATE access to SYS1.IMAGELIB is limited to system programmers only and all update and allocate access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect SYS1.IMAGELIB. SYS1.IMAGELIB is automatically APF-authorized. This data set contains modules, images, tables, and character sets which are essential to system print services.

Additional Identifiers

Rule ID: SV-111r4_rule

Vulnerability ID: V-111

Group Title: ACP00040

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.