Check: ZCTD0060
z/OS BMC CONTROL-D for RACF STIG:
ZCTD0060
(in versions v6 r8 through v6 r6)
Title
BMC CONTROL-D security exits are not installed or configured properly. (Cat II impact)
Discussion
The BMC CONTROL-D security exits enable access authorization checking to BMC CONTROL-D commands, features, and online functionality. If these exit(s) is (are) not in place, activities by unauthorized users may result. BMC CONTROL-D security exit(s) interface with the ACP. If an unauthorized exit was introduced into the operating environment, system security could be weakened or bypassed. These exposures may result in the compromise of the operating system environment, ACP, and customer data.
Check Content
Interview the systems programmer responsible for the BMC CONTROL-D. Determine if the site has modified the following security exit(s): CTDSE01 CTDSE04 CTDSE08 CTDSE19 CTDSE24 CTDSE28 Ensure the above security exit(s) has (have) not been modified. If the above security exit(s) has (have) been modified, ensure that the security exit(s) has (have) been approved by the site systems programmer and the approval is on file for examination.
Fix Text
The System programmer responsible for the BMC CONTROL-D will review the BMC CONTROL-D operating environment. Ensure that the following security exit(s) is (are) installed properly. Determine if the site has modified the following security exit(s): CTDSE01 CTDSE04 CTDSE08 CTDSE19 CTDSE24 CTDSE28 Ensure that the security exit(s) has (have) not been modified. If the security exit(s) has (have) been modified, ensure the security exit(s) has (have) been checked as to not violate any security integrity within the system and approval documentation is on file.
Additional Identifiers
Rule ID: SV-224389r518670_rule
Vulnerability ID: V-224389
Group Title: SRG-OS-000018
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000035 |
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
Controls
Number | Title |
---|---|
AC-4 (11) |
Configuration Of Security Policy Filters |