Navigate

Check: ZVTM0018

zOS RACF STIG: ZVTM0018 (in versions v6 r43 through v6 r30)

Title

The System datasets used to support the VTAM network are not properly secured. (Cat II impact)

Discussion

Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. Failure to properly control VTAM datasets could potentially compromise the network operations.

Check Content

a) Create a list of data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments. Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(VTAMRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZVTM0018) b) Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. c) If (b) above is true, there is NO FINDING. d) If (b) above is untrue, this is a FINDING.

Fix Text

Data Set Controls Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. The following sample RACF commands show proper definitions/permissions for VTAM datasets: AD 'SYS1.VTAM*.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.**' ID(<syspaudt>) ACC(A) AD 'SYS1.VTAMLIB.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAMLIB.**' ID(<syspaudt>) ACC(A) AD 'SYS1.VTAM.SISTCLIB.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.SISTCLIB.**' ID(<syspaudt>) ACC(A) AD 'SYS3.VTAM.**' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018') PE 'SYS3.VTAM.**' ID(<syspaudt>) ACC(A) AD 'SYS3.VTAMLIB.**' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS3.VTAMLIB.**' ID(<syspaudt>) ACC(A) SETR GENERIC(DATASET) REFRESH

Additional Identifiers

Rule ID: SV-7359r2_rule

Vulnerability ID: V-6956

Group Title: ZVTM0018

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000213	The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-001499	The organization limits privileges to change software resident within software libraries.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-3	Access Enforcement
CM-5 (6)	Limit Library Privileges