Check: ITCP0070
zOS RACF STIG:
ITCP0070
(in versions v6 r43 through v6 r30)
Title
MVS data sets for the Base TCP/IP component are not properly protected, (Cat II impact)
Discussion
MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBMs TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Check Content
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(TCPRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ITCP0070) b) Ensure the following data set controls are in effect for the Base TCP/IP component: 1) WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA). 2) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. 3) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. 4) WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING. NOTE: For systems running the TSS ACP replace the WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.
Fix Text
Review with the IAO the data set access authorizations defined to the ACP for the Base TCP/IP component. Ensure these data sets are protected in accordance with the following rules: WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP. SEZA). WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel. NOTE: For systems running the TSS ACP replace the WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.
Additional Identifiers
Rule ID: SV-3221r2_rule
Vulnerability ID: V-3221
Group Title: ITCP0070
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
CCI-002234 |
The information system audits the execution of privileged functions. |