Check: ACP00170
zOS RACF STIG:
ACP00170
(in versions v6 r43 through v6 r30)
Title
Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel. (Cat I impact)
Discussion
SYS1.UADS is the data set where emergency USERIDs are maintained. This ensures that logon processing can occur even if the ACP is not functional. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Check Content
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(UADSRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00170) ___ The ACP data set rules for SYS1.UADS allow inappropriate access. ___ The ACP data set rules for SYS1.UADS do not restrict ALTER access to only z/OS systems programming personnel. ___ The ACP data set rules for SYS1.UADS do not restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel. ___ The ACP data set rules for SYS1.UADS do not specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, this is a FINDING.
Fix Text
SYS1.UADS allocate/alter authority is limited to the systems programming staff. Read and update access should be limited to the security staff. Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS. The IAO will ensure that allocate access to SYS1.UADS is limited to system programmers only, read and update access to SYS1.UADS is limited to system programmer personnel and/or security personnel and all dataset access is logged.
Additional Identifiers
Rule ID: SV-122r3_rule
Vulnerability ID: V-122
Group Title: ACP00170
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-002234 |
The information system audits the execution of privileged functions. |