Check: RACF0740
zOS RACF STIG: RACF0740 (in versions v6 r43 through v6 r30)
Title
The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified. (Cat II impact)
Discussion
BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. When BLP is used in z/OS, the only verification that is done is for the data set name in the JCL. Any data set name can be used. A user could specify a data set name that he has access to, the job would pass the validation check, and the job would be processed, giving access to the data. BLP is typically used for tapes that are external to the tape management system used on the processor. BLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.
Check Content
a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)

b) Ensure the following items are in effect regarding bypass label processing (BLP):
1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).
2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.).
3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.
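An added example, not part of the STIG or of the RACF Data Collection tooling: a Python check of the items in (b), run over captured `RLIST FACILITY ICHBLP AUTHUSER` and `SETROPTS LIST` output. The sample text is constructed and its layout simplified; the function name `check_blp`, the approved-userid set and the `tape_mgmt_installed` flag are assumptions for illustration.

```python
import re

# Constructed sample of RLIST FACILITY ICHBLP AUTHUSER output (layout simplified).
RLIST_SAMPLE = """\
CLASS      NAME
-----      ----
FACILITY   ICHBLP

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            READ              NONE     NO

USER      ACCESS
----      ------
TAPELIB   READ
OPS01     READ
DEVUSR7   READ
"""
# Constructed sample of the ACTIVE CLASSES line from SETROPTS LIST (assumed on one line).
SETROPTS_SAMPLE = "ACTIVE CLASSES = DATASET USER GROUP FACILITY TAPEVOL"

def check_blp(rlist, setropts, approved, tape_mgmt_installed):
    """Return findings for items b1-b3; an empty list means NO FINDING."""
    findings, lines = [], rlist.splitlines()
    # b1: UACC is the third column of the row under the LEVEL/OWNER header.
    hdr = next((i for i, l in enumerate(lines) if l.startswith("LEVEL")), None)
    if hdr is None:
        findings.append("b1: ICHBLP profile not found in FACILITY class")
    elif (uacc := lines[hdr + 2].split()[2]) != "NONE":
        findings.append(f"b1: ICHBLP UACC is {uacc}, expected NONE")
    # b2: every ID on the access list must be an approved (justified) userid.
    start = next((i for i, l in enumerate(lines) if l.startswith("USER ")), None)
    for row in lines[start + 2:] if start is not None else []:
        if not row.strip():
            break  # a blank line ends the access list
        user = row.split()[0]
        if user not in approved:
            findings.append(f"b2: {user} has ICHBLP access without justification")
    # b3: without a tape management system, TAPEVOL must be an active class.
    active = re.search(r"ACTIVE CLASSES = (.*)", setropts)
    classes = active.group(1).split() if active else []
    if not tape_mgmt_installed and "TAPEVOL" not in classes:
        findings.append("b3: TAPEVOL class is not active")
    return findings
```

With the constructed sample and an approved set of TAPELIB and OPS01, the function reports the READ universal access and the unjustified DEVUSR7 entry.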
Fix Text
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:

PE ICHBLP CL(FACILITY) id(<userid>) DELETE

A subsequent REFRESH of the FACILITY class may be required via the command:

SETR RACL(FACILITY) REFRESH
Additional Identifiers
Rule ID: SV-296r2_rule
Vulnerability ID: V-296
Group Title: RACF0740
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |