Title

Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups. (Cat II impact)

Discussion

System backup data sets are necessary for recovery of DASD resident data sets. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.

Check Content

a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(BKUPRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00210) Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs. ___ The ACP data set rules for system DASD backup files allow inappropriate access. ___ The ACP data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups. b) If both of the above are untrue, there is NO FINDING. c) If either of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.

Fix Text

Obtain the high level indexes to backup datasets names and verify that their access is restricted by the System's ACP to System Programmers and batch jobs that perform the backups. If any other userids are specified, make sure that the IAO has documented justification for the access.

Additional Identifiers

Rule ID: SV-126r2_rule

Vulnerability ID: V-126

Group Title: ACP00210

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.