Check: RACF0760
zOS RACF STIG:
RACF0760
(in versions v6 r43 through v6 r40)
Title
DASD Volume level protection must be properly defined. (Cat II impact)
Discussion
Volume access grants default access to all data sets residing on a given volume. This presents an exposure in the case of a data set improperly placed on a volume or inappropriate access being granted to a volume.
Check Content
Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) Refer to all documents and procedures that apply to Storage Management including identification of the DASD backup files and all associated storage management userids. Ensure the following items are in effect regarding DASD volume controls: A profile of "**" or "*" is defined for the "DASDVOL" resource class. Access authorization to "DASDVOL" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers. All profiles defined to the “DASDVOL” resource class have "UACC(NONE)". The profile "WARNING" flag is "NO". All (i.e., failures and successes) access is logged. NOTE: Volume authorization allows access to all data sets on the volume thru the use of storage management utilities, regardless of data set profile authorization. Access to operating system and general user storage volumes should be questioned. If all of the items are in effect regarding DASD volume controls, this is not a finding. If any of the items are NOT in effect regarding DASD volume controls, this is a finding.
Fix Text
Develop a plan of action to implement the required changed. Define profiles in the "DASDVOL" class. A sample command is provided here: RDEF DASDVOL ** UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)). More specific "DASDVOL" profiles should be defined to protect groups of "DASDVOLs". A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here: RDEF DASDVOL SYS* UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)). Permission can be granted to "DASDVOL" profiles. A sample command is provided here: PE SYS* CLASS(DASDVOL) ID(<syspaudt>) ACCESS(ALTER) If any profiles are in "WARN" mode, they should be reset. A sample command is provided here: RALT DASDVOL <profilename> NOWARN. Note that the "GDASDVOL" class can also be used. See the RACF Security Admin Guide for more info.
Additional Identifiers
Rule ID: SV-298r5_rule
Vulnerability ID: V-298
Group Title: RACF0760
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |