STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: ACP database is not backed up on a scheduled basis.

DISA Rule

SV-105r2_rule

Vulnerability Number

V-105

Group Title

AAMV0420

Rule Version

AAMV0420

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO will ensure that procedures are in place to backup all ACP files needed for recovery on a scheduled basis.

Identify the ACP database and ensure that documented processes are in place to back up its contents on a regularly scheduled basis.

At a minimum, nightly backup of the ACP databases, and of other critical security files (such as the ACP parameter file). More frequent backups (two or three times daily) will reduce the time necessary to affect recovery. The IAO will verify that the backup job(s) run successfully.

Check Contents

a) Check with the IAO and verfiy that procedures exist to backup the security data base and files. Have the IAO identify the dataset names and frequency of the backups.

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(AAMV0420)

For ACF2 sites only, refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ACFBKUP)

For TOP SECRET sites only, refer to the following report produced by the TOP SECRET Data Collection:

- TSSCMDS.RPT(STATUS)

Note: RACF creates an alternate data set and does not have any setting to specify that a backup is created

b) If, based on the information provided, it can be determined that the ACP database is being backed up on a regularly scheduled basis, there is NO FINDING.

c) If it cannot be determined that the ACP database is being backed up on a regularly scheduled basis, this is a FINDING.

Vulnerability Number

V-105

Documentable

False

Rule Version

AAMV0420

Severity Override Guidance

a) Check with the IAO and verfiy that procedures exist to backup the security data base and files. Have the IAO identify the dataset names and frequency of the backups.

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(AAMV0420)

For ACF2 sites only, refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ACFBKUP)

For TOP SECRET sites only, refer to the following report produced by the TOP SECRET Data Collection:

- TSSCMDS.RPT(STATUS)

Note: RACF creates an alternate data set and does not have any setting to specify that a backup is created

b) If, based on the information provided, it can be determined that the ACP database is being backed up on a regularly scheduled basis, there is NO FINDING.

c) If it cannot be determined that the ACP database is being backed up on a regularly scheduled basis, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

106

Comments