STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.

DISA Rule

SV-122r3_rule

Vulnerability Number

V-122

Group Title

ACP00170

Rule Version

ACP00170

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

SYS1.UADS allocate/alter authority is limited to the systems programming staff. Read and update access should be limited to the security staff. Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS.

The IAO will ensure that allocate access to SYS1.UADS is limited to system programmers only, read and update access to SYS1.UADS is limited to system programmer personnel and/or security personnel and all dataset access is logged.

Check Contents

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(UADSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00170)

___ The ACP data set rules for SYS1.UADS allow inappropriate access.

___ The ACP data set rules for SYS1.UADS do not restrict ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for SYS1.UADS do not restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel.

___ The ACP data set rules for SYS1.UADS do not specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Vulnerability Number

V-122

Documentable

False

Rule Version

ACP00170

Severity Override Guidance

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(UADSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00170)

___ The ACP data set rules for SYS1.UADS allow inappropriate access.

___ The ACP data set rules for SYS1.UADS do not restrict ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for SYS1.UADS do not restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel.

___ The ACP data set rules for SYS1.UADS do not specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

106

Comments