STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:SV-223427r533198_rule
V-223427
SRG-OS-000080-GPOS-00048
ACF2-ES-000060
CAT II
10
Configure z/OS Sensitive System Commands to be defined to the OPERCMDS resource class. Only limited number of authorized people are able to issue these commands. All access is logged.
Configure the MVS resource to be defined to the OPERCMDS class with a default access of PREVENT, all access is logged, and access is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).
Note: Ensure access to z/OS system commands defined in the MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).
Example for ACF2:
$KEY(MVS) TYPE(OPR)
ACTIVATE.- UID(sysprgmr) LOG
ACTIVATE.- UID(*) PREVENT
SET R(OPR)
COMPILE 'ACF2.MVA.OPR(MVS)' STORE
F ACF2,REBUILD(OPR)
From a Command input line enter:
SET RESOURCE(OPR)
SET VERBOSE
LIST LIKE(MVS-)
NOTE: If CLASMAP defines OPERCMDS as anything other than the default of TYPE(OPR), replace OPR with the appropriate three letters.
If the MVS resource is defined to the OPERCMDS class with a default access of PREVENT, and all access logged, i.e., MVS.** is defined with access of PREVENT, this is not finding.
If Access to z/OS system commands defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) as determined in the Documented site Security Plan, this is not a finding.
Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all.
V-223427
False
ACF2-ES-000060
From a Command input line enter:
SET RESOURCE(OPR)
SET VERBOSE
LIST LIKE(MVS-)
NOTE: If CLASMAP defines OPERCMDS as anything other than the default of TYPE(OPR), replace OPR with the appropriate three letters.
If the MVS resource is defined to the OPERCMDS class with a default access of PREVENT, and all access logged, i.e., MVS.** is defined with access of PREVENT, this is not finding.
If Access to z/OS system commands defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) as determined in the Documented site Security Plan, this is not a finding.
Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all.
M
4100