STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS Sensitive Utility Controls must be properly defined and protected.

DISA Rule

SV-223428r533198_rule

Vulnerability Number

V-223428

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-ES-000070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Refer to the Site Security Plan for Sensitive Programs/Utilities, which lists the resources, access requirements, and logging requirements for Sensitive Utilities.

Configure ACF2 resources to be defined with a default access of PREVENT.

Configure ACF2 resource access authorizations to restrict access to the appropriate personnel.

Configure ACF2 resource logging to be correctly specified.

The following commands are provided as a sample for implementing resource controls:

$KEY(AHLGTF) TYPE(PGM)
UID(stcg) LOG
UID(*) PREVENT

F ACF2,REBUILD(PGM)

Check Contents

Refer to the table of Sensitive Utilities resources (and/or their generic equivalents) below.

If the ACF2 resources are defined with a default access of PREVENT, this is not a finding.

If the ACF2 resource access authorizations restrict access to the appropriate personnel according to the site security plan, this is not a finding.

If the ACF2 resource logging is correctly specified, this is not a finding.

Sensitive Utility Controls

Program    Product           Function
AHLGTF     z/OS              System Activity Tracing
HHLGTF     z/OS              System Activity Tracing
IHLGTF     z/OS              System Activity Tracing
ICPIOCP    z/OS              System Configuration
IOPIOCP    z/OS              System Configuration
IXPIOCP    z/OS              System Configuration
IYPIOCP    z/OS              System Configuration
IZPIOCP    z/OS              System Configuration
BLSROPTR   z/OS              Data Management
DEBE       OS/DEBE           Data Management
DITTO      OS/DITTO          Data Management
FDRZAPOP   FDR               Product Internal Modification
GIMSMP     SMP/E             Change Management Product
ICKDSF     z/OS              DASD Management
IDCSC01    z/OS              IDCAMS Set Cache Module
IEHINITT   z/OS              Tape Management
IFASMFDP   z/OS              SMF Data Dump Utility
IND$FILE   z/OS              PC to Mainframe File Transfer (Applicable only for classified systems)
CSQJU003   IBM WebSphereMQ
CSQJU004   IBM WebSphereMQ
CSQUCVX    IBM WebSphereMQ
CSQ1LOGP   IBM WebSphereMQ
CSQUTIL    IBM WebSphereMQ
WHOIS      z/OS              Share MOD to identify user name from USERID. Restricted to data center personnel only.
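As an added example (not part of the STIG text or of ACF2 itself), the following Python checker applies the three Check Contents conditions to a rule listing written in the format of the Fix Recommendation sample: default access PREVENT, only UIDs named in the site security plan, and LOG on every grant. The listing, the audited program list and the site-plan UID sets are constructed for illustration; real ACF2 UID masks are prefix masks, so the exact-match comparison here is a simplification.

```python
import re

# Constructed sample rule listing (not from a real system): AHLGTF follows the
# STIG sample above; GIMSMP has no UID(*) PREVENT and grants an unplanned UID.
SAMPLE_LISTING = """\
$KEY(AHLGTF) TYPE(PGM)
 UID(stcg) LOG
 UID(*) PREVENT
$KEY(GIMSMP) TYPE(PGM)
 UID(smpadm) LOG
 UID(devteam)
"""
# Programs under audit (in practice the whole table above); ICKDSF has no rule set.
PROGRAMS = ("AHLGTF", "GIMSMP", "ICKDSF")
# Assumed site security plan: UID masks permitted to run each program.
ALLOWED = {"AHLGTF": {"stcg"}, "GIMSMP": {"smpadm"}}

def parse_rules(listing):
    """Map each $KEY(prog) TYPE(PGM) rule set to its stripped access rule lines."""
    rules, current = {}, None
    for line in (l.strip() for l in listing.splitlines()):
        m = re.match(r"\$KEY\((\S+)\)\s+TYPE\(PGM\)", line)
        if m:
            current, rules[m.group(1)] = m.group(1), []
        elif line and current is not None:
            rules[current].append(line)
    return rules

def check_rule(program, lines, allowed_uids):
    """Findings for one rule set: default PREVENT, planned UIDs only, logging."""
    entries = dict(re.findall(r"UID\(([^)]+)\)(.*)", "\n".join(lines)))
    findings = []
    if "PREVENT" not in entries.pop("*", ""):  # the UID(*) line is the default
        findings.append(f"{program}: default access is not PREVENT")
    for uid, attrs in entries.items():  # explicit grants (or explicit PREVENTs)
        if uid not in allowed_uids:
            findings.append(f"{program}: UID {uid} not in site security plan")
        if "LOG" not in attrs and "PREVENT" not in attrs:
            findings.append(f"{program}: access for UID {uid} is not logged")
    return findings

def audit(listing, programs, allowed):
    """All findings across the audited programs; an empty list is compliant."""
    rules, findings = parse_rules(listing), []
    for program in programs:
        if program not in rules:
            findings.append(f"{program}: no PGM rule defined")
        else:
            findings += check_rule(program, rules[program], allowed.get(program, set()))
    return findings
```

Running `audit(SAMPLE_LISTING, PROGRAMS, ALLOWED)` reports the open default and the unplanned, unlogged UID on GIMSMP and the missing ICKDSF rule set, while AHLGTF produces no findings.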

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100

Comments