STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.

DISA Rule

SV-223459r533198_rule

Vulnerability Number

V-223459

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

ACF2-ES-000390

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the PPGM GSO record value so that it covers the protected programs listed in the table below, which are to be executed only by privileged users.

Sensitive Utility Controls

Program    Product           Function
AHLGTF     z/OS              System Activity Tracing
HHLGTF
IHLGTF

ICPIOCP    z/OS              System Configuration
IOPIOCP
IXPIOCP
IYPIOCP
IZPIOCP

BLSROPTR   z/OS              Data Management

DEBE       OS/DEBE           Data Management

DITTO      OS/DITTO          Data Management

FDRZAPOP   FDR               Product Internal Modification

GIMSMP     SMP/E             Change Management Product

ICKDSF     z/OS              DASD Management

IDCSC01    z/OS              IDCAMS Set Cache Module

IEHINITT   z/OS              Tape Management

IFASMFDP   z/OS              SMF Data Dump Utility

IND$FILE   z/OS              PC to Mainframe File Transfer (applicable only for classified systems)

CSQJU003   IBM WebSphereMQ
CSQJU004
CSQUCVX
CSQ1LOGP
CSQUTIL

WHOIS      z/OS              Share MOD to identify user name from USERID. Restricted to data center personnel only.

Define protected programs that can only be executed by privileged users.

PGM-MASK(pgm-mask1, ..., pgm-mask255)

Example:
SET C(GSO)
INSERT PPGM PGM-MASK(<program name or generic equivalent>)

F ACF2,REFRESH(PPGM)

Check Contents

From the ACF command screen enter:
SET CONTROL(GSO)
LIST LIKE(PPGM-)

Refer to the Sensitive Utility Controls table below for the required programs and/or their generic (masked) equivalents.

If all applicable programs or their generic equivalent referenced below are represented by GSO PPGM record values, this is not a finding.

Sensitive Utility Controls

Program    Product           Function
AHLGTF     z/OS              System Activity Tracing
HHLGTF
IHLGTF

ICPIOCP    z/OS              System Configuration
IOPIOCP
IXPIOCP
IYPIOCP
IZPIOCP

BLSROPTR   z/OS              Data Management

DEBE       OS/DEBE           Data Management

DITTO      OS/DITTO          Data Management

FDRZAPOP   FDR               Product Internal Modification

GIMSMP     SMP/E             Change Management Product

ICKDSF     z/OS              DASD Management

IDCSC01    z/OS              IDCAMS Set Cache Module

IEHINITT   z/OS              Tape Management

IFASMFDP   z/OS              SMF Data Dump Utility

IND$FILE   z/OS              PC to Mainframe File Transfer (applicable only for classified systems)

CSQJU003   IBM WebSphereMQ
CSQJU004
CSQUCVX
CSQ1LOGP
CSQUTIL

WHOIS      z/OS              Share MOD to identify user name from USERID. Restricted to data center personnel only.
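The check above is a coverage test: every program in the Sensitive Utility Controls table must be matched by at least one PGM-MASK value in the GSO PPGM record, either literally or through an ACF2 mask. The following script is an added example, not part of the STIG or of STIGQter, that automates that comparison offline. The LIST LIKE(PPGM-) output it parses is constructed and its layout is an assumption (only the contents of PGM-MASK(...) are used, so wrapped lines are tolerated); the masking rules it applies are a simplification of ACF2 masking in which an asterisk matches exactly one character of the blank-padded eight-character program name and a dash matches the remainder of the name.

```python
import re

# Programs the STIG requires to be protected by the GSO PPGM record
# (taken from the Sensitive Utility Controls table above).
REQUIRED_PROGRAMS = [
    "AHLGTF", "HHLGTF", "IHLGTF",
    "ICPIOCP", "IOPIOCP", "IXPIOCP", "IYPIOCP", "IZPIOCP",
    "BLSROPTR", "DEBE", "DITTO", "FDRZAPOP", "GIMSMP", "ICKDSF",
    "IDCSC01", "IEHINITT", "IFASMFDP", "IND$FILE",
    "CSQJU003", "CSQJU004", "CSQUCVX", "CSQ1LOGP", "CSQUTIL",
    "WHOIS",
]

# Constructed sample of LIST LIKE(PPGM-) output. The layout is an assumption,
# not captured output; the PGM-MASK value list is deliberately wrapped.
SAMPLE_LIST_OUTPUT = """\
PPGM LAST CHANGED BY ADMIN01 ON 01/15/21-10:22
  PGM-MASK(AHLGTF,HHLGTF,IHLGTF,I*PIOCP,BLSROPTR,DEBE,DITTO,
           FDRZAPOP,GIMSMP,ICKDSF,IEHINITT,IFASMFDP,CSQ-,
           WHOIS)
"""

NAME_WIDTH = 8  # program names are blank-padded 8-character fields


def parse_pgm_masks(list_output: str) -> list[str]:
    """Return the values inside PGM-MASK(...), tolerating wrapped lines."""
    flat = " ".join(line.strip() for line in list_output.splitlines())
    found = re.search(r"PGM-MASK\(([^)]*)\)", flat)
    if not found:
        return []
    return [tok.strip().upper() for tok in found.group(1).split(",") if tok.strip()]


def mask_matches(mask: str, program: str) -> bool:
    """Assumed ACF2 masking: '*' matches exactly one character (a pad blank
    counts), '-' matches all remaining characters, anything else is literal."""
    prog = program.upper().ljust(NAME_WIDTH)
    pos = 0
    for ch in mask.upper():
        if ch == "-":
            return True
        if pos >= NAME_WIDTH:
            return False  # mask longer than the name field
        if ch != "*" and ch != prog[pos]:
            return False
        pos += 1
    # Mask consumed: the unmatched tail of the name must be pad blanks only,
    # so a literal mask does not cover a longer name sharing its prefix.
    return prog[pos:].strip() == ""


def check_ppgm_coverage(list_output: str, required=REQUIRED_PROGRAMS) -> dict:
    """Map each required program to the first mask covering it (None if
    uncovered) and list the programs that would make this a finding."""
    masks = parse_pgm_masks(list_output)
    covered = {
        prog: next((m for m in masks if mask_matches(m, prog)), None)
        for prog in required
    }
    missing = [prog for prog, m in covered.items() if m is None]
    return {"masks": masks, "covered": covered, "missing": missing}


if __name__ == "__main__":
    report = check_ppgm_coverage(SAMPLE_LIST_OUTPUT)
    for prog, mask in report["covered"].items():
        print(f"{prog:<8}  {'covered by ' + mask if mask else 'NOT COVERED'}")
    if report["missing"]:
        print("Finding: programs missing from GSO PPGM:", ", ".join(report["missing"]))
    else:
        print("Not a finding: all required programs are covered.")
```

Run against real output, paste the LIST result into SAMPLE_LIST_OUTPUT (or read it from a file) and drop any table entries that do not apply to the system, such as IND$FILE on an unclassified system. Because a literal mask only matches its exact name, the script will not be fooled by a similarly named module, and because a dash mask matches any suffix, it reports which generic value is doing the covering so an auditor can judge whether that mask is the intended one.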

Vulnerability Number

V-223459

Documentable

False

Rule Version

ACF2-ES-000390

Severity Override Guidance

Same as the Check Contents above.

Check Content Reference

M

Target Key

4100

Comments