STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS DFSMS Program Resources must be properly defined and protected.

DISA Rule

SV-223594r533198_rule

Vulnerability Number

V-223594

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-SM-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.

Refer to the chapter titled "Protecting the Storage Management Subsystem" in the IBM z/OS DFSMSdfp Storage Administration Guide.

Use the SMS Program Resources tables to determine the resources and access requirements for SMS Program Resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent specified are followed.

The ACF2 resources as designated in the above table are defined with a default access of PREVENT.

The ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above tables.

The following commands are provided as a sample for implementing resource controls:
$KEY(ACBFUTO2) TYPE(PGM)
UID(********) ALLOW
UID(*) PREVENT

F ACF2,REBUILD(PGM)
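
An added example, not part of the STIG or of any vendor tooling: a small Python check over rule text in the layout of the sample commands above, confirming that each TYPE(PGM) rule set carries a UID(*) PREVENT default and flagging any entry that opens the program to UID(*). The key names DEMOPGM1 and DEMOPGM2, the UID mask STGADMIN* and the function names are assumptions made for illustration; only ACBFUTO2 comes from the page.

```python
import re

# Constructed sample in the layout of the page's sample commands. ACBFUTO2 is
# from the page; DEMOPGM1/DEMOPGM2 and the STGADMIN* mask are hypothetical.
SAMPLE_RULES = """\
$KEY(ACBFUTO2) TYPE(PGM)
UID(STGADMIN*) ALLOW
UID(*) PREVENT

$KEY(DEMOPGM1) TYPE(PGM)
UID(*) ALLOW

$KEY(DEMOPGM2) TYPE(PGM)
UID(STGADMIN*) ALLOW
"""

KEY_RE = re.compile(r"^\$KEY\((?P<key>[^)]+)\)\s+TYPE\((?P<type>[^)]+)\)", re.I)
# LOG permits the access and records it, so it is treated like ALLOW below.
UID_RE = re.compile(r"^UID\((?P<uid>[^)]*)\)\s+(?P<action>ALLOW|PREVENT|LOG)\b", re.I)

def parse_rules(text):
    """Return {key: [(uid_mask, action), ...]} for TYPE(PGM) rule sets only."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            is_pgm = m.group("type").upper() == "PGM"
            current = rules.setdefault(m.group("key").upper(), []) if is_pgm else None
            continue
        m = UID_RE.match(line)
        if m and current is not None:
            current.append((m.group("uid"), m.group("action").upper()))
    return rules

def audit(text):
    """Return {key: [problems]}; an empty list means the rule set passes."""
    findings = {}
    for key, entries in parse_rules(text).items():
        problems = []
        if ("*", "PREVENT") not in entries:
            problems.append("no UID(*) PREVENT default")
        problems += [f"UID({uid}) {act} grants access to every user"
                     for uid, act in entries if uid == "*" and act != "PREVENT"]
        findings[key] = problems
    return findings

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_RULES).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Entries that pass this check still need manual review of each ALLOW mask against the personnel designated in the SMS Program Resources tables.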

Check Contents

Refer to the load modules residing in the following Load libraries to determine Program resource definitions:
- SYS1.DGTLLIB for DFSMSdfp/ISMF
- SYS1.DGTLLIB for DFSMSdss/ISMF
- SYS1.DFQLLIB for DFSMShsm

If the installation moves these modules to another load library, the installation-defined load library must be used in the program protection.

If the RACF resources are defined with a default access of NONE, this is not a finding.

If the RACF resource access authorizations restrict access to the appropriate personnel, this is not a finding.

Refer to the chapter titled “Protecting the Storage Management Subsystem” in the IBM z/OS DFSMSdfp Storage Administration Guide to assist with guidance on appropriate access.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100

Comments