STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.

DISA Rule

SV-223626r533198_rule

Vulnerability Number

V-223626

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-US-000110

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-001499 - The organization limits privileges to change software resident within software libraries.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Define the STEPLIBLIST with update and allocate access to libraries residing in the /etc/steplib limited to system programmers only.

The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set group id permission bit set. The use of STEPLIBLIST is at the site’s discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.

Check Contents

Refer to the STEPLIBLIST statement in the BPXPRMxx member of PARMLIB.
If the STEPLIBLIST points to an etc/steplib go to the ISPF Command Shell enter:
OMVS
cd /etc
cat <filename>

If the ESM data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel, this is a finding.

If the ESM data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged this is a finding.

Vulnerability Number

V-223626

Documentable

False

Rule Version

ACF2-US-000110

Severity Override Guidance

Refer to the STEPLIBLIST statement in the BPXPRMxx member of PARMLIB.
If the STEPLIBLIST points to an etc/steplib go to the ISPF Command Shell enter:
OMVS
cd /etc
cat <filename>

If the ESM data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel, this is a finding.

If the ESM data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged this is a finding.

Check Content Reference

M

Target Key

4100

Comments