STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223663r604139_rule
V-223663
SRG-OS-000080-GPOS-00048
RACF-ES-000150
CAT II
10
Develop a plan of action to implement the required changed.
Define profiles in the "DASDVOL" class. A sample command is provided here:
RDEF DASDVOL ** UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)).
More specific "DASDVOL" profiles should be defined to protect groups of "DASDVOLs". A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here:
RDEF DASDVOL SYS* UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)).
Permission can be granted to "DASDVOL" profiles. A sample command is provided here:
PE SYS* CLASS(DASDVOL) ID(<syspsmpl>) ACCESS(ALTER)
If any profiles are in "WARN" mode, they should be reset. A sample command is provided here:
RALT DASDVOL <profilename> NOWARN.
Note that the "GDASDVOL" class can also be used. See the RACF Security Admin Guide for more information.
From the ISPF Command Shell enter:
RLIST DASDVOL AUTHUSER
If a profile of "**" is defined for the "DASDVOL" resource class, this is not finding.
If access authorization to "DASDVOL" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers, this is not a finding.
If all (i.e., failures and successes) access is logged, this is not a finding.
V-223663
False
RACF-ES-000150
From the ISPF Command Shell enter:
RLIST DASDVOL AUTHUSER
If a profile of "**" is defined for the "DASDVOL" resource class, this is not finding.
If access authorization to "DASDVOL" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers, this is not a finding.
If all (i.e., failures and successes) access is logged, this is not a finding.
M
4101