STIGQter STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.

DISA Rule

SV-223680r604139_rule

Vulnerability Number

V-223680

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-ES-000320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries.

Configure allocate access to all system-level product execution libraries to be limited to system programmers only.

Check Contents

Have the systems programmer for z/OS supply the following information:

The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.
The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

If the ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel this is a finding.

If any of these data sets cannot be identified due to a lack of requested information, this is a finding.

Vulnerability Number

V-223680

Documentable

False

Rule Version

RACF-ES-000320

Severity Override Guidance

Have the systems programmer for z/OS supply the following information:

The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.
The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

If the ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel this is a finding.

If any of these data sets cannot be identified due to a lack of requested information, this is a finding.

Check Content Reference

M

Target Key

4101

Comments