STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide, Version: 8, Release: 2, Benchmark Date: 23 Apr 2021

CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.

DISA Rule

SV-223906r561402_rule

Vulnerability Number

V-223906

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-ES-000330

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect system-level product installation libraries.

Configure allocate access to all system-level product execution libraries to be limited to system programmers only.

Check Contents

Have the systems programmer for z/OS supply the following information:

The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.

The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) allow inappropriate access.

The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel.

If all of the above are untrue, this is not a finding.

If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4102
