STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.

DISA Rule

SV-223914r561402_rule

Vulnerability Number

V-223914

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-ES-000410

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-001499 - The organization limits privileges to change software resident within software libraries.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

Using the ESM, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. See that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have Systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed.

Configure ESM data set rules for all WRITE or greater access to libraries containing z/OS and other system level exits will be logged using the ACP’s facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system level exits.

Check Contents

Examine the system for active exit modules. You may need the system administrator help for this. There are third-party software products that can determine standard and dynamic exits loaded in the system.

If all the exits are found within APF, LPA and LINKLIST, this is not applicable.

If ESM data set rules for libraries that contain system exit modules restrict WRITE or greater access to only z/OS systems programming personnel this is not a finding.

If the ESM data set rules for libraries that contain exit modules specify that all WRITE or greater access will be logged this is not a finding.

Vulnerability Number

V-223914

Documentable

False

Rule Version

TSS0-ES-000410

Severity Override Guidance

Examine the system for active exit modules. You may need the system administrator help for this. There are third-party software products that can determine standard and dynamic exits loaded in the system.

If all the exits are found within APF, LPA and LINKLIST, this is not applicable.

If ESM data set rules for libraries that contain system exit modules restrict WRITE or greater access to only z/OS systems programming personnel this is not a finding.

If the ESM data set rules for libraries that contain exit modules specify that all WRITE or greater access will be logged this is not a finding.

Check Content Reference

M

Target Key

4102

Comments