STIGQter STIGQter: STIG Summary: z/OS ROSCOE for RACF STIG Version: 6 Release: 7 Benchmark Date: 20 Jan 2015:

ROSCOE STC data sets are not properly protected.

DISA Rule

SV-23706r1_rule

Vulnerability Number

V-17067

Group Title

ZB000001

Rule Version

ZROSR001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO will ensure that update and alter access to the ROSCOE started task or batch job data sets is limited to system programmers and the started task only and all update and alter access is logged.

The IAO will ensure that all other accesses to the ROSCOE started task or batch job data sets are properly restricted and all required accesses are properly logged.

Data sets to be protected will be

SYS3.ROSCOE.sys*.**
SYS3.ROSCOE.ros*.**

The following commands are provided as a sample for implementing dataset controls:

ad 'sys3.roscoe.ros*.**' uacc(none) owner(sys3) -
audit(success(update) failures(read)) -
data('Site Customized Profile: ROSCOE')
pe 'sys3.roscoe.ros*.**' id(syspaudt) acc(a)
pe 'sys3.roscoe.ros*.**' id(roscoe) acc(a)
ad 'sys3.roscoe.sys*.**' uacc(none) owner(sys3) -
audit(success(update) failures(read)) -
data('Site Customized profile: ROSCOE')
pe 'sys3.roscoe.sys*.**' id(syspaudt) acc(a)
pe 'sys3.roscoe.sys*.**' id(roscoe) acc(a)
setr generic(dataset) refresh

Check Contents

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(ROSSTC)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZROS0001)

b) Verify that access to the ROSCOE STC data sets are properly restricted. The data sets in this group are the data sets identified in the ROSACTxx (if used), ROSLIBxx, and SYSAWSx DD statements of the STC or batch JCL.

___ The RACF data set rules for the data sets does not restrict UPDATE and/or ALTER access to systems programming personnel.

___ The RACF data set rules for the data sets does not restrict UPDATE and/or ALTER access to the product STC(s) and/or batch job(s).

c) If all of the above are untrue, there is NO FINDING.

d) If any of the above is true, this is a FINDING.

Vulnerability Number

V-17067

Documentable

False

Rule Version

ZROSR001

Severity Override Guidance

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(ROSSTC)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZROS0001)

b) Verify that access to the ROSCOE STC data sets are properly restricted. The data sets in this group are the data sets identified in the ROSACTxx (if used), ROSLIBxx, and SYSAWSx DD statements of the STC or batch JCL.

___ The RACF data set rules for the data sets does not restrict UPDATE and/or ALTER access to systems programming personnel.

___ The RACF data set rules for the data sets does not restrict UPDATE and/or ALTER access to the product STC(s) and/or batch job(s).

c) If all of the above are untrue, there is NO FINDING.

d) If any of the above is true, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

1665

Comments