STIGQter: STIG Summary: z/OS IBM System Display and Search Facility (SDSF) for TSS STIG Version: 6 Release: 8 Benchmark Date: 22 Apr 2016:

IBM System Display and Search Facility (SDSF) Configuration parameters must be correctly specified.

DISA Rule

SV-40746r5_rule

Vulnerability Number

V-18014

Group Title

ZB000040

Rule Version

ZISF0040

Severity

CAT II

CCI(s)

• CCI-000035 - The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.

Weight

10

Fix Recommendation

Ensure that the following Group function parameters appear and/or do not appear in ISFPARMS.

For each GROUP statement:
AUPDT(0)
AUTH will not be specified
CMDAUTH will not be specified
CMDLEV will not be specified
DSPAUTH will not be specified
NAME a value will be specified for the NAME

The ISFPARMS GROUP statement defines user groups and their characteristics. Some of these characteristics include access authorization to SDSF functions and commands. Access to these functions and commands will be controlled using SAF resources. The use of the SAF interface is consistent with the DOD requirement to control all products within the operating system using the ACP. To ensure SAF security is always in effect, authorizations to SDSF functions and commands should not be defined in ISFPARMS DD statement in the SDSF JCL member.

Check Contents

Refer to the JCL procedure libraries defined to JES2 for the SDSF started task member for SDSFPARM DD statement.

Refer to the ISRPRMxx members in the logical PARMLIB concatenation.

Refer to the results of the “F SDSF,D” command. Where SDSF should specify the SDSF started task name.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZISF0040)

Ensure the following Group Parameters are specified or not specified in the GROUP statements defined in the ISFPARMS members. If the following guidance is true, this is not a finding.

For each GROUP statement:
AUPDT(0)
AUTH will not be specified
CMDAUTH will not be specified
CMDLEV will not be specified
DSPAUTH will not be specified
NAME a value will be specified for the NAME

Vulnerability Number

V-18014

Documentable

False

Rule Version

ZISF0040

Severity Override Guidance

Refer to the JCL procedure libraries defined to JES2 for the SDSF started task member for SDSFPARM DD statement.

Refer to the ISRPRMxx members in the logical PARMLIB concatenation.

Refer to the results of the “F SDSF,D” command. Where SDSF should specify the SDSF started task name.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZISF0040)

Ensure the following Group Parameters are specified or not specified in the GROUP statements defined in the ISFPARMS members. If the following guidance is true, this is not a finding.

For each GROUP statement:
AUPDT(0)
AUTH will not be specified
CMDAUTH will not be specified
CMDLEV will not be specified
DSPAUTH will not be specified
NAME a value will be specified for the NAME

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

2190

Comments