STIGQter: STIG Summary: z/OS Compuware Abend-AID for ACF2 STIG Version: 6 Release: 6 Benchmark Date: 27 Jul 2018: Compuware Abend-AID user data sets must be properly protected.

DISA Rule

SV-75837r1_rule

Vulnerability Number

V-21592

Group Title

ZB000002

Rule Version

ZAIDA002

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that WRITE and/or greater access to Compuware Abend-AID user data sets is limited to System Programmers and Compuware Abend-AID STC(s) and/or batch user(s) only. Ensure that WRITE access to Compuware Abend-AID user data sets is limited to Application Development Programmers and Application Production Support Team members. Read access can be given to auditors.

(Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)

Data sets to be protected will be:

Region dump datasets
Report databases
Source listing files/source listing shared directories

The following commands are provided as a sample for implementing data set controls:

$KEY(S3A)
$PREFIX(SYS3)
ABENDAID.SHARED-.- UID(appdaudt) R(A) W(A)
ABENDAID.SHARED-.- UID(appsaudt) R(A) W(A)
ABENDAID.SHARED-.- UID(AbendAID STCs) R(A) W(A) A(A) E(A)
ABENDAID.SHARED-.- UID(syspaudt) R(A) W(A) A(A) E(A)
ABENDAID.SHARED-.- UID(tstcaudt) R(A) W(A) A(A) E(A)
ABENDAID.SHARED-.- UID(audtaudt) R(A)
ABENDAID.REPORTDB-.- UID(appdaudt) R(A) W(A)
ABENDAID.REPORTDB-.- UID(appsaudt) R(A) W(A)
ABENDAID.REPORTDB-.- UID(AbendAID STCs) R(A) W(A) A(A) E(A)
ABENDAID.REPORTDB-.- UID(syspaudt) R(A) W(A) A(A) E(A)
ABENDAID.REPORTDB-.- UID(tstcaudt) R(A) W(A) A(A) E(A)
ABENDAID.REPORTDB-.- UID(audtaudt) R(A)

SET RULE
COMPILE 'ACF2.MVA.DSNRULES(S3A)' STORE

Check Contents

Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(AIDUSER)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZAID0002)

Verify that the accesses to the following Compuware Abend-AID user data sets are properly restricted:
Region dump datasets
Report databases
Source listing files/source listing shared directories

If the following guidance is true, this is not a finding.

___ The ACF2 data set rules for the listed data sets restrict READ access to auditors.

___ The ACF2 data set rules for the listed data sets restrict WRITE and/or greater access to systems programming personnel.

___ The ACF2 data set rules for the listed data sets restrict WRITE and/or greater access to the Compuware Abend-AID’s STC(s) and/or batch user(s).

___ The ACF2 data set rules for the listed data sets restrict WRITE access to Application Development Programmers and Application Production Support Team members.
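
The checklist above can be applied mechanically to rule entries written in the format of the sample commands. The following is an added example, not part of the STIG or of any DISA tooling: it parses such entries and reports any UID that is granted more access than the guidance allows. The UID strings are the placeholders from the sample rule set, the SAMPLE input is constructed, and UID strings are compared as exact text rather than as ACF2 UID masks (assumptions).

```python
import re

# Maximum access per UID string. The keys are the placeholder UID strings
# from the sample rule set; real UID strings are site specific (assumption).
FULL = frozenset("RWAE")
POLICY = {
    "appdaudt": frozenset("RW"),  # Application Development Programmers
    "appsaudt": frozenset("RW"),  # Application Production Support Team
    "audtaudt": frozenset("R"),   # auditors: READ only
    "syspaudt": FULL,             # systems programming personnel
    "tstcaudt": FULL,             # granted full access in the sample rules
    "AbendAID STCs": FULL,        # Abend-AID STC(s) and/or batch user(s)
}

RULE = re.compile(r"^(?P<dsn>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<perms>.*)$")
PERM = re.compile(r"\b([RWAE])\(([ALP])\)")

def parse_rule(line):
    """Return (dsn_mask, uid, granted) for a rule entry, None for control lines."""
    m = RULE.match(line.strip())
    if not m:
        return None  # $KEY, $PREFIX, SET RULE, COMPILE, blank lines
    # A (allow) and L (allow and log) both let the access proceed;
    # P (prevent) or an omitted permission does not.
    granted = {p for p, v in PERM.findall(m["perms"]) if v in "AL"}
    return m["dsn"], m["uid"], granted

def findings(rule_text):
    """List (dsn_mask, uid, excess_permissions) for entries exceeding POLICY."""
    out = []
    for line in rule_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        dsn, uid, granted = parsed
        # A UID string that is not in POLICY is entitled to nothing.
        excess = granted - POLICY.get(uid, frozenset())
        if excess:
            out.append((dsn, uid, "".join(sorted(excess))))
    return out

# Constructed input: two compliant entries and two that should be flagged.
SAMPLE = """\
$KEY(S3A)
$PREFIX(SYS3)
ABENDAID.REPORTDB-.- UID(appdaudt) R(A) W(A)
ABENDAID.REPORTDB-.- UID(audtaudt) R(A) W(L)
ABENDAID.SHARED-.- UID(syspaudt) R(A) W(A) A(A) E(A)
ABENDAID.SHARED-.- UID(*) R(A) W(A)
"""

if __name__ == "__main__":
    for dsn, uid, excess in findings(SAMPLE):
        print(f"FINDING {dsn} UID({uid}) exceeds guidance: {excess}")
```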

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

2344

Comments