STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: CICS system data sets are not properly protected.

DISA Rule

SV-7978r2_rule

Vulnerability Number

V-7516

Group Title

ZCIC0010

Rule Version

ZCIC0010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the access authorizations for CICS system data sets for each region. Ensure they conform to the specifications below:

A CICS environment may include several data set types required for operation. Typically they are CICS product libraries, which are usually included in the STEPLIB concatenation but may be found in DD DFHRPL. CICS system data sets that can be identified with DFH DD statements, other product system data sets, and application program libraries. Restrict alter and update access to CICS program libraries and all system data sets to systems programmers only. Other access must be documented and approved by the IAO. The site may determine access to application data sets included in the DD DFHRPL and CICS region startup JCL according to need. Ensure that procedures are established; documented, and followed that prevents the introduction of unauthorized or untested application programs into production application systems.

Check Contents

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(CICSRPT)

Since it is possible to have multiple CICS regions running on an LPAR, it is recommended that you go into the z/OS STIG Addendum and fill out all the information in the "CICS System Programmers Worksheet" for each CICS region running on your LPAR. It is recommended that you save this information for any other CICS vulnerabilities that will require it.

b) WRITE and/or ALLOCATE access to CICS system data sets is restricted to systems programming personnel.

c) If (b) is true, there is NO FINDING.

d) If (b) is untrue, this is a FINDING.

Vulnerability Number

V-7516

Documentable

False

Rule Version

ZCIC0010

Severity Override Guidance

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(CICSRPT)

Since it is possible to have multiple CICS regions running on an LPAR, it is recommended that you go into the z/OS STIG Addendum and fill out all the information in the "CICS System Programmers Worksheet" for each CICS region running on your LPAR. It is recommended that you save this information for any other CICS vulnerabilities that will require it.

b) WRITE and/or ALLOCATE access to CICS system data sets is restricted to systems programming personnel.

c) If (b) is true, there is NO FINDING.

d) If (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

106

Comments