Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.

From z/OS RACF STIG

Part of ACP00210

Associated with IA controls: DCCS-1, DCCS-2, ECCD-1, CODB-1

Associated with: CCI-000213

SV-126r2_rule Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.

Vulnerability discussion

System backup data sets are necessary for recovery of DASD resident data sets. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.

Check content

a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(BKUPRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00210) Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs. ___ The ACP data set rules for system DASD backup files allow inappropriate access. ___ The ACP data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups. b) If both of the above are untrue, there is NO FINDING. c) If either of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.

Fix text

Obtain the high level indexes to backup datasets names and verify that their access is restricted by the System's ACP to System Programmers and batch jobs that perform the backups. If any other userids are specified, make sure that the IAO has documented justification for the access.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer