DFSMS resources are not protected in accordance with the proper security requirements.

From z/OS ACF2 STIG

Part of ZSMS0010

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-31r1_rule DFSMS resources are not protected in accordance with the proper security requirements.

Vulnerability discussion

DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.

Check content

a) Refer to the following reports produced by the ACF2 Data Collection and the Data Set and Resource Data Collection:

   - SENSITVE.RPT(FACILITY)
   - ACF2CMDS.RPT(RESOURCE) - Alternate report

   Automated Analysis
   Refer to the following report produced by the Data Set and Resource Data Collection:

   - PDI(ZSMS0010)

b) Ensure that the following items are in effect:

   1) The resource rule for FACILITY (FAC) $KEY(STGADMIN) has a default access of NONE and grants no access at this level.

   2) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only.

   3) Access to STGADMIN.DPDSRN.olddsname is not granted on production systems.

   4) STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers.

   5) STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel.

   6) The following $KEY(STGADMIN) resources may be allocated to the end-user:
      ARC.ENDUSER
      ADR.COPY.CNCURRNT
      ADR.COPY.TOLERATE.ENQF
      ADR.DUMP.CNCURRNT
      ADR.DUMP.TOLERATE.ENQF
      ADR.RESTORE.TOLERATE.ENQF
      IGG.ALTER.SMS

   7) The following $KEY(STGADMIN) resources are restricted to System programmers, DASD managers, and Application Production Support Team members. For IDC.DCOLLECT, Automated Operations can have access also.
      ARC.CANCEL
      ARC.LIST
      ARC.QUERY
      ARC.REPORT
      DMO.CONFIG
      IDC.DCOLLECT
      IFG.READVTOC
      IGG.DELGDG.FORCE

   8) The following $KEY(STGADMIN) resources are controlled using the first two high-level resource name qualifiers at a minimum and restricted to System programmers and DASD managers.
      ARC.ABACKUP ARC.ARECOVER ARC.ADDVOL ARC.ALTERDS ARC.AUDIT ARC.AUTH
      ARC.BACKDS ARC.BACKVOL ARC.BDELETE ARC.CANCEL ARC.DEFINE ARC.DELETE
      ARC.DELVOL ARC.DISPLAY ARC.EXPIREBV ARC.FIXCDS ARC.FREEVOL ARC.FRBACKUP
      ARC.FRDELETE ARC.FRRECOV ARC.HOLD ARC.LIST ARC.LOG ARC.MIGRATE
      ARC.PATCH ARC.QUERY ARC.RECALL ARC.RECOVER ARC.RECYCLE ARC.RELEASE
      ARC.REPORT ARC.SETMIG ARC.SETSYS ARC.STOP ARC.SWAPLOG ARC.TAPECOPY
      ARC.TAPEREPL ARC.TRAP ARC.UPDATEC
      ADR.COPY.BYPASSACS ADR.COPY.INCAT ADR.COPY.PROCESS.SYS ADR.CONVERTV
      ADR.DEFRAG ADR.DUMP.INCAT ADR.DUMP.PROCESS.SYS ADR.PATCH
      ADR.RELEASE.PROCESS.SYS ADR.RELEASE.INCAT ADR.RESTORE.BYPASSACS
      ADR.RESTORE.DELCATE ADR.RESTORE.IMPORT
      IDC.BINDDATA IDC.DIAGNOSE.CATALOG IDC.DIAGNOSE.VVDS IDC.LISTDATA
      IDC.LISTDATA.ACCESSCODE IDC.SETCACHE IDC.SETCACHE.DISCARDPINNED
      IDC.SETCACHE.PENDINGOFF IDC.SETCACHE.REINITIALIZE IDC.SETCACHE.SUBSYSTEM
      IDC.DCOLLECT
      IGG.ALTER.UNCONVRT IGG.LIBRARY IGG.ALTBCS IGG.DEFNVSAM.NOBCS
      IGG.DEFNVSAM.NONVR IGG.DELGDG.FORCE IGG.DELETE.NOSCRATCH IGG.DELNVR.NOBCSCHK
      IGG.DIRCAT IGG.DLVVRNVR.NOCAT
      IGWSHCDS.REPAIR

   9) The following Storage Administrator functions are controlled using the first three high-level resource name qualifiers at a minimum, restricted to System programmers and DASD managers, and all access is logged.
      ADR.STGADMIN.BUILDSA
      ADR.STGADMIN.COMPRESS
      ADR.STGADMIN.COPY
      ADR.STGADMIN.COPY.DELETE
      ADR.STGADMIN.COPY.RENAME
      ADR.STGADMIN.STGADMIN.DEFRAG
      ADR.STGADMIN.DUMP
      ADR.STGADMIN.DUMP.DELETE
      ADR.STGADMIN.PRINT
      ADR.STGADMIN.RELEASE
      ADR.STGADMIN.RESTORE
      ADR.STGADMIN.RESTORE.RENAME

   10) All access to the following $KEY(STGADMIN) resources is logged:
      DPDSRN.olddsname
      IGD.ACTIVATE.CONFIGURATION
      IGG.DEFDEL.UALIAS

c) If all items in b) above are true, there is NO FINDING.

d) If any item in b) above is untrue, this is a FINDING.

Fix text

The IAO will ensure that no access is given to the high-level STGADMIN resource. The IAO will ensure that STGADMIN.DPDSRN.olddsname is restricted to system programmers on an as-needed basis and that all access is logged.

Ensure that the following items are in effect:

1) The resource rule for FACILITY (FAC) $KEY(STGADMIN) has a default access of NONE and grants no access at this level.
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      - UID(*) PREVENT

2) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only.
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      DPDSRN.- UID(syspaudt) SERVICE(READ) LOG

3) Access to STGADMIN.DPDSRN.olddsname is not granted on production systems.

4) STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers.
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      IGD.ACTIVATE.CONFIGURATION UID(syspaudt) SERVICE(READ) LOG

5) STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel.
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      IGG.DEFDEL.UALIAS UID(syspaudt) SERVICE(READ) LOG
      IGG.DEFDEL.UALIAS UID(secaaudt) SERVICE(READ) LOG

6) The following $KEY(STGADMIN) resources may be allocated to the end-user:
      ARC.ENDUSER
      ADR.COPY.CNCURRNT
      ADR.COPY.TOLERATE.ENQF
      ADR.DUMP.CNCURRNT
      ADR.DUMP.TOLERATE.ENQF
      ADR.RESTORE.TOLERATE.ENQF
      IGG.ALTER.SMS
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      ARC.ENDUSER.- UID(endusers) SERVICE(READ) LOG
      ADR.COPY.TOLERATE.ENQF UID(endusers) SERVICE(READ)
      ADR.DUMP.TOLERATE.ENQF UID(endusers) SERVICE(READ)
      ADR.RESTORE.TOLERATE.- UID(endusers) SERVICE(READ)

7) The following $KEY(STGADMIN) resources are restricted to System programmers, DASD managers, and Application Production Support Team members. For IDC.DCOLLECT, Automated Operations can have access also.
      ARC.CANCEL
      ARC.QUERY
      ARC.REPORT
      DMO.CONFIG
      IDC.DCOLLECT
      IFG.READVTOC
      IGG.DELGDG.FORCE
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      ARC.CANCEL UID(syspaudt) SERVICE(READ)
      ARC.QUERY UID(syspaudt) SERVICE(READ)
      ARC.REPORT UID(syspaudt) SERVICE(READ)
      IDC.DCOLLECT UID(syspaudt) SERVICE(READ)
      IDC.DCOLLECT UID(autoaudt) SERVICE(READ)
      IGG.DELGDG.FORCE UID(syspaudt) SERVICE(READ)

8) The following $KEY(STGADMIN) resources are controlled using the first two high-level resource name qualifiers at a minimum and restricted to System programmers and DASD managers.
      ARC.ABACKUP ARC.ARECOVER ARC.ADDVOL ARC.ALTERDS ARC.AUDIT ARC.AUTH
      ARC.BACKDS ARC.BACKVOL ARC.BDELETE ARC.DEFINE ARC.DELETE ARC.DELVOL
      ARC.DISPLAY ARC.EXPIREBV ARC.FIXCDS ARC.FREEVOL ARC.FRBACKUP ARC.FRDELETE
      ARC.FRRECOV ARC.HOLD ARC.LIST ARC.LOG ARC.MIGRATE ARC.PATCH
      ARC.RECALL ARC.RECOVER ARC.RECYCLE ARC.RELEASE ARC.SETMIG ARC.SETSYS
      ARC.STOP ARC.SWAPLOG ARC.TAPECOPY ARC.TAPEREPL ARC.TRAP ARC.UPDATEC
      ADR.COPY.BYPASSACS ADR.COPY.INCAT ADR.COPY.PROCESS.SYS ADR.CONVERTV
      ADR.DEFRAG ADR.DUMP.INCAT ADR.DUMP.PROCESS.SYS ADR.PATCH
      ADR.RELEASE.PROCESS.SYS ADR.RELEASE.INCAT ADR.RESTORE.BYPASSACS
      ADR.RESTORE.DELCATE ADR.RESTORE.IMPORT
      IDC.BINDDATA IDC.DIAGNOSE.CATALOG IDC.DIAGNOSE.VVDS IDC.LISTDATA
      IDC.LISTDATA.ACCESSCODE IDC.SETCACHE IDC.SETCACHE.DISCARDPINNED
      IDC.SETCACHE.PENDINGOFF IDC.SETCACHE.REINITIALIZE IDC.SETCACHE.SUBSYSTEM
      IDC.DCOLLECT
      IGG.ALTER.SMS IGG.ALTER.UNCONVRT IGG.LIBRARY IGG.ALTBCS
      IGG.DEFNVSAM.NOBCS IGG.DEFNVSAM.NONVR IGG.DELETE.NOSCRATCH
      IGG.DELNVR.NOBCSCHK IGG.DIRCAT IGG.DLVVRNVR.NOCAT
      IGWSHCDS.REPAIR
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      ADR.CONVERTV UID(syspaudt) SERVICE(READ)
      ADR.COPY.BYPASSACS UID(syspaudt) SERVICE(READ)
      ADR.COPY.INCAT UID(syspaudt) SERVICE(READ)
      ADR.COPY.PROCESS.SYS UID(syspaudt) SERVICE(READ)
      ADR.DEFRAG UID(syspaudt) SERVICE(READ)
      ADR.DUMP.- UID(syspaudt) SERVICE(READ)
      ADR.PATCH UID(syspaudt) SERVICE(READ)
      ADR.RELEASE.- UID(syspaudt) SERVICE(READ)
      ADR.RESTORE.- UID(syspaudt) SERVICE(READ)
      IDC.- UID(syspaudt) SERVICE(READ)
      IGG.- UID(syspaudt) SERVICE(READ)
      IGWSHCDS.REPAIR UID(syspaudt) SERVICE(READ)
      ARC.- UID(syspaudt) SERVICE(READ)

9) The following Storage Administrator functions are controlled using the first three high-level resource name qualifiers at a minimum, restricted to System programmers and DASD managers, and all access is logged.
      ADR.STGADMIN.BUILDSA
      ADR.STGADMIN.COMPRESS
      ADR.STGADMIN.COPY
      ADR.STGADMIN.COPY.DELETE
      ADR.STGADMIN.COPY.RENAME
      ADR.STGADMIN.STGADMIN.DEFRAG
      ADR.STGADMIN.DUMP
      ADR.STGADMIN.DUMP.DELETE
      ADR.STGADMIN.PRINT
      ADR.STGADMIN.RELEASE
      ADR.STGADMIN.RESTORE
      ADR.STGADMIN.RESTORE.RENAME
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      ADR.STGADMIN.BUILDSA UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.COMPRESS UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.COPY UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.COPY.DELETE UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.COPY.RENAME UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.DEFRAG UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.DUMP.- UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.PRINT UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.RELEASE.- UID(syspaudt) SERVICE(READ) LOG
      ADR.STGADMIN.RESTORE.- UID(syspaudt) SERVICE(READ) LOG

10) All access to the following $KEY(STGADMIN) resources is logged:
      DPDSRN.olddsname
      IGG.DEFDEL.UALIAS
      IGD.ACTIVATE.CONFIGURATION
   Example:
      $KEY(STGADMIN) TYPE(FAC)
      DPDSRN.- UID(syspaudt) SERVICE(READ) LOG
      IGG.DEFDEL.UALIAS UID(syspaudt) SERVICE(READ) LOG
      IGG.DEFDEL.UALIAS UID(secaaudt) SERVICE(READ) LOG
      IGD.ACTIVATE.CONFIGURATION UID(syspaudt) SERVICE(READ) LOG
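As an added example that is not part of the STIG or of any ACF2 tooling, the script below parses $KEY(STGADMIN) TYPE(FAC) rule entries in the form the Fix text uses and flags the items of the check that can be tested mechanically (item 1 default PREVENT, the UID restrictions of items 2, 4 and 5, and the logging required by items 9 and 10). The UID masks syspaudt and secaaudt are taken from the Fix text examples; the rule set itself is constructed and contains two deliberately non-compliant entries.

```python
# Added example (not part of the STIG): audit ACF2 $KEY(STGADMIN) TYPE(FAC) rule
# entries against the ZSMS0010 items that can be checked mechanically.
import re
# Constructed sample rule set in the form used by the Fix text examples; two
# entries are deliberately non-compliant (wrong UID mask; no LOG).
RULES = """\
$KEY(STGADMIN) TYPE(FAC)
- UID(*) PREVENT
DPDSRN.- UID(syspaudt) SERVICE(READ) LOG
DPDSRN.- UID(endusers) SERVICE(READ) LOG
IGD.ACTIVATE.CONFIGURATION UID(syspaudt) SERVICE(READ)
IGG.DEFDEL.UALIAS UID(secaaudt) SERVICE(READ) LOG
ARC.ENDUSER.- UID(endusers) SERVICE(READ) LOG
ADR.STGADMIN.COPY UID(syspaudt) SERVICE(READ) LOG
"""
# Items 2/4/5: UID masks allowed on each resource (masks assumed from the Fix text).
ALLOWED_UIDS = {"DPDSRN.": {"syspaudt"}, "IGD.ACTIVATE.CONFIGURATION": {"syspaudt"},
                "IGG.DEFDEL.UALIAS": {"syspaudt", "secaaudt"}}
# Items 9/10: every permitting entry on these resources must carry LOG.
LOG_REQUIRED = ("DPDSRN.", "IGD.ACTIVATE.CONFIGURATION", "IGG.DEFDEL.UALIAS", "ADR.STGADMIN.")
ENTRY_RE = re.compile(r"^(\S+)\s+UID\((\S+)\)(?:\s+SERVICE\((\w+)\))?(.*)$")

def parse_rules(text):
    """One dict per rule entry; the $KEY header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if line.startswith("$KEY") or not m:
            continue
        res, uid, svc, rest = m.groups()
        entries.append({"res": res, "uid": uid, "service": svc,
                        "log": "LOG" in rest.split(), "prevent": "PREVENT" in rest.split()})
    return entries

def audit(entries):
    """Return finding strings; an empty list means NO FINDING for the checked items."""
    findings = []
    # Item 1: the bare $KEY level must default to PREVENT for UID(*).
    if not any(e["res"] == "-" and e["uid"] == "*" and e["prevent"] for e in entries):
        findings.append("item 1: no '- UID(*) PREVENT' entry under $KEY(STGADMIN)")
    for e in entries:
        if e["prevent"]:
            continue
        stem = e["res"].rstrip("-")  # a trailing '-' is an ACF2 prefix mask
        for prefix, uids in ALLOWED_UIDS.items():
            if stem.startswith(prefix) and e["uid"] not in uids:
                findings.append(f"items 2/4/5: {e['res']} permitted to UID({e['uid']})")
        if stem.startswith(LOG_REQUIRED) and not e["log"]:
            findings.append(f"items 9/10: {e['res']} UID({e['uid']}) has no LOG")
    return findings
```

Items 3, 6, 7 and 8 depend on which system the rule set came from and on site-specific UID masks, so they remain a manual review of the SENSITVE.RPT(FACILITY) and ACF2CMDS.RPT(RESOURCE) output.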
