From z/OS ACF2 STIG
Part of ZDBM0010
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
Data Base Management Systems (DBMS) provide the facilities to design, create, update, access and manage database files. Unauthorized access to these facilities could potentially compromise the operating system and customer data.
a) Review the production proclibs to identify the installed DBMS. b) Refer to the vendor documentation for the related DBMS to identify specific parameter settings necessary for activating I&A (Identification and Authentication) by the ACP. c) If I&A is being done by the ACP, there is NO FINDING. d) If I&A is not being done by the ACP, this is a FINDING.
Evaluate the impact associated with correcting the deficiency, and develop a plan of action to implement the changes as required. Most database management systems require users to identify themselves by supplying a logonid and password before accessing the database system. This method provides a good defense against unauthorized access to the system. Securing the use of database options, resources, and processes is crucial. All database functions (such as commands, transactions, and interactive options) should be reviewed for potential security exposures and to prevent unauthorized use. For example, only the database administrator should be allowed access to all the internal facilities used to manage and administer the database management system. The informational data in the database should be protected against unauthorized access. Operating system level data set controls for the database data sets are essential, but these controls are not enough. Users should not have complete access to all the data in a DBMS just because they have access to the OS data sets. Consideration should be given to securing the internal data structures, such as tables or files, within the OS data sets. This level of protection is usually handled by the internal security within the database product. Use the following recommendations when securing access to database management systems: (1) Control user access to the software product's data sets, and restrict access only to authorized personnel. (2) All database systems in use at the DOD sites will interface with the system ACP to perform I&A validation. Any DBMS incapable of using the ACP to accomplish I&A will be phased out.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer