IBM System Display and Search Facility (SDSF) Configuration parameters will be correctly specified.

From z/OS IBM System Display and Search Facility (SDSF) for TSS STIG

Part of ZB000040

Associated with IA controls: ECCD-2, ECCD-1

SV-40746r2_rule IBM System Display and Search Facility (SDSF) Configuration parameters will be correctly specified.

Vulnerability discussion

IBM System Display and Search Facility (SDSF) ISFPARMS defines global options, panel formats, and security for SDSF. Failure to properly specify these parameter values could potentially compromise the integrity and availability of the MVS operating system and user data.

Check content

Refer to the JCL procedure libraries defined to JES2 for the SDSF started task member for the SDSFPARM DD statement. Refer to the ISFPRMxx members in the logical parmlib concatenation. Refer to the results of the "F SDSF,D" command, where SDSF is the SDSF started task name.

Automated Analysis

Refer to the following report produced by the z/OS Data Collection:

- PDI(ZISF0040)

Ensure the following Group Parameters are specified or not specified in the GROUP statements defined in the ISFPARMS members. If the following guidance is true, this is not a finding.

For each GROUP statement:

- AUTH will not be specified
- CMDAUTH will not be specified
- CMDLEV will not be specified
- DSPAUTH will not be specified
- NAME: a value will be specified for the NAME

Note: AUPDT is a parameter for Auto Update and allows overriding of terminal lockout times. The GROUP statements that specify a value greater than 0 for AUPDT will be available only to system programming personnel.
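
One way to automate the GROUP statement check above, as an added example that is not part of the STIG or of IBM's tooling. It assumes statement-format ISFPARMS (/* */ comments, a trailing comma continuing a statement, no nested parentheses in values); the sample GROUP statements are constructed and the function names are hypothetical.

```python
import re

# Parameters the rule says must not appear on any GROUP statement.
FORBIDDEN = ("AUTH", "CMDAUTH", "CMDLEV", "DSPAUTH")

# Constructed sample input, not taken from a real system.
SAMPLE = """\
GROUP NAME(ISFSPROG),          /* system programmers */
  TSOAUTH(JCL,OPER,ACCT),
  AUPDT(2)
GROUP NAME(ISFUSER),
  TSOAUTH(JCL),
  AUTH(ALL), CMDAUTH(ALL), CMDLEV(7),
  AUPDT(0)
GROUP TSOAUTH(JCL), DSPAUTH(ALL)
"""

def group_statements(text):
    """Yield each GROUP statement as a {KEYWORD: value} dict."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop comments
    stmt = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stmt += " " + line
        if line.endswith(","):
            continue  # trailing comma: statement continues on next line
        words = stmt.split(None, 1)
        if words[0].upper() == "GROUP":
            yield {k.upper(): v.strip() for k, v in
                   re.findall(r"(\w+)\s*\(([^)]*)\)", words[-1])}
        stmt = ""

def check_group(params):
    """Return the findings for one GROUP statement (empty list = compliant)."""
    findings = [f"{p} is specified" for p in FORBIDDEN if p in params]
    if not params.get("NAME"):
        findings.append("NAME has no value")
    return findings

def audit(text):
    """Return (group name, findings, AUPDT > 0 needs membership review)."""
    out = []
    for g in group_statements(text):
        aupdt = g.get("AUPDT", "0")
        review = aupdt.isdigit() and int(aupdt) > 0
        out.append((g.get("NAME", "<unnamed>"), check_group(g), review))
    return out
```

Keywords are compared exactly, so TSOAUTH is not mistaken for AUTH. A group flagged for AUPDT still needs a manual check of who can be assigned to it, which ISFPARMS alone does not show.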

Fix text

The IBM System Display and Search Facility (SDSF) system programmer will verify that the following Group function parameters appear and/or do not appear in ISFPARMS.

For each GROUP statement:

- AUTH will not be specified
- CMDAUTH will not be specified
- CMDLEV will not be specified
- DSPAUTH will not be specified
- NAME: a value will be specified for the NAME

Note: AUPDT is a parameter for Auto Update and allows overriding of terminal lockout times. The GROUP statements that specify a value greater than 0 for AUPDT will be available only to system programming personnel.

The ISFPARMS GROUP statement defines user groups and their characteristics. Some of these characteristics include access authorization to SDSF functions and commands. Access to these functions and commands can alternatively be controlled using SAF resources. The use of the SAF interface is consistent with the DOD requirement to control all products within the operating system using the ACP. To ensure SAF security is always in effect, authorizations to SDSF functions and commands should not be defined in the ISFPARMS DD statement in the SDSF JCL member.
