From z/OS TSS STIG
Part of TSS0840
Associated with IA controls: DCCS-1, DCCS-2
Associated with: CCI-000764
DASD management ACIDs require access to backup and restore all files and volumes, and thus present a high degree of risk to the environment.
a) Refer to the following report produced by the TSS Data Collection and Data Set and Resource Data Collection: - TSSCMDS.RPT(@ACIDS) - SENSITVE.RPT(WHOHVOL) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup files and all associated storage management userids. b) Refer to data obtained from the site installation identifying DASD maintenance ACIDs. Review selected ACIDs from data gathered for volume authorizations. Note: SMS utilizes IBMFAC resource class permissions. If DFSMS/MVS is used to perform DASD maintenance operations, IBMFAC permissions may also be used to authorize storage maintenance operations to non-SMS-managed volumes in lieu of using VOLUME permissions. c) If (b) above is complete, there is NO FINDING. d) If (b) above is incomplete, this is a FINDING. ACIDs assigned to production storage maintenance tasks, such as DASD management, will be granted the appropriate authorizations necessary to perform their functions. Apply the following controls to storage management ACIDs: (1) Define all batch ACIDs to the BATCH facility. (2) Permit access to sensitive programs and utilities using program protection controls, such as the PROGRAM resource class and program pathing. Note: As long as only authorized users are being granted access, program pathing is not required. (3) Permit data set access for backup, recovery, and compaction using the VOLUME resource class. Depending on the storage management software, some data set level checking may be performed under certain conditions. For such instances, the appropriate data set access authorization should be granted. Refer to the vendor's product documentation for specific requirements.
Ensure that maintenance ACIDs are controlled through the use of the VOLUME resource class. SMS does not utilize VOLUME permissions for SMS-managed volumes. IBMFAC permissions must be used instead. If DFSMS/MVS is used to perform DASD maintenance operations, IBMFAC permissions may also be used to authorize storage maintenance operations to non-SMS-managed volumes in lieu of using VOLUME permissions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. ACIDs assigned to production storage maintenance tasks, such as DASD management, will be granted the appropriate authorizations necessary to perform their functions. Apply the following controls to storage management ACIDs: (1) Define all batch ACIDs to the BATCH facility. (2) Permit access to sensitive programs and utilities using program protection controls, such as the PROGRAM resource class and program pathing. Note: As long as only authorized users are being granted access, program pathing is not required. (3) Permit data set access for backup, recovery, and compaction using the VOLUME resource class. Depending on the storage management software, some data set level checking may be performed under certain conditions. For such instances, the appropriate data set access authorization should be granted. Refer to the vendor's product documentation for specific requirements.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer