From z/OS RACF STIG
Part of RACF0740
Associated with IA controls: DCCS-1, DCCS-2
BLP is extremely sensitive, as it allows security access checking for the data to be bypassed. When BLP is used in z/OS, the only verification performed is on the data set name coded in the JCL, and any data set name can be used. A user could specify a data set name that he has access to; the job would pass the validation check and be processed, giving the user access to the data on the tape. BLP is typically used for tapes that are external to the tape management system used on the processor.
a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)
b) Ensure the following items are in effect regarding bypass label processing (BLP):
1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).
2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.).
3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.
c) If all items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.
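The three conditions in (b) can be evaluated mechanically once the report text is in hand. The following is an added example, not part of the STIG or of any RACF tooling; the RLIST and SETROPTS extracts it parses are constructed, simplified layouts (an assumption), and the authorized userids are a constructed stand-in for the IAO's documentation.

```python
import re

# Constructed sample: simplified RLIST FACILITY ICHBLP AUTHUSER extract
# (this layout is an assumption, not verbatim RACF output)
RLIST_ICHBLP = """\
UNIVERSAL ACCESS   YOUR ACCESS   WARNING
----------------   -----------   -------
NONE               NONE          NO

USER      ACCESS
----      ------
TAPELIB   READ
OPER01    READ
SYSPROG1  READ
"""
# Constructed sample: active-class line from SETROPTS LIST (assumption)
SETROPTS_LIST = "ACTIVE CLASSES = DATASET USER GROUP FACILITY"
# Constructed: userids whose BLP justification is on file with the IAO
DATA_CENTER_IDS = {"TAPELIB", "OPER01"}

def parse_rlist(text):
    """Return (uacc, {userid: access}) from the simplified RLIST extract."""
    uacc, acl, in_acl = None, {}, False
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("UNIVERSAL ACCESS"):
            uacc = lines[i + 2].split()[0]  # value row follows the dashes
        elif line.startswith("USER") and "ACCESS" in line:
            in_acl = True
        elif in_acl:
            m = re.match(r"^([A-Z0-9@#$]{1,8})\s+(NONE|READ|UPDATE|CONTROL|ALTER)$", line)
            if m:
                acl[m.group(1)] = m.group(2)
    return uacc, acl

def check_blp(rlist_text, setropts_text, authorized_ids, tms_installed):
    """Apply items b1-b3 of the check; an empty list means NO FINDING."""
    uacc, acl = parse_rlist(rlist_text)
    findings = []
    if uacc is None:
        findings.append("ICHBLP is not defined in the FACILITY class")
    elif uacc != "NONE":
        findings.append(f"ICHBLP UACC is {uacc}, expected NONE")
    for uid, acc in acl.items():
        if acc != "NONE" and uid not in authorized_ids:
            findings.append(f"{uid} holds {acc} on ICHBLP without documented justification")
    active = set(setropts_text.partition("=")[2].split())
    if not tms_installed and "TAPEVOL" not in active:
        findings.append("no tape management system and TAPEVOL class is not active")
    return findings
```

With the constructed sample, SYSPROG1 is flagged under item 2 and, with no tape management system, the inactive TAPEVOL class is flagged under item 3.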
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.
BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:
PE ICHBLP CL(FACILITY) id(