The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.

From z/OS RACF STIG

Part of RACF0740

Associated with IA controls: DCCS-1, DCCS-2

SV-296r1_rule The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.

Vulnerability discussion

BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. When BLP is used in z/OS, the only verification performed is of the data set name in the JCL, and any data set name can be used. A user could specify a data set name that they have access to; the job would pass the validation check and be processed, giving access to the data. BLP is typically used for tapes that are external to the tape management system used on the processor. BLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.

Check content

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)

b) Ensure the following items are in effect regarding bypass label processing (BLP):
1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).
2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.).
3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.

c) If all items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.
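The three items in (b) can be scripted against the RLIST output for the ICHBLP profile (the same data the SENSITVE.RPT(FACILITY) report summarizes). The Python below is an added example, not part of the STIG or the RACF Data Collection; the RLIST column layout is an approximation, and the justified userid list, the tape management system status and the TAPEVOL status are assumed inputs.

```python
# Constructed sample modelled on RLIST FACILITY ICHBLP AUTHUSER output
# (column layout approximate; userids and access counts are made up).
SAMPLE_RLIST = """\
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1             READ              NONE     NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
TAPELIB   READ       000014
OPER01    READ       000003
DEVUSR7   READ       000000
"""

# Hypothetical userids whose BLP justification is on file with the IAO.
JUSTIFIED = {"TAPELIB", "OPER01"}


def parse_rlist(text):
    """Return (UACC, {userid: access}) from RLIST output in the form above."""
    uacc, acl, mode = None, {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("-"):
            continue                      # blank line or dashed underline
        if parts[0] == "LEVEL":
            mode = "profile"              # next data row carries the UACC
        elif parts[:2] == ["USER", "ACCESS"]:
            mode = "acl"                  # following rows are the access list
        elif mode == "profile":
            uacc, mode = parts[2], None   # LEVEL OWNER UACC YOUR-ACCESS WARNING
        elif mode == "acl" and len(parts) == 3:
            acl[parts[0]] = parts[1]      # USERID ACCESS COUNT
    return uacc, acl


def check_blp(text, justified, tms_installed, tapevol_active):
    """Apply the three check items; an empty list means NO FINDING."""
    uacc, acl = parse_rlist(text)
    findings = []
    if uacc is None:                      # item 1: profile must exist ...
        findings.append("ICHBLP is not defined in the FACILITY class")
    elif uacc != "NONE":                  # ... with UACC(NONE)
        findings.append(f"ICHBLP UACC is {uacc}; expected NONE")
    for userid, acc in sorted(acl.items()):   # item 2: only justified userids
        if acc != "NONE" and userid not in justified:
            findings.append(f"{userid} holds {acc} on ICHBLP without justification")
    if not tms_installed and not tapevol_active:   # item 3
        findings.append("no tape management system and TAPEVOL class is inactive")
    return findings
```

Running check_blp on the constructed sample with no tape management system and TAPEVOL inactive reports three findings: the UACC of READ, the unjustified DEVUSR7 entry, and the inactive TAPEVOL class.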

Fix text

Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.

BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:

PE ICHBLP CL(FACILITY) id() DELETE

A subsequent REFRESH of the FACILITY class may be required via the command:

SETR RACL(FACILITY) REFRESH
