MVS data sets for the Base TCP/IP component are not properly protected.

From z/OS RACF STIG

Part of ITCP0070

Associated with IA controls: DCCS-1, DCCS-2, ECCD-1

SV-3221r1_rule MVS data sets for the Base TCP/IP component are not properly protected.

Vulnerability discussion

MVS data sets of the Base TCP/IP component hold the configuration, operational, and executable elements of IBM's TCP/IP system product. Failure to properly secure these data sets may allow unauthorized access, compromising the integrity and availability of the operating system environment, the ACP, and customer data.

Check content

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(TCPRPT)

Automated Analysis

Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ITCP0070)

b) Ensure the following data set controls are in effect for the Base TCP/IP component:

1) WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).

2) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.

3) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.

4) WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.

Fix text

Review with the IAO the data set access authorizations defined to the ACP for the Base TCP/IP component. Ensure these data sets are protected in accordance with the following rules:

1) WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).

2) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.

3) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.

NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.

4) WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.

NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.
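The following batch TSO job is an added example of how the four rules above can be implemented and then displayed for review with RACF; it is not part of the STIG text and not IBM- or DISA-supplied code. It assumes a RACF group SYSPROG holding the systems programming personnel and a data set SYS1.TCPPARMS holding the PROFILE and DATA configuration members (both names are assumptions; only the SYS1.TCPIP.AEZA and SYS1.TCPIP.SEZA prefixes come from the page). In RACF terms the STIG's WRITE is UPDATE access and ALLOCATE is ALTER access, so restricting both means giving ALTER only to SYSPROG, and logging both means AUDIT(SUCCESS(UPDATE)), which records every successful access at UPDATE level or higher (UPDATE, CONTROL, ALTER) in SMF. The TSS variant in the NOTE is not covered here.

```jcl
//TCPPROT  JOB (ACCT),'PROTECT TCPIP DSNS',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example for ITCP0070 (RACF); not STIG, DISA or IBM text.
//* Assumed, adjust to the site:
//*   SYSPROG        RACF group of systems programming personnel
//*   SYS1.TCPPARMS  data set holding the PROFILE and DATA members,
//*                  and any data set named on a PROFILE INCLUDE
//*   SETROPTS GENERIC(DATASET) and enhanced generic naming active
//* STIG term to RACF access level: WRITE = UPDATE, ALLOCATE = ALTER
//*
//* b.1  AEZA*/SEZA* product libraries: anyone may READ, only
//*      SYSPROG may UPDATE/ALTER, access failures are logged.
//* b.2  TCPPARMS: same access rule as b.1.
//* b.3  TCPPARMS: AUDIT(SUCCESS(UPDATE)) logs every successful
//*      UPDATE, CONTROL or ALTER access, i.e. every WRITE and
//*      ALLOCATE; FAILURES(READ) logs every violation.
//* b.4  Shared application configuration is assumed to be in
//*      TCPPARMS; if it is elsewhere, repeat the TCPPARMS commands
//*      for that data set (and for each INCLUDE target).
//* The LISTDSD ... ALL output (UACC, access list, audit options)
//* is the evidence the check in (b) asks for.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'SYS1.TCPIP.AEZA*.**' UACC(READ) AUDIT(FAILURES(READ))
  PERMIT 'SYS1.TCPIP.AEZA*.**' ID(SYSPROG) ACCESS(ALTER)
  ADDSD  'SYS1.TCPIP.SEZA*.**' UACC(READ) AUDIT(FAILURES(READ))
  PERMIT 'SYS1.TCPIP.SEZA*.**' ID(SYSPROG) ACCESS(ALTER)
  ADDSD  'SYS1.TCPPARMS.**' UACC(READ) -
         AUDIT(SUCCESS(UPDATE) FAILURES(READ))
  PERMIT 'SYS1.TCPPARMS.**' ID(SYSPROG) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('SYS1.TCPIP.AEZA*.**') ALL
  LISTDSD DATASET('SYS1.TCPIP.SEZA*.**') ALL
  LISTDSD DATASET('SYS1.TCPPARMS.**') ALL
/*
```

If a profile already exists, ADDSD fails and ALTDSD with the same UACC and AUDIT operands should be used instead; any existing access list entries granting UPDATE or higher to IDs outside SYSPROG must be removed with PERMIT ... DELETE before the item can be marked NO FINDING. Because the check extends the same requirements to every data set named on an INCLUDE statement in the PROFILE, read the PROFILE member for INCLUDE lines and repeat the TCPPARMS commands for each data set they name.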


Powered by sagemincer