From z/OS RACF STIG
Part of ZSMS0010
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.
a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(FACILITY)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZSMS0010)

b) Ensure that the following items are in effect:

1) The STGADMIN.** profile in the FACILITY resource class has a default access of NONE and grants no access at this level.

2) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only.

3) Access to STGADMIN.DPDSRN.olddsname is not granted on production systems.

4) STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers.

5) STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel.

6) The following STGADMIN resource profiles may be allocated to the end-user:
STGADMIN.ADR.COPY.CNCURRNT
STGADMIN.ADR.COPY.TOLERATE.ENQF
STGADMIN.ADR.DUMP.CNCURRNT
STGADMIN.ADR.DUMP.TOLERATE.ENQF
STGADMIN.ADR.RESTORE.TOLERATE.ENQF
STGADMIN.ARC.ENDUSER
STGADMIN.IGG.ALTER.SMS

7) The following STGADMIN resources are restricted to System Programmers, DASD managers, and Application Production Support Team members. For STGADMIN.IDC.DCOLLECT, Automated Operations may also have access:
STGADMIN.ARC.CANCEL
STGADMIN.ARC.LIST
STGADMIN.ARC.QUERY
STGADMIN.ARC.REPORT
STGADMIN.DMO.CONFIG
STGADMIN.IDC.DCOLLECT
STGADMIN.IFG.READVTOC
STGADMIN.IGG.DELGDG.FORCE

8) The following STGADMIN resource profiles are controlled using the first two high-level resource name qualifiers at a minimum and are restricted to System Programmers and DASD managers:
STGADMIN.ARC.ABACKUP
STGADMIN.ARC.ARECOVER
STGADMIN.ARC.ADDVOL
STGADMIN.ARC.ALTERDS
STGADMIN.ARC.AUDIT
STGADMIN.ARC.AUTH
STGADMIN.ARC.BACKDS
STGADMIN.ARC.BACKVOL
STGADMIN.ARC.BDELETE
STGADMIN.ARC.DEFINE
STGADMIN.ARC.DELETE
STGADMIN.ARC.DELVOL
STGADMIN.ARC.DISPLAY
STGADMIN.ARC.EXPIREBV
STGADMIN.ARC.FIXCDS
STGADMIN.ARC.FREEVOL
STGADMIN.ARC.FRBACKUP
STGADMIN.ARC.FRDELETE
STGADMIN.ARC.FRRECOV
STGADMIN.ARC.HOLD
STGADMIN.ARC.LIST
STGADMIN.ARC.LOG
STGADMIN.ARC.MIGRATE
STGADMIN.ARC.PATCH
STGADMIN.ARC.RECALL
STGADMIN.ARC.RECOVER
STGADMIN.ARC.RECYCLE
STGADMIN.ARC.RELEASE
STGADMIN.ARC.SETMIG
STGADMIN.ARC.SETSYS
STGADMIN.ARC.STOP
STGADMIN.ARC.SWAPLOG
STGADMIN.ARC.TAPECOPY
STGADMIN.ARC.TAPEREPL
STGADMIN.ARC.TRAP
STGADMIN.ARC.UPDATEC
STGADMIN.ADR.COPY.BYPASSACS
STGADMIN.ADR.COPY.INCAT
STGADMIN.ADR.COPY.PROCESS.SYS
STGADMIN.ADR.CONVERTV
STGADMIN.ADR.DEFRAG
STGADMIN.ADR.DUMP.INCAT
STGADMIN.ADR.DUMP.PROCESS.SYS
STGADMIN.ADR.PATCH
STGADMIN.ADR.RELEASE.PROCESS.SYS
STGADMIN.ADR.RELEASE.INCAT
STGADMIN.ADR.RESTORE.BYPASSACS
STGADMIN.ADR.RESTORE.DELCATE
STGADMIN.ADR.RESTORE.IMPORT
STGADMIN.IDC.BINDDATA
STGADMIN.IDC.DIAGNOSE.CATALOG
STGADMIN.IDC.DIAGNOSE.VVDS
STGADMIN.IDC.LISTDATA
STGADMIN.IDC.LISTDATA.ACCESSCODE
STGADMIN.IDC.SETCACHE
STGADMIN.IDC.SETCACHE.DISCARDPINNED
STGADMIN.IDC.SETCACHE.PENDINGOFF
STGADMIN.IDC.SETCACHE.REINITIALIZE
STGADMIN.IDC.SETCACHE.SUBSYSTEM
STGADMIN.IGG.ALTER.UNCONVRT
STGADMIN.IGG.LIBRARY
STGADMIN.IGG.ALTBCS
STGADMIN.IGG.DEFNVSAM.NOBCS
STGADMIN.IGG.DEFNVSAM.NONVR
STGADMIN.IGG.DELETE.NOSCRATCH
STGADMIN.IGG.DELNVR.NOBCSCHK
STGADMIN.IGG.DIRCAT
STGADMIN.IGG.DLVVRNVR.NOCAT
STGADMIN.IGWSHCDS.REPAIR

9) The following Storage Administrator functions are controlled using the first three high-level resource name qualifiers at a minimum, are restricted to System Programmers and DASD managers, and all access is logged:
STGADMIN.ADR.STGADMIN.BUILDSA
STGADMIN.ADR.STGADMIN.COMPRESS
STGADMIN.ADR.STGADMIN.COPY
STGADMIN.ADR.STGADMIN.COPY.DELETE
STGADMIN.ADR.STGADMIN.COPY.RENAME
STGADMIN.ADR.STGADMIN.DEFRAG
STGADMIN.ADR.STGADMIN.DUMP
STGADMIN.ADR.STGADMIN.DUMP.DELETE
STGADMIN.ADR.STGADMIN.PRINT
STGADMIN.ADR.STGADMIN.RELEASE
STGADMIN.ADR.STGADMIN.RESTORE
STGADMIN.ADR.STGADMIN.RESTORE.RENAME

10) All access to the following STGADMIN resources is logged:
STGADMIN.DPDSRN.olddsname
STGADMIN.IGG.DEFDEL.UALIAS
STGADMIN.IGD.ACTIVATE.CONFIGURATION

c) If all items in b) above are true, there is NO FINDING.

d) If any item in b) above is untrue, this is a FINDING.
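The check above can be evaluated mechanically once the FACILITY-class profile data has been exported. The following is an added example (not DISA or IBM code, and not the SENSITVE.RPT tooling) that applies items 1, 2, 4, 5, 8, 9 and 10 to constructed profile records carrying what an RLIST-style report shows: profile name, UACC, access list, and whether AUDIT(ALL(READ)) is set. The group names SYSPROG, DASDADM and SECADM are assumptions standing in for the site's actual system programmer, DASD manager and security groups.

```python
# Added example: evaluate ZSMS0010 STGADMIN items 1, 2, 4, 5, 8, 9 and 10
# over FACILITY-class profile records. Not DISA or IBM code. Group names
# SYSPROG, DASDADM and SECADM are assumptions; the SAMPLE data is constructed.
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    uacc: str                                 # universal access, e.g. "NONE"
    acl: dict = field(default_factory=dict)   # access list: ID -> access level
    audit_all_read: bool = False              # AUDIT(ALL(READ)) in effect

SYSPROG, DASD, SEC = {"SYSPROG"}, {"DASDADM"}, {"SECADM"}
# (exact name or name prefix, allowed holders, logging required); first match wins
RULES = [
    ("STGADMIN.DPDSRN.", SYSPROG, True),                      # items 2, 10
    ("STGADMIN.IGD.ACTIVATE.CONFIGURATION", SYSPROG, True),   # items 4, 10
    ("STGADMIN.IGG.DEFDEL.UALIAS", SYSPROG | SEC, True),      # items 5, 10
    ("STGADMIN.ADR.STGADMIN.", SYSPROG | DASD, True),         # item 9
    ("STGADMIN.", SYSPROG | DASD, False),                     # item 8 default
]

def findings(profiles):
    """Return one finding string per violated item; an empty list is NO FINDING."""
    out = []
    top = next((p for p in profiles if p.name == "STGADMIN.**"), None)
    if top is None:
        out.append("item 1: STGADMIN.** profile not defined")
    elif top.uacc != "NONE" or any(a != "NONE" for a in top.acl.values()):
        out.append("item 1: STGADMIN.** grants access at the top level")
    for p in profiles:
        if p.name == "STGADMIN.**":
            continue
        if p.uacc != "NONE":
            out.append(f"{p.name}: UACC({p.uacc}) must be NONE")
        holders = {i for i, a in p.acl.items() if a != "NONE"}
        for key, allowed, must_log in RULES:
            if p.name == key or p.name.startswith(key):
                if not holders <= allowed:
                    out.append(f"{p.name}: {sorted(holders - allowed)} not permitted")
                if must_log and not p.audit_all_read:
                    out.append(f"{p.name}: access is not logged")
                break
    return out

SAMPLE = [  # constructed: first two profiles are clean, last two carry violations
    Profile("STGADMIN.**", "NONE", {}, True),
    Profile("STGADMIN.DPDSRN.*", "NONE", {"SYSPROG": "READ"}, True),
    Profile("STGADMIN.IGG.DEFDEL.UALIAS", "NONE", {"SYSPROG": "READ", "DASDADM": "READ"}),
    Profile("STGADMIN.ADR.STGADMIN.COPY", "READ", {"DASDADM": "READ"}, True),
]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print("FINDING -", f)
```

Running it reports three findings for SAMPLE: DASDADM holding STGADMIN.IGG.DEFDEL.UALIAS, that profile not being logged, and UACC(READ) on STGADMIN.ADR.STGADMIN.COPY.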
The IAO will ensure that no access is given to the high-level STGADMIN resource.
The IAO will ensure that STGADMIN.DPDSRN.olddsname is restricted to system programmers on an as needed basis and all access will be logged.
Ensure that the following items are in effect:
1) The STGADMIN.** profile in the FACILITY resource class has a default access of NONE and grants no access at this level.
Sample command:
RDEF FACILITY STGADMIN.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))
2) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only.
Sample command:
RDEF FACILITY STGADMIN.DPDSRN.olddsname UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))
PE STGADMIN.DPDSRN.olddsname CL(FACILITY) ID(