Database management systems do not interface with the access control product to perform identification and authentication.

From z/OS TSS STIG

Part of ZDBM0010

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-32r1_rule Database management systems do not interface with the access control product to perform identification and authentication.

Vulnerability discussion

Data Base Management Systems (DBMS) provide the facilities to design, create, update, access and manage database files. Unauthorized access to these facilities could potentially compromise the operating system and customer data.

Check content

a) Review the production proclibs to identify the installed DBMS.
b) Refer to the vendor documentation for the related DBMS to identify specific parameter settings necessary for activating I&A (Identification and Authentication) by the ACP.
c) If I&A is being done by the ACP, there is NO FINDING.
d) If I&A is not being done by the ACP, this is a FINDING.

Fix text

Evaluate the impact associated with correcting the deficiency, and develop a plan of action to implement the changes as required.

Most database management systems require users to identify themselves by supplying a logonid and password before accessing the database system. This method provides a good defense against unauthorized access to the system.

Securing the use of database options, resources, and processes is crucial. All database functions (such as commands, transactions, and interactive options) should be reviewed for potential security exposures and to prevent unauthorized use. For example, only the database administrator should be allowed access to all the internal facilities used to manage and administer the database management system.

The informational data in the database should be protected against unauthorized access. Operating system level data set controls for the database data sets are essential, but these controls are not enough. Users should not have complete access to all the data in a DBMS just because they have access to the OS data sets. Consideration should be given to securing the internal data structures, such as tables or files, within the OS data sets. This level of protection is usually handled by the internal security within the database product.

Use the following recommendations when securing access to database management systems:

(1) Control user access to the software product's data sets, and restrict access only to authorized personnel.
(2) All database systems in use at the DOD sites will interface with the system ACP to perform I&A validation. Any DBMS incapable of using the ACP to accomplish I&A will be phased out.
