DFSMS resources are not protected in accordance with the proper security requirements.

From z/OS TSS STIG

Part of ZSMS0010

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-7356r1_rule DFSMS resources are not protected in accordance with the proper security requirements.

Vulnerability discussion

DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.

Check content

a) Refer to the following reports produced by the TSS Data Collection and the Data Set and Resource Data Collection:
- TSSCMDS.RPT(WHOOIBMF)
- SENSITVE.RPT(WHOHIBMF)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZSMS0010)

b) Ensure that the following items are in effect:

1) The STGADMIN resource is owned by personnel who will administer access to the STGADMIN resources.

2) No access is permitted to the STGADMIN. resource.

3) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only.

4) Access to STGADMIN.DPDSRN.olddsname is not granted on production systems.

5) STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers.

6) STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel.

7) The following STGADMIN resources may be allocated to the end user:
   STGADMIN.ARC.ENDUSER
   STGADMIN.ADR.COPY.CNCURRNT
   STGADMIN.ADR.COPY.TOLERATE.ENQF
   STGADMIN.ADR.DUMP.CNCURRNT
   STGADMIN.ADR.DUMP.TOLERATE.ENQF
   STGADMIN.ADR.RESTORE.TOLERATE.ENQF
   STGADMIN.IGG.ALTER.SMS

8) The following STGADMIN resources are restricted to System Programmers, DASD managers, and Application Production Support Team members. For STGADMIN.IDC.DCOLLECT, Automated Operations can also have access.
   STGADMIN.ARC.CANCEL
   STGADMIN.ARC.LIST
   STGADMIN.ARC.QUERY
   STGADMIN.ARC.REPORT
   STGADMIN.DMO.CONFIG
   STGADMIN.IDC.DCOLLECT
   STGADMIN.IFG.READVTOC
   STGADMIN.IGG.DELGDG.FORCE

9) The following STGADMIN resources are controlled using the first two high-level resource name qualifiers at a minimum and are restricted to System Programmers and DASD managers.
   STGADMIN.ARC.ABACKUP
   STGADMIN.ARC.ARECOVER
   STGADMIN.ARC.ADDVOL
   STGADMIN.ARC.ALTERDS
   STGADMIN.ARC.AUDIT
   STGADMIN.ARC.AUTH
   STGADMIN.ARC.BACKDS
   STGADMIN.ARC.BACKVOL
   STGADMIN.ARC.BDELETE
   STGADMIN.ARC.DEFINE
   STGADMIN.ARC.DELETE
   STGADMIN.ARC.DELVOL
   STGADMIN.ARC.DISPLAY
   STGADMIN.ARC.EXPIREBV
   STGADMIN.ARC.FIXCDS
   STGADMIN.ARC.FREEVOL
   STGADMIN.ARC.FRBACKUP
   STGADMIN.ARC.FRDELETE
   STGADMIN.ARC.FRRECOV
   STGADMIN.ARC.HOLD
   STGADMIN.ARC.LIST
   STGADMIN.ARC.LOG
   STGADMIN.ARC.MIGRATE
   STGADMIN.ARC.PATCH
   STGADMIN.ARC.RECALL
   STGADMIN.ARC.RECOVER
   STGADMIN.ARC.RECYCLE
   STGADMIN.ARC.RELEASE
   STGADMIN.ARC.SETMIG
   STGADMIN.ARC.SETSYS
   STGADMIN.ARC.STOP
   STGADMIN.ARC.SWAPLOG
   STGADMIN.ARC.TAPECOPY
   STGADMIN.ARC.TAPEREPL
   STGADMIN.ARC.TRAP
   STGADMIN.ARC.UPDATEC
   STGADMIN.ADR.COPY.BYPASSACS
   STGADMIN.ADR.COPY.INCAT
   STGADMIN.ADR.COPY.PROCESS.SYS
   STGADMIN.ADR.CONVERTV
   STGADMIN.ADR.DEFRAG
   STGADMIN.ADR.DUMP.INCAT
   STGADMIN.ADR.DUMP.PROCESS.SYS
   STGADMIN.ADR.PATCH
   STGADMIN.ADR.RELEASE.PROCESS.SYS
   STGADMIN.ADR.RELEASE.INCAT
   STGADMIN.ADR.RESTORE.BYPASSACS
   STGADMIN.ADR.RESTORE.DELCATE
   STGADMIN.ADR.RESTORE.IMPORT
   STGADMIN.IDC.BINDDATA
   STGADMIN.IDC.DIAGNOSE.CATALOG
   STGADMIN.IDC.DIAGNOSE.VVDS
   STGADMIN.IDC.LISTDATA
   STGADMIN.IDC.LISTDATA.ACCESSCODE
   STGADMIN.IDC.SETCACHE
   STGADMIN.IDC.SETCACHE.DISCARDPINNED
   STGADMIN.IDC.SETCACHE.PENDINGOFF
   STGADMIN.IDC.SETCACHE.REINITIALIZE
   STGADMIN.IDC.SETCACHE.SUBSYSTEM
   STGADMIN.IGG.ALTER.UNCONVRT
   STGADMIN.IGG.LIBRARY
   STGADMIN.IGG.ALTBCS
   STGADMIN.IGG.DEFNVSAM.NOBCS
   STGADMIN.IGG.DEFNVSAM.NONVR
   STGADMIN.IGG.DELETE.NOSCRATCH
   STGADMIN.IGG.DELNVR.NOBCSCHK
   STGADMIN.IGG.DIRCAT
   STGADMIN.IGG.DLVVRNVR.NOCAT
   STGADMIN.IGWSHCDS.REPAIR

10) The following Storage Administrator functions are controlled using the first three high-level resource name qualifiers at a minimum, are restricted to System Programmers and DASD managers, and all access is logged.
   STGADMIN.ADR.STGADMIN.BUILDSA
   STGADMIN.ADR.STGADMIN.COMPRESS
   STGADMIN.ADR.STGADMIN.COPY
   STGADMIN.ADR.STGADMIN.COPY.DELETE
   STGADMIN.ADR.STGADMIN.COPY.RENAME
   STGADMIN.ADR.STGADMIN.DEFRAG
   STGADMIN.ADR.STGADMIN.DUMP
   STGADMIN.ADR.STGADMIN.DUMP.DELETE
   STGADMIN.ADR.STGADMIN.PRINT
   STGADMIN.ADR.STGADMIN.RELEASE
   STGADMIN.ADR.STGADMIN.RESTORE
   STGADMIN.ADR.STGADMIN.RESTORE.RENAME

11) All access to the following STGADMIN resources is logged:
   STGADMIN.DPDSRN.olddsname
   STGADMIN.IGG.DEFDEL.UALIAS
   STGADMIN.IGD.ACTIVATE.CONFIGURATION

c) If all items in b) above are true, there is NO FINDING.

d) If any item in b) above is untrue, this is a FINDING.

Fix text

The IAO will ensure that no access is given to the high-level STGADMIN resource. The IAO will ensure that STGADMIN.DPDSRN.olddsname is restricted to System Programmers on an as-needed basis and that all access is logged.

Ensure that the following items are in effect:

1) The STGADMIN resource is owned by personnel who will administer access to the STGADMIN resources. For example, the following command may be used to establish default protection for all DFSMS/MVS resources:
   TSS ADDTO(dept-acid) IBMFAC(STGADMIN.)

2) No access is permitted to the STGADMIN. resource.

3) STGADMIN.DPDSRN.olddsname is restricted to System Programmers only. For example:
   TSS PERMIT(syspaudt) IBMFAC(STGADMIN.DPDSRN.olddsname) -
       ACCESS(READ) ACTION(AUDIT)

4) Access to STGADMIN.DPDSRN.olddsname is not granted on production systems.

5) STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers. For example:
   TSS PERMIT(syspaudt) IBMFAC(STGADMIN.IGD.ACTIVATE.CONFIGURATION) -
       ACCESS(READ) ACTION(AUDIT)

6) STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel. For example:
   TSS PERMIT(syspaudt, secaaudt) IBMFAC(STGADMIN.IGG.DEFDEL.UALIAS) -
       ACCESS(READ) ACTION(AUDIT)

7) The following STGADMIN resources may be allocated to the end user:
   STGADMIN.ARC.ENDUSER
   STGADMIN.ADR.COPY.CNCURRNT
   STGADMIN.ADR.COPY.TOLERATE.ENQF
   STGADMIN.ADR.DUMP.CNCURRNT
   STGADMIN.ADR.DUMP.TOLERATE.ENQF
   STGADMIN.ADR.RESTORE.TOLERATE.ENQF
   STGADMIN.IGG.ALTER.SMS
   For example:
   TSS PERMIT(end-user-group) IBMFAC(STGADMIN.ADR.COPY.CNCURRNT) ACCESS(READ)
   TSS PERMIT(end-user-group) IBMFAC(STGADMIN.ADR.COPY.TOLERATE.ENQF) ACCESS(READ)
   TSS PERMIT(end-user-group) IBMFAC(STGADMIN.ADR.DUMP.CNCURRNT) ACCESS(READ)
   TSS PERMIT(end-user-group) IBMFAC(STGADMIN.ADR.DUMP.TOLERATE.ENQF) ACCESS(READ)
   TSS PERMIT(end-user-group) IBMFAC(STGADMIN.ADR.RESTORE.TOLERATE.ENQF) ACCESS(READ)
   TSS PERMIT(sysprog-group, storage-mgmt-group) IBMFAC(STGADMIN.ADR.ENDUSER.) ACCESS(READ) AUDIT(ALL)

8) The following STGADMIN resources are restricted to System Programmers, DASD managers, and Application Production Support Team members. For STGADMIN.IDC.DCOLLECT, Automated Operations can also have access.
   STGADMIN.ARC.CANCEL
   STGADMIN.ARC.LIST
   STGADMIN.ARC.QUERY
   STGADMIN.ARC.REPORT
   STGADMIN.DMO.CONFIG
   STGADMIN.IDC.DCOLLECT
   STGADMIN.IFG.READVTOC
   STGADMIN.IGG.DELGDG.FORCE
   For example:
   TSS PERMIT(syspaudt, dasdaudt, appsaudt) IBMFAC(STGADMIN.ARC.CANCEL) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt, appsaudt) IBMFAC(STGADMIN.ARC.QUERY) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt, appsaudt) IBMFAC(STGADMIN.ARC.REPORT) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt, appsaudt, autoaudt) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt, appsaudt) IBMFAC(STGADMIN.IGG.DELGDG.FORCE) ACCESS(READ)

9) The following STGADMIN resources are controlled using the first two high-level resource name qualifiers at a minimum and are restricted to System Programmers and DASD managers.
   STGADMIN.ARC.ABACKUP
   STGADMIN.ARC.ARECOVER
   STGADMIN.ARC.ADDVOL
   STGADMIN.ARC.ALTERDS
   STGADMIN.ARC.AUDIT
   STGADMIN.ARC.AUTH
   STGADMIN.ARC.BACKDS
   STGADMIN.ARC.BACKVOL
   STGADMIN.ARC.BDELETE
   STGADMIN.ARC.DEFINE
   STGADMIN.ARC.DELETE
   STGADMIN.ARC.DELVOL
   STGADMIN.ARC.DISPLAY
   STGADMIN.ARC.EXPIREBV
   STGADMIN.ARC.FIXCDS
   STGADMIN.ARC.FREEVOL
   STGADMIN.ARC.FRBACKUP
   STGADMIN.ARC.FRDELETE
   STGADMIN.ARC.FRRECOV
   STGADMIN.ARC.HOLD
   STGADMIN.ARC.LIST
   STGADMIN.ARC.LOG
   STGADMIN.ARC.MIGRATE
   STGADMIN.ARC.PATCH
   STGADMIN.ARC.RECALL
   STGADMIN.ARC.RECOVER
   STGADMIN.ARC.RECYCLE
   STGADMIN.ARC.RELEASE
   STGADMIN.ARC.SETMIG
   STGADMIN.ARC.SETSYS
   STGADMIN.ARC.STOP
   STGADMIN.ARC.SWAPLOG
   STGADMIN.ARC.TAPECOPY
   STGADMIN.ARC.TAPEREPL
   STGADMIN.ARC.TRAP
   STGADMIN.ARC.UPDATEC
   STGADMIN.ADR.COPY.BYPASSACS
   STGADMIN.ADR.COPY.INCAT
   STGADMIN.ADR.COPY.PROCESS.SYS
   STGADMIN.ADR.CONVERTV
   STGADMIN.ADR.DEFRAG
   STGADMIN.ADR.DUMP.INCAT
   STGADMIN.ADR.DUMP.PROCESS.SYS
   STGADMIN.ADR.PATCH
   STGADMIN.ADR.RELEASE.PROCESS.SYS
   STGADMIN.ADR.RELEASE.INCAT
   STGADMIN.ADR.RESTORE.BYPASSACS
   STGADMIN.ADR.RESTORE.DELCATE
   STGADMIN.ADR.RESTORE.IMPORT
   STGADMIN.IDC.BINDDATA
   STGADMIN.IDC.DIAGNOSE.CATALOG
   STGADMIN.IDC.DIAGNOSE.VVDS
   STGADMIN.IDC.LISTDATA
   STGADMIN.IDC.LISTDATA.ACCESSCODE
   STGADMIN.IDC.SETCACHE
   STGADMIN.IDC.SETCACHE.DISCARDPINNED
   STGADMIN.IDC.SETCACHE.PENDINGOFF
   STGADMIN.IDC.SETCACHE.REINITIALIZE
   STGADMIN.IDC.SETCACHE.SUBSYSTEM
   STGADMIN.IGG.ALTER.UNCONVRT
   STGADMIN.IGG.LIBRARY
   STGADMIN.IGG.ALTBCS
   STGADMIN.IGG.DEFNVSAM.NOBCS
   STGADMIN.IGG.DEFNVSAM.NONVR
   STGADMIN.IGG.DELETE.NOSCRATCH
   STGADMIN.IGG.DELNVR.NOBCSCHK
   STGADMIN.IGG.DIRCAT
   STGADMIN.IGG.DLVVRNVR.NOCAT
   STGADMIN.IGWSHCDS.REPAIR
   For example:
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.ADR.) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.IDC.) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.IGG.) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.IGWSHCDS.REPAIR) ACCESS(READ)
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.ARC.) ACCESS(READ)

10) The following Storage Administrator functions are controlled using the first three high-level resource name qualifiers at a minimum, are restricted to System Programmers and DASD managers, and all access is logged.
   STGADMIN.ADR.STGADMIN.BUILDSA
   STGADMIN.ADR.STGADMIN.COMPRESS
   STGADMIN.ADR.STGADMIN.COPY
   STGADMIN.ADR.STGADMIN.COPY.DELETE
   STGADMIN.ADR.STGADMIN.COPY.RENAME
   STGADMIN.ADR.STGADMIN.DEFRAG
   STGADMIN.ADR.STGADMIN.DUMP
   STGADMIN.ADR.STGADMIN.DUMP.DELETE
   STGADMIN.ADR.STGADMIN.PRINT
   STGADMIN.ADR.STGADMIN.RELEASE
   STGADMIN.ADR.STGADMIN.RESTORE
   STGADMIN.ADR.STGADMIN.RESTORE.RENAME
   For example:
   TSS PERMIT(syspaudt, dasdaudt) IBMFAC(STGADMIN.ADR.STGADMIN.) ACCESS(READ) ACTION(AUDIT)

11) All access to the following STGADMIN resources is logged:
   STGADMIN.DPDSRN.olddsname
   STGADMIN.IGG.DEFDEL.UALIAS
   STGADMIN.IGD.ACTIVATE.CONFIGURATION
   For example:
   TSS PERMIT(syspaudt) IBMFAC(STGADMIN.DPDSRN.olddsname) ACCESS(READ) ACTION(AUDIT)
   TSS PERMIT(syspaudt, secaudt) IBMFAC(STGADMIN.IGG.DEFDEL.UALIAS) ACCESS(READ) ACTION(AUDIT)
   TSS PERMIT(syspaudt) IBMFAC(STGADMIN.IGD.ACTIVATE.CONFIGURATION) ACCESS(READ) ACTION(AUDIT)
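The check items above are evaluated by hand against the WHOOIBMF/WHOHIBMF reports. The following Python script is an added example, not part of the STIG or of any DISA tooling, that shows how the role and audit conditions of items 2, 3, 5, 6, 10 and 11 can be applied mechanically to a list of IBMFAC permits. It assumes a simplified, constructed permit record (ACID, resource, access level, whether ACTION(AUDIT) was coded) rather than the real report layout, and it assumes a role mapping for the example ACID names (syspaudt, dasdaudt and the others from the fix text, plus a hypothetical "endusers" group) that a real site would derive from its own profile structure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permit:
    """One IBMFAC permit, in a constructed simplified form (not the report layout)."""
    acid: str        # ACID (user, profile or department) holding the permit
    resource: str    # IBMFAC resource name; a trailing '.' means a prefix permit
    access: str      # ACCESS level granted, e.g. READ
    audited: bool    # True when the permit carries ACTION(AUDIT)


# Role of each ACID. Assumed mapping for the example; a site derives this
# from its own profiles. "endusers" is a hypothetical group name.
ROLES = {
    "syspaudt": "sysprog",
    "dasdaudt": "dasd",
    "secaaudt": "security",
    "appsaudt": "appsupport",
    "autoaudt": "autoops",
    "endusers": "enduser",
}

# Check items 3, 5, 6, 10 and 11: resource (or prefix), roles allowed to
# hold it, and whether every permit on it must carry ACTION(AUDIT).
RESTRICTED = [
    ("3/11", "STGADMIN.DPDSRN.", {"sysprog"}, True),
    ("5/11", "STGADMIN.IGD.ACTIVATE.CONFIGURATION", {"sysprog"}, True),
    ("6/11", "STGADMIN.IGG.DEFDEL.UALIAS", {"sysprog", "security"}, True),
    ("10", "STGADMIN.ADR.STGADMIN.", {"sysprog", "dasd"}, True),
]


def covered_by(rule_resource, permit_resource):
    """True when a permit's resource name falls under a rule's resource.

    A rule ending in '.' is a prefix: any permit at or below it matches.
    A rule without a trailing '.' matches only a permit on that exact name.
    A broader generic permit (e.g. STGADMIN.ADR.) is not flagged here, since
    TSS applies the most specific permit and item 10 expects the specific,
    audited permit to exist alongside it."""
    if rule_resource.endswith("."):
        return permit_resource.startswith(rule_resource)
    return permit_resource == rule_resource


def evaluate(permits):
    """Return a list of (item, acid, resource, reason) findings."""
    findings = []
    for p in permits:
        res = p.resource.upper()
        # Item 2: nothing may be permitted to the high-level STGADMIN. prefix.
        if res == "STGADMIN.":
            findings.append(("2", p.acid, p.resource, "access to high-level STGADMIN. prefix"))
            continue
        role = ROLES.get(p.acid, "unknown")
        for item, rule_res, allowed, must_audit in RESTRICTED:
            if not covered_by(rule_res, res):
                continue
            if role not in allowed:
                findings.append((item, p.acid, p.resource, f"role '{role}' not permitted"))
            if must_audit and not p.audited:
                findings.append((item, p.acid, p.resource, "ACTION(AUDIT) missing"))
    return findings


def sample_permits():
    """Constructed permits: four should produce findings, the rest comply."""
    return [
        Permit("syspaudt", "STGADMIN.DPDSRN.", "READ", True),                    # item 3, compliant
        Permit("syspaudt", "STGADMIN.IGD.ACTIVATE.CONFIGURATION", "READ", True),  # item 5, compliant
        Permit("appsaudt", "STGADMIN.IGG.DEFDEL.UALIAS", "READ", True),           # item 6: wrong role
        Permit("syspaudt", "STGADMIN.ADR.STGADMIN.", "READ", False),              # item 10: not audited
        Permit("endusers", "STGADMIN.", "READ", False),                           # item 2: high-level prefix
        Permit("endusers", "STGADMIN.ADR.COPY.CNCURRNT", "READ", False),          # item 7, allowed
        Permit("dasdaudt", "STGADMIN.ADR.", "READ", False),                       # item 9, allowed
        Permit("unknownid", "STGADMIN.DPDSRN.OLD.DATA", "READ", True),            # item 3: unknown role
    ]


if __name__ == "__main__":
    for item, acid, resource, reason in evaluate(sample_permits()):
        print(f"FINDING item {item}: {acid} on {resource}: {reason}")
```

Items 4, 7, 8 and 9 are not coded because they depend on site context (production versus non-production, which groups are end users) or only fix the minimum granularity of the permits; a site extending the script would add its own role sets for those resources in the same table.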
