All installation-delivered IDMS DCADMIN-level tasks must be properly secured.

An XCCDF Rule

Description

<VulnDiscussion>If DC Administrator-level tasks are not secured, any user logged on to IDMS may use them to access and manipulate various resources within the DBMS. This can be mitigated using the proper entries in the SRTT. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251589r960792_rule
Severity: Medium
References: CCI-000213 CCI-001082
Updated: 17 days ago

The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner:
 
#SECRTT TYPE=ENTRY,                          X
 RESTYPE=TASK,                                     X
 SECBY=EXTERNAL ,                               X
 EXTNAME=(RESTYPE,RESNAME),        X EXTCLS='CA@IDMS'

or to give access specifically to one or more programs (in this case, to ASF):

#SECRTT TYPE=ENTRY, RESTYPE=TASK,                             X
  SECBY=OFF,                                                                        X               
 EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'

with an OCCUR statement for each task:

#SECRTT TYPE=OCCUR,RESTYPE=TASK,                              X
 SECBY=EXTERNAL,                                                                X 
 RESNAME='ASF'                                                                           

Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DCADMIN, for security class "CA@IDMS", where "task-name" is one of  the DC-Administrator-level programs listed. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(TASK.ASF) 

In ACF2:
$KEY(SGON.the_extname) TYPE(TASK.ASF) 
 UID(user_id) ALLOW

In RACF:
RDEFINE CA@IDMS TASK.TASK.ASF UACC(NONE)
PERMIT TASK.ASF CLASS(CA@IDMS) ID(user_id) ACCESS(READ)

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:       
 DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY 
DCMT VARY NUCLEUS RELOAD

All installation-delivered IDMS DCADMIN-level tasks must be properly secured.

Description

Remediation - Manual Procedure