The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.

An XCCDF Rule

Description

<VulnDiscussion>IDMS provides commands that can change memory, the attributes of programs, or tasks and are meant for use by the appropriate administrators. These commands must be protected from use by the wrong personnel. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360, SRG-APP-000378-DB-000365</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251603r960960_rule
Severity: Medium
References: CCI-001499 CCI-001812 CCI-001813
Updated: 17 days ago

The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example:
 
#SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL,      EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY)       

Update the source for IDMSCTAB. This example #CTABGEN entry secures the DCMT VARY DYNAMIC and DCMT VARY MEMORY commands and assigns an activity number to each:
CTAB  TITLE 'GENERATE DCMT SECURITY TABLE'                              
         #CTABGEN LOGIN=YES,                                                      X
               (A,1,B,10),                                                                     X
               (N033,A,N046,B)                          
         END                                                            

The ACTIVITY passed to the external security manager (ESM) will be the first up to five bytes of the application name followed by the three-byte activity number or, using the above example, DCMT010 for a DCMT VARY DYNAMIC or a DMCT VARY MEMORY command. 
 
After making the above changes, IDMSCTAB and RHDCSRTT must then be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands:

   DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY 
    DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY 
    DCMT VARY NUCLEUS RELOAD

Also verify that the ESM gives access to the appropriate people. Here are some Top Secret commands based on the above information. Assume that the SYSTEM ID in SYSGEN is TEST001:

TSS PER(user_id) CA@IDMS(TEST001.DCMT001) ACCESS(READ)
TSS PER(user_id) CA@IDMS(TEST001.DCMT010) ACCESS(READ)

The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.

Description

Remediation - Manual Procedure