Databases must be secured to protect from structural changes.

An XCCDF Rule

Description

<VulnDiscussion>Database objects, like areas and run units, can be changed or deleted if not protected. Steps must be taken to secure these objects via the external security manager (ESM). Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251604r960960_rule
Severity: Medium
References: CCI-001499 CCI-001813
Updated: 17 days ago

Secure database object resources not found in SECRTT or found to be secured internally, through the ESM chosen by the organization (e.g., TSS, ACF 2, RACF).

Users, groups, roles, etc., are defined to the ESM, and it is here where the authorization for ownership is determined.

Once externally secured, create or modify the #SECRTT entries specify TYPE=ENTRY and TYPE=OCCURRENCE for the database resource type with the parameter of SECBY=EXTERNAL.
Use the RESTYPE DB which implicitly includes the subtypes AREA, NRU, QSCH, NSCH, TABL, DACC, and SACC. For each subtype, an entry must be added. The restypes for database tables and DMCLs are DBTB and DMCL, respectively.  

For SQL access, include #SECRTT RESTYPE=DB for  both the catalog and user database through all dbname and segment names that can access the catalog and database.                                                                                                                               

For batch jobs that access database objects, use the ESM standard dataset security and/or the user-written exit 14 to secure the database objects.

Create the corresponding entry in the ESM and give appropriate permissions to role(s)/ group(s) to allow database changes by appropriate users (usually DBAs).

Databases must be secured to protect from structural changes.

Description

Remediation - Manual Procedure