The online debugger which can change programs and storage in the CA IDMS address space must be secured.

An XCCDF Rule

Description

<VulnDiscussion>If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations. Users of the online debugger may alter programs and storage in the IDMS CV. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251606r960960_rule
Severity: Medium
References: CCI-001499 CCI-001813
Updated: 17 days ago

Create, or modify as needed, an entry in the SRTT to secure the DEBUG categories and compile into module RHDCSRTT. The external class and external name construction rules must be specified. 

The following example shows a TYPE=ENTRY #SECRTT macro defining the EXTNAME format for RESTYPE=ACTI and an occurrence override defining the information for a specific occurrence for the DBUG activity. 

#SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=OFF,
 EXTNAME=(ENVIR,ACTI) ,EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR,RESTYPE=ACTI,RESNAME='DBUG',SECBY=EXT

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:

   DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY 
   DCMT VARY NUCLEUS RELOAD

Review the IDMSGTAB module and make changes to the #GTABGEN macro as needed. Here is an example that secures all possible DEBUG categories:  
 
         #GTABGEN (A,01,B,02,C,03,D,04,E,05,F,06,G,07,H,08,I,09,J,10,  X
               K,11,L,12,M,13,N,14),                                   X
               (UPGMR,A,UPGMU,B,USTGR,C,USTGU,D,SHSTGR,E,SHSTGU,F,     X
               AUPGMR,G,AUPGMU,H,ASYSTGR,I,ASYSTGU,J,                  X
               ASYSPGR,K,ASYSPGU,L,ALLR,M,ALLU,N)                       
         END                                                            

Assume the TYPE=INITIAL #SECRTT macro specified ENVNAME=TEST0001 and the particular debug activity was UPGMR (allow the user to retrieve user programs, schemas, maps, and tables). In that case, the external resource name would be TEST0001.DBUG001. Using this information, a Top Secret example to grant access could be:
TSS PER(user_1) CA@IDMS(TEST0001.DBUG001) 

Confer with the security office to ensure that the correct entries are in the ESM to give access to the appropriate role(s)/group(s) permissions for the desired DEBUG categories.

The online debugger which can change programs and storage in the CA IDMS address space must be secured.

Description

Remediation - Manual Procedure