IDMS must prevent unauthorized and unintended information transfer via database buffers.

An XCCDF Rule

Description

<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251618r961149_rule
Severity: Medium
References: CCI-001090
Updated: 17 days ago

Do the following to place buffers into storage acquired from the operating system rather than from IDMS. Use the following system generation parameters to enable the use of OPSYS storage for the buffers: 
Set STORAGE KEY parameter of the SYSGEN SYSTEM statement to a value different from the ALTERNATE STORAGE KEY.

Set PROTECT/NOPROTECT parameter of the SYSGEN SYSTEM statement to PROTECT.

Set PROTECT/NOPROTECT parameter of the SYSGEN PROGRAM statement to PROTECT for user programs.
Using the #CTABGEN macro, secure DCMT commands:
- VARY BUFFER (code N010)
- VARY DYNAMIC PROGRAM (code N046001)
- VARY PROGRAM (code N025)
Here is an example where all three commands are assigned task code 3:
         #CTABGEN (A,3),                                               X
               (N010,A,N025,N046001,A)
Using the above example, and assuming the SYSTEM ID of this IDMS system specified in SYSGEN is TEST001 the SRTT entry could be:

#SECRTT TYPE=ENTRY,RESTYPE=ACTI,       -
        SECBY=EXTERNAL,                                     -
        EXTCLS='CA@IDMS',                                 -
        EXTNAME=(SYST,ACTI)             

The DCMT commands could be assigned to users in Top Secret:
TSS PER(user_id) CA@IDMS(TEST001.DCMT003) ACCESS(READ)

Reassemble the SRTT and/or module IDMSCTAB and issue commands:
DCMT VARY NUC MODULE IDMSCTAB NEW COPY -for IDMSCTAB
DCMT VARY NUC MODULE RHDCSRTT NEW COPY - for RHDCSRTT
then for either or both:
DCMT VARY NUCLEUS RELOAD 

To set buffers to OPSYS storage:
Access OCF or BCF and connect to the applicable dictionary.

Enter "DISPLAY BUFFER nnnnnnnn AS SYNTAX VERB ALTER" where [nnnnnnnn] is the name of the buffer.

Change the DC STORAGE parameter to "OPSYS STORAGE".

After changing all needed buffers, GENERATE the DMCL.

Punch and link the DMCL module. 

Cycle the CV or issue "DCMT VARY DMCL NEW COPY".

Note: If specifying OPSYS storage for buffers, IDMS will attempt to allocate the buffer storage in operating system storage rather than in IDMS storage. Should the allocation attempt fail, IDMS will attempt to allocate the buffer in IDMS storage, and messages DC205032 and DC205029 will be issued indicating this.

IDMS must prevent unauthorized and unintended information transfer via database buffers.

Description

Remediation - Manual Procedure