IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.

An XCCDF Rule

Description

<VulnDiscussion>In general, all functions within IDMS can be controlled, therefore it is up to the IDMS system administrator to determine which functions or tasks are secured or require proper authorization. Any function within the IDMS environment can be considered privileged if the administrator deems it appropriate. Access to different functions is protected through a number of load modules that are generated from assembler macros. The load modules are RHDCSRTT, IDMSCTAB, and IDMSUTAB. The related assembler macros are #SECRTT, #CTABGEN, and #UTABGEN. The #SECRTT macro is used to define different functions to the ESM so that they can be secured. The #UTABGEN macro is used to secure specific OCF/BCF commands. The #CTABGEN macro is used to secure DCMT commands. IDMS provides several tasks, programs and data sets that, in the wrong hands, could allow access to sensitive data or give access to make detrimental changes. These tasks, programs and data sets should be deemed privileged and protected from unauthorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251636r961353_rule
Severity: Medium
References: CCI-002235
Updated: 17 days ago

1. Define the functions to secure using the #SECRTT, #CTABGEN, and #UTABGEN macros. See the IDMS documentation for information on how use these macros to secure the CA IDMS environment. 

2. Protect the IDMS macro libraries with the ESM's dataset level security (see the ESM's documentation to restrict access except for the administrators).

3. Protect the IDMS custom load library containing the RHDCUXIT, RHDCSRTT, IDMSCTAB, or IDMSUTAB modules. See the ESM's documentation to restrict access except for the IDMS Central Version, administrators, and any other users who require access.
4. If access must be restricted to the CA IDMS Database files in Local Mode, and the CA IDMS Database files are not properly secured using an ESM, then do so. All pertinent CA IDMS software load libraries and customization load libraries should also be secured. Only allow access to these files by the IDMS Central Version or specific administrator IDs as specified by the ESM. This protects the system from unauthorized users utilizing alternative load libraries or security settings to access database files, and also prevents them from directly accessing the database files.

5. If granularly controlling user access in batch to local mode is required and EXIT 14 is not set up in the RHDCUXIT module, see the IDMS documentation. Use EXIT 14 to decide which database verbs to protect. Access is protected by associating the verbs with a security resource in the RHDCSRTT, which is protected by the ESM. This is an exit that must be compiled into the RHDCUXIT load module. This exit is called at the time of a database verb being called and allows users to define which verbs are secured and how they are secured by issued Security Checks based on the user making the calls. This allows a user to choose which verbs are privileged and who is able to access them. As before, the verbs are secured by associating them with a defined access type in the RHDCSRTT, module which then needs to be secured by the ESM. By using the ESM's dataset level security and Exit 14, access is restricted to functions that should be protected.

IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.

Description

Remediation - Manual Procedure