Access to IBM Security zSecure program resources must be limited to authorized users.

An XCCDF Rule

Description

<VulnDiscussion>Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259732r943254_rule
Severity: Medium
References: CCI-001082
Updated: 19 days ago

Ensure READ and higher access to zSecure program resources is restricted to the appropriate staff members.

READ and higher access can be given to security administrators, decentralized security administrators, security batch jobs that perform ESM maintenance, and trusted STC users.

The following commands are provided as a sample for implementing zSecure functional resource controls: 
rdef CKF.<focus> uacc(none) owner(zSecure owner)pe CKF.<focus> class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) 
rdef xfacilit CKNADMIN.<type>.<node-name> uacc(none) owner(zSecure owner) 
pe CKNADMIN.<type>.<node-name> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) 
rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.<type> uacc(none) owner(zSecure owner)
pe CKNDSN.<dstype>.<node-name>.<systemname>.<type> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) 
rdef xfacilit CKG.<type>.** uacc(none) owner(zSecure owner)
pe CKG.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ)
rdef xfacilit CKR.<type> uacc(none) owner(zSecure owner)
pe CKR.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) 
rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner) 

pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) 
rdef xfacilit C2R.CLIENT.** uacc(none) owner(zSecure owner)
pe C2R.CLIENT.** class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) 
rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner)
pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)

Access to IBM Security zSecure program resources must be limited to authorized users.

Description

Remediation - Manual Procedure