Access to IBM Security zSecure user data sets must be properly restricted and logged.

An XCCDF Rule

Description

If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes might result in incorrect results reported by the product. Only qualified and authorized individuals must be allowed to create, read, update, and delete zSecure user data sets.

ID: SV-259730r1050750_rule
Version: ZSEC-00-000080
Severity: Medium
References: CCI-001499
Updated: about 2 months ago

Remediation Templates

The following commands are provided as a RACF sample for implementing zSecure user data set controls. Convert these commands for any other ESM:

ad 'hlq.zsec.user.assert/ckfreeze/unload.dsn' uacc(none) owner(zSecure owner) - 
audit(success(update) failures(read))

pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)
pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(SECAAUDT, SECDAUDT, SECBAUDT, SYSPAUDT) access(ALTER) 

ad 'hlq.zsec.accmon.user.dsn' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))

pe 'hlq.zsec.accmon.user.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)

pe 'hlq.zsec.accmon.user.dsn' id(AUTOAUDT, SECBAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)
ad ' hlq.zsec.user.ckcus*
audit(success(UPDATE) failures(READ))

pe 'hlq.zsec.user.ckcus*' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(UPDATE)

pe 'hlq.zsec.user.ckcus*' id(SYSPAUDT) access(ALTER) 
rdef logstrm LSName uacc(none) owner(zSecure owner) - 
audit(success(UPDATE) failures(read))

pe LSName class(logstrm) id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, TSTCAUDT, SYSPAUDT) access(READ) 
pe LSName class(logstrm) id(AUTOAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)

Access to IBM Security zSecure user data sets must be properly restricted and logged.

Description

Remediation Templates

A Manual Procedure