IDMS must allow only authorized users to sign on to an IDMS CV.

An XCCDF Rule

Description

<VulnDiscussion>Unauthorized users signing on to IDMS can pose varying amounts of risk depending upon the security of the IDMS resources in an IDMS CV. Until the IDMS sign-on resource type (SGON) is secured anyone can sign on to IDMS. This risk can be mitigated by securing the SGON resource.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251584r807619_rule
Severity: High
References: CCI-000213
Updated: about 1 year ago

In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process such as this example:

          #SECRTT TYPE=ENTRY,                                           X
                    RESTYPE=SGON,                                           X
                   SECBY=EXTERNAL,                                         X
                   EXTCLS='CA@IDMS',                                  X                   EXTNAME=(RESTYPE,RESNAME)                                    

The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name sign into SYSGEN in the CV. Then issue command "SIGNON DICT SYST" and then issue command "DISP SYS nnn" where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME.

Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret:
TSS PER(user_id) CA@IDMS(SGON.your_extname)

In ACF2:
$KEY(SGON.your_extname) TYPE(CA@IDMS) 
 UID(user_id) ALLOW

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:

DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY 
DCMT VARY NUCLEUS RELOAD

IDMS must allow only authorized users to sign on to an IDMS CV.

Description

Remediation - Manual Procedure