All installation-delivered IDMS DBADMIN-level tasks must be properly secured.

An XCCDF Rule

Description

<VulnDiscussion>DBA-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251588r807631_rule
Severity: Medium
References: CCI-000213 CCI-001082
Updated: about 1 year ago

The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner:
 
#SECRTT TYPE=ENTRY,                          X
 RESTYPE=TASK,                                     X
 SECBY=EXTERNAL ,                               X
 EXTNAME=(RESTYPE,RESNAME),        X EXTCLS='CA@IDMS'

or to give access specifically to one or more tasks (in this case, to ADSM):

#SECRTT TYPE=ENTRY, RESTYPE=TASK,                             X
  SECBY=OFF,                                                                        X               
 EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS'

with an OCCUR statement for each task:

#SECRTT TYPE=OCCUR,RESTYPE=TASK,                               X
 SECBY=EXTERNAL,                                                                 X 
 RESNAME='ADSM'                                                                           

Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DBADMIN, for security class "CA@IDMS", where "task-name" is one of the listed DBA-level tasks. These rules should then be given to the appropriate users. For instance, in Top Secret:

TSS PER(user_id) CA@IDMS(TASK.ADSM)

In ACF2:

$KEY(SGON.the_extname) TYPE(TASK.ADSM) 
 UID(user_id) ALLOW

In RACF
RDEFINE CA@IDMS TASK.TASK.ASF UACC(NONE)
PERMIT TASK.ADSM CLASS(CA@IDMS) ID(user_id) ACCESS(READ)

After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands:       
 
DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY 
DCMT VARY NUCLEUS RELOAD

All installation-delivered IDMS DBADMIN-level tasks must be properly secured.

Description

Remediation - Manual Procedure