Skip to content

IDMS must protect against the use of numbered exits that change the userid to a shared id.

An XCCDF Rule

Description

<VulnDiscussion>Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account. User exits that change userids can be used to hide the true identities of those who may perform an action and should be carefully restricted or eliminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-251596r807655_rule
Severity
Low
References
Updated



Remediation - Manual Procedure

Remove code from exit 27 and/or exit 28 that changes the individual user id to a shared user or remove the exit entirely, then reassemble and relink RHDCUXIT.

To implement the new RHDCUXIT, either recycle any CVs that use the SRTT or issue these commands:
 
DCMT VARY NUCLEUS MODULE RHDCUXIT NEW COPY
DCMT VARY NUCLEUS RELOAD