CA IDMS must prevent user code from issuing selected SVC privileged functions.
An XCCDF Rule
Description
If an SVC is used to facilitate interpartition communication for online applications executing under other DC systems, batch application programs, and programs executed under TP monitors other than DC when running on the same LPAR, privileged functions of the SVC can be protected from these entities that do not run within the IDMS DC partition with a combination of the key specification and the disabling of selected SVC functions.
- ID
- SV-251644r855282_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Set the #SVCOPT parameters CVKEY to the chosen key for startup modules and AUTHREQ=YES to create a secured SVC. Assemble, relink, and install the SVC. Create an entry in the z/OS PPT for the startup module in the chosen key.
All IDMS CV startup modules must reside in an authorized library and must be linked as authorized (SETCODE AC(1)).
The IBM z/OS parameter AllowUserKeyCsa should also be checked, since the setting may impact the CVKEY choice (see TEC574934 for details).