CA IDMS Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-09-13
  • Released: 2024-10-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.
AC-10 - Medium - CCI-000054 - V-251582 - SV-251582r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
IDMS-DB-000010
Vuln IDs
  • V-251582
Rule IDs
  • SV-251582r960735_rule
Multiple interactive sessions can provide a way to cause a DoS attack against IDMS if a user ID and password were compromised. Not allowing multiple sign-ons can mitigate the risk of malicious attacks using multiple sessions for a user.
Checks: C-55017r807611_chk

Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "MULTIPLE SIGNON" is found. If the associated value is "YES", this is a finding.

Fix: F-54971r807612_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 MULTIPLE SIGNON IS NO." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.

b
IDMS must support the implementation of an external security manager (ESM) to handle account management and user accesses, etc.
AC-2 - Medium - CCI-000015 - V-251583 - SV-251583r960768_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
IDMS-DB-000020
Vuln IDs
  • V-251583
Rule IDs
  • SV-251583r960768_rule
Internal security in a DBMS can be complex to implement and maintain with the increased possibility of no access or the wrong access to a needed resource. IDMS can be configured to use an ESM as the security repository allowing access rules to be added to already-known users.
Checks: C-55018r807614_chk

When securing IDMS user IDs with an ESM, some preparation must be done in IDMS itself. Identify CA IDMS security domains (a set of DC systems and local mode applications sharing a single user catalog and SRTT). For a given security domain, logon to one DC system. Issue DCPROFIL. If there is nothing specified for "Security System" and therefore no external security system being used, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no TYPE=ENTRY with RESTYPE=SGON is found, this is a finding. If RESTYPE=SGON is secured internally, this is a finding. Interrogate the security office and verify the ESM has the appropriate entries to secure the RESTYPE of SGON. If not, this is a finding.

Fix: F-54972r807615_fix

The SRTT module must be coded to enable the desired security. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL , X EXTNAME=(RESNAME), X EXTCLS='CA@IDMS' The RESNAME will be derived from the SYSTEM ID name in SYSGEN. After making the above changes, ensure the ESM has the appropriate rules defined to give access to the desired users. For example, in a Top Secret environment where the SYSGEN SYSTEM ID is SYSO187: TSS PER(user-id) CA@IDMS(SYSO187) Also assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

c
IDMS must allow only authorized users to sign on to an IDMS CV.
AC-3 - High - CCI-000213 - V-251584 - SV-251584r960792_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
IDMS-DB-000030
Vuln IDs
  • V-251584
Rule IDs
  • SV-251584r960792_rule
Unauthorized users signing on to IDMS can pose varying amounts of risk depending upon the security of the IDMS resources in an IDMS CV. Until the IDMS sign-on resource type (SGON) is secured anyone can sign on to IDMS. This risk can be mitigated by securing the SGON resource.
Checks: C-55019r807617_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note that this requires PTFs SO07995 and SO09476. Look for a #SECRTT statement with the string "RESTYPE=SGON" and SECBY=EXTERNAL. If no "RESTYPE=SGON" is found or "SECBY=OFF" or "SECBY=INTERNAL" is specified, this is a finding. Execute an external security manager (ESM) resource access list for resource "SGON" for each CV on the system. If the resource access is not restricted to only users authorized in the site security plan, this is a finding.

Fix: F-54973r807618_fix

In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process such as this example: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL, X EXTCLS='CA@IDMS', X EXTNAME=(RESTYPE,RESNAME) The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name sign into SYSGEN in the CV. Then issue command "SIGNON DICT SYST" and then issue command "DISP SYS nnn" where nnn is the CV number. Look for "SYSTEM ID IS" to find the system name used as RESNAME. Before implementing changes, contact the security administrator and ensure that the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SGON.your_extname) In ACF2: $KEY(SGON.your_extname) TYPE(CA@IDMS) UID(user_id) ALLOW After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

c
IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.
AC-3 - High - CCI-000213 - V-251585 - SV-251585r960792_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
IDMS-DB-000040
Vuln IDs
  • V-251585
Rule IDs
  • SV-251585r960792_rule
Unless the DBMS is secured properly, there are innumerable ways that a system and its data can be compromised. The IDMS SRTT is the basis for mitigating these problems.
Checks: C-55020r807620_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. In the SRTT, resources are protected by #SECRTT TYPE=ENTRY and TYPE=OCCURRENCE statements. Examine the SRTT to ensure that there are #SECRTT statements for the desired recourses that have "SECBY=EXTERNAL". If there are none, this is a finding.

Fix: F-54974r807621_fix

Secure the desired resources by updating RHDCSRTT adding #SECRTT TYPE=ENTRY and TYPE=OCCURRENCE statements as needed. For example: #SECRTT TYPE=ENTRY, X RESTYPE=resource, X SECBY=EXTERNAL, X EXTCLS='CA@IDMS', X EXTNAME=(your_extname) Before implementing changes, contact the security administrator and ensure that the external security manager (ESM) has the necessary rules for the EXTCLS and EXTNAME values that were chosen. These rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(your_extname) After making the above changes assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
All installation-delivered IDMS USER-level tasks must be properly secured.
AC-3 - Medium - CCI-000213 - V-251586 - SV-251586r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000060
Vuln IDs
  • V-251586
Rule IDs
  • SV-251586r960792_rule
User-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55021r807623_chk

Examine load module "RHDCSRTT" by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested user-level tasks are secured in the SRTT (included, for example, in the roles of DCADMIN-, DBADMIN-, and DEVELOPER-level security). Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only. ADS OCF OCFT OCFX OLP OLQ OLQNT OLQT OLQTNOTE If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review ESM for external class and external name format to verify the appropriate authorizations have been defined. If they have not, this is a finding.

Fix: F-54975r807624_fix

The SRTT module must be coded to enable task-level security. When using an external security manager (ESM), this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=TASK, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' or to give access specifically to one or more tasks (in this case, to ADS): #SECRTT TYPE=ENTRY, RESTYPE=TASK, X SECBY=OFF, X EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS' with an OCCUR statement for each task: #SECRTT TYPE=OCCUR,RESTYPE=TASK, X SECBY=EXTERNAL, X RESNAME='ADS' Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) USER, for security class "CA@IDMS", where "task-name" is one of the user-level tasks listed. This grant must be repeated for each Task in the list. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(TASK.ADS) In ACF2: $KEY(TASK.ADS) TYPE(CA@IDMS) UID(user_id) ALLOW In RACF: PERMIT TASK.ADS CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
All installation-delivered IDMS DEVELOPER-level tasks must be properly secured.
AC-3 - Medium - CCI-000213 - V-251587 - SV-251587r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000070
Vuln IDs
  • V-251587
Rule IDs
  • SV-251587r960792_rule
Developer-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55022r808350_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested developer-level tasks are secured in the SRTT (included, for example, in the roles of DCADMIN, DBADMIN level security). Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only. ADSA ADSAT ADSC ADSCT ADSK ADSL DEBUG IDDML IDDM IDDT LOOK MAPB MAPBT MAPC MAPCT PMAM PMIM QUED SCHEMA SCHEMAT SHOWMAP If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review ESM for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.

Fix: F-54976r808351_fix

The SRTT module must be coded to enable task-level security. When using an external security manager (ESM), this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=TASK, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' or to give access specifically to one or more tasks (in this case, to ADSA): #SECRTT TYPE=ENTRY, RESTYPE=TASK, X SECBY=OFF, X EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS' with an OCCUR statement for each task: #SECRTT TYPE=OCCUR,RESTYPE=TASK, X SECBY=EXTERNAL, X RESNAME='ADSA' Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DEVELOPER, for security class "CA@IDMS", where "task-name" is one of the developer-level tasks listed. This grant must be repeated for each Task in the list. These rules should then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(TASK.ADSA) In ACF2: $KEY(TASK.ADSA) TYPE(CA@IDMS) UID(user_id) ALLOW In RACF: PERMIT TASK.ADSA CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
All installation-delivered IDMS DBADMIN-level tasks must be properly secured.
AC-3 - Medium - CCI-000213 - V-251588 - SV-251588r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000080
Vuln IDs
  • V-251588
Rule IDs
  • SV-251588r960792_rule
DBA-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55023r807629_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing the command "DCMT DISPLAY SRTT" while signed on to the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested DBA-level tasks are secured in the SRTT (included, for example, in the role of DCADMIN-level security): Note: USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only. ADSM ADSOTATU IDD IDDM SSC SSCT If "TASK" is not found as the resource type in any of the entries, this is a finding. If "TASK" is secured internally this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured and review external security manager (ESM) for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.

Fix: F-54977r807630_fix

The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=TASK, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' or to give access specifically to one or more tasks (in this case, to ADSM): #SECRTT TYPE=ENTRY, RESTYPE=TASK, X SECBY=OFF, X EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS' with an OCCUR statement for each task: #SECRTT TYPE=OCCUR,RESTYPE=TASK, X SECBY=EXTERNAL, X RESNAME='ADSM' Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DBADMIN, for security class "CA@IDMS", where "task-name" is one of the listed DBA-level tasks. These rules should then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(TASK.ADSM) In ACF2: $KEY(SGON.the_extname) TYPE(TASK.ADSM) UID(user_id) ALLOW In RACF RDEFINE CA@IDMS TASK.TASK.ASF UACC(NONE) PERMIT TASK.ADSM CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
All installation-delivered IDMS DCADMIN-level tasks must be properly secured.
AC-3 - Medium - CCI-000213 - V-251589 - SV-251589r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000090
Vuln IDs
  • V-251589
Rule IDs
  • SV-251589r960792_rule
If DC Administrator-level tasks are not secured, any user logged on to IDMS may use them to access and manipulate various resources within the DBMS. This can be mitigated using the proper entries in the SRTT. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55024r807632_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Validate the following suggested DC-Administrator-level tasks are secured in the SRTT. If they are not secured, this is a finding. (Note that USER, DEVELOPER, DBADMIN, and DCADMIN are suggested categories only). ASF CLOD DCMT OPER PMBILL PMRM SDEL SEND SYSGEN SYSGENT WEBC If "TASK" is not found as the resource type in any of the entries, this is a finding. IF "TASK" is secured internally, this is a finding. If "TASK" is secured externally in the SRTT, review the SRTT entries to ensure that the above tasks are secured, and review the external security manager (ESM) for external class and external name format to make sure the appropriate authorizations have been defined. If they have not, this is a finding.

Fix: F-54978r807633_fix

The SRTT module must be coded to enable task-level security. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=TASK, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' or to give access specifically to one or more programs (in this case, to ASF): #SECRTT TYPE=ENTRY, RESTYPE=TASK, X SECBY=OFF, X EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS' with an OCCUR statement for each task: #SECRTT TYPE=OCCUR,RESTYPE=TASK, X SECBY=EXTERNAL, X RESNAME='ASF' Using the above examples, the ESM must be configured to grant access for resource name "TASK.task-name" to security group (or role) DCADMIN, for security class "CA@IDMS", where "task-name" is one of the DC-Administrator-level programs listed. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(TASK.ASF) In ACF2: $KEY(SGON.the_extname) TYPE(TASK.ASF) UID(user_id) ALLOW In RACF: RDEFINE CA@IDMS TASK.TASK.ASF UACC(NONE) PERMIT TASK.ASF CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
All installation-delivered IDMS User-level programs must be properly secured.
AC-3 - Medium - CCI-000213 - V-251590 - SV-251590r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000100
Vuln IDs
  • V-251590
Rule IDs
  • SV-251590r960792_rule
If user-level programs are not secured, then unauthorized users may use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55025r807635_chk

The following are user-level batch programs that are executed using JCL rather than by the CV. As batch programs, they need to be secured by the external security manager (ESM) rather than through the SRTT. Validate the following suggested user-level programs are secured by the ESM: ADSBATCH ADSOBPLG CULPRIT IDMSBCF OLQBATCH OLQBNOTE Contact the security office to confirm that the programs in this list are secured. If the programs listed are not secured, this is a finding.

Fix: F-54979r807636_fix

Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program listed must be secured.

b
All installation-delivered IDMS Developer-level Programs must be properly secured.
AC-3 - Medium - CCI-000213 - V-251591 - SV-251591r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000110
Vuln IDs
  • V-251591
Rule IDs
  • SV-251591r960792_rule
Developer-level programs that are not secured may allow unauthorized users to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55026r807638_chk

The following are developer-level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured in the external security manager (ESM) rather than through the SRTT. Validate the following suggested developer-level programs are secured by the ESM. ADSOBCOM ADSORPTS IDMSDMLA IDMSDMLC IDMSDMLP IDMSLOOK IDMSRPTS RHDCMAP1 RHDCMPUT Contact the security office to confirm that the programs in this list are secured. If they are not, this is a finding.

Fix: F-54980r807639_fix

Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.

b
All installation-delivered IDMS Database-Administrator-level programs must be properly secured.
AC-3 - Medium - CCI-000213 - V-251592 - SV-251592r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000120
Vuln IDs
  • V-251592
Rule IDs
  • SV-251592r960792_rule
DBA-level programs that are not secured may allow unauthorized users to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55027r807641_chk

The following are DBA-level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured for DBAs in the external security manager (ESM) (included in DCADMIN, DBADMIN level security) rather than through the SRTT. Validate the following suggested DBA-level programs are secured by the ESM. ADSOBSYS ADSOBTAT IDMSCHEM IDMSDBN1 IDMSDBN2 IDMSDDDL IDMSPASS IDMSRSTC IDMSUBSC RHDCOMVS Contact the security office to confirm that the programs in this list are secured. If not, this is a finding.

Fix: F-54981r807642_fix

Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.

b
All installation-delivered IDMS DC-Administrator-level programs must be properly secured.
AC-3 - Medium - CCI-000213 - V-251593 - SV-251593r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IDMS-DB-000130
Vuln IDs
  • V-251593
Rule IDs
  • SV-251593r960792_rule
DC Administrator-level programs that are not secured may allow unauthorized users to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
Checks: C-55028r807644_chk

The following are DC-administrator level batch programs and are executed using JCL rather than the CV. As batch programs, they need to be secured in the external security manager (ESM) rather than through the SRTT. Validate the following suggested DBA-level programs are secured by the ESM: IDMSDIRL RHDCSGEN RHDCTTBL If the suggested DC-Administrator-level programs are not secured in the SRTT and have not been authorized for DCADMINs in the ESM, this is a finding. (Note that USER, DEVELOPER, DBADMIN and DCADMIN are suggested categories only). Contact the security office if the programs in this list are not secured, for this is a finding.

Fix: F-54982r807645_fix

Contact the security office to confirm that the programs in this list are secured via the ESM and assigned to the appropriate users. Each program in the list must be secured.

a
IDMS must protect against the use of default userids.
AU-10 - Low - CCI-000166 - V-251594 - SV-251594r960864_rule
RMF Control
AU-10
Severity
Low
CCI
CCI-000166
Version
IDMS-DB-000140
Vuln IDs
  • V-251594
Rule IDs
  • SV-251594r960864_rule
Default sign-ons can be used by individuals to perform adverse actions anonymously.
Checks: C-55029r807647_chk

Examine load module "RHDCSRTT" by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If the TYPE=INITIAL #SECRTT has DFLTSGN=YES specified, this is a finding. If DFLTUID is defined, this is a finding.

Fix: F-54983r807648_fix

Set DFLTSGN=NO and remove the DFLTUID from the #SECRTT INITIAL macro that is input to the RHDCSRTT module, then reassemble and relink RHDCSRTT. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

a
IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.
AU-10 - Low - CCI-000166 - V-251595 - SV-251595r960864_rule
RMF Control
AU-10
Severity
Low
CCI
CCI-000166
Version
IDMS-DB-000150
Vuln IDs
  • V-251595
Rule IDs
  • SV-251595r960864_rule
Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account. User exits that change userids can be used to hide the true identities of those who may perform an action and should be carefully restricted or eliminated.
Checks: C-55030r807650_chk

Log in to the CV and enter command DCPROFIL. Press "Enter" until the page titled "Named User Exits" appears. Find the entry for USRIDXIT. If the DEFINED column says YES, then a user-written exit has been linked with IDMSUXIT. If a user-written exit USRIDXIT has been linked with IDMSUXIT (for batch or TSO-front end use), UCFCICS (UCF access from a CICS transaction) or IDMSINTC (DML or SQL access form a CICS transaction server front-end) and the USRIDXIT changes the userid to a shared userid, this is a finding.

Fix: F-54984r808359_fix

Remove code from USRIDXIT that changes the individual userid to a shared user or remove the exit entirely. After making the above changes, assemble and link IDMSUXIT. To implement the new IDMSUXIT either recycle any CVs that use it or issue these commands: DCMT VARY NUCLEUS MODULE IDMSUXIT NEW COPY DCMT VARY NUCLEUS RELOAD

a
IDMS must protect against the use of numbered exits that change the userid to a shared id.
AU-10 - Low - CCI-000166 - V-251596 - SV-251596r960864_rule
RMF Control
AU-10
Severity
Low
CCI
CCI-000166
Version
IDMS-DB-000160
Vuln IDs
  • V-251596
Rule IDs
  • SV-251596r960864_rule
Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later claims by a user of not having created, modified, or deleted a particular data item or collection of data in the database. In designing a database, the organization must define the types of data and the user actions that must be protected from repudiation. The implementation must then include building audit features into the application data tables and configuring the DBMS's audit tools to capture the necessary audit trail. Design and implementation also must ensure that applications pass individual user identification to the DBMS, even where the application connects to the DBMS with a standard, shared account. User exits that change userids can be used to hide the true identities of those who may perform an action and should be carefully restricted or eliminated.
Checks: C-55031r807653_chk

Issue LOOK PROGRAM=RHDCUXIT. If there are non-zeros in the 12 bytes starting at X'200', exit 27 is being used. If there are non-zeros in the 12 bytes starting at X'20C', exit 28 is being used. Check exits for a change in userid and if there is a change to a shared user ID, this is a finding.

Fix: F-54985r807654_fix

Remove code from exit 27 and/or exit 28 that changes the individual user id to a shared user or remove the exit entirely, then reassemble and relink RHDCUXIT. To implement the new RHDCUXIT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCUXIT NEW COPY DCMT VARY NUCLEUS RELOAD

a
IDMS must protect against the use of web-based applications that use generic IDs.
AU-10 - Low - CCI-000166 - V-251597 - SV-251597r960864_rule
RMF Control
AU-10
Severity
Low
CCI
CCI-000166
Version
IDMS-DB-000170
Vuln IDs
  • V-251597
Rule IDs
  • SV-251597r960864_rule
Web-based applications that allow a generic ID can be a door into IDMS allowing unauthorized changes whose authors may not be determined.
Checks: C-55032r807656_chk

If there are web-based applications to which individual users sign on, and a generic ID associated with the application is used to access back-end IDMS databases, this is a finding.

Fix: F-54986r807657_fix

For web-based applications using generic IDs, set the individual user ID (external identity) to be recorded in the journal. For JDBC applications, use the "IdmsConnection setIdentity" method. For ODBC applications, use the "SQLSetConnectAttr" function with the IDMS_ATTR_EXTERNAL_IDENTITY attribute type. Run journal report "JREPORT 010" and" JREPORT 008" to audit the individual user ID.

a
IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.
AU-10 - Low - CCI-000166 - V-251598 - SV-251598r960864_rule
RMF Control
AU-10
Severity
Low
CCI
CCI-000166
Version
IDMS-DB-000180
Vuln IDs
  • V-251598
Rule IDs
  • SV-251598r960864_rule
IDMS web services provide a way for web-based applications to access an IDMS database. If not secured, the Web services interface could be used to reveal or change sensitive data.
Checks: C-55033r807659_chk

On the IDMS CV system where CA IDMS Web Services executes, enter "WEBC" to check Web Services configuration. If "REQUIRE SIGNON = NO", this is a finding.

Fix: F-54987r807660_fix

On the IDMS CV system where CA IDMS Web Services executes, enter "WEBC REQUIRE SIGNON=YES".

c
IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.
AU-12 - High - CCI-000169 - V-251599 - SV-251599r960879_rule
RMF Control
AU-12
Severity
High
CCI
CCI-000169
Version
IDMS-DB-000190
Vuln IDs
  • V-251599
Rule IDs
  • SV-251599r960879_rule
Audit records provide a tool to help research events within IDMS. IDMS does not produce audit records, but when using external security, records can be produced through the ESM. IDMS relies on the ESM to log organization-defined auditable events. To ensure that all secure actions are logged, those actions must be defined to the IDMS Security Resource Type Table (SRTT) with a type of external security. When IDMS has to perform a given security check, it will defer to the ESM to determine the user's authorization. The auditing functionality of the ESM can be used to track the IDMS security calls. Some organization-defined auditable events are expected to be handled solely by the ESM. This would include requirements such as "successful and unsuccessful attempts to modify or delete privileges, security objects, security levels, or categories of information" as well as "account creation, modification, disablement, or termination." For the audit logging of other organization-defined auditable events, IDMS requires RHDCSRTT security module set up to route requests for these events through the ESM. This will ensure that they are audited appropriately. The following resource types must be defined with SECBY type of EXTERNAL in the RHDCSRTT load module to achieve the appropriate level of audit logging. If there is not a resource type definition with a security type of EXTERNAL for the following resources, this is a finding.
Checks: C-55034r858836_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If the ESM specification does not match the RHDCSRTT entry, this is a finding. Validate each of the following listed entries: Access Actions such as login - Resource type SGON Privileged system access - Resource types SYST, DB, DMCL, DBTB Privileged object access - Resource types SLOD, SACC, QUEU Privileged program access - Resource type TASK, SPGM If any are not secured externally, this is a finding.

Fix: F-54988r858837_fix

If some of the resource types were not defined to the #SECRTT with SECBY=EXTERNAL, update the #SECRTT security module to include the appropriate definitions. Access Actions such as login - Resource type SGON Privileged system access - Resource types SYST, DB, DMCL, DBTB Privileged object access - Resource types SLOD, SACC, QUEU Privileged program access - Resource type TASK, SPGM To update the #SECRTT entries, change any invalid definitions of SECBY=INTERNAL to SECBY=EXTERNAL for the resources listed above. If any of the resource types are missing, add them. Once the updates are complete, recompile the RHDCSRTT module. Then confirm that the resource types are referenced appropriately by the external security manager.

c
IDMS must use the ESM to generate auditable records for commands and utilities when DoD-defined auditable events occur.
AU-12 - High - CCI-000169 - V-251600 - SV-251600r960879_rule
RMF Control
AU-12
Severity
High
CCI
CCI-000169
Version
IDMS-DB-000200
Vuln IDs
  • V-251600
Rule IDs
  • SV-251600r960879_rule
Audit records provide a tool to help research events within IDMS. IDMS itself does not produce audit records but, when external security is in place, records can be produced through the ESM. IDMS relies on the ESM to log organization-defined auditable events. To ensure that all secure actions are logged, those actions must be defined to the IDMS Security Resource Type Table (SRTT) with a type of external security. When IDMS has to perform a given security check, it will defer to the ESM to determine the user's authorization. The auditing functionality of the ESM can be used to track the IDMS security calls. Some organization-defined auditable events are expected to be handled solely by the ESM. This would include requirements such as "successful and unsuccessful attempts to modify or delete privileges, security objects, security levels, or categories of information" as well as "account creation, modification, disablement, or termination." For the audit logging of other organization-defined auditable events, IDMS requires RHDCSRTT security module set up to route requests for these events through the ESM. This will ensure that they are audited appropriately. The following resource types must be defined with SECBY type of EXTERNAL in the RHDCSRTT load module to achieve the appropriate level of audit logging. If there is not a resource type definition with a security type of EXTERNAL for the following resources, this is a finding.
Checks: C-55035r807665_chk

Examine load module IDMSCTAB by executing CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. If there is execution of certain OCF/BCF commands that have not defined in the IDMSCTAB module using the #CTABGEN macro, this is a finding. If these task codes are defined to the IDMSCTAB module but have not been defined for the related activities to the RHDCSRTT module, this is a finding. If the execution of DCMT utility command codes is not defined in the IDMSUTAB module using the #UTABGEN macro, this is a finding. Examine load module IDMSUTAB using CA IDMS utility IDMSUTAD, or by issuing command 'DCMT DISPLAY UTAB' while signed onto the CV, and reviewing the output. Note: This requires PTF SO08527. If IDMSUTAB load module defined commands but has not defined the related activities to the RHDCSRTT module, this is a finding. If any of the above tasks are completed from local mode, utilize a custom EXIT 14 to trigger a security check that will go through the ESM. If an EXIT 14 is not configured for each situation, this is a finding.

Fix: F-54989r807666_fix

If the IDMSUTAB load module needs to be updated to secure and audit the OCF/BCF commands, re-run the #UTABGEN macro to create an updated version. Here is an example of the syntax: #UTABGEN (FORMAT,14,PRINTPAGE,14) This syntax assigns the FORMAT and PRINTPAGE commands to activity 14, which can now be secured by the RHDCSRTT module. If the IDMSCTAB load module needs updated to secure and audit the DCMT commands, update the #CTABGEN macro to create an updated version. Here is an example of the syntax: #CTABGEN (B,2),(N022,B,N050,B) This syntax assigns security label B to activity #2, then it assigns the tasks DCMT VARY MEMORY and DCMT VARY LOADLIB to security label B. With this definition, secure activity #2 appropriately in the RHDCSRTT module.

b
Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.
CM-5 - Medium - CCI-001499 - V-251601 - SV-251601r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000210
Vuln IDs
  • V-251601
Rule IDs
  • SV-251601r960960_rule
If database objects like areas, schemas, and run units are not secured, they may be changed or deleted by unauthorized users.
Checks: C-55036r807668_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Examine the SRTT and verify that entries exist for all desired database resources. The database resources that may be secured are and their respective RESTYPEs are: Database - DB Area - AREA (1) Rununit - NRU (1) SQL Schema - QSCH (1) Non-SQL Schema - NSCH (1) Access Module - DACC (1) Table - TABL (1) DMCL - DMCL Database name table - DBTB Note: Securing RESTYPE=DB (Database) also secures for these resource types. SRTT TYPE=ENTRY statements with RESTYPEs of AREA, NRU, QSRCH, NSCH, DACC, and TABL do not turn security on or off for these RESTYPEs, but are used to build the EXTNAME and EXTCLAS to be passed to the external security manager (ESM). Interrogate the DBA(s) to determine which database objects may need secured. For SQL access, check that both the catalog and user database are secured in the SRTT. If not, this is a finding. If batch jobs are allowed to be run with access an IDMS database, check whether the access is covered by standard ESM dataset security and/or the user-written exit 14 (issues a security check when a BIND RUN-UNIT or READY AREA is being done). If not, this is a finding.

Fix: F-54990r807669_fix

Before securing a database externally, it is VERY IMPORTANT to weigh the following considerations: - If adding an SRTT TYPE=ENTRY that secures the DB resource type externally, it automatically secures a group of database resource types externally for all databases. - If the SRTT contains one or more TYPE=OCCUR (occurrence overrides) that specify external security for resource type DB, also add an SRTT entry specifying external resource class and external resource name for each of the database resource types that are automatically secured externally for the database being secured in that TYPE=OCCUR statement. - The only database-related RESTYPE valid with TYPE=OCCUR is DB. See the IDMS Techdocs for more information on securing database resources. The SRTT module must have an entry coded to secure one or more database resources. For instance: #SECRTT TYPE=INITIAL, x ENVNAME=SYS001 #SECRTT TYPE=ENTRY, X RESTYPE=DB, X SECBY=OFF, X EXTNAME=(ENVIR,RESNAME,RESTYPE), X EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR, X RESTYPE=DB, X SECBY=EXTERNAL , X RESNAME='PROD' The above example could be used to secure external name of SYS001.PROD.DB. When securing SQL access, it is necessary to secure both the DBNAME containing the catalog segment (probably SYSSQL in APPLDICT) and the database being accessed. #SECRTT TYPE=OCCUR,SECBY=EXT,RESTYPE=DB, X RESNAME=APPLDICT' #SECRTT TYPE=OCCUR,SECBY=EXT,RESTYPE=DB, X RESNAME='USERDB' Because the above example also secures the DB subtypes, add SRTT entries to allow the ability to grant or deny access to them: #SECRTT TYPE=ENTRY,RESTYPE=AREA, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) #SECRTT TYPE=ENTRY,RESTYPE=NRU, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) #SECRTT TYPE=ENTRY,RESTYPE=QSCH, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) #SECRTT TYPE=ENTRY,RESTYPE=NSCH, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) #SECRTT TYPE=ENTRY,RESTYPE=DACC, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) #SECRTT TYPE=ENTRY,RESTYPE=TABL, X SECBY=EXT,EXTNAME=(ENVIR,RESTYPE,RESNAME) Note that the TABL resource type represents base tables, functions, procedures, table procedures, and views. Ensure that the ESM has a corresponding entry to give access to the desired users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SYS001.PROD.DB) ACCESS(access_level) and assuming that the user wants to grant access to the area: TSS PER(user_id) CA@IDMS(SYS001.PROD.AREA) ACCESS(access_level)

b
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
CM-5 - Medium - CCI-001499 - V-251602 - SV-251602r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000220
Vuln IDs
  • V-251602
Rule IDs
  • SV-251602r960960_rule
The IDMS SYSGEN must be protected against unauthorized changes. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000378-DB-000365
Checks: C-55037r807671_chk

Check the SRTT for the externally secured resource SYST which allows the SYSGEN to be modified and application program definitions to be added. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If "SYST" is not found as the resource type in any of the entries, this is a finding. IF "SYST' is not coded with SECBY=EXTERNAL, this is a finding. If "SYST" is found to be secured externally, ensure the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/groups(s) are not defined correctly to give the appropriate permissions, this is a finding.

Fix: F-54991r807672_fix

The SRTT module must be coded to secure the system. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=TASK, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR, X RESTYPE=TASK, X RESNAME='SYSGEN', X SECBY=EXT In the EXTNAME above, RESTYPE is changed to "TASK" and RESNAME is changed to "SYSGEN". Ensure the ESM has a corresponding entry to give access to the desired users. For instance, given a system named SYSO187, in Top Secret: ) TSS PER(user_id) CA@IDMS(TASK.SYSGEN) In ACF2: $KEY(TASK.SYSGEN) TYPE(CA@IDMS) UID(user_id) ALLOW RDEFINE CA@IDMS SYST UACC(NONE) PERMIT TASK.SYSGEN CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either cycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
CM-5 - Medium - CCI-001499 - V-251603 - SV-251603r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000230
Vuln IDs
  • V-251603
Rule IDs
  • SV-251603r960960_rule
IDMS provides commands that can change memory, the attributes of programs, or tasks and are meant for use by the appropriate administrators. These commands must be protected from use by the wrong personnel. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360, SRG-APP-000378-DB-000365
Checks: C-55038r807674_chk

Check the SRTT for externally secured ACTI resource which can be used to secure DCMT VARY DYNAMIC PROGRAM, DCMT VARY DYNAMIC TASK and DCMT VARY MEMORY. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If "ACTI" is not found as the resource type in any of the entries, this is a finding. IF "ACTI" is found but has SECBY=INTERNAL, this is a finding. If no entry is securing VARY DYNAMIC and VARY MEMORY externally, this is a finding. If there is no IDMSCTAB load module into which the #CTABGEN has been generated that specifies the nodes names that correspond to the DCMT commands (DCMT VARY DYNAMIC - N046; DCMT VARY MEMORY - N033), this is a finding. Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV, and reviewing the output. Note that this requires PTF SO08199. If DCMT command codes N024, N025, and N033 are not defined, this is a finding.

Fix: F-54992r807675_fix

The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example: #SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY) Update the source for IDMSCTAB. This example #CTABGEN entry secures the DCMT VARY DYNAMIC and DCMT VARY MEMORY commands and assigns an activity number to each: CTAB TITLE 'GENERATE DCMT SECURITY TABLE' #CTABGEN LOGIN=YES, X (A,1,B,10), X (N033,A,N046,B) END The ACTIVITY passed to the external security manager (ESM) will be the first up to five bytes of the application name followed by the three-byte activity number or, using the above example, DCMT010 for a DCMT VARY DYNAMIC or a DMCT VARY MEMORY command. After making the above changes, IDMSCTAB and RHDCSRTT must then be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY DCMT VARY NUCLEUS RELOAD Also verify that the ESM gives access to the appropriate people. Here are some Top Secret commands based on the above information. Assume that the SYSTEM ID in SYSGEN is TEST001: TSS PER(user_id) CA@IDMS(TEST001.DCMT001) ACCESS(READ) TSS PER(user_id) CA@IDMS(TEST001.DCMT010) ACCESS(READ)

b
Databases must be secured to protect from structural changes.
CM-5 - Medium - CCI-001499 - V-251604 - SV-251604r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000240
Vuln IDs
  • V-251604
Rule IDs
  • SV-251604r960960_rule
Database objects, like areas and run units, can be changed or deleted if not protected. Steps must be taken to secure these objects via the external security manager (ESM). Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360
Checks: C-55039r807677_chk

All database objects to be secured must be specified to the CA IDMS centralized security in the security resource type table (SRTT) as being secured externally. Log on to a DC system in the security domain. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check each entry in the SRTT. If the resource type is DB, AREA, NRU, QSCH, NSCH, TABL, DACC, SACC, DMCL, or DBTB, the resource type is a database object. If it contains SECBY=INTERNAL, this is a finding. If any of the database types are not found in the SRTT, this is a finding. For SQL access, check that both the catalog and user database are secured in the SRTT. If not, this is a finding. If batch jobs are allowed to be run which access an IDMS database, check whether the access is covered by standard ESM dataset security and/or the user-written exit 14 (issues a security check at BIND/READY time). If not, this is a finding. If the ESM definition is correct but the role(s)/groups(s) are not defined correctly to give the appropriate permissions, this is a finding.

Fix: F-54993r807678_fix

Secure database object resources not found in SECRTT or found to be secured internally, through the ESM chosen by the organization (e.g., TSS, ACF 2, RACF). Users, groups, roles, etc., are defined to the ESM, and it is here where the authorization for ownership is determined. Once externally secured, create or modify the #SECRTT entries specify TYPE=ENTRY and TYPE=OCCURRENCE for the database resource type with the parameter of SECBY=EXTERNAL. Use the RESTYPE DB which implicitly includes the subtypes AREA, NRU, QSCH, NSCH, TABL, DACC, and SACC. For each subtype, an entry must be added. The restypes for database tables and DMCLs are DBTB and DMCL, respectively. For SQL access, include #SECRTT RESTYPE=DB for both the catalog and user database through all dbname and segment names that can access the catalog and database. For batch jobs that access database objects, use the ESM standard dataset security and/or the user-written exit 14 to secure the database objects. Create the corresponding entry in the ESM and give appropriate permissions to role(s)/ group(s) to allow database changes by appropriate users (usually DBAs).

b
Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
CM-5 - Medium - CCI-001499 - V-251605 - SV-251605r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000250
Vuln IDs
  • V-251605
Rule IDs
  • SV-251605r960960_rule
IDMS has tasks that are used to perform necessary maintenance, but in the wrong hands could damage the integrity of the DBMS. Tasks that can change database structure must be protected. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360
Checks: C-55040r807680_chk

Check the SRTT for externally secured ACTI which can be used to secure utility functions that can impact database structure, e.g., CONVERTCATALOG, CONVERTPAGE, EXPANDPAGE, MAINTAININDEX, REORG, RESTRUCTURE and TUNEINDEX. For a full list, see the UTABGEN UTILITY COMMAND CODES table in the Administrating Security for IDMS manual. Examine load module IDMSUTAB using CA IDMS utility IDMSUTAD, or by issuing command "DCMT DISPLAY UTAB" while signed onto the CV, and reviewing the output. Note: This requires PTF SO08527. If there is no IDMSUTAB load module into which the #UTABGEN has been generated that specifies the nodes names that correspond to the UTILITY statements, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. If "ACTI" is not found as the resource type in any of the entries, this is a finding. IF "ACTI" is found to be secured internally, this is a finding. If "ACTI" is found to be secured externally, ensure that the ESM contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/groups(s) are not defined correctly to give the appropriate permissions, this is a finding. Note: There are alternative ways to secure utilities by using RESTYPE=DB and corresponding ESM definitions can give authorization to appropriate role(s)/group(s).

Fix: F-54994r807681_fix

Create an entry in the SRTT and compile into the module RHDCSRTT for the security domain that defined the resource type of ACTI. The external class and external name construction rules must be specified. For example: #SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(RESNAME,ACTIVITY) Compile IDMSUTAB into the custom loadlib, specifying the activity number associated with the utility statement on the #UTABGEN macro. For example, #UTABGEN (A,3),(OCF,EXPANDPAGE,I). The ACTIVITY passed to the ESM will be the first up to five bytes of the application name followed by the three-byte activity number. Using the activity number "3" in the #UTABGEN, the ACTIVITY sent to the ESM would be OCF003. Create the corresponding entry in the ESM and give appropriate permissions to roles(s)/group(s) for the ACTIVITY (e.g., OCF003 which would secure the EXPANDPAGE utility statement).

b
The online debugger which can change programs and storage in the CA IDMS address space must be secured.
CM-5 - Medium - CCI-001499 - V-251606 - SV-251606r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000260
Vuln IDs
  • V-251606
Rule IDs
  • SV-251606r960960_rule
If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations. Users of the online debugger may alter programs and storage in the IDMS CV. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000380-DB-000360
Checks: C-55041r807683_chk

Examine the load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured ACTI where the task name is DBUG. If none is found, this is a finding. If the entry is secured internally, this is a finding. If an ACTI statement for DBUG that secures DBUG externally is found, verify the program IDMSGTAB resides in the CV's CMDSLIB concatenation. If not, this is a finding. If IDMSGTAB is found, perform a DUMPT of IDMSGTAB using AMASPZAP. The last 28 bytes are a table of 14 halfwords, one for each security category that can be secured by the #GTABGEN macro. Examine this table in the DUMPT. If all halfwords are zero, and no debugger functions are secure, and this is a finding. If any halfword is non-zero, then the first byte will be x'01' and the second byte will contain the activity number assigned to that function in hexadecimal. The order of the security-categories in the table is: UPGMR UPGMU USTGR USTGU SHSTGR SHSTGU AUPGMR AUPGMU ASYSTGR ASYSTGU ASYSPGR ASYSPGU ALLR ALLU If the debug activity is found to be secured externally, confer with the security office to ensure that the external security manager (ESM) contains the correct definition using the external resource class name the external name construction rules. If it is not defined correctly, this is a finding. If the ESM definition is correct but the role(s)/groups(s) are not defined correctly to give the appropriate permissions, this is a finding.

Fix: F-54995r807684_fix

Create, or modify as needed, an entry in the SRTT to secure the DEBUG categories and compile into module RHDCSRTT. The external class and external name construction rules must be specified. The following example shows a TYPE=ENTRY #SECRTT macro defining the EXTNAME format for RESTYPE=ACTI and an occurrence override defining the information for a specific occurrence for the DBUG activity. #SECRTT TYPE=ENTRY,RESTYPE=ACTI,SECBY=OFF, EXTNAME=(ENVIR,ACTI) ,EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR,RESTYPE=ACTI,RESNAME='DBUG',SECBY=EXT After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD Review the IDMSGTAB module and make changes to the #GTABGEN macro as needed. Here is an example that secures all possible DEBUG categories: #GTABGEN (A,01,B,02,C,03,D,04,E,05,F,06,G,07,H,08,I,09,J,10, X K,11,L,12,M,13,N,14), X (UPGMR,A,UPGMU,B,USTGR,C,USTGU,D,SHSTGR,E,SHSTGU,F, X AUPGMR,G,AUPGMU,H,ASYSTGR,I,ASYSTGU,J, X ASYSPGR,K,ASYSPGU,L,ALLR,M,ALLU,N) END Assume the TYPE=INITIAL #SECRTT macro specified ENVNAME=TEST0001 and the particular debug activity was UPGMR (allow the user to retrieve user programs, schemas, maps, and tables). In that case, the external resource name would be TEST0001.DBUG001. Using this information, a Top Secret example to grant access could be: TSS PER(user_1) CA@IDMS(TEST0001.DBUG001) Confer with the security office to ensure that the correct entries are in the ESM to give access to the appropriate role(s)/group(s) permissions for the desired DEBUG categories.

b
CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.
CM-5 - Medium - CCI-001499 - V-251607 - SV-251607r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
IDMS-DB-000270
Vuln IDs
  • V-251607
Rule IDs
  • SV-251607r960960_rule
Even when using an external security manager (ESM), IDMS system and user profiles which reside in an IDMS user catalog may be assigned to users or groups. The ability to administer user and system profiles must be secured.
Checks: C-55042r807686_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured RESTYPE=SYSA. If none is found, this is a finding. If the entry is secured internally, this is a finding.

Fix: F-54996r807687_fix

The SRTT module must be coded to secure SYSADMIN. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=SYSA, X SECBY=EXTERNAL , X EXTNAME=(ENVIR,RESTYPE), X EXTCLS='CA@IDMS' Using the above example and supposing that was specified ENVNAME=TESTSYS on the INITIAL SRTT entry, the external resource name would be TESTSYS.SYSA. To give access using to a user in Top Secret the command would be: TSS PER(user_id) CA@IDMS(TESTSYS.SYSA) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

a
The EMPDEMO databases, database objects, and applications must be removed.
CM-7 - Low - CCI-000381 - V-251608 - SV-251608r960963_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
IDMS-DB-000280
Vuln IDs
  • V-251608
Rule IDs
  • SV-251608r960963_rule
Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of coding specific functions, and are not developed to prevent vulnerabilities from being introduced to the DBMS and host system.
Checks: C-55043r807689_chk

If a CAISAG base installation completed with EMPDEMO=YES and/or SQLDEMO=YES, or if a base installation completed with CSM and CREATE_DB_DEMO and/or CREATE_SQL_DEMO selected, this is a finding. In OCF/BCF, DISPLAY DMCL <dmclname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY DBTABLE <dbtbname>. If segments EMPDEMO, SQLDEMO, and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY SCHEMA DEMOEMPL and DISPLAY SCHEMA DEMOPROJ. If either or both exist, this is a finding. If schema EMPSCHM exists, this is a finding. If any of the following load modules are in load libs used by the installation, this is a finding: EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, EMPINQ If any of the following files are found to be used by the installation, this is a finding: <installation prefix>.EMPDEMO.EMPDEMO. <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO

Fix: F-54997r807690_fix

In OCF/BCF, ALTER DMCL <dmclname> and EXCLUDE SEGMENT EMPDEMO, SQLDEMO and/or PROJDEMO. Generate, punch, and relink dmcl. Do the same for DBTABLE <dbtbname>. Remove load modules EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, and EMPINQ from installation load libraries. Remove files <installation prefix>.EMPDEMO.EMPDEMO. <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO from installation and installation JCL. Remove database demo objects from application dictionaries including EMPSCHM record elements and records, EMPSS01, and schemas DEMOEMPL and DEMOPROJ, dropping all the tables in theses schemas. For future base installs, specify EMPDEMO=NO and SQLDEMO=NO for CAISAG installs and do not select CREATE_DB_DEMO and CREATE_SQL_DEMO fields on CSM installs. Note that specified names are default names. Use modified names if they were changed during base installation.

a
Default demonstration and sample databases, database objects, and applications must be removed.
CM-7 - Low - CCI-000381 - V-251609 - SV-251609r960963_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
IDMS-DB-000290
Vuln IDs
  • V-251609
Rule IDs
  • SV-251609r960963_rule
Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). It is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. DBMSs must adhere to the principles of least functionality by providing only essential capabilities.
Checks: C-55044r807692_chk

If a CAISAG base installation done with EMPDEMO=YES and/or SQLDEMO=YES, or if a base installation done with CSM and CREATE_DB_DEMO and/or CREATE_SQL_DEMO selected, this is a finding. In OCF/BCF, DISPLAY DMCL &lt;dmclname&gt;. If segments EMPDEMO, SQLDEMO and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY DBTABLE &lt;dbtbname&gt;. If segments EMPDEMO, SQLDEMO and/or PROJDEMO exist, this is a finding. In OCF/BCF, DISPLAY SCHEMA DEMOEMPL and DISPLAY SCHEMA DEMOPROJ. If either or both exist, this is a finding. If schema EMPSCHM exists, this is a finding. If any of the following load modules are in load libs used by the installation, this is a finding. EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, EMPINQ If any of the following files are found to be used by the installation, this is a finding. &lt;installation prefix&gt;.EMPDEMO.EMPDEMO. &lt;installation prefix&gt;.EMPDEMO.INSDEMO, &lt;installation prefix&gt;.ORGDEMO.EMPDEMO, &lt;installation prefix&gt;.SQLDEMO.EMPLDEMO, &lt;installation prefix&gt;.SQLDEMO.INDXDEMO, &lt;installation prefix&gt;.SQLDEMO.INFODEMO, &lt;installation prefix&gt;.PROJSEG.PROJDEMO

Fix: F-54998r807693_fix

In OCF/BCF, ALTER DMCL <dmclname> and EXCLUDE SEGMENT EMPDEMO, SQLDEMO and/or PROJDEMO. Generate, punch, and relink dmcl. Do the same for DBTABLE <dbtbname>. Remove load modules EMPSS01, EMPDMCL, EMPLOAD, EMPRPT, and EMPINQ from installation load libraries. Remove files <installation prefix>.EMPDEMO.EMPDEMO. <installation prefix>.EMPDEMO.INSDEMO, <installation prefix>.ORGDEMO.EMPDEMO, <installation prefix>.SQLDEMO.EMPLDEMO, <installation prefix>.SQLDEMO.INDXDEMO, <installation prefix>.SQLDEMO.INFODEMO, <installation prefix>.PROJSEG.PROJDEMO from installation and installation jcl. Remove database demo objects from application dictionaries including EMPSCHM and all the record elements and records, EMPSS01, schemas DEMOEMPL, and DEMOPROJ, dropping all the tables in theses schemas. For future base installations, specify EMPDEMO=NO and SQLDEMO=NO for CAISAG installs and do not select CREATE_DB_DEMO and CREATE_SQL_DEMO fields on CSM installs. Note that specified names are default names. Use modified names if they were changed during base installation.

a
IDMS components that cannot be uninstalled must be disabled.
CM-7 - Low - CCI-000381 - V-251610 - SV-251610r960963_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
IDMS-DB-000300
Vuln IDs
  • V-251610
Rule IDs
  • SV-251610r960963_rule
DBMSs must adhere to the principles of least functionality by providing only essential capabilities. At installation, all CA IDMS products are installed but can be disabled (i.e., forced to fail if invoked).
Checks: C-55045r807695_chk

Log on to IDMS DC system and issue DCPROFIL. Scroll to the Product Intent Status screen. If any unused product has a status of "YES", this is a finding.

Fix: F-54999r807696_fix

Edit RHDCPINT source and remove or comment out products identified as unused. Reassemble, relink, and implement changes by either recycling any affected CV or by issuing the following commands in any affected CV: DCMT VARY NUCLEUS MODULE RHDCPINT NEW COPY DCMT VARY NUCLEUS RELOAD

b
IDMS nodes, lines, and pterms must be protected from unauthorized use.
CM-7 - Medium - CCI-000382 - V-251611 - SV-251611r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
IDMS-DB-000310
Vuln IDs
  • V-251611
Rule IDs
  • SV-251611r960966_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. Database Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and through the database to other components of the information system. Unused nodes, lines, and ports must be secured to prevent unauthorized use.
Checks: C-55046r807698_chk

For each load area, run a CREPORT 43 to check the nodes and access types for each node. For each node, issue DCMT D LINE. For each LINE type with a status of InSrv, inspect the access type for potential unauthorized connection types. For TCP/IP, any line with access type SOCKET, issue DCMT D LINE &lt;tcp-line-id&gt;. If any terminals are of type LIST and status InSrv, check port number for a valid port. If the port number is unacceptable as defined in the PPSM CAL, this is a finding. For each terminal with the type of LIST and InSrv, issue DCMT D PTE &lt;pterm-id&gt;. For each task and (possible PARM STRING which could pass a task) identified in the PTE display, issue DCMT D TASK &lt;task-id&gt;. If the task is IDMSJSRV and the associated program is not RHDCNP3J, this is a finding. If the task/program has not been authorized, this is a finding. If other access types (e.g., VTAM, SVC, CCI) have been deemed nonsecure in the PPSM CAL, this is a finding.

Fix: F-55000r807699_fix

For any pterm found to have nonsecure attributes (task, program, or port), disable by issuing DCMT V PTE <pterm-id> OFF. Using SYSGEN, remove offending lines, pterms, lterms, and/or port numbers, then validate and regenerate the system.

b
The IDMS environment must require sign-on for users and restrict them to only authorized functions.
IA-2 - Medium - CCI-000764 - V-251612 - SV-251612r960969_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
IDMS-DB-000320
Vuln IDs
  • V-251612
Rule IDs
  • SV-251612r960969_rule
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following: (i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and (ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals using shared accounts, for detailed accountability of individual activity. The SGON resource must be protected to prevent unauthorized users from signing on.
Checks: C-55047r807701_chk

For each CA IDMS system, verify the resource module RHDCSRTT for the security domain in which the CA IDMS system exists has an entry for sign-on. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no SGON entry exists (sign-on not secured), this is a finding. If found and the entry is not secured externally, this is a finding. Ensure the external security manager (ESM) entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" resource. The external name must match the format of the external name construction tokens found in the SRTT entry. If not, this is a finding. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.

Fix: F-55001r807702_fix

In the source for RHDCSRTT, add a #SECRTT entry to secure the sign-on process using the ESM such as this example: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL, X EXTCLS='CA@IDMS', X EXTNAME=(RESTYPE,RESNAME) The RESNAME used during sign-on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV. Then, issue the commands "SIGNON DICT SYST" and "DISP SYS nnn" (where nnn is the CV number). Look for "SYSTEM ID IS" to find the system name used as RESNAME. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD Before implementing changes, contact the security administrator and verify the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SGON.the_extname) In ACF2: $KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD For local batch jobs, use OS-level security for job submission or secure database files using ESM dataset-level security.

b
DBMS authentication using passwords must be avoided.
IA-5 - Medium - CCI-000192 - V-251613 - SV-251613r981946_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
IDMS-DB-000330
Vuln IDs
  • V-251613
Rule IDs
  • SV-251613r981946_rule
Passwords that are easy to guess open a vulnerability allowing an unauthorized user to potentially gain access to the DBMS. IDMS uses the External Security Manager (ESM) to enforce complexity and lifetime standards.
Checks: C-55048r807704_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Find the entry for RESTYPE=SGON. If no SGON entry exists, this is a finding. If found, verify that the entry has SECBY=EXTERNAL. If it does not, this is a finding. Verify that the ESM entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" SRTT entry. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.

Fix: F-55002r807705_fix

The SRTT module must be coded to secure the system. When using an ESM, this could be done in the following manner: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL , X EXTNAME=(RESTYPE,RESNAME), X EXTCLS='CA@IDMS' EXTCLS maps the CA IDMS resource type to the resource class defined in the ESM. The EXTNAME defines the format of the resource name defined to the ESM. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD Ensure the ESM has a corresponding entry to give access to the desired users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SGON.the_extname) In ACF2: $KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

a
Passwords sent through ODBC/JDBC must be encrypted.
IA-5 - Low - CCI-000197 - V-251614 - SV-251614r961029_rule
RMF Control
IA-5
Severity
Low
CCI
CCI-000197
Version
IDMS-DB-000340
Vuln IDs
  • V-251614
Rule IDs
  • SV-251614r961029_rule
Unencrypted passwords transmitted from ODBC and JDBC may be intercepted to prevent their being intercepted in a plain-text format.
Checks: C-55049r807707_chk

When using ODBC (with the CCI communications protocol) or a JDBC type 2 driver, if SSL encryption is not being used with CAICCI r2.1 and above, this is a finding. When using ODBC (with the IDMS communications protocol), if SSL encryption is not being used as indicated on the "Server" tab of the Data Source definition, this is a finding. When using a JDBC type 4 driver, if SSL is not being used as indicated by the connection URL, this is a finding.

Fix: F-55003r807708_fix

If using ODBC (with the CCI communications protocol) or a JDBC type 2 driver, SSL encryption can be enabled using CAICCI r2.1 and above. Select the SSL option in the CAICCI properties panel and configure and start the CCISSL task on the mainframe. If using ODBC (with the IDMS communications protocol), SSL encryption can be enabled by selecting the "SSL" check-box on the "Server" tab of the Data Source definition, and providing the certificate name(s) on the "SSL" tab within the CA IDMS ODBC Administrator. If using a JDBC type 4 driver, SSL encryption can be enabled by using the SSL parameter on the JDBC connection URL. Setup is described in informational APAR QI83006 on CA Support Online.

b
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-251615 - SV-251615r961053_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
IDMS-DB-000350
Vuln IDs
  • V-251615
Rule IDs
  • SV-251615r961053_rule
Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server. Accordingly, a risk assessment is used in determining the authentication needs of the organization. Scalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
Checks: C-55050r807710_chk

Check that sign-on has been secured. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Find the entry for sign-on by examining the entries. If no SGON entry exists (sign-on not secured), this is a finding. If found, but the entry is not secured externally, this is a finding. Verify the ESM entry for the externally secured "SGON" resource is correctly configured for the external resource class and the external name of the "SGON" resource in the SRTT. If not, this is a finding. If users, groups, and roles have not been appropriately defined to the external security manager (ESM), this is a finding. Interrogate the security administrator and verify that only authorized users have permission through the ESM to access IDMS. For local batch jobs that access database files, if there is no ESM security defined for the users submitting the jobs or securing the database datasets, this is a finding.

Fix: F-55004r807711_fix

In the source for RHDCSRTT add a #SECRTT entry to secure the sign-on process using the ESM such as this example: #SECRTT TYPE=ENTRY, X RESTYPE=SGON, X SECBY=EXTERNAL, X EXTCLS='CA@IDMS', X EXTNAME=(RESTYPE,RESNAME) The RESNAME used during sign on is the CV system name as defined in SYSGEN. To find the system name, sign in to SYSGEN in the CV. Then, issue commands "SIGNON DICT SYST" and "DISP SYS nnn" (where nnn is the CV number). Look for "SYSTEM ID IS" to find the system name used as RESNAME. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD Before implementing the changes, contact the security administrator and verify the ESM has the necessary rules for the EXTCLS and EXTNAME values chosen. The appropriate ESM rules must then be given to the appropriate users. For instance, in Top Secret: TSS PER(user_id) CA@IDMS(SGON.the_extname) In ACF2: $KEY(SGON.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD For local batch jobs, use OS-level security for job submission or secure database files using ESM dataset-level security.

a
IDMS executing in a local mode batch environment must be able to manually recover or restore database areas affected by failed transactions.
SC-24 - Low - CCI-001190 - V-251616 - SV-251616r961122_rule
RMF Control
SC-24
Severity
Low
CCI
CCI-001190
Version
IDMS-DB-000440
Vuln IDs
  • V-251616
Rule IDs
  • SV-251616r961122_rule
Local mode update jobs can either use local mode journaling or perform a backup of the database prior to executing the local mode updates. Local mode journaling could be completed if the database is too large to back up in a reasonable amount of time. To use local mode journals for manual recovery, the journals must be defined in the IDMS DMCL as a TAPE JOURNAL and a DD for the journal file must be coded in the update job step JCL. The local mode update job must include the IDMS DMCL name in the SYSIDMS parameter file as DMCL=dmcl-name. If the local mode update step fails, then a rollback step must be performed to recover the database. Without local mode journaling, the local mode batch job should include a backup of the database step, a local mode update step and another backup of the database step if the local updates step successfully complete. If the local mode update step fails, then a step to restore the database from the first backup step must be performed. Satisfies: SRG-APP-000225-DB-000153, SRG-APP-000226-DB-000147
Checks: C-55051r807713_chk

Check that the job or prior job contains a step to vary the areas offline to the CV and takes a backup. If not there, it is a finding. Perform a second check to verify there is a restore step or JCL that can be used when the job fails.

Fix: F-55005r807714_fix

Add a backup step/job if needed and create a restore step/job if needed.

b
CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.
SC-3 - Medium - CCI-001084 - V-251617 - SV-251617r961131_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
IDMS-DB-000460
Vuln IDs
  • V-251617
Rule IDs
  • SV-251617r961131_rule
An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Database Management Systems typically separate security functionality from non-security functionality via separate databases or schemas. Database objects or code implementing security functionality should not be commingled with objects or code implementing application logic. When security and non-security functionality are commingled, users who have access to non-security functionality may be able to access security functionality.
Checks: C-55052r807716_chk

Identify CA IDMS security domains (a set of DC systems and local mode applications sharing a single user catalog and SRTT). For a given security domain, log on to one DC system. Issue DCPROFIL. If there is nothing specified for "Security System" and therefore no external security system being used, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If any entries have SECBY=INTERNAL, this is a finding. For local batch jobs (i.e., those jobs that access database files without going through the CA IDMS system), dataset-level security should be defined in the external security manager (ESM) with authorizations according the site security plan. If it is not, this is a finding. Check those resources that are secured externally to make sure the mapping to the ESM is correct. Check that the ESM entry for the externally secured resource is correctly configured for the external resource class and the external name of the resource being secured. The external name must match the format of the external name construction tokens found in the entry. If the ESM specification does not match the RHDCSRTT entry, this is a finding.

Fix: F-55006r807717_fix

In the internally secured entries that are to be changed to external security, change the #SECRTT parms SECBY=INTERNAL to SECBY=EXTERNAL. Add the parameters EXTCLS and EXTNAME to the entry using the resource class and name defined in the ESM. For instance: #SECRTT TYPE=ENTRY,SECBY=EXTERNAL, X RESTYPE=restype,EXTCLS=CA@IDMS, X EXTNAME=(extname_definition) Secure the resources through the ESM chosen by the organization (e.g., TSS, ACF 2, RACF) using the EXTCLS and the EXTNAME defined in the SRTT on the entry for the resource type. EXTCLS maps the CA IDMS resource type to the resource class defined in the external security system. The EXTNAME defines the format of the resource name defined to the ESM. Interrogate the security office regarding current and needed rules and definitions in the ESM. Define the users, groups, roles access to the resource in the ESM. For local batch jobs that access database files, define appropriate dataset-level security through the ESM. For example, in Top Secret: TSS ADDTO(restype) CA@IDMS(SYST) TSS PER(user_id) CA@IDMS(restype.the_extname) In ACF2: $KEY(restype.the_extname) TYPE(CA@IDMS) UID(user_id) ALLOW RDEFINE CA@IDMS restype UACC(NONE) PERMIT restype.the_extname CLASS(CA@IDMS) ID(user_id) ACCESS(READ) After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
IDMS must prevent unauthorized and unintended information transfer via database buffers.
SC-4 - Medium - CCI-001090 - V-251618 - SV-251618r961149_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
IDMS-DB-000470
Vuln IDs
  • V-251618
Rule IDs
  • SV-251618r961149_rule
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.
Checks: C-55053r807719_chk

Log on to IDMS DC system and issue "DCPROFIL". If PRIMARY STORAGE PROTECT KEY is the same as the ALTERNATE STORAGE KEY, this is a finding. If SYSTEM STORAGE PROTECTED is "NO", this is a finding. Issue command "DCMT DISP PROG xxxxxxxx" and "DCMT DISP DYN PROG xxxxxxxx" replacing [xxxxxxxx] with the names of user programs and look for Storage Prot. If any are "NO", then this is a finding. Issue command "DCMT DISP BUFFER". If any of the buffers do not have OPSYS in the Getstg column, this is a finding.

Fix: F-55007r807720_fix

Do the following to place buffers into storage acquired from the operating system rather than from IDMS. Use the following system generation parameters to enable the use of OPSYS storage for the buffers: Set STORAGE KEY parameter of the SYSGEN SYSTEM statement to a value different from the ALTERNATE STORAGE KEY. Set PROTECT/NOPROTECT parameter of the SYSGEN SYSTEM statement to PROTECT. Set PROTECT/NOPROTECT parameter of the SYSGEN PROGRAM statement to PROTECT for user programs. Using the #CTABGEN macro, secure DCMT commands: - VARY BUFFER (code N010) - VARY DYNAMIC PROGRAM (code N046001) - VARY PROGRAM (code N025) Here is an example where all three commands are assigned task code 3: #CTABGEN (A,3), X (N010,A,N025,N046001,A) Using the above example, and assuming the SYSTEM ID of this IDMS system specified in SYSGEN is TEST001 the SRTT entry could be: #SECRTT TYPE=ENTRY,RESTYPE=ACTI, - SECBY=EXTERNAL, - EXTCLS='CA@IDMS', - EXTNAME=(SYST,ACTI) The DCMT commands could be assigned to users in Top Secret: TSS PER(user_id) CA@IDMS(TEST001.DCMT003) ACCESS(READ) Reassemble the SRTT and/or module IDMSCTAB and issue commands: DCMT VARY NUC MODULE IDMSCTAB NEW COPY -for IDMSCTAB DCMT VARY NUC MODULE RHDCSRTT NEW COPY - for RHDCSRTT then for either or both: DCMT VARY NUCLEUS RELOAD To set buffers to OPSYS storage: Access OCF or BCF and connect to the applicable dictionary. Enter "DISPLAY BUFFER nnnnnnnn AS SYNTAX VERB ALTER" where [nnnnnnnn] is the name of the buffer. Change the DC STORAGE parameter to "OPSYS STORAGE". After changing all needed buffers, GENERATE the DMCL. Punch and link the DMCL module. Cycle the CV or issue "DCMT VARY DMCL NEW COPY". Note: If specifying OPSYS storage for buffers, IDMS will attempt to allocate the buffer storage in operating system storage rather than in IDMS storage. Should the allocation attempt fail, IDMS will attempt to allocate the buffer in IDMS storage, and messages DC205032 and DC205029 will be issued indicating this.

b
IDMS must check the validity of all data input unless the organization says otherwise.
SI-10 - Medium - CCI-001310 - V-251619 - SV-251619r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
IDMS-DB-000480
Vuln IDs
  • V-251619
Rule IDs
  • SV-251619r961158_rule
Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. With respect to database management systems, one class of threat is known as SQL injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database. Even when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.
Checks: C-55054r807722_chk

Validate SQL-defined tables, DISPLAY TABLE &lt;schema-name&gt;.&lt;table-name&gt; . If there is not a CHECK for the columns and accompanying accepted values, this is a finding. Validate network-defined records, DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.

Fix: F-55008r807723_fix

For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.

b
CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.
SI-10 - Medium - CCI-001310 - V-251620 - SV-251620r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
IDMS-DB-000490
Vuln IDs
  • V-251620
Rule IDs
  • SV-251620r961158_rule
The IDMS Common Facilities (BCF and OCF) can execute commands that can make updates to IDMS, and their use should be protected.
Checks: C-55055r807725_chk

Check the SRTT for externally secured resource TASK for command facility task codes (e.g., OCF or organization-defined task codes that invokes program IDMSOCF or IDMSBCF). Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Review the output looking for those statements that secure RESTYPE=TASK and RESNAMEs OCF or any organization-defined task codes that invoke programs IDMSOCF or IDMSBCF. If none are found for OCF, this is a finding. BCF may not be defined as a task. If it is, this is a finding. The program invoked by installation-defined task codes can be determined by issuing command "DCMT DISP TASK" task-name. Issue command "DCMT DISP TASK" and look for organization-defined tasks, then issue the "DCMT DISP TASK" task-name to determine the program being invoked. Review the code to determine if any of these execute dynamic code. If any do, this is a finding. If command facility tasks are found to be secured externally, ensure the external security manager (ESM) contains the correct definition using the external resource class name and the external resource name construction rules in the #SECRTT. If it is not defined or not defined correctly, this is a finding.

Fix: F-55009r807726_fix

Create, or modify as needed, entries in the SRTT and then reassemble and relink the module RHDCSRTT for the security domain. An example of the external class and external name construction rules to secure OCF is: #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF, X EXTNAME=(RESTYPE,RESNAME),EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='OCF', SECBY=EXT Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.
SI-10 - Medium - CCI-001310 - V-251621 - SV-251621r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
IDMS-DB-000500
Vuln IDs
  • V-251621
Rule IDs
  • SV-251621r961158_rule
Dynamic SQL statements are compiled at runtime and, if manipulated by an unauthorized user, can produce an innumerable array of undesired results. These statements should not be used casually.
Checks: C-55056r807728_chk

If EXECUTE IMMEDIATE, PREPARE, and EXECUTE statements are found while reviewing source code in applications, procedures, and exits in code that does not require it, this is a finding.

Fix: F-55010r807729_fix

Modify the code to remove the dynamic statements EXECUTE IMMEDIATE, PREPARE, and EXECUTE. If these statements must be used, use other measures to eliminate possible code injection success by securing resources (databases, access modules, tasks, programs, etc.). Since security checks are issued by CA IDMS as it executes the commands and the authorization permissions are cached for the life of the transaction or task, whichever ends first. The use of strongly typing parameters and validating inputs are other ways to guard against code injection when dynamic statement execution must be used.

b
CA IDMS must limit use of IDMS server used in issuing dynamic statements from client applications circumstances determined by the organization.
SI-10 - Medium - CCI-001310 - V-251622 - SV-251622r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
IDMS-DB-000510
Vuln IDs
  • V-251622
Rule IDs
  • SV-251622r961158_rule
Server tasks can execute dynamic SQL code and should be protected.
Checks: C-55057r807731_chk

Check the SRTT for externally secured resource TASK for IDMS Server task codes IDMSJSRV and CASERVER. Examine load module RHDCSRTT by executing CA IDMS utility "IDMSSRTD", or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If no TASK entry is found for either IDJSJSRV or CASERVER, this is a finding. If either is not secured external, this is a finding. If tasks IDMSJSRV and CASERVER are found to be secured externally, ensure that the external security manager (ESM) contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.

Fix: F-55011r807732_fix

Create or modify as needed entries in the SRTT, then reassemble and relink module RHDCSRTT for the security domain. The external class and external name construction rules must be specified. The following is an example of how IDMSJSRV and CASERVER may be secured externally. #SECRTT TYPE=ENTRY,RESTYPE=TASK,SECBY=OFF,EXTNAME=(RESTYPE,RESNAME), EXTCLS='CA@IDMS' #SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='IDMSJSRV', SECBY=EXT #SECRTT TYPE=OCCUR,RESTYPE=TASK,RESNAME='CASERVER', SECBY=EXT Consult with the security department to ensure that the ESM contains the correct rules to secure the entries and permit access to the appropriate users. After making the above changes, assemble and link RHDCSRTT to create a new SRTT. To implement the new SRTT, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS RELOAD

b
CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
SI-10 - Medium - CCI-001310 - V-251623 - SV-251623r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
IDMS-DB-000520
Vuln IDs
  • V-251623
Rule IDs
  • SV-251623r961158_rule
When the use of dynamic SQL is necessary, the code should be written so that the invalid data can be found and the appropriate action taken.
Checks: C-55058r807734_chk

If dynamic code execution is used and identified user input is not validity checked user input, this is a finding. If SQL-defined tables, DISPLAY TABLE &lt;schema-name&gt;.&lt;table-name&gt; . If there is not a CHECK for the columns and accompanying accepted values, this is a finding. If network-defined records, DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.

Fix: F-55012r807735_fix

For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.

b
IDMS must suppress security-related messages so that no information is returned that can be exploited.
SI-11 - Medium - CCI-001312 - V-251624 - SV-251624r961167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
IDMS-DB-000530
Vuln IDs
  • V-251624
Rule IDs
  • SV-251624r961167_rule
Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
Checks: C-55059r807737_chk

Log on to IDMS DC system and issue "DCPROFIL". Scroll to the OPTION FLAGS screen. If "OPT00051" is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding.

Fix: F-55013r807738_fix

Reassemble, relink, and reload (V NC) RHDCOPTF with #DEFOPTF OPT00051 (for messages sent to user) and optional #DEFOPTF OPT00226 (for messages sent to IDMS log).

b
Custom database code and associated application code must not contain information beyond what is needed for troubleshooting.
SI-11 - Medium - CCI-001312 - V-251625 - SV-251625r961167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
IDMS-DB-000540
Vuln IDs
  • V-251625
Rule IDs
  • SV-251625r961167_rule
Error codes issued by custom code could provide more information than needed for problem resolution and should be vetted to make sure this does not occur.
Checks: C-55060r807740_chk

Check custom database code to verify that error messages do not contain information beyond what is needed for troubleshooting the issue. If database errors contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.

Fix: F-55014r807741_fix

Configure custom database code, and associated application code not to divulge sensitive information or information useful for system identification in error messages.

b
IDMS must reveal security-related messages only to authorized users.
SI-11 - Medium - CCI-001314 - V-251626 - SV-251626r961170_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
IDMS-DB-000550
Vuln IDs
  • V-251626
Rule IDs
  • SV-251626r961170_rule
Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
Checks: C-55061r807743_chk

Check that security messages from external security managers (ESMs) are sent only to the log which can be secured. Log on to IDMS DC system and issue "DCPROFIL". Scroll to the "OPTION FLAGS" screen. If OPT00051 is not listed, this is a finding. For IDMS LOG messages, if OPT00226 is not listed, this is a finding. Contact the security office and verify that the user, groups, and roles are defined to the ESM so that DC log can only be viewed by Information System Security Officer (ISSO), Information System Security manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).

Fix: F-55015r807744_fix

In the source for RHDCOPTF, add lines: #DEFOPT OPT00051 <-for messages sent to user #DEFOPT OPT00226 <-for messages sent to IDMS log Then, reassemble and relink RHDCOPTF. Reload RHDCOPTF in the CV by issuing the following commands: DCMT VARY NUCLEUS MODULE RHDCOPTF NEW COPY DCMT VARY NUCLEUS RELOAD Contact the security office to ensure that ADSOBPLG, the ADS print log utility, is secured via the ESM and assigned to the appropriate users, and that the ADS log file is secured from being read by others than ISSO, ISSM, SA, and DBA, also via the ESM.

b
Custom database code and associated application code must reveal detailed error messages only to the Information System Security Officer (ISSO), Information System Security manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
SI-11 - Medium - CCI-001314 - V-251627 - SV-251627r961170_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
IDMS-DB-000560
Vuln IDs
  • V-251627
Rule IDs
  • SV-251627r961170_rule
Detailed error messages issued by custom or user-written code can possibly give too much detail to the users. This code should be examined to ensure that this does not happen.
Checks: C-55062r807746_chk

Check custom database code to determine if detailed error messages are ever displayed to unauthorized individuals. If detailed error messages are displayed to individuals not authorized to view them, this is a finding.

Fix: F-55016r807747_fix

Configure custom database code and associated application code not to display detailed error messages to those not authorized to view them.

b
CA IDMS must automatically terminate a terminal session after organization-defined conditions or trigger events of terminal inactivity time.
AC-12 - Medium - CCI-002361 - V-251628 - SV-251628r961221_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
IDMS-DB-000570
Vuln IDs
  • V-251628
Rule IDs
  • SV-251628r961221_rule
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance. If a user does not sign off a terminal after use it can be used for illegitimate purposes. The IDMS RESOURCE TIMEOUT INTERVAL allows the organization to set a limit to the amount of time it can be left unattended.
Checks: C-55063r807749_chk

Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "RESOURCE TIMEOUT INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55017r807750_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 RESOURCE TIMEOUT INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE. The change will become effective the next time the CV is stopped and started. Note: The system RESOURCE TIMEOUT INTERVAL can be overridden with the TASK RESOURCE TIMEOUT INTERVAL for individual tasks.

b
CA IDMS must automatically terminate a batch external request unit after organization-defined conditions or trigger events after the batch program abnormally terminates.
AC-12 - Medium - CCI-002361 - V-251629 - SV-251629r961221_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
IDMS-DB-000580
Vuln IDs
  • V-251629
Rule IDs
  • SV-251629r961221_rule
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance. If a batch request terminates abnormally the external run unit process needs to be terminated.
Checks: C-55064r807752_chk

Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "CHKUSER TASK" is found. If the associated value is not the organization-defined number of subtasks that detect abnormally terminated batch external request units, this is a finding.

Fix: F-55018r807753_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 CHKUSER TASK is <the organization-defined number of subtasks> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.

b
CA IDMS must automatically terminate an external run-unit after organization-defined conditions or trigger events of time waiting to issue a database request.
AC-12 - Medium - CCI-002361 - V-251630 - SV-251630r961221_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
IDMS-DB-000590
Vuln IDs
  • V-251630
Rule IDs
  • SV-251630r961221_rule
Inactive sessions, such as a logged on user who leaves their terminal, may give a bad actor access to the system.
Checks: C-55065r807755_chk

Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "EXTERNAL WAIT" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55019r807756_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 EXTERNAL WAIT is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system EXTERNAL WAIT and can be overridden with the EXTERNAL WAIT parameter of the TASK statement. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.

b
CA IDMS must automatically terminate a task or session after organization-defined conditions or trigger events of time waiting to get a resource and/or time of inactivity.
AC-12 - Medium - CCI-002361 - V-251631 - SV-251631r961221_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
IDMS-DB-000600
Vuln IDs
  • V-251631
Rule IDs
  • SV-251631r961221_rule
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance. It may be desired to limit the amount of time a task can wait for a resource before terminating it.
Checks: C-55066r807758_chk

Use task SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "INACTIVE INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding. Scroll through the returned text until "RUNAWAY INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55020r807759_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 INACTIVE INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "MODIFY SYSTEM 123 RUNAWAY INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "VALIDATE." Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system INACTIVE INTERVAL can be overridden with the INACTIVE INTERVAL TASK parameters, e.g., for task RHDCNP3S which services external tasks/sessions. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.

b
CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session initiated by the terminal user.
AC-12 - Medium - CCI-002363 - V-251632 - SV-251632r961224_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
IDMS-DB-000610
Vuln IDs
  • V-251632
Rule IDs
  • SV-251632r961224_rule
If a user does not sign off a terminal after use, it can be used for illegitimate purposes. The IDMS RESOURCE TIMEOUT INTERVAL allows the organization to set a limit to the amount of time it can be left unattended.
Checks: C-55067r807761_chk

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "RESOURCE TIMEOUT INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55021r807762_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 RESOURCE TIMEOUT INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system RESOURCE TIMEOUT INTERVAL can be overridden with the TASK RESOURCE TIMEOUT INTERVAL for individual tasks.

b
CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session by disconnecting or ending before an explicit logout.
AC-12 - Medium - CCI-002363 - V-251633 - SV-251633r961224_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
IDMS-DB-000620
Vuln IDs
  • V-251633
Rule IDs
  • SV-251633r961224_rule
If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logouts may be explicit or implicit. Examples of explicit logouts are: clicking on a "Log Out" link or button in the application window; clicking the Windows Start button and selecting "Log Out" or "Shut Down." Examples of implicit logouts are: closing the application's (main) window; powering off the workstation without invoking the OS shutdown. Both the explicit and implicit logouts must be detected by the DBMS. In all cases, the DBMS must ensure that the user's DBMS session and all processes owned by the session are terminated. This should not, however, interfere with batch processes/jobs initiated by the user during their online session: these should be permitted to run to completion. IDMS must provide a facility by which an inactive user session may be terminated after a predetermined period of time.
Checks: C-55068r807764_chk

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "INACTIVE INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding. Scroll through the returned text until "RUNAWAY INTERVAL" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55022r807765_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 INACTIVE INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "MODIFY SYSTEM 123 RUNAWAY INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system INACTIVE INTERVAL can be overridden with the INACTIVE INTERVAL TASK parameters, e.g., for task RHDCNP3S which services external tasks/sessions. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.

b
CA IDMS CV must supply logout functionality to allow the user to implicitly terminate an external run-unit when a database request has not been made in an organizationally prescribed time frame.
AC-12 - Medium - CCI-002363 - V-251634 - SV-251634r961224_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
IDMS-DB-000630
Vuln IDs
  • V-251634
Rule IDs
  • SV-251634r961224_rule
If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logout may be explicit or implicit. Examples of explicit logouts are: clicking on a "Log Out" link or button in the application window; clicking the Windows Start button and selecting "Log Out" or "Shut Down." Examples of implicit logouts are: closing the application's (main) window; powering off the workstation without invoking the OS shutdown. Both the explicit and implicit logouts must be detected by the DBMS. In all cases, the DBMS must ensure that the user's DBMS session and all processes owned by the session are terminated. This should not, however, interfere with batch processes/jobs initiated by the user during his/her online session: these should be permitted to run to completion. IDMS must provide a facility by which an inactive user session may be terminated after a predetermined period of time.
Checks: C-55069r807767_chk

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "EXTERNAL WAIT" is found. If the associated value is not the organization-defined timeout number of wall-clock seconds, this is a finding.

Fix: F-55023r807768_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 EXTERNAL WAIT is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started. Note: The system EXTERNAL WAIT and can be overridden with the EXTERNAL WAIT parameter of the TASK statement. Note: The UCFCICZ interface may also be used to clean up the CA IDMS session if access is through CICS and the CICS session has ended.

b
CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a batch external request unit when the batch job abnormally terminates.
AC-12 - Medium - CCI-002363 - V-251635 - SV-251635r961224_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002363
Version
IDMS-DB-000640
Vuln IDs
  • V-251635
Rule IDs
  • SV-251635r961224_rule
IDMS must provide a facility by which an inactive user session may be terminated after a predetermined period of time.
Checks: C-55070r807770_chk

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the System definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "DISPLAY SYSTEM 123." where 123 is the number of the system being checked. Scroll through the returned text until "CHKUSER TASK" is found. If the associated value is not the organization-defined number of subtasks that detect abnormally terminated batch external request units, this is a finding.

Fix: F-55024r807771_fix

Use TASK SYSGEN if online, or program RHDCSGEN if batch. Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example. Enter: "MODIFY SYSTEM 123 CHKUSER TASK is <the organization-defined number of subtasks> ." where 123 is the number of the system being modified. Enter: "GENERATE." The change will become effective the next time the CV is stopped and started.

b
IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.
AC-6 - Medium - CCI-002235 - V-251636 - SV-251636r961353_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
IDMS-DB-000650
Vuln IDs
  • V-251636
Rule IDs
  • SV-251636r961353_rule
In general, all functions within IDMS can be controlled, therefore it is up to the IDMS system administrator to determine which functions or tasks are secured or require proper authorization. Any function within the IDMS environment can be considered privileged if the administrator deems it appropriate. Access to different functions is protected through a number of load modules that are generated from assembler macros. The load modules are RHDCSRTT, IDMSCTAB, and IDMSUTAB. The related assembler macros are #SECRTT, #CTABGEN, and #UTABGEN. The #SECRTT macro is used to define different functions to the ESM so that they can be secured. The #UTABGEN macro is used to secure specific OCF/BCF commands. The #CTABGEN macro is used to secure DCMT commands. IDMS provides several tasks, programs and data sets that, in the wrong hands, could allow access to sensitive data or give access to make detrimental changes. These tasks, programs and data sets should be deemed privileged and protected from unauthorized users.
Checks: C-55071r807773_chk

The following steps apply to "Online" and "Batch to CV" access to IDMS. If CAGJMAC and AAGJMAC libraries with external security manager (ESM) dataset level security are not secured, this is a finding. If the functions to be protected within the RHDCSRTT, IDMSCTAB, or IDMSUTAB modules are not defined, this is a finding. Note: The recommended method of securing the IDMS environment is through the ESM. The RHDCSRTT module allows users to define the different functions and applications as type EXTERNAL to make them visible to the ESM so that they can be secured. These load modules are used by the IDMS Central Version to understand how access to the IDMS environment is to be controlled. Again, it is not sufficient to merely define what should be secured via the RHDCSRTT module, these functions must be secured through the ESM. The security of the assembler macros and the security load modules must be upheld to protect the environment. Use the ESM to enact Dataset Level Security on the CAGJMAC macro library where the IDMS assembler macros reside. This is to protect unauthorized users from creating their own versions of the security load modules. Also, protect the CUSTLOAD load library or wherever the generated security load modules used by the IDMS environment are stored. By defining the functions to be protected in the RHDCSRTT module and then protecting those functions via the ESM, users are able to protect the DBMS environment. By taking these steps, unauthorized users are prevented from performing privileged functions when executing jobs in either a "Batch to Central Version" or "Online Central Version" environment. If accessing CA IDMS in "Batch Local" mode, access control is performed at the dataset level using the ESM. It is necessary to restrict users from accessing the CA IDMS Database files in Local Mode. If the CA IDMS Database files are not secured using the ESM, this is a finding. If limited access is allowed to database files in a batch to local scenario, consider utilizing a custom EXIT 14. If a user wishes to granularly protect specific DBMS verbs and have not implemented an EXIT 14, this is a finding.

Fix: F-55025r807774_fix

1. Define the functions to secure using the #SECRTT, #CTABGEN, and #UTABGEN macros. See the IDMS documentation for information on how use these macros to secure the CA IDMS environment. 2. Protect the IDMS macro libraries with the ESM's dataset level security (see the ESM's documentation to restrict access except for the administrators). 3. Protect the IDMS custom load library containing the RHDCUXIT, RHDCSRTT, IDMSCTAB, or IDMSUTAB modules. See the ESM's documentation to restrict access except for the IDMS Central Version, administrators, and any other users who require access. 4. If access must be restricted to the CA IDMS Database files in Local Mode, and the CA IDMS Database files are not properly secured using an ESM, then do so. All pertinent CA IDMS software load libraries and customization load libraries should also be secured. Only allow access to these files by the IDMS Central Version or specific administrator IDs as specified by the ESM. This protects the system from unauthorized users utilizing alternative load libraries or security settings to access database files, and also prevents them from directly accessing the database files. 5. If granularly controlling user access in batch to local mode is required and EXIT 14 is not set up in the RHDCUXIT module, see the IDMS documentation. Use EXIT 14 to decide which database verbs to protect. Access is protected by associating the verbs with a security resource in the RHDCSRTT, which is protected by the ESM. This is an exit that must be compiled into the RHDCUXIT load module. This exit is called at the time of a database verb being called and allows users to define which verbs are secured and how they are secured by issued Security Checks based on the user making the calls. This allows a user to choose which verbs are privileged and who is able to access them. As before, the verbs are secured by associating them with a defined access type in the RHDCSRTT, module which then needs to be secured by the ESM. By using the ESM's dataset level security and Exit 14, access is restricted to functions that should be protected.

b
IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.
AC-6 - Medium - CCI-002235 - V-251637 - SV-251637r961353_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
IDMS-DB-000660
Vuln IDs
  • V-251637
Rule IDs
  • SV-251637r961353_rule
Ensure that a subset DCMT commands are secured so that only those with the appropriate authority are able to execute them. Access to these DCMT commands can allow a user to circumvent defined security policies and procedures, and to make other detrimental changes to the CV environment.
Checks: C-55072r807776_chk

Verify that the following DCMT commands are protected for use by the appropriate users: DCMT DISPLAY MEMORY DCMT VARY DYNAMIC PROGRAM DCMT VARY DYNAMIC TASK DCMT VARY LOADLIB DCMT VARY MEMORY DCMT VARY NUCLEUS DCMT VARY PROGRAM DCMT VARY RUN UNIT DCMT VARY SYSGEN Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. If the command codes for the commands listed above are not present in the output, this is a finding. Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Review the output to determine if there are ACTI entries to secure the above commands. Activity numbers are assigned in IDMSCTAB and used in the SRTT formats for the external resource name. Contact the security office if the resource access is not restricted to only users authorized in the site security plan. If the resource access is not restricted to only users authorized in the site security plan, this is a finding.

Fix: F-55026r807777_fix

The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example: #SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY) Update the source for IDMSCTAB as needed. This example #CTABGEN entry secures the DCMT commands listed in the check and assigns a task number to each: CTAB TITLE 'GENERATE DCMT SECURITY TABLE' #CTABGEN LOGIN=YES, X (A,1,B,2,C,3,D,4,E,5,F,6,G,7,H,8,I,9), X (N022,A), DCMT DISPLAY MEMORY X (N046001,B), DCMT VARY DYNAMIC PROGRAM X (N046002,C), DCMT VARY DYNAMIC TASK X (N050,D), DCMT VARY LOADLIB X (N033,E), DCMT VARY MEMORY X (N063,F), DCMT VARY NUCLEUS X (N025,G), DCMT VARY PROGRAM X (N073,H), DCMT VARY RUN UNIT X (N095,I) DCMT VARY SYSGEN END The ACTIVITY passed to the ESM will be the first up to five bytes of the application name followed by the three-byte activity number or, using the above example, DCMT009 for a DCMT VARY SYSGEN command. After making the above changes, IDMSCTAB and RHDCSRTT must be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY DCMT VARY NUCLEUS RELOAD Also verify the ESM gives access to the appropriate users. Here are Top Secret commands based on the above information. Assume that the SYSTEM ID in SYSGEN is TEST001: TSS PER(user_id) CA@IDMS(TEST001.DCMT001)

b
IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.
AC-6 - Medium - CCI-002235 - V-251638 - SV-251638r961353_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
IDMS-DB-000670
Vuln IDs
  • V-251638
Rule IDs
  • SV-251638r961353_rule
Unauthorized access to user profiles, dictionaries, and user catalogs provides the ability to damage the IDMS system.
Checks: C-55073r807779_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Confirm that the #SECRTT macro contains entries for the following resource names: UPRF for User Profile, SYSTEM for System Dictionary, SYSMSG for System Messages, and CATSYS for the User Catalog. If all of these resource names are not defined to external security, this is a finding.

Fix: F-55027r807780_fix

Secure database object resources not found in SECRTT or found to be secured internally, through the external security manager (ESM) chosen by the organization (e.g., TSS, ACF 2, RACF). Users, groups, roles, etc., are defined to the ESM, and it is here where the authorization for ownership is determined. Once externally secured, create or modify the #SECRTT entries specify TYPE=ENTRY and TYPE=OCCURRENCE for the database resource type with the parameter of SECBY=EXTERNAL. Use the RESTYPE DB which implicitly includes the subtypes AREA, NRU, QSCH, NSCH, TABL, DACC, and SACC. For each subtype, an entry must be added. The restypes for database tables and DMCLs are DBTB and DMCL, respectively. Update the #SECRTT macro to contain the following entries: #SECRTT TYPE=ENTRY, RESTYPE=UPRF, X SECBY=EXTERNAL, X Additional parameters required #SECRTT TYPE=OCCURRENCE, X RESNAME='SYSUSER', X RESTYPE=DB, X SECBY=EXTERNAL, X Additional parameters required #SECRTT TYPE=OCCURRENCE, X RESTYPE=DB, X RESNAME='SYSTEM', X SECBY=EXTERNAL, X Additional parameters required #SECRTT TYPE=OCCURRENCE, X RESTYPE=DB, X RESNAME='SYSMSG', X SECBY=EXTERNAL, X Additional parameters required #SECRTT TYPE=OCCURRENCE, X RESTYPE=DB, X RESNAME='CATSYS', X SECBY=EXTERNAL, X Additional parameters required For batch jobs that access database objects, use the ESM standard dataset security and/or the user-written exit 14 to secure the database objects.

b
IDMS must restrict the use of code that provides elevated privileges to specific instances.
AC-6 - Medium - CCI-002233 - V-251639 - SV-251639r961359_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
IDMS-DB-000690
Vuln IDs
  • V-251639
Rule IDs
  • SV-251639r961359_rule
When a user has elevated privileges, they may be able to deliberately or inadvertently make alterations to the DBMS structure or data.
Checks: C-55074r807782_chk

Review the system documentation, database, and DBMS security configuration (in SRTT and ESM), source code for DBMS internal logic, source code of external modules invoked by the DBMS, and source code of the application(s) using the database. If elevation of DBMS privileges is utilized but not documented, this is a finding. If elevation of DBMS privileges is documented, but not implemented as described in the documentation, this is a finding. If the privilege-elevation logic can be invoked in ways other than intended, or in contexts other than intended, or by subjects/principals other than intended, this is a finding.

Fix: F-55028r807783_fix

Determine where, when, how, and by what principals/subjects elevated privilege is needed. Modify the database and DBMS security configuration (in SRTT and external security manager [ESM]), DBMS internal logic, external modules invoked by the DBMS, and the application(s) using the database, to ensure privilege elevation is used only as required.

b
CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.
CM-5 - Medium - CCI-001813 - V-251640 - SV-251640r961461_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
IDMS-DB-000720
Vuln IDs
  • V-251640
Rule IDs
  • SV-251640r961461_rule
The ability to add programs to be executed under IDMS can be a problem if malicious programs are added. CA IDMS must prevent installation of unauthorized programs and the ability to dynamically register new programs and tasks.
Checks: C-55075r807785_chk

Examine load module RHDCSRTT by executing CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV, and reviewing the output. Note: This requires PTFs SO07995 and SO09476. Check the SRTT for externally secured resource SYST which allows the SYSGEN to be modified and application program definitions added. If "SYST" is not found as the resource type in any of the entries, this is a finding. If "SYST" is secured internally, this is a finding. If "SYST" is found to be secured externally, ensure that the ESM contains the correct definition using the external resource class name and the external name construction rules. If it is not defined or not defined correctly, this is a finding.

Fix: F-55029r807786_fix

Create an entry in the SRTT and compile into the module RHDCSRTT for the security domain that defined the resource type of SYST. The external class and external name construction rules must be specified. For instance: #SECRTT TYPE=ENTRY,RESTYPE=SYST, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(RESNAME) Create the corresponding entry in the external security manager (ESM) and authorize appropriate users, groups, etc., to allow access to system generation including program definition.

b
IDMS terminal and lines that are not secure must be disabled.
CM-7 - Medium - CCI-001762 - V-251641 - SV-251641r961470_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
IDMS-DB-000770
Vuln IDs
  • V-251641
Rule IDs
  • SV-251641r961470_rule
Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.
Checks: C-55076r807788_chk

For each load area, run a CREPORT 43 to check the nodes and access types for each node. For each node, issue DCMT D LINE. For each LINE type with a status of InSrv, inspect the access type for potential unauthorized connection types. For TCP/IP, any line with access type SOCKET, issue DCMT D LINE &lt;tcp-line-id&gt;. If any terminals are of type LIST and status InSrv, check port number for a valid port. If the port number is unacceptable as defined in the PPSM CAL, this is a finding. For each terminal with the type of LIST and InSrv, issue DCMT D PTE &lt;pterm-id&gt;. For each task and (possible PARM STRING which could pass a task) identified in the PTE display, issue DCMT D TASK &lt;task-id&gt;. If the task is IDMSJSRV and the associated program is RHDCNP3J, this is not a finding. If the task/program has not been authorized, this is a finding. If other access types (e.g., VTAM, SVC, CCI) have been deemed nonsecure in the PPSM CAL, this is a finding.

Fix: F-55030r807789_fix

For any pterm found to have nonsecure attributes (task, program, port), disable by issuing DCMT V PTE <pterm-id> OFF. Using SYSGEN, remove offending lines, pterms, lterms, and/or port numbers and regenerate the system.

b
CA IDMS must protect the system code and storage from corruption by user programs.
SC-39 - Medium - CCI-002530 - V-251642 - SV-251642r961608_rule
RMF Control
SC-39
Severity
Medium
CCI
CCI-002530
Version
IDMS-DB-000780
Vuln IDs
  • V-251642
Rule IDs
  • SV-251642r961608_rule
Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.
Checks: C-55077r807791_chk

Log on to IDMS DC system and issue DCPROFIL. If HPSPO ENABLED: display is "NO", this is a finding.

Fix: F-55031r807792_fix

Use the following system generation parameters to enable the use of high performance storage protection: Set STORAGE KEY parameter of the SYSTEM statement to "9". Set PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for PROGRAMS required to run with the alternate protect key (i.e., 9). DCMT DISPLAY ALL STORAGE POOLS can be used to take note of what pools support any type of user storage, that is, user, user-kept, shared, shared-kept, or ALL, in preparation for the next step. If necessary, redefine storage pools in such a manner that all forms of user-oriented storage (user, user-kept, shared, and shared-kept) are segregated from the system storage (database, terminal). For example: ADD STORAGE POOL 1 CONTAINS TYPES ( SHARED SHARED-KEPT USER USER-KEPT ) ADD XA STORAGE POOL 128 CONTAINS TYPES ( USER USER-KEPT ) ADD XA STORAGE POOL 129 CONTAINS TYPES ( SHARED SHARED-KEPT ) ADD XA STORAGE POOL 130 CONTAINS TYPES ( TERMINAL DATABASE ) Generate and start the system. The storage pool definitions have been set up correctly if the message DC004001 HPSPO HAS BEEN DISABLED DUE TO INCORRECT STORAGE POOL DEFINITIONS is not issued at startup.

b
CA IDMS must protect system and user code and storage from corruption by user programs.
SC-39 - Medium - CCI-002530 - V-251643 - SV-251643r961608_rule
RMF Control
SC-39
Severity
Medium
CCI
CCI-002530
Version
IDMS-DB-000790
Vuln IDs
  • V-251643
Rule IDs
  • SV-251643r961608_rule
Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication between processes is controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces.
Checks: C-55078r807794_chk

Log on to IDMS DC system and issue "DCPROFIL". If SYSTEM STORAGE PROTECTED: display is "NO", this is a finding. Issue DCMT D PROGRAM pgmname where pgmname is ADSOMAIN, ADSORUN1, and user programs. If "Storage Prot" is "NO", this is a finding.

Fix: F-55032r807795_fix

Use the following system generation parameters to enable the use of standard storage protection: Set STORAGE KEY parameter of the SYSTEM statement to a value that is not" 9". (The value other than 9 is dependent on how the z/OS parm AllowUserKeyCSA is set). Set PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for ADSOMAIN, ADSORUN1, and user programs. Generate and restart the system.

b
CA IDMS must prevent user code from issuing selected SVC privileged functions.
SC-39 - Medium - CCI-002530 - V-251644 - SV-251644r961608_rule
RMF Control
SC-39
Severity
Medium
CCI
CCI-002530
Version
IDMS-DB-000800
Vuln IDs
  • V-251644
Rule IDs
  • SV-251644r961608_rule
If an SVC is used to facilitate interpartition communication for online applications executing under other DC systems, batch application programs, and programs executed under TP monitors other than DC when running on the same LPAR, privileged functions of the SVC can be protected from these entities that do not run within the IDMS DC partition with a combination of the key specification and the disabling of selected SVC functions.
Checks: C-55079r807797_chk

Log on to IDMS DC system. Issue DCMT D MEM SVC+6D0 to get address of SVC options (svcopt-addr). Issue DCMT D MEM svcopt-addr. With all lengths of 1, at offset 1 is the SVC number, offset 3 contains CVKEY number, offset x' D' contains a flag byte where a setting of X'20' indicates AUTHREQ=YES. If there is no valid number for CVKEY and the flag byte of X'20' is not set, this is a finding. Note: Offsets are subject to change.

Fix: F-55033r807798_fix

Set #SVCOPT parameters CVKEY to the chosen key for startup modules and AUTHREQ=YES to create a secured SVC. Assemble, relink and install SVC. Create an entry in the Z/OS PPT for the startup module in the chosen key. All IDMS CV startup modules must reside in an authorized library and must be linked as authorized (SETCODE AC(1)). The IBM Z/OS parameter AllowUserKeyCsa should also be checked since the setting may impact the CVKEY choice (see TEC574934 for details).

b
The system storage used for data collection by the CA IDMS server must be protected.
SC-8 - Medium - CCI-002420 - V-251645 - SV-251645r961638_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
IDMS-DB-000810
Vuln IDs
  • V-251645
Rule IDs
  • SV-251645r961638_rule
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms. Satisfies: SRG-APP-000441-DB-000378, SRG-APP-000442-DB-000379
Checks: C-55080r807800_chk

Log on to IDMS DC system and issue DCPROFIL. If HPSPO ENABLED: display is "NO", this is a finding.

Fix: F-55034r807801_fix

Use the following system generation parameters to enable the use of high performance storage protection: Set STORAGE KEY parameter of the SYSTEM statement to "9". Set PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for PROGRAMS required to run with the alternate protect key (i.e., 9). DCMT DISPLAY ALL STORAGE POOLS can be used to take note of what pools support any type of user storage; that is, user, user-kept, shared, shared-kept, or ALL, in preparation for the next step. If necessary, redefine storage pools so all forms of user-oriented storage (user, user-kept, shared, and shared-kept) are segregated from the system storage (database, terminal). For example: ADD STORAGE POOL 1 CONTAINS TYPES ( SHARED SHARED-KEPT USER USER-KEPT ) ADD XA STORAGE POOL 128 CONTAINS TYPES ( USER USER-KEPT ) ADD XA STORAGE POOL 129 CONTAINS TYPES ( SHARED SHARED-KEPT ) ADD XA STORAGE POOL 130 CONTAINS TYPES ( TERMINAL DATABASE ) Generate and start the system. The storage pool definitions have been set up correctly if the message "DC004001 HPSPO HAS BEEN DISABLED DUE TO INCORRECT STORAGE POOL DEFINITIONS" is not issued at startup.

b
The cache table procedures and views used for performance enhancements for dynamic SQL must be protected.
SC-8 - Medium - CCI-002420 - V-251646 - SV-251646r961638_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
IDMS-DB-000820
Vuln IDs
  • V-251646
Rule IDs
  • SV-251646r961638_rule
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.
Checks: C-55081r807803_chk

For CA IDMS CV, issue "SELECT * FROM SYSCA.DSCCACHEOPT". If rows are returned, caching is on. For local, if no statement, SQL_CACHE_ENTRIES=0 exists in the SYSIDMS specification, caching is on. Examine RHDCSRTT in security domain for security on table procedures and views of DSCCACHE table; those supplied at installation (SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) or those created by organization. If no security is found for these table procedures and views, this is a finding.

Fix: F-55035r807804_fix

Either turn off use of SQL cache or secure SQL cache tables. Turn off SQL cache use in local using SYSIDMS parameter SQL_CACHE_ENTRIES=0. Turn off SQL cache use in IDMS CV and modify sysgen with statement DELETE SQL CACHE. To secure SQL cache tables add RESTYPE DB entry and RESTYPE TABL occurrences for SQL cache tables (table procedures and views) SYSCA.DSCCACHE, SYSCA.DSCCACHEOPT,SYSCA.DSCCACHECTRL, SYSCA.DSCCACHEV) and any other views of SYSCA.DSCCACHE created by the organization. For example: #SECRTT TYPE=ENTRY,RESTYPE=DB,EXTCLS='CA@IDMS', EXTNAME=(RESTYPE,ENVI,RESNAME),SECBY=OFF #SECRTT TYPE=ENTRY,RESTYPE=TABL,EXTCLS='CA@IDMS', EXTNAME=(ENVI,RESTYPE,SCHEMA,RESNAME),SECBY=EXTERNAL ... (other DB-covered ENTRYs e.g., NRU, DACC. etc.) #SECRTT TYPE=OCCUR,RESNAME='<db/segment to secure>',RESTYPE=DB,SECBY=EXTERNAL Secure SQL cache tables in external security manager (ESM) using the corresponding chosen external name (e.g., PROD.TABL.SYSCA.DSCCACHE).

b
The storage used for data collection by CA IDMS web services must be protected.
SC-8 - Medium - CCI-002420 - V-251647 - SV-251647r961638_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
IDMS-DB-000830
Vuln IDs
  • V-251647
Rule IDs
  • SV-251647r961638_rule
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms. Satisfies: SRG-APP-000441-DB-000378, SRG-APP-000442-DB-000379
Checks: C-55082r807806_chk

Log on to IDMS DC system and issue "DCPROFIL". If SYSTEM STORAGE PROTECTED: display is "NO", this is a finding. Issue DCMT D PROGRAM RHDCWSSP. If Storage Prot is "NO", this is a finding.

Fix: F-55036r807807_fix

Use the following system generation parameters to enable the use of standard storage protection: Set STORAGE KEY parameter of the SYSTEM statement to a value that is not "9". (The value other than 9 is dependent on how the z/OS parm AllowUserKeyCSA is set). Set PROTECT/NOPROTECT parameter of the SYSTEM statement to "PROTECT". Set PROTECT/NOPROTECT parameter of the PROGRAM statement to "PROTECT" for RHDCWSSP. Generate and restart the system.

b
The storage used for data collection by CA IDMS Server and CA IDMS Web Services must be protected from online display and update.
SC-8 - Medium - CCI-002420 - V-251648 - SV-251648r961638_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002420
Version
IDMS-DB-000840
Vuln IDs
  • V-251648
Rule IDs
  • SV-251648r961638_rule
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms. Satisfies: SRG-APP-000441-DB-000378, SRG-APP-000442-DB-000379
Checks: C-55083r807809_chk

Check the SRTT for externally secured ACTI which can be used to secure DCMT DISPLAY MEMORY and DCMT VARY MEMORY. Examine load module RHDCSRTT using CA IDMS utility IDMSSRTD, or by issuing command "DCMT DISPLAY SRTT" while signed onto the CV and reviewing the output. Note: This requires PTFs SO07995 and SO09476. If RESTYPE=ACTI is not found as the resource type in any of the entries, this is a finding. If RESTYPE=ACTI is found but the entry is secured internally, this is a finding. Examine load module IDMSCTAB using CA IDMS utility IDMSCTAD, or by issuing command "DCMT DISPLAY CTAB" while signed onto the CV and reviewing the output. Note: This requires PTF SO08199. Verify that these DCMT command codes are present: N022 - DISPLAY MEMORY N033 - VARY MEMORY If they are not present, this is a finding.

Fix: F-55037r807810_fix

The SRTT must contain one or more entries to enable the external security of RESTYPE=ACTI. For example: #SECRTT TYPE=ENTRY,RESTYPE=ACTI, SECBY=EXTERNAL, EXTCLS='CA@IDMS',EXTNAME=(SYST,ACTIVITY) Update the source for IDMSCTAB. This example #CTABGEN entry secures the DCMT DISPLAY MEMORY and DCMT VARY MEMORY commands and assigns an activity number to each: CTAB TITLE 'GENERATE DCMT SECURITY TABLE' #CTABGEN LOGIN=YES, X (A,1,B,11), X (N033,A, VARY MEMORY - TASK 1 X N022,B) DISPLAY MEMORY - TASK 11 END The ACTIVITY passed to the ESM will be the first up to 5 bytes of the application name followed by the 3 byte activity number or, using the above example, DCMT011 for a DCMT DISPLAY MEMORY. After making the above changes, IDMSCTAB and RHDCSRTT must be reassembled and relinked. To implement the new SRTT and IDMSCTAB, either recycle any CVs that use the SRTT or issue these commands: DCMT VARY NUCLEUS MODULE RHDCSRTT NEW COPY DCMT VARY NUCLEUS MODULE IDMSCTAB NEW COPY DCMT VARY NUCLEUS RELOAD Also, verify the ESM gives access to the appropriate people. Here are some Top Secret commands based on the above information. Assume that the SYSTEM ID in SYSGEN is TEST001: TSS PER(user_id) CA@IDMS(TEST001.DCMT001) TSS PER(user_id) CA@IDMS(TEST001.DCMT011)

b
IDMS must check for invalid data and behave in a predictable manner when encountered.
SI-10 - Medium - CCI-002754 - V-251649 - SV-251649r961656_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-002754
Version
IDMS-DB-000880
Vuln IDs
  • V-251649
Rule IDs
  • SV-251649r961656_rule
A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.
Checks: C-55084r807812_chk

If data inputs are specifically identified by the organization as exempt from validity checks, this is not applicable. If SQL-defined tables, DISPLAY TABLE &lt;schema-name&gt;.&lt;table-name&gt; . If there is not a CHECK for the columns and accompanying accepted values, this is a finding. If network-defined records, DISPLAY SCHEMA or DISPLAY RECORD. If there is no CALL to a procedure BEFORE STORE and BEFORE MODIFY, this is a finding. If the procedure does not validate the non-exempt columns, this is a finding. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid. Review the source code for checks, procedures, and edits to identify how the system responds to invalid input. If it does not implement the documented behavior, this is a finding.

Fix: F-55038r855287_fix

Revise and deploy source code changes for checks, procedures, and edits to implement the documented behavior. For SQL-defined tables, ALTER TABLE <schema-name>.<table-name> ADD CHECK (search-condition). For network-defined records, MODIFY <record-name> CALL procedure BEFORE STORE/MODIFY. Create or update procedure to validate provided record field values. Other applications and front-ends using mapping can use the automatic editing feature and edit and code tables to verify that an input value is valid.

b
Maintenance for security-related software updates for CA IDMS modules must be provided.
SI-2 - Medium - CCI-002605 - V-251650 - SV-251650r1001008_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
IDMS-DB-000890
Vuln IDs
  • V-251650
Rule IDs
  • SV-251650r1001008_rule
When a problem is found in IDMS, corrective maintenance is published to correct the problem (including security related problems). Published fixes should be applied to the IDMS system to correct any problems found.
Checks: C-55085r807815_chk

Determining which PTFs have been applied, a query can be done to an SMP/E CSI using the IBM SMP/E utility. New and existing PTFs must be reviewed using CA CARS or CSO in a timeframe determined by an authoritative source. If not, this is a finding.

Fix: F-55039r807816_fix

Institute and adhere to policies and procedures to ensure that patches are consistently applied to the IDMS within the time allowed.

b
The DBMS must develop a procedure to limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-251652 - SV-251652r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
IDMS-DB-000910
Vuln IDs
  • V-251652
Rule IDs
  • SV-251652r960735_rule
Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single account. It does not address concurrent sessions by a single user via multiple system accounts; and it does not deal with the total number of sessions across all accounts. The capability to limit the number of concurrent sessions per user must be configured in or added to the DBMS (for example, by use of a logon trigger), when this is technically feasible. Note that it is not sufficient to limit sessions via a web server or application server alone, because legitimate users and adversaries can potentially connect to the DBMS by other means. The organization will need to define the maximum number of concurrent sessions by account type, by account, or a combination thereof. In deciding on the appropriate number, it is important to consider the work requirements of the various types of users. For example, two might be an acceptable limit for general users accessing the database via an application; but 10 might be too few for a database administrator using a database management GUI tool, where each query tab and navigation pane may count as a separate session. (Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.)
Checks: C-55087r807821_chk

Consult the system DBA and review system procedures for measures that establish a dataset to be used as a lock file. If there is no such procedure, this is a finding.

Fix: F-55041r807822_fix

Require users to use specific JCL that includes exclusive access to a dataset used as a lock file. This would prevent more than one job from running at a time. This would not allow multiple users to have one session active at a time, this would be one active session, no matter how many individual users are attempting to run the batch jobs. The CA IDMS DBA must develop a Journal Analyzer procedure for authorized users to capture, record, and log all content related to a user.

b
The DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11 - Medium - CCI-001312 - V-251653 - SV-251653r961167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
IDMS-DB-000920
Vuln IDs
  • V-251653
Rule IDs
  • SV-251653r961167_rule
Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team. Databases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, usernames, and other system information not required for troubleshooting but very useful to someone targeting the system. Carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, Social Security numbers, and credit card numbers.
Checks: C-55088r807824_chk

Consult the system DBA and review system procedures for WTO exits that modify IDMS messages that go to non-privileged users. If there is no procedure, this is a finding.

Fix: F-55042r807825_fix

Develop an IDMS user exit WTOEXIT to review, alter, redirect and suppress text of IDMS messages written to the operator's console. (Note that some system messages are written to the DC/UCF log as they are originally issued. Some system messages are written only to the console, regardless of how they are defined in the message dictionary).

c
CA IDMS must use pervasive encryption to cryptographically protect the confidentiality and integrity of all information at rest in accordance with data owner requirements.
AU-1 - High - CCI-000119 - V-251654 - SV-251654r1028319_rule
RMF Control
AU-1
Severity
High
CCI
CCI-000119
Version
IDMS-DB-000930
Vuln IDs
  • V-251654
Rule IDs
  • SV-251654r1028319_rule
This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. User data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. If the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification. Satisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387, SRG-APP-000231-DB-000154
Checks: C-55092r807836_chk

If this CA IDMS has no requirement for confidentiality and integrity of all information at rest in accordance with the data owners requirements, this not applicable. If required files are not defined as a VSAM dataset this is a finding. Perform the following for the VSAM dataset 1. LISTC ENT('dsn') ALL" Where "dsn" is the DSNAME of the cluster; review the ATTRIBUTES section of the output to ensure that the database is defined as NONINEXED (the cluster is an ESDS). If not, this is a finding. 2. In the IDCAMS LISTC output, look for the SMSDATA section. If none is found this is a finding. Otherwise, find the "DATACLASS" name and query the systems programmer to ensure that the SMS data class specifies "Extended Format" but does not specify "Extended Addressing". If not, this is a finding. 3. In the IDCAMS LISTC output: Find the "STORAGECLASS" and query the systems programmer to ensure it supports extended format VSAM dataset. If not, this is a finding. 4. Confirm that the database(s) have a data set key label. Places to check for a data set key label: a. In the SMS data class definition by reviewing the entry for the appropriate data class in ISMF b. In the output of an IDCAMS LISTC in the ENCRYPTIONDATA section. If "DATA SET ENCRYPTION" is "YES", then the label will be displayed after "DATA SET KEY LABEL". c. The key label may be assigned through the ESM. Query the security team to determine if this is the case. 5. The database(s) must be defined in the DMCL as "VSAM". Run "IDMSLOOK" to print the contents of the DMCL and look for the desired database(s). If the TYPE column is not "VSAM", this is a finding.

Fix: F-55046r855290_fix

Enable pervasive encryption to protect data at rest: 1. Query system programmers, DBAs, and security team members as needed to determine SMS data and storage classes and data set key labels to use 2. Convert the desired database to a VSAM cluster. a. If necessary, expand the page size of the area(s) current files. The optimal page size is eight bytes less than the VSAM control interval size. b. Alter the file definition to change its access method and then generate, punch, and link all DMCLs in which the file's segment is included. Optionally, specify a new database name or other location information c. Allocate the new database file(s). 3. Modify the CV and batch JCL to reference the new VSAM data set(s). 4. Using the appropriate OS utility, copy the original database file(s) to the new, VSAM database file(s). Note that the actual data encryption takes place when the database is written to or read from.

b
The DBMS must associate organization-defined types of security labels having organization-defined security label values with information in process.
AC-16 - Medium - CCI-002263 - V-251655 - SV-251655r961272_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002263
Version
IDMS-DB-000940
Vuln IDs
  • V-251655
Rule IDs
  • SV-251655r961272_rule
Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. One example includes marking data as classified or FOUO. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise. The mechanism used to support security labeling may be a feature of the DBMS product, a third-party product, or custom application code.
Checks: C-55093r807839_chk

If the site system plan does not require security labels, this requirement is Not Applicable. Consult the system DBA and review system procedures for an application that maintains security label processing. If there is no label application procedure, this is a finding.

Fix: F-55047r807840_fix

Update an application DB to include label fields in each database record and to maintain the status through the application.

b
CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.
SC-13 - Medium - CCI-002450 - V-251656 - SV-251656r961857_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
IDMS-DB-000950
Vuln IDs
  • V-251656
Rule IDs
  • SV-251656r961857_rule
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. For detailed information, refer to NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.
Checks: C-55094r807842_chk

Verify that connection to IDMS is FIPS-compliant. 1. For ODBC and JDBC Type 2 connections: a. Configure the Data Source to enable the DTS-JCLI logging option. b. Perform a connection test using the "Test" function on the administrator. c. View the generated log entries to determine the TLS version, cipher algorithm, and certificate employed. 2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) successful! 2020/04/27 09:51:41.946 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) connection attempts: 1 2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) TLS version TLSv1.2 2020/04/27 09:51:41.947 P:0000502C T:00005DC8 JCLI Trace: SSL_connect(832) cipher TLS_RSA_WITH_AES_256_CBC_SHA256 (this should be one or more of the accepted ciphers) Cipher Specifications 3DES_SHA AES_256_SHA AES_128_SHA If connection is not verified this is a finding. 2. For all connection types: IBM provides configuration options for multiple SSL components, to force FIPS-140 compliance. a. System SSL: The environment variable GSK_FIPS_STATE specifies GSK_FIPS_STATE_ON in the envar file in the GSKSRVR home directory or message "GSK01057I SSL server starting in FIPS mode" is in the JES log. b. ICFS: Review the JES log for the ICSF region for the following message is issued on startup CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL. If either of the above is true this is not a finding. If none of the above is true this is a finding.

Fix: F-55048r807843_fix

Contact the appropriate system administrators to make the needed changes to allow the use of AT-TLS and the associated software. See Broadcom Techdocs for further information: - Configure Secure Sockets See IBM's z/OS Communications Server bookshelf for information on: - Configuring AT-TLS See IBM's z/OS Cryptographic Services System bookshelf for information on - Algorithms and key sizes - System SSL - ICSF Services