Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

z/OS IBM System Display and Search Facility (SDSF) for RACF Security Technical Implementation Guide

  • Version/Release: V6R10
  • Published: 2022-10-07
  • Released: 2022-11-23
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
IBM System Display and Search Facility (SDSF) Configuration parameters must be correctly specified.
AC-4 - Medium - CCI-000035 - V-224504 - SV-224504r868446_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZISF0040
Vuln IDs
  • V-224504
  • V-18014
Rule IDs
  • SV-224504r868446_rule
  • SV-40746
IBM System Display and Search Facility (SDSF) ISFPARMS defines global options, panel formats, and security for SDSF. Failure to properly specify these parameter values could potentially compromise the integrity and availability of the MVS operating system and user data.
Checks: C-26187r868441_chk

Refer to the JCL procedure libraries defined to JES2 for the SDSF started task member for SDSFPARM DD statement. Refer to the ISRPRMxx members in the logical PARMLIB concatenation. Refer to the results of the "F SDSF,D" command. Where SDSF should specify the SDSF started task name. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZISF0040) Ensure the following Group Parameters are specified or not specified in the GROUP statements defined in the ISFPARMS members. If the following guidance is true, this is not a finding. For each GROUP statement: AUPDT(0) AUTH will not be specified CMDAUTH will not be specified CMDLEV will not be specified DSPAUTH will not be specified NAME a value will be specified for the NAME

Fix: F-26175r868444_fix

Ensure that the following Group function parameters appear and/or do not appear in ISFPARMS. For each GROUP statement: AUPDT(0) AUTH will not be specified CMDAUTH will not be specified CMDLEV will not be specified DSPAUTH will not be specified NAME a value will be specified for the NAME The ISFPARMS GROUP statement defines user groups and their characteristics. Some of these characteristics include access authorization to SDSF functions and commands. Access to these functions and commands will be controlled using SAF resources. The use of the SAF interface is consistent with the DOD requirement to control all products within the operating system using the ACP. To ensure SAF security is always in effect, authorizations to SDSF functions and commands should not be defined in ISFPARMS DD statement in the SDSF JCL member.

b
IBM System Display and Search Facility (SDSF) installation data sets will be properly protected.
AC-3 - Medium - CCI-000213 - V-224505 - SV-224505r856990_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZISFR000
Vuln IDs
  • V-224505
  • V-16932
Rule IDs
  • SV-224505r856990_rule
  • SV-40697
IBM System Display and Search Facility (SDSF) installation data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.
Checks: C-26188r840213_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(ISFRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZISF0000) Verify that the accesses to the IBM SDSF installation data sets are properly restricted. If the following guidance is true, this is not a finding. ___ The RACF data set rules for the data sets restricts READ access to all authorized users. ___ The RACF data set rules for the data sets restricts WRITE and/or greater access to systems programming personnel. ___ The RACF data set rules for the data sets specify that all (i.e., failures and successes) WRITE and/or greater access is logged. ___ The RACF data set rules for the data sets specify UACC(NONE) and NOWARNING.

Fix: F-26176r840214_fix

The ISSO will ensure that WRITE and/or greater access to IBM SDSF installation data sets is limited to System Programmers only, and all WRITE and/or greater access is logged. READ access can be given to all authorized users. The installing Systems Programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and if required that all WRITE and/or greater access is logged and identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented will work with the ISSO to see that they are properly restricted to the ACP (Access Control Program) active on the system. Data sets to be protected will be: SYS1.ISF.AISF SYS1.ISF.SISF The following commands are provided as a sample for implementing data set controls: AD 'sys1.isf.aisf*.**' UACC(NONE) OWNER(SYS1) AUDIT(SUCCESS(UPDATE) FAILURES(READ)) AD 'sys1.isf.sisf*.**' UACC(NONE) OWNER(SYS1) AUDIT(SUCCESS(UPDATE) FAILURES(READ)) PE 'sys1.isf.aisf*.**' ID(syspaudt) ACC(A) PE 'sys1.isf.sisf*.**' ID(syspaudt) ACC(A) PE 'sys1.isf.sisf*.**' ID(authorized users/*) ACC(R)

b
IBM System Display and Search Facility (SDSF) HASPINDX data set identified in the INDEX parameter must be properly protected.
AC-3 - Medium - CCI-000213 - V-224506 - SV-224506r520369_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZISFR002
Vuln IDs
  • V-224506
  • V-21592
Rule IDs
  • SV-224506r520369_rule
  • SV-40731
IBM System Display and Search Facility (SDSF) HASPINDX data set control the execution, configuration, and security of the SDSF products. Failure to properly protect access to these data sets could result in unauthorized access. This exposure may threaten the availability of SDSF, and compromise the confidentiality of customer data.
Checks: C-26189r520367_chk

If the z/OS operating system is Release 2.2 or higher this is not applicable. Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(SDSFRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZISF0002) Verify that the accesses to the IBM System Display and Search Facility (SDSF) HASPINDX data set specified on the INDEX control statement in the ISFPARMS statements (identified in the SFSFPARM DD statement of the SDSF stc) are properly restricted. If the following guidance is true, this is not a finding. ___ The RACF data set rules for the data sets restricts READ access to the auditors. ___ The RACF data set rules for the data sets restricts UPDATE access to SDSF Started Tasks. ___ The RACF data set rules for the data sets restricts WRITE and/or greater access to systems programming personnel. ___ The RACF data set rules for the data sets specify UACC(NONE) and NOWARNING. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (N/A). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX data set must be protected.

Fix: F-26177r520368_fix

Ensure that the HASPINDX dataset identified in the INDEX parameter value of ISFPARMS options statement is restricted as described below. The HASPINDX data set is used by SDSF when building the SYSLOG panel. This data set contains information related to all SYSLOG jobs and data sets on the spool. Since SDSF dynamically allocates this data set, explicit user access authorization to this data set should not be required. Due to the potentially sensitive data in this data set, access authorization will be restricted. READ access is restricted to the auditors. UPDATE access is restricted to SDSF Started Tasks. WRITE and/or greater access is restricted to systems programming personnel. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (N/A). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX data set must be protected. Data sets to be protected will be: SYS1.ISF.AISF SYS1.ISF.SISF The following commands are provided as a sample for implementing data set controls: AD 'sys1.haspindx.**' UACC(NONE) OWNER(SYS1) AUDIT(FAILURES(READ)) PE ' sys1.haspindx.**' ID(syspaudt) ACC(A) PE ' sys1.haspindx.**' ID(sdsf stc) ACC(U) PE ' sys1.haspindx.**' ID(audtaudt) ACC(R)

b
IBM System Display and Search Facility (SDSF) resources will be properly defined and protected.
AC-4 - Medium - CCI-000035 - V-224507 - SV-224507r868450_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZISFR020
Vuln IDs
  • V-224507
  • V-17947
Rule IDs
  • SV-224507r868450_rule
  • SV-40819
IBM System Display and Search Facility (SDSF) can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to systems programmers only in greater than read authority. Resources are also granted to certain non systems personnel with read only authority.
Checks: C-26190r868447_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(ZISF0020) Automated Analysis requiring additional analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZISF0020) Ensure that all IBM System Display and Search Facility (SDSF) resources are properly protected according to the requirements specified in SDSF SAF Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding. ___ The RACF resources and/or generic equivalent as designated in the above table are defined with a default access of NONE. ___ The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table. ___ The RACF resource logging is specified as designated in the above table. ___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING. ___ The RACF resource access authorizations for SDSF GROUP.group-name will require additional analysis to justify access.

Fix: F-26178r868448_fix

The ISSO will work with the systems programmer to verify that the following are properly specified in the ACP. (Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource class, resources, and/or prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Ensure that the IBM System Display and Search Facility (SDSF) command resource access is in accordance with those outlined in SDSF SAF Resources table in the zOS STIG Addendum. Use SDSF SAF Resources and SDSF SAF Resource Descriptions tables in the zOS STIG Addendum. These tables list the resources and access requirements for IBM System Display and Search Facility (SDSF); ensure the following guidelines are followed: The RACF resources and/or generic equivalent as designated in the above table are defined with a default access of NONE. The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table. The RACF resource logging is specified as designated in the above table. The RACF resource access authorizations for the resources designated in the above table specify UACC(NONE) and NOWARNING. The RACF resource access authorizations for SDSF GROUP.group-name will require additional analysis to justify access. The following commands are provided as a sample for implementing resource controls: RDEFINE SDSF ISFATTR.JOBCL.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) PERMIT ISFATTR.JOBCL.** CLASS(SDSF) ACCESS(UPDATE) ID(operaudt) PERMIT ISFATTR.JOBCL.** CLASS(SDSF) ACCESS(UPDATE) ID(syspaudt)

b
IBM System Display and Search Facility (SDSF) resources will be properly defined and protected.
AC-4 - Medium - CCI-000035 - V-224508 - SV-224508r868455_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZISFR021
Vuln IDs
  • V-224508
  • V-17982
Rule IDs
  • SV-224508r868455_rule
  • SV-40751
IBM System Display and Search Facility (SDSF) can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to systems programmers only in greater than read authority. Resources are also granted to certain non systems personnel with read only authority.
Checks: C-26191r868453_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(ZISF0021) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZISF0021) Ensure that all SDSF resources are properly protected according to the requirements specified in the SDSF Server OPERCMDS Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding. ___ The RACF resources and/or generic equivalent as designated in the above table are defined with a default access of NONE. ___ The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table. ___ The RACF resource logging is specified as designated in the above table. ___ The RACF resource rules for the resources designated in the above table specify UACC(NONE) and NOWARNING.

Fix: F-26179r868454_fix

The ISSO will work with the systems programmer to verify that the following are properly specified in the ACP. Ensure that the IBM SDSF resource access is in accordance with those outlined in SDSF Server OPERCMDS Resources table in the zOS STIG Addendum. Use SDSF Server OPERCMDS Resources table in the zOS STIG Addendum. These tables list the resources and access requirements for IBM SDSF; ensure the following guidelines are followed: The RACF resources and/or generic equivalent as designated in the above table are defined with a default access of NONE. The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table. The RACF resource logging is specified as designated in the above table. The RACF resource rules for the resources designated in the above table specify UACC(NONE) and NOWARNING. The following commands are provided as a sample for implementing resource controls: RDEFINE OPERCMDS SDSF.MODIFY.** UACC(NONE) OWNER(ADMIN) - AUDIT(FAILURE(READ),SUCCESSFUL(UPDATE)) RDEFINE OPERCMDS SDSF.MODIFY.DISPLAY UACC(NONE) OWNER(ADMIN) - AUDIT(FAILURE(READ)) PERMIT SDSF.MODIFY.** CLASS(OPERCMDS) ACCESS(CONTROL) ID(syspaudt) PERMIT SDSF.MODIFY.DISPLAY CLASS(OPERCMDS) ACCESS(READ) ID(audtaudt) PERMIT SDSF.MODIFY.DISPLAY CLASS(OPERCMDS) ACCESS(READ) ID(operaudt) PERMIT SDSF.MODIFY.DISPLAY CLASS(OPERCMDS) ACCESS(READ) ID(syspaudt)

b
IBM System Display and Search Facility (SDSF) Started Task name will be properly identified and/or defined to the system ACP.
IA-2 - Medium - CCI-000764 - V-224509 - SV-224509r868461_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZISFR030
Vuln IDs
  • V-224509
  • V-17452
Rule IDs
  • SV-224509r868461_rule
  • SV-40822
IBM System Display and Search Facility (SDSF) requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.
Checks: C-26192r868456_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) Verify that the userid(s) for the IBM SDSF started task(s) is (are) properly defined. If the following attributes are defined, this is not a finding. PROTECTED

Fix: F-26180r868460_fix

The ISSO working with the systems programmer will ensure the IBM SDSF Started Task(s) is properly identified and/or defined to the System ACP. If the product requires a Started Task, verify that it is properly defined to the System ACP with the proper attributes. Most installation manuals will indicate how a Started Task is identified and any additional attributes that must be specified. The following commands are provided as a sample for defining Started Task(s): au SDSF name('STC, SDSF') owner(stc) dfltgrp(stc) nopass - data('SDSF stc')

b
IBM System Display and Search Facility (SDSF) Started task will be properly defined to the STARTED resource class for RACF.
IA-2 - Medium - CCI-000764 - V-224510 - SV-224510r868467_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZISFR032
Vuln IDs
  • V-224510
  • V-17454
Rule IDs
  • SV-224510r868467_rule
  • SV-40824
Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources. Improper control of product resources could potentially compromise the operating system, ACP, and customer data.
Checks: C-26193r868462_chk

Refer to the following report produced by the RACF Data Collection: - DSMON.RPT(RACSPT) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZISF0032) If the IBM SDSF started task(s) is (are) defined to the STARTED resource class profile and/or ICHRIN03 table entry, this is not a finding.

Fix: F-26181r868464_fix

The ISSO working with the systems programmer will ensure the IBM SDSF Started Task(s) is properly identified and/or defined to the System ACP. A unique userid must be assigned for the IBM SDSF started task(s) thru a corresponding STARTED class entry. The following commands are provided as a sample for defining Started Task(s): rdef started SDSF.** uacc(none) owner(admin) audit(all(read)) - stdata(user(SDSF) group(stc)) setr racl(started) ref

b
IBM System Display and Search Facility (SDSF) Resource Class will be active in the RACF.
CM-4 - Medium - CCI-000336 - V-224511 - SV-224511r856992_rule
RMF Control
CM-4
Severity
Medium
CCI
CCI-000336
Version
ZISFR038
Vuln IDs
  • V-224511
  • V-18011
Rule IDs
  • SV-224511r856992_rule
  • SV-40831
Failure to use a robust ACP to control a product could potentially compromise the integrity and availability of the MVS operating system and user data.
Checks: C-26194r520382_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZISF0038) If the IBM System Display and Search Facility (SDSF) resource class(es) is (are) active, this is not a finding.

Fix: F-26182r840224_fix

The ISSO will ensure that the IBM SDSF Resource Class(es) is (are) active. Use the following commands as an example: SETROPTS CLASSACT(SDSF)