{"stig":{"title":"z/OS IBM System Display and Search Facility (SDSF) for ACF2 Security Technical Implementation Guide","version":"7","release":"2"},"checks":[{"vulnId":"V-224316","ruleId":"SV-224316r1141542_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) Configuration parameters must be correctly specified.","description":"IBM SDSF ISFPARMS defines global options, panel formats, and security for SDSF. Failure to properly specify these parameter values could potentially compromise the integrity and availability of the MVS operating system and user data.","checkContent":"Refer to the JCL procedure libraries defined to JES2 for the SDSF started task member for SDSFPARM DD statement.\n\nRefer to the ISRPRMxx members in the logical PARMLIB concatenation.\n\nRefer to the results of the \"F SDSF,D\" command. Where SDSF should specify the SDSF started task name.\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZISF0040).\n\nVerify the following Group Parameters are specified or not specified in the GROUP statements defined in the ISFPARMS members. If the following guidance is true, this is not a finding.\n\nFor each GROUP statement:\nAUPDT(0)\nAUTH will not be specified\nCMDAUTH will not be specified\nCMDLEV will not be specified\nDSPAUTH will not be specified\nNAME a value will be specified for the NAME","fixText":"Ensure that the following Group function parameters appear and/or do not appear in ISFPARMS.\n\nFor each GROUP statement:\nAUPDT(0)\nAUTH will not be specified\nCMDAUTH will not be specified\nCMDLEV will not be specified\nDSPAUTH will not be specified\nNAME a value will be specified for the NAME\n\nThe ISFPARMS GROUP statement defines user groups and their characteristics. Some of these characteristics include access authorization to SDSF functions and commands. Access to these functions and commands will be controlled using SAF resources. The use of the SAF interface is consistent with the DOD requirement to control all products within the operating system using the ACP. To ensure SAF security is always in effect, authorizations to SDSF functions and commands should not be defined in ISFPARMS DD statement in the SDSF JCL member.","ccis":["CCI-000381"]},{"vulnId":"V-224317","ruleId":"SV-224317r1141545_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) installation datasets will be properly protected.","description":"IBM SDSF installation datasets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these datasets could result in violating the integrity of the base product, which could result in compromising the operating system or sensitive data.","checkContent":"Refer to the following report produced by the dataset and Resource Data Collection:\n\n- SENSITVE.RPT(ISFRPT).\n\nAutomated Analysis\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- PDI(ZISF0000).\n\nVerify that the accesses to the IBM SDSF installation datasets are properly restricted. If the following guidance is true, this is not a finding.\n\nThe ACF2 dataset rules for the datasets restrict READ access to all authorized users.\n\nThe ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel.\n\nThe ACF2 dataset rules for the datasets specify that all (i.e., failures and successes) WRITE and/or greater access is logged.","fixText":"The ISSO will ensure that WRITE and/or greater access to IBM SDSF installation datasets is limited to systems programmers only, and all WRITE and/or greater access is logged. READ access can be given to all authorized users.\n\nThe installing systems programmer will identify and document the product datasets, categorize them according to who will have WRITE and/or greater access, and if required, ensure that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have WRITE and/or greater access for specific datasets, and once documented, will work with the ISSO to ensure they are properly restricted to the Access Control Program (ACP) active on the system.\n\nDatasets to be protected will be:\nSYS1.ISF.AISF\nSYS1.ISF.SISF\n\nThe following commands are provided as a sample for implementing dataset controls:\n\n$KEY(S1I)\n$PREFIX(SYS1)\nISF.AISF-.- UID(syspaudt) R(A) W(L) A(L) E(A)\nISF.SISF-.- UID(syspaudt) R(A) W(L) A(L) E(A)\nISF.SISF-.- UID(authorized users/*) R(A) E(A)\n\nSET RULE\nCOMPILE 'ACF2.MVA.DSNRULES(S1I)' STORE","ccis":["CCI-001499","CCI-002234"]},{"vulnId":"V-224318","ruleId":"SV-224318r1141548_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) HASPINDX dataset identified in the INDEX parameter must be properly protected.","description":"IBM SDSF HASPINDX datasets control the execution, configuration, and security of the SDSF products. Failure to properly protect access to these datasets could result in unauthorized access. This exposure may threaten the availability of SDSF and compromise the confidentiality of customer data.","checkContent":"If the z/OS operating system is Release 2.2 or higher, this is not applicable.\n\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- SENSITVE.RPT(SDSFRPT).\n\nAutomated Analysis\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- PDI(ZISF0002).\n\nVerify that the accesses to the IBM SDSF HASPINDX dataset specified on the INDEX control statement in the ISFPARMS statements (identified in the SFSFPARM DD statement of the SDSF stc) are properly restricted. \n\nIf the following guidance is true, this is not a finding.\n\nThe ACF2 dataset rules for the datasets restrict READ access to the auditors.\n\nThe ACF2 dataset rules for the datasets restrict UPDATE access to SDSF Started Tasks.\n\nThe ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel.\n\nNote: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (NA). However if used the HASPINDX dataset must be restricted.\n\nNote: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected.","fixText":"Ensure that the HASPINDX dataset identified in the INDEX parameter value of ISFPARMS options statement is restricted as described below.\n\nThe HASPINDX dataset is used by SDSF when building the SYSLOG panel. This dataset contains information related to all SYSLOG jobs and datasets on the spool. Since SDSF dynamically allocates this dataset, explicit user access authorization to this dataset should not be required. Due to the potentially sensitive data in this dataset, access authorization will be restricted.\n\nREAD access is restricted to the auditors.\n\nUPDATE access is restricted to SDSF Started Tasks.\n\nWRITE and/or greater access is restricted to systems programming personnel.\n\nNote: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (N/A). However if used the HASPINDX dataset must be restricted.\n\nNote: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected.\n\nDatasets to be protected may be:\nSYS1.HASPINDX\n\nThe following commands are provided as a sample for implementing dataset controls:\n\n$KEY(S1H)\n$PREFIX(SYS1)\nHASPINDX.- UID(syspaudt) R(A) W(A) A(A) E(A)\nHASPINDX.- UID(sdsf stc) R(A) W(A) E(A)\nHASPINDX.- UID(audtaudt) R(A) E(A)\n\nSET RULE\nCOMPILE 'ACF2.MVA.DSNRULES(S1H)' STORE","ccis":["CCI-001499"]},{"vulnId":"V-224319","ruleId":"SV-224319r1141551_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) resources must be properly defined and protected.","description":"IBM SDSF can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to systems programmers only in greater than read authority. Resources are also granted to certain nonsystems personnel with read only authority.","checkContent":"Refer to the following report produced by the ACF2 Data Collection and dataset and Resource Data Collection:\n\n- SENSITVE.RPT(ZISF0020).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nAutomated Analysis requiring additional analysis.\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- PDI(ZISF0020).\n\nVerify all IBM SDSF resources are properly protected according to the requirements specified in the Site Security Plan (SSP). The plan should be based on the SDSF SAF Resources table in the z/OS STIG Addendum and validated by the site ISSO. If the following guidance is true, this is not a finding.\n\nThe ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of NONE.\n\nThe ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.\n\nThe ACF2 resource logging is specified as designated in the above table.\n\nThe ACF2 resource access authorizations for SDSF GROUP.group-name will require additional analysis to justify access.","fixText":"The ISSO will work with the systems programmer to verify that the following are properly specified in the Access Control Program (ACP).\n\n(Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is installed on a system through the product's installation guide and can be site-specific.)\n\nEnsure that all IBM SDSF resources are properly protected according to the requirements specified in the Site Security Plan (SSP). The plan should be based on the SDSF SAF Resources table in the z/OS STIG Addendum and validated by the site ISSO.\n\nUse SDSF SAF Resources and SDSF SAF Resource Descriptions tables in the z/OS STIG Addendum/SSP. These tables list the resources and access requirements for IBM SDSF; ensure the following guidelines are followed:\n\nThe ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of NONE.\n\nThe ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.\n\nThe ACF2 resource logging is specified as designated in the above table.\n\nThe ACF2 resource access authorizations for SDSF GROUP.group-name will require additional analysis to justify access.\n\nThe following commands are provided as a sample for implementing resource controls:\n\n$KEY(ISFATTR) TYPE(SDS)\nJOBCL.- UID(operaudt) SERVICE(READ,UPDATE) ALLOW\nJOBCL.- UID(syspaudt) SERVICE(READ,UPDATE) ALLOW\n- UID(*) PREVENT","ccis":["CCI-000213","CCI-002234"]},{"vulnId":"V-224320","ruleId":"SV-224320r1141553_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) resources will be properly defined and protected.","description":"IBM SDSF can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to systems programmers only in greater than read authority. Resources are also granted to certain nonsystems personnel with read only authority.","checkContent":"Refer to the following report produced by the ACF2 Data Collection and dataset and Resource Data Collection:\n\n- SENSITVE.RPT(ZISF0021).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nAutomated Analysis\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- PDI(ZISF0021).\n\nVerify that all SDSF resources are properly protected according to the requirements specified in the SDSF Server OPERCMDS Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.\n\nThe ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of NONE.\n\nThe ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.\n\nThe ACF2 resource logging is specified as designated in the above table.","fixText":"The ISSO will work with the systems programmer to verify that the following are properly specified in the Access Control Program (ACP).\n\nEnsure that the IBM SDSF resource access is in accordance with those outlined in SDSF Server OPERCMDS Resources table in the z/OS STIG Addendum.\n\nUse SDSF Server OPERCMDS Resources table in the z/OS STIG Addendum. These tables list the resources and access requirements for IBM SDSF; ensure the following guidelines are followed:\n\nThe ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of NONE.\n\nThe ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.\n\nThe ACF2 resource logging is specified as designated in the above table.\n\nThe following commands are provided as a sample for implementing resource controls:\n\n$KEY(SDSF) TYPE(OPR)\nMODIFY.DISPLAY UID(audtaudt) SERVICE(READ)\nMODIFY.DISPLAY UID(operaudt) SERVICE(READ)\nMODIFY.DISPLAY UID(syspaudt) SERVICE(READ)\nMODIFY.- UID(syspaudt) SERVICE(READ,UPDATE,DELETE) LOG\n- UID(*) PREVENT","ccis":["CCI-000213","CCI-002234"]},{"vulnId":"V-224321","ruleId":"SV-224321r1141556_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) Started Task name will be properly identified and/or defined to the system ACP.","description":"IBM System Display and Search Facility (SDSF) requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, it allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- ACF2CMDS.RPT(ATTSTC).\n\nVerify that the logonid(s) for the IBM SDSF started task(s) is (are) properly defined. If the following attributes are defined, this is not a finding.\n\nSTC","fixText":"The ISSO working with the systems programmer will ensure the IBM SDSF Started Task(s) is properly identified and/or defined to the System ACP.\n\nIf the product requires a Started Task, verify that it is properly defined to the System ACP with the proper attributes.\n\nMost installation manuals will indicate how a Started Task is identified and any additional attributes that must be specified.\n\nThe following commands are provided as a sample for defining Started Task(s):\n\nSET LID\ninsert SDSF stc name('STC, SDSF')","ccis":["CCI-000764"]},{"vulnId":"V-224322","ruleId":"SV-224322r1141558_rule","severity":"medium","ruleTitle":"IBM System Display and Search Facility (SDSF) Resource Class will be defined or active in the ACP.","description":"Failure to use a robust ACP to control a product could potentially compromise the integrity and availability of the MVS operating system and user data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- ACF2CMDS.RPT(ACFGSO).\n\nIf the following GSO CLASMAP record entry(ies) is (are) defined, this is not a finding.\n\nCLASMAP.SDSF RESOURCE(SDSF) RSRCTYPE(xxx) ENTITYLN(nn)\n\nNote: The site determines the appropriate three-letter RSRCTYPE that is unique for the SDSF. The ENTITYLN must be appropriate for the site's installation.","fixText":"Use SAF security to define and protect the IBM SDSF resource class(es).\n\nUse the following commands as an example:\n\nCLASMAP.SDSF RESOURCE(SDSF) RSRCTYPE(SDF) ENTITYLN(39)","ccis":["CCI-000336","CCI-002358"]}]}