V-224303

Discussion

Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.

Check Content

Refer to the following report produced by the ACF2 Data Collection and dataset and Resource Data Collection:

- SENSITVE.RPT(TRANS).
- ACF2CMDS.RPT(RESOURCE) - Alternate report.

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Browse the dataset allocated by the ACF2PARM DD statement in each CICS startup procedure. Determine the resource type for transactions. Example:

CICSKEY OPTION=VALIDATE,TYPE=resource type, RESOURCE=TRANS

Verify the following items are in effect for all CICS transactions for each resource type. If the following guidance is true, this is not a finding.

Note: Authorized personnel include systems programming and security staffs. Additional guidance regarding authorized personnel for specific transactions is included in this z/OS STIG Addendum. For example, CEMT SPI provides a broader use of this sensitive transaction by restricting execution to inquiries.

Transactions, listed in tables CICS CATEGORY 2 CICS AND OTHER PRODUCT TRANSACTIONS and CICS CATEGORY 4 COTS-SUPPLIED SENSITIVE TRANSACTIONS, in the z/OS STIG Addendum, are restricted to authorized personnel.

Note: The exception to this is the CEOT and CSGM transactions, which can be made available to all users.
Note: The exception to this is the CWBA transaction, which can be made available to the CICS Default user.
Note: The transactions beginning with "CK" apply to regions running WebSphere MQ.
Note: Category 1 transactions are internally restricted to CICS region userids.