STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to z/OS ROSCOE for RACF Security Technical Implementation Guide

V-224529

CAT II (Medium)

ROSCOE STC data sets are not properly protected.

Rule ID

SV-224529r1145275_rule

STIG

z/OS ROSCOE for RACF Security Technical Implementation Guide

Version

V7R2

CCIs

CCI-001499

Discussion

ROSCOE STC data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.

Check Content

Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(ROSSTC).

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZROS0001).

Verify that access to the ROSCOE STC data sets is properly restricted. The data sets in this group are the data sets identified in the ROSACTxx (if used), ROSLIBxx, and SYSAWSx DD statements of the STC or batch JCL. If the following guidance is true, this is not a finding.
 
The RACF data set rules for the data sets restrict WRITE and/or greater access to systems programming personnel.

The RACF data set rules for the data sets restrict WRITE and/or greater access to the product STC(s) and/or batch job(s).

Fix Text

The ISSO will ensure that WRITE and/or greater access to the ROSCOE started task or batch job data sets is limited to system programmers and the started task only and all WRITE and/or greater access is logged.

The ISSO will ensure that all other accesses to the ROSCOE started task or batch job data sets are properly restricted and all required accesses are properly logged.

Data sets to be protected will be:

SYS3.ROSCOE.sys*.**
SYS3.ROSCOE.ros*.**

The following commands are provided as a sample for implementing data set controls: 

ad 'sys3.roscoe.ros*.**' uacc(none) owner(sys3) -
	audit(success(update) failures(read)) -
	data('Site Customized Profile: ROSCOE')
pe 'sys3.roscoe.ros*.**' id(syspaudt) acc(a)
pe 'sys3.roscoe.ros*.**' id(roscoe) acc(a)
ad 'sys3.roscoe.sys*.**' uacc(none) owner(sys3) -
	audit(success(update) failures(read)) -
	data('Site Customized profile: ROSCOE')
pe 'sys3.roscoe.sys*.**' id(syspaudt) acc(a)
pe 'sys3.roscoe.sys*.**' id(roscoe) acc(a)
setr generic(dataset) refresh