V-259730

CAT II (Medium)

Access to IBM Security zSecure user data sets must be properly restricted and logged.

Rule ID

SV-259730r1050750_rule

STIG

IBM zSecure Suite Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-001499

Discussion

If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes could cause the product to report incorrect results. Only qualified and authorized individuals must be allowed to create, read, update, and delete zSecure user data sets.

Check Content

Verify that access to the zSecure user data sets is properly restricted. If all of the following are true, this is not a finding.

- The RACF profiles protecting zSecure user data sets do not allow general access by means of UACC, ID(*), WARNING, or global access.
- READ access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to auditors, automated operation STCs/batch jobs, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, system programmers, and trusted STC users.
- UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to decentralized security administrators, security administrators, batch jobs performing ESM maintenance, and system programmers.
- All failed and all successful UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is logged.
- READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, automated operation STCs/batch jobs, trusted STC users, and system programmers.
- UPDATE and higher access to the Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and system programmers.
- All failed and all successful UPDATE and higher access to Access Monitor output data sets is logged.
- READ access to CKACUST and CKACUSV data sets is restricted to auditors, batch jobs that perform ESM maintenance, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and systems programmers.
- UPDATE access to CKACUST and CKACUSV data sets is restricted to decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers.
- CONTROL and higher access to CKACUST and CKACUSV data sets is restricted to systems programmers.
- All failed and all successful UPDATE and higher access to CKACUST and CKACUSV data sets is logged.
- READ access to the CKXLOG log stream is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and system programmers.
- UPDATE and higher access to the CKXLOG log stream is restricted to automated operation STCs/batch jobs, trusted STC users, and system programmers.
- All failed access to the CKXLOG log stream is logged.

Fix Text

The following commands are provided as a RACF sample for implementing zSecure user data set controls. Convert these commands for any other ESM:

ad 'hlq.zsec.user.assert/ckfreeze/unload.dsn' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))

pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)

pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(SECAAUDT, SECDAUDT, SECBAUDT, SYSPAUDT) access(ALTER)

ad 'hlq.zsec.accmon.user.dsn' uacc(none) owner(zSecure owner) -
audit(success(update) failures(read))

pe 'hlq.zsec.accmon.user.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ)

pe 'hlq.zsec.accmon.user.dsn' id(AUTOAUDT, SECBAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)

ad 'hlq.zsec.user.ckcus*' uacc(none) owner(zSecure owner) -
audit(success(UPDATE) failures(READ))

pe 'hlq.zsec.user.ckcus*' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(UPDATE)

pe 'hlq.zsec.user.ckcus*' id(SYSPAUDT) access(ALTER)

rdef logstrm LSName uacc(none) owner(zSecure owner) -
audit(success(UPDATE) failures(read))

pe LSName class(logstrm) id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, TSTCAUDT, SYSPAUDT) access(READ)

pe LSName class(logstrm) id(AUTOAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)
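As an added example that is not part of the STIG or STIGhub, the Python below scores a constructed DATASET profile (fields as a LISTDSD display would show them) against the Check Content items for ASSERTION, CKFREEZE, and UNLOAD data sets, including the UACC, ID(*), WARNING and audit requirements. The group names are the placeholder groups from the RACF sample above, and their mapping to the roles named in the Check Content is assumed.

```python
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Placeholder groups from the Fix Text sample, assumed to map to the roles the
# Check Content allows READ and UPDATE-or-higher on ASSERTION/CKFREEZE/UNLOAD.
READ_OK = {"AUDTAUDT", "AUTOAUDT", "SECAAUDT", "SECDAUDT", "SECBAUDT", "TSTCAUDT", "SYSPAUDT"}
UPDATE_OK = {"SECAAUDT", "SECDAUDT", "SECBAUDT", "SYSPAUDT"}

@dataclass
class DatasetProfile:
    name: str
    uacc: str = "NONE"
    warning: bool = False
    access_list: dict = field(default_factory=dict)  # group or user -> access level
    audit_success: str = "NONE"   # AUDIT(SUCCESS(level)); NONE means not logged
    audit_failures: str = "NONE"  # AUDIT(FAILURES(level)); NONE means not logged

def findings(p: DatasetProfile) -> list:
    """Return one string per Check Content item the profile violates; [] is compliant."""
    out = []
    if ACCESS_RANK[p.uacc] > 0:
        out.append(f"{p.name}: UACC({p.uacc}) grants general access")
    if p.warning:
        out.append(f"{p.name}: WARNING permits access that would otherwise fail")
    if ACCESS_RANK[p.access_list.get("*", "NONE")] > 0:
        out.append(f"{p.name}: ID(*) grants general access")
    for who, level in p.access_list.items():
        if who == "*":
            continue
        if ACCESS_RANK[level] >= ACCESS_RANK["UPDATE"] and who not in UPDATE_OK:
            out.append(f"{p.name}: {who} holds {level} but is not an UPDATE-authorised group")
        elif ACCESS_RANK[level] >= ACCESS_RANK["READ"] and who not in READ_OK:
            out.append(f"{p.name}: {who} holds {level} but is not a READ-authorised group")
    # Logging items: successful UPDATE and higher, and all failures, must be audited.
    if not 0 < ACCESS_RANK[p.audit_success] <= ACCESS_RANK["UPDATE"]:
        out.append(f"{p.name}: AUDIT SUCCESS({p.audit_success}) does not cover UPDATE")
    if not 0 < ACCESS_RANK[p.audit_failures] <= ACCESS_RANK["READ"]:
        out.append(f"{p.name}: AUDIT FAILURES({p.audit_failures}) does not cover READ")
    return out

if __name__ == "__main__":
    # Constructed profiles: the first mirrors the Fix Text sample, the second is wide open.
    good = DatasetProfile("HLQ.ZSEC.USER.CKFREEZE", access_list={"AUDTAUDT": "READ",
                          "SYSPAUDT": "ALTER"}, audit_success="UPDATE", audit_failures="READ")
    bad = DatasetProfile("HLQ.ZSEC.USER.UNLOAD", uacc="READ", warning=True,
                         access_list={"*": "READ", "AUDTAUDT": "UPDATE"})
    print(findings(good), findings(bad), sep="\n")
```

The same function covers the Access Monitor, CKACUST/CKACUSV and log stream items once READ_OK and UPDATE_OK are swapped for the groups each bullet names.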