STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 2 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to IBM z/OS RACF Security Technical Implementation Guide

V-223869

CAT II (Medium)

IBM z/OS System datasets used to support the VTAM network must be properly secured.

Rule ID

SV-223869r1137691_rule

STIG

IBM z/OS RACF Security Technical Implementation Guide

Version

V9R8

CCIs

CCI-000213CCI-001499

Discussion

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100

Check Content

Determine data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments.

If RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff, this is not a finding.

If RACF data set rules for all VTAM system data sets all READ access to auditors only, this is not a finding.

Fix Text

Configure RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements.

Auditors may have READ access as documented by and approved by the ISSM.

The following sample RACF commands show proper definitions/permissions for VTAM datasets:

AD 'SYS1.VTAM*.**' UACC(NONE) OWNER(SYS1) - 
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - 
DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018') 
PE 'SYS1.VTAM.**' ID(<syspsmpl>) ACC(A) 

AD 'SYS1.VTAMLIB.**' UACC(NONE) OWNER(SYS1) - 
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - 
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') 
PE 'SYS1.VTAMLIB.**' ID(<syspsmpl>) ACC(A) 

AD 'SYS1.VTAM.SISTCLIB.**' UACC(NONE) OWNER(SYS1) -
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - 
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') 
PE 'SYS1.VTAM.SISTCLIB.**' ID(<syspsmpl>) ACC(A) 

AD 'SYS3.VTAM.**' UACC(NONE) OWNER(SYS3) - 
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - 
DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018') 
PE 'SYS3.VTAM.**' ID(<syspsmpl>) ACC(A) 

AD 'SYS3.VTAMLIB.**' UACC(NONE) OWNER(SYS3) - 
AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - 
DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS3.VTAMLIB.**' ID(<syspsmpl>) ACC(A) 

SETR GENERIC(DATASET) REFRESH