STIG ID - BACF1040: Limit Access to PROCLIB Data Set

Severity: 1 - High
Unauthorized access to PROCLIB data sets referenced in the master JCL, JES2, and JES3 procedure for started tasks (STCs) and TSO logons can cause unauthorized modifications to STCs and other system-level procedures. Unauthorized access can result in compromise of the operating system environment, the external security manager, and customer data.
The organization must ensure that write or greater access to all PROCLIBs referenced in the master JCL and JES2 or JES3 procedure for started tasks (STCs) and TSO logons is limited to system programmers and that activity is logged.
This STIG article shows how to identify all PROCLIB data sets that contain STCs and TSO logons, how to limit write or greater access to only system programmers, and how to log all access.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Identify PROCLIB data sets that contain STCs and TSO logons from the following sources:
    • The MSTJCLxx member used during an IPL. The PROCLIB data sets are obtained from the IEFPDSI and IEFJOBS DD statements.
    • PROCxx DD statements and JES2 Dynamic PROCLIBs, where 'xx' represents the PROCLIB entries for the STC and TSO JOBCLASS configuration definitions.
    TSO ACFUNIX "access dsn('SYS1.PROCLIB')"
    ACCESS Subcommand Results as of 08/04/20-2:20 for: SYS1.PROCLIB
    $Key: SYS1
    Ruleline: PROCLIB UID(*)READ ***
    In this example, all users have read access to SYS1.PROCLIB.
  2. Review the output, ensuring the following:
    • All users have limited read only access to the PROCLIB where trusted started task procedures are stored, if access is required.
    • All users have read access to any other system PROCLIB where started task procedures are stored (non-trusted started tasks), while write or greater access is limited to system programmers as needed.
    • All access greater than read is logged.
  3. If the PROCLIB data set access authorizations do not restrict read access to all authorized users, your organization has an audit finding. See Remediate Audit Finding.
  4. If access authorizations for the PROCLIB data sets from which trusted started task procedures are called are not restricted to read only for all authorized users, including system programmers, your organization has an audit finding. See Remediate Audit Finding.
    Temporary write access is allowed for a limited set of system programmers when it is logged and formally identified with an approved change to be made for a specific trusted started task.
  5. If the PROCLIB data sets do not limit write or greater access to only system programmers, your organization has an audit finding. See Remediate Audit Finding.
  6. If the PROCLIB data set access authorizations restrict read access to all authorized users, and write or greater access to only system programmers, your organization does not have an audit finding.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to PROCLIB data sets that contain STC and TSO procedures is limited to system programmers and that all write or greater activity is logged. Ensure that any PROCLIB data sets where trusted started task procedures are stored have read only access, as indicated above, for all users including system programmers.
Follow these steps:
  1. Implement controls for all PROCLIB data sets identified as containing STCs and TSO logons. Specify that only system programmers have write or greater access and that all authorized users have only read access to the PROCLIB data sets. For example, for the SYS1.PROCLIB data set:
    $KEY(SYS1)
     PROCLIB UID(*****AUTHUSER) READ(A)
     PROCLIB UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(A)
    Or,
    $KEY(SYS1) ROLESET
     PROCLIB ROLE(AUTHUSER) READ(A)
     PROCLIB ROLE(ZSYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(A)
    In this example, ZSYSPROG is now authorized for write and allocate access to SYS1.PROCLIB, and AUTHUSER has read access.
Ensuring that access to PROCLIB data sets referenced in the master JCL, JES2, or JES3 procedure for STCs and TSO logons is limited to system programmers keeps your operating system environment, external security manager, and customer data safe from possible exposure.
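The review described in this article can be repeated mechanically once a rule set is available as text. The following Python script is an added example, not part of the original article or of ACF2: it assumes one rule entry per line in the layout shown above, treats WRITE and ALLOC as "write or greater" access, and takes the system programmer UID strings and roles from a site-defined set. The APPDEV entry is constructed to show a non-compliant rule.

```python
import re

# Constructed sample in the rule-entry layout shown on this page. The last
# entry is deliberately non-compliant; APPDEV is a made-up UID string.
SAMPLE_RULES = """\
$KEY(SYS1)
 PROCLIB UID(*****AUTHUSER) READ(A)
 PROCLIB UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(A)
 PROCLIB UID(*****APPDEV) READ(A) WRITE(A)
"""

# Assumption: the site's approved system programmer UID strings and roles.
SYSPROG_IDS = {"*****SYSPROG", "ZSYSPROG"}
# Assumption: "write or greater" is taken to mean WRITE and ALLOC.
ABOVE_READ = ("WRITE", "ALLOC")
ENTRY = re.compile(r"^\s*(\S+)\s+(UID|ROLE)\(([^)]*)\)(.*)$")
PERM = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")


def parse_rules(text):
    """Yield (dsn_mask, who, perms) for each rule entry under $KEY."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # $KEY / ROLESET control lines do not match and are skipped
            dsn, _kind, who, rest = m.groups()
            yield dsn, who, dict(PERM.findall(rest))


def audit(text, sysprogs=SYSPROG_IDS):
    """Return findings for entries that break the access rules in this STIG."""
    findings = []
    for dsn, who, perms in parse_rules(text):
        for access in ABOVE_READ:
            value = perms.get(access, "P")  # an omitted permission is prevented
            if value == "P":
                continue
            if who not in sysprogs:
                findings.append((dsn, who, access, "not a system programmer"))
            if value != "L":  # A = allow without logging, L = allow and log
                findings.append((dsn, who, access, "allowed without logging"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", *finding)
```
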
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1