STIG ID - BACF1015: Protect Sensitive and Critical Data Sets on Shared DASD
Severity: 1 - High
If sensitive or critical system data sets are allocated on a shared DASD device, you must validate that the data sets are properly protected and that their placement on the shared volumes and systems is justified. Without proper review and access restrictions for these data sets on all systems sharing them, you expose your organization to corruption and risk, and the integrity and availability of the operating system, external security manager (ESM), and customer data are subject to compromise.
Your organization must ensure formal documentation exists identifying shared DASD volumes, which systems those volumes are shared with, catalog names in use for data on those shared DASD volumes, and the list of authorized shared sensitive and critical system data sets. The formal documentation must include justification for those data sets to be shared, and identified roles and levels of access allowed per system DASD volumes, ensuring least privileged access of shared DASD across all shared systems.
This STIG article shows how to determine whether a DASD volume is shared and how to validate that the sensitive and critical data sets on it are protected.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- Information System Security Officer (ISSO) works with storage administrators and system programmers to identify and document all shared DASD volumes, catalog data set names, shared data set names, and the systems those resources are shared with.
- ISSO works with the storage administrators to validate all machines that require access to these shared volumes have the volumes mounted.
- Obtain a map or list VTOC of the shared volumes from storage administrators.
- ISSO works with system programmers, storage administrators, production schedulers, automation team, and applications teams to identify which data sets were found on the shared DASD volumes. Check if shared volumes contain any critical or sensitive data sets. These data sets can be APF, LINKLIST, LPA, and catalogs as well as product data sets.
    ACF
    SHOW STATE
    . . .
    RUNNING CA ACF2 REL 16 /MVS SP7.2.4; WITH MODE = ABORT
    OPTIONS IN EFFECT:
    .......
    --- DSNAME PROTECTED VOLUMES ---
    ********
    --- VOLSER PROTECTED VOLUMES ---
    None Specified
  In this example, all data sets and all DASD volumes are protected.
- If all critical or sensitive data sets identified on shared volumes are equally protected on all systems that share them, all shared data sets are justified to be on shared volumes, and all catalogs on the shared DASD volumes and all DASD volume level protections are in place across all systems sharing those shared DASD volumes, your organization does not have an audit finding.
- If any of the items listed in item 6 are not true, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is responsible for reviewing the list of shared DASD and validating with the storage administrators that identified volumes of shared DASD are still valid within VM, HMC, and z/OS systems. The z/OS Security Team is responsible for ensuring that all access controls are implemented across all systems sharing the resources, based upon least privilege access requirements and role-based access controls.
- ISSO reviews all access requirements to validate that the sensitive and critical system data sets found during the Identify Audit Finding steps are protected from unauthorized access across all systems that have access to the shared volumes and shared resources.
- Protect the shared DASD volumes, shared catalogs, and shared data sets across all systems on which the shared DASD volumes are defined.
- Protect shared DASD volumes. Configure the GSO RESVOLS record VOLMASK field to the default (-), which signifies all DASD volumes are protected at the data set name level:
    SET CONTROL(GSO)
    CONTROL
    CHANGE RESVOLS VOLMASK(-)
    F ACF2,REFRESH(RESVOLS)
    CONTROL
- VOLMASK: Specifies 1 to 255 volume serial masks up to six characters each. A dash represents all valid volumes that begin with the specified characters that precede the dash, or all volumes if the dash is used alone.
- Verify the GSO RESVOLS record was changed:
    ACF
    SHOW STATE
    . . .
    RUNNING CA ACF2 REL 16 /MVS SP7.2.4; WITH MODE = ABORT
    OPTIONS IN EFFECT:
    .......
    -- DSNAME PROTECTED VOLUMES ---
    ********
    --- VOLSER PROTECTED VOLUMES ---
    None Specified
  In this example, all data sets and DASD volumes are protected.
The shared DASD volumes and data sets are now protected.
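The following added example is not part of the original article or vendor code. It applies the VOLMASK dash rule described above to the RESVOLS masks collected from each sharing system and reports shared volumes that a system's masks do not cover. The system names, volume serials, and function names are constructed for illustration, and only the dash rule is implemented (any other mask character is treated as a literal, which is an assumption).

```python
# Added example: find shared volumes that a system's RESVOLS VOLMASK list misses.
# Only the dash rule from the VOLMASK description is implemented; any other
# character in a mask is compared literally (assumption).

def check_masks(masks):
    """Enforce the documented limits: 1 to 255 masks, up to six characters each."""
    if not 1 <= len(masks) <= 255:
        raise ValueError("VOLMASK takes 1 to 255 masks")
    for mask in masks:
        if not 1 <= len(mask) <= 6:
            raise ValueError(f"mask {mask!r} must be 1 to 6 characters")

def mask_covers(mask, volser):
    """A trailing dash matches every volser starting with the characters before
    it; a dash alone matches all volumes; otherwise the match is exact."""
    mask, volser = mask.strip().upper(), volser.strip().upper()
    if mask.endswith("-"):
        return volser.startswith(mask[:-1])
    return mask == volser

def coverage_gaps(shared_volumes, masks_by_system):
    """Return {system: [uncovered volsers]} for systems that leave a gap."""
    gaps = {}
    for system, masks in masks_by_system.items():
        check_masks(masks)
        missing = [v for v in shared_volumes
                   if not any(mask_covers(m, v) for m in masks)]
        if missing:
            gaps[system] = missing
    return gaps

# Constructed sample data: volsers from the shared-DASD documentation and the
# RESVOLS VOLMASK values recorded on each system that mounts them.
SHARED_VOLUMES = ["SHR001", "SHR002", "CAT001"]
RESVOLS_BY_SYSTEM = {
    "SYSA": ["-"],               # default mask: all volumes protected
    "SYSB": ["SHR-"],            # misses the catalog volume
    "SYSC": ["SHR001", "CAT-"],  # exact entry misses SHR002
}

if __name__ == "__main__":
    for system, missing in coverage_gaps(SHARED_VOLUMES, RESVOLS_BY_SYSTEM).items():
        print(f"{system}: not covered by RESVOLS masks: {', '.join(missing)}")
```

Any system reported here protects the shared volumes less broadly than the default VOLMASK(-) and should be reviewed against the remediation steps above.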
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000099, CCI-001090, CCI-001414
The information system enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
NIST: NIST SP 800-53 (v3): AC-21(1)
NIST: NIST SP 800-53 Revision 4 (v4): AC-21 (1)
NIST: NIST SP 800-53A (v1): AC-21 (1).1
The information system prevents unauthorized and unintended information transfer via shared system resources.
NIST: NIST SP 800-53 (v3): SC-4
NIST: NIST SP 800-53 Revision 4 (v4): SC-4
NIST: NIST SP 800-53A (v1): SC-4.1
NIST: NIST SP 800-53 (v3): AC-4
NIST: NIST SP 800-53 Revision 4 (v4): AC-4
NIST: NIST SP 800-53A (v1): AC-4.1 (iii)