STIG ID - BACF1016: Limit Permissions to SYS1.PARMLIB

Severity: 1 - High
SYS1.PARMLIB contains the parameters that control system IPL, configuration characteristics, performance, and security facilities. Unauthorized access to SYS1.PARMLIB can result in the compromise of the operating system environment, ACF2, and customer data.
Your organization will ensure that update or greater access to SYS1.PARMLIB is limited to system programmers and is logged.
This STIG article shows how to review access authorizations to SYS1.PARMLIB, how to limit access to only system programmers, and how to log all activity.
Identify Audit Finding
Review the following data to determine whether remediation is needed. Follow these steps:
  1. Review the SYS1.PARMLIB to ensure the following:
    • Write or greater access is limited to system programmers and domain level security administrators.
    • Read access is assigned to system level started tasks, authorized data center personnel, and auditors.
    • All write or greater access to SYS1.PARMLIB is logged.
    ACF
    ACCESS DSN('SYS1.PARMLIB')
    ACCESS Subcommand Results as of 07/29/20-15:22 for: SYS1.PARMLIB
    Key: SYS1
    Ruleline: PARMLIB UID(*****SYSPROG ) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    Ruleline: - UID(*) READ(A) EXEC(A)
    Lids: All logonids
    ACF
    In this example, the system programmer UID mask (*****SYSPROG) has read, write, and allocate access to SYS1.PARMLIB. The suffix A allows the access without a logging record and the suffix L allows it and logs it, so write and allocate access are logged while read access is not. Note that the second rule line, - UID(*), grants unlogged read and execute access to every logonid for every data set under the SYS1 key; because step 2 requires read access to be limited, a line like this is itself something to review.
  2. Review the output ensuring the following:
    • Only started tasks that require read access have read access.
    • Only system programmers have write or greater access.
    • All access greater than read is logged.
  3. If write or greater access to SYS1.PARMLIB is limited to system programmers, that access is logged, and read access is limited to started tasks that require it, auditors, and authorized data center personnel, your organization does not have an audit finding.
  4. If write or greater access to SYS1.PARMLIB is NOT limited to system programmers, access greater than read is not logged, or read access is not limited to started tasks that require it, auditors, and authorized data center personnel, your organization has an audit finding. See Remediate Audit Finding.
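The review in steps 1 through 4 can be scripted over the saved ACF ACCESS output. The following Python checker is an added example for this article, not ACF2 code or a Broadcom-supplied tool. It parses the Ruleline entries exactly as they appear in the ACCESS listing above, then applies the three checks: write or allocate access must be held only by the UID masks you pass as system programmers, every write or allocate must carry the L suffix, and read access must be held only by system programmers or the masks you pass as approved readers. The sample listings are constructed (the first is the page's own output, the second is a hypothetical one with two defects), and the mask strings *****SYSPROG, *****STC, and *****OPER are assumptions for the demonstration. It treats an access type that is absent from a rule line as prevented and does not evaluate EXEC.

```python
import re

# Constructed sample input (not from a live system): the ACF ACCESS output
# shown on this page, one field per line as ACF2 displays it.
PAGE_SAMPLE = """\
ACCESS Subcommand Results as of 07/29/20-15:22 for: SYS1.PARMLIB
Key: SYS1
Ruleline: PARMLIB UID(*****SYSPROG ) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Ruleline: - UID(*) READ(A) EXEC(A)
Lids: All logonids
"""

# Constructed, hypothetical output with two defects: an operator mask
# (*****OPER, an assumed mask) with unlogged write, and that same mask
# reading without being on the approved read list.
BAD_SAMPLE = """\
Key: SYS1
Ruleline: PARMLIB UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Ruleline: PARMLIB UID(*****OPER) READ(A) WRITE(A) EXEC(A)
Ruleline: PARMLIB UID(*****STC) READ(A)
"""

ACCESS_TYPES = ("READ", "WRITE", "ALLOC", "EXEC")
RULELINE_RE = re.compile(r"^Ruleline:\s+(\S+)\s+UID\(([^)]*)\)(.*)$")
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")


def parse_rulelines(text):
    """Parse 'Ruleline:' entries into {'dsn', 'uid', 'perms'} dicts.

    perms maps each access type to its suffix: A (allow), L (allow and log),
    P (prevent). Assumption: an access type not named on the rule line is
    treated as P, the ACF2 default for unspecified access; EXEC is parsed
    but not audited here.
    """
    rules = []
    for line in text.splitlines():
        m = RULELINE_RE.match(line.strip())
        if not m:
            continue
        perms = {t: "P" for t in ACCESS_TYPES}
        for access_type, suffix in PERM_RE.findall(m.group(3)):
            perms[access_type] = suffix
        rules.append({"dsn": m.group(1), "uid": m.group(2).strip(), "perms": perms})
    return rules


def audit_parmlib_rules(text, sysprog_masks, read_masks=()):
    """Apply the three review checks to ACF ACCESS output.

    sysprog_masks: UID masks (as written in the rule) allowed write or greater.
    read_masks: additional masks approved for read only (started tasks,
    auditors, data center staff). Returns a list of finding strings; an
    empty list means no audit finding for these rule lines.
    """
    findings = []
    for rule in parse_rulelines(text):
        uid, perms, dsn = rule["uid"], rule["perms"], rule["dsn"]
        for t in ("WRITE", "ALLOC"):
            if perms[t] == "P":
                continue
            # Write or greater must be limited to system programmers ...
            if uid not in sysprog_masks:
                findings.append(f"{dsn}: {t}({perms[t]}) granted to UID({uid}), not a system programmer mask")
            # ... and must be logged (L), not merely allowed (A).
            if perms[t] == "A":
                findings.append(f"{dsn}: {t}(A) for UID({uid}) is not logged; use {t}(L)")
        # Read is limited to system programmers plus the approved read masks.
        if perms["READ"] != "P" and uid not in sysprog_masks and uid not in read_masks:
            findings.append(f"{dsn}: READ({perms['READ']}) granted to UID({uid}), not an approved read mask")
    return findings


if __name__ == "__main__":
    for label, sample in (("page sample", PAGE_SAMPLE), ("bad sample", BAD_SAMPLE)):
        result = audit_parmlib_rules(sample, {"*****SYSPROG"}, {"*****STC"})
        print(f"{label}: {'no audit finding' if not result else 'AUDIT FINDING'}")
        for finding in result:
            print("  -", finding)
```

Run against the page's own listing, the checker reports one finding: the - UID(*) line grants read to all logonids. It judges each rule line on its own and does not compute the effective access of a particular logonid, which depends on ACF2's rule-line ordering, so it is a review aid alongside ACF ACCESS rather than a replacement for it.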
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to SYS1.PARMLIB is limited to system programmers and is logged, and that read access is limited to started tasks with a valid read requirement, auditors, and authorized data center personnel.
Follow these steps:
  1. Implement controls to specify that only system programmers are authorized to update SYS1.PARMLIB, either by UID mask:
    $KEY(SYS1)
    PARMLIB UID(*****SYSPROG ) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    or by role:
    $KEY(SYS1)
    $ROLESET
    PARMLIB ROLE(ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
  2. Implement controls so that system level started tasks, authorized data center personnel, and auditors can be granted read access by the ISSO. Each such group gets its own read-only rule line in the same SYS1 rule set as the system programmer line; for started tasks, for example:
    $KEY(SYS1)
    PARMLIB UID(*****STC) READ(A)
  3. Implement controls to ensure that update and allocate activity to SYS1.PARMLIB is logged. The L suffix on WRITE and ALLOC in the step 1 rule line is what produces a logging record for each write or allocate access to the data set. In addition, insert a GSO LOGPGM record:
    SET CONTROL(GSO)
    CONTROL
    INSERT LOGPGM PGMS(SYS1.PARMLIB)
    The GSO LOGPGM record lists programs whose execution is to be logged; it does not by itself log access to a data set, so the L suffix on the rule line remains the required control.
  4. Verify the GSO LOGPGM record was defined:
    SET CONTROL(GSO)
    CONTROL
    LIST LOGPGM
    XXXX / LOGPGM LAST CHANGED BY SYSPGM1 ON 7/5/20-09:20
    PGMS(SYS1.PARMLIB)
    CONTROL
    A new or changed GSO record takes effect after a refresh (operator command F ACF2,REFRESH(LOGPGM)) or at the next IPL.
    System programmers are now authorized to update SYS1.PARMLIB, and write and allocate activity is logged.
Implementing these controls on SYS1.PARMLIB protects your organization's operating system environment, ACF2, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-001499, CCI-002234

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-5 (6)
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-001499
Published Date: 2009-09-29
Definition: The organization limits privileges to change software resident within software libraries.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-5 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
NIST: NIST SP 800-53A (v1): CM-5 (6).1

CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)