STIG ID - BACF1025: Limit Access to PPT Modules

Severity
: 1- High
Some program properties table (PPT) designated program modules have security bypass capabilities. Unauthorized access to the PPT modules could result in the compromise of your organization's operating system environment, external security manager, and customer data.
The organization must ensure that write or greater access to PPT modules is limited to system programmers based upon documented roles performed and that all write or greater access is logged.
This STIG article shows how to review access authorizations to PPT modules, how to limit access to only system programmers, and how to log all activity using
Auditor
.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
  1. Create an
    Auditor
    Batch Script from the
    Auditor
    - SELECT BATCH FUNCTIONS 0.4.2.
    1. Type D for Reporting Option.
    2. Type S for Line command.
    -----------------CA Auditor - SELECT BATCH FUNCTIONS----------------- Specify file used to retain SCRIPT: File name ===> 'your.AUDITOR.R121.BASEPROC' Member name ===> PPT34 (For libraries only) on Volume ===> (If not cataloged) Script Description ===> Overwrite Script ===> NO (YES to overwrite already existing Script) Reporting Option ===>
    D
    (Enter S for Summary) (Enter E for Exception) (Enter D for Detailed) Line command ===>
    S
    (Used with Detail or Exception modes)
    ****** ***************************** Top of Data ****************************** 000001 * A *** CA-Examine BATCH FACILITY SCRIPT *** CREATED: USER002 20.254 000002 OPT FULL S 000003 CMD 3 000004 CMD 6 000005 CMD =X ****** **************************** Bottom of Data ****************************
  2. Run the Batch Script created from the
    Auditor
    function 0.4.3.
  3. Review access to libraries containing PPT modules and ensure the following:
    • Write or greater access is limited to system programmers.
    • Read access to all users as needed.
    • All write or greater access to PPT modules is logged.
    ACF ACCESS DSN('SYS1.LOADLIB') ACCESS Subcommand Results as of 08/03/20-2:20 for: SYS1.LOADLIB $Key: SYS1 Ruleline: LOADLIB UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A) ACF
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to SYS1.LOADLIB and all activity is logged.
  4. If write or greater access to libraries containing PPT modules is limited to system programmers and activity is logged,
    your organization does not have an audit finding.
  5. If write or greater access to libraries containing PPT modules is not limited to system programmers or if write access or greater is not logged,
    your organization has an audit finding.
    See Remediate Audit Findings
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to libraries that contain PPT modules is limited to only system programmers and all activity is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls to specify only system programmers are authorized to write or greater access to the libraries that contain PPT modules.
    $KEY(SYS1) LOADLIB UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    or
    $KEY(SYS1) ROLESET LOADLIB ROLE(ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Implementing controls to the libraries containing PPT modules protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology.
CCIs
: CCI-000213, CCI-001499, CCI-002234
CCI
:
CCI-000213
Published Date
:
2009-09-14
Definition
:
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): CM-5
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI
:
CCI-001499
Published Date
:
2009-09-29
Definition
:
The organization limits privileges to change software resident within software libraries.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): CM-5 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
NIST: NIST SP 800-53A (v1): CM-5 (6).1
CCI
:
CCI-002234
Published Date
:
2013-06-24
Definition
:
The information system audits the execution of privileged functions.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)