STIG ID - BACF1028: Limit Access to Master Catalog

Severity: 1 - High
A catalog is a data set that contains information about other data sets. The master catalog for a system contains entries for all the user catalogs that are used on the system and the aliases pointing to them. During a system initialization, the master catalog is read so that system data sets and catalogs can be located. System catalogs are the basis for locating all files on the system. Unauthorized access could result in the compromise of the operating system environment, the external security manager, and customer data.
The organization must ensure that read or greater access to the system and master catalogs is limited to system programmers or those authorized by the Information Systems Security Officer (ISSO) and all access must be logged.
This STIG article shows how to review access authorizations to the master catalog, how to limit read or greater access to only system programmers and those authorized by the Information Systems Security Officer (ISSO), and how to log all activity.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. Review access to the system and master catalog and ensure the following:
    • Write or greater access is limited to system programmers or those authorized by the ISSO.
    • All write or greater access is logged.
    ACF ACCESS DSN('
    MstrCatalog
    ') ACCESS Subcommand Results as of 08/04/20-2:20 for:
    MstrCatalog
    $Key: SYS1 Ruleline:
    MstrCatalog
    UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A) ACF
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to the master catalog data set and all activity is logged.
  2. Review the output, ensuring the following:
    • Only system programmers or those authorized by the ISSO have write or greater access.
    • All write or greater access is logged.
  3. If write or greater access to system or master catalogs data sets are limited to system programmers and write or greater access is logged,
    your organization does not have an audit finding.
  4. If write or greater access to system or master catalogs data sets is not limited to system programmers and write or greater is not logged,
    your organization has an audit finding.
    See Remediate Audit Findings.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that read or greater access to system and master catalogs is limited to only system programmers or those authorized by the ISSO and all activity is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls to specify only system programmers are authorized to read or greater access and auditors and DASD batch is limited to read access of the
    ACF2
    database files:
    $KEY(SYS1)
    MstrCatalog
    UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    or
    $KEY(SYS1)
    MstrCatalog
    ROLE(ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    The SYSPROG is now authorized to update and alter the master catalog and auditors and DASD batch is limited to read access of the
    ACF2
    database files.
Implementing controls to the
ACF2
database files protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000213, CCI-001499, CCI-002234
CCI
:
CCI-000213
Published Date
:
2009-09-14
Definition
:
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI
:
CCI-001499
Published Date
:
2009-09-29
Definition
:
The organization limits privileges to change software resident within software libraries.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): CM-5 (6)
NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
NIST: NIST SP 800-53A (v1): CM-5 (6).1
CCI
:
CCI-002234
Published Date
:
2013-06-24
Definition
:
The information system audits the execution of privileged functions.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)