STIG ID - BACF1030: Limit Access to System-Level Product Installation Libraries

Severity: 1 - High
System-level product installation libraries make up the majority of the systems software libraries. Unauthorized access could result in the compromise of the operating system environment, the external security manager, and customer data. Therefore, write or greater access to all system-level product execution libraries is limited to system programmers. General users normally do not have read access to software data sets, but limited access to specific data sets within product data sets can be required in order to perform their role. General users should not have read access to CSI, TLIB, or DLIB software installation data sets.
The organization must ensure that write or greater access to all system-level product execution libraries is limited to system programmers only and that all access is logged. Additionally, ensure that least-privilege access principles are being followed for general users.
This STIG article shows how to review access authorizations to the system-level product execution libraries, how to limit write or greater access to only system programmers and how to log all activity.
Identify Audit Finding
The security team, working together with system programmers, should review the following data to determine if remediation is required.
Follow these steps:
  1. Review the following to ensure that only system programmers have write or greater access and access is logged:
    • Identify the data set name and associated SREL for each SMP/E CSI that maintains your systems. Identify the data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.
    • Identify the data set names for all of the system and third-party system software, specifically those ending with “CSI”, “CSI.DATA” and “CSI.INDEX”.
    • Review who has access to those data sets and installation software data sets.
      ACF
      ACCESS DSN('SYS2.ACF2.R16.CSI')
      ACCESS Subcommand Results as of 08/05/20-2:20 for: SYS2.ACF2.R16.CSI
      $Key: SYS2
      Ruleline: ACF2 CSI UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
      ACF
      In this example, the system programmer (SYSPROG) has read, write, and allocate access to the SMP/E CSI.
  2. If write or greater access to ACF2 data set rules for system-level product installation libraries is limited to system programmers, your organization does not have an audit finding.
  3. If write or greater access to ACF2 data set rules for system-level product installation libraries is not limited to system programmers, your organization has an audit finding. See Remediate Audit Findings.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to ACF2 data set rules for system-level product installation libraries is limited to only system programmers.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls to specify that only system programmers are authorized for write or greater access to ACF2 data set rules for system-level product installation libraries:
    $KEY(SYS2) ACF2.R16.CSI UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    or
    $KEY(SYS2) ACF2.R16.CSI ROLE(*****ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
The SYSPROG is now authorized to update and alter ACF2 data set rules for system-level product installation libraries.
Implementing controls on the ACF2 data set rules for system-level product installation libraries protects your organization's operating system environment, external security manager, and customer data.
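The review from Identify Audit Finding can be run over exported rule lines in the form shown above. This is an added example, not part of the original article or of ACF2; the approved masks come from the rules on this page, and treating an omitted permission as prevent and a missing UID/ROLE as "every user" are assumptions of the sketch.

```python
import re

# A = allow, L = allow and log, P = prevent; an omitted permission is treated as P.
WHO = re.compile(r"\b(UID|ROLE)\(([^)]*)\)")
PERM = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")
# Assumption: the system-programmer masks shown in this article's rules.
APPROVED = {("UID", "*****SYSPROG"), ("ROLE", "*****ZSYSPROG")}

def audit_rule_line(line, approved=APPROVED):
    """Return the findings for one ACF2 data set rule line."""
    who = WHO.search(line)
    # A line with no UID/ROLE is treated here as matching every user.
    subject = (who.group(1), who.group(2)) if who else ("UID", "*")
    perms = dict(PERM.findall(line))
    label = "%s(%s)" % subject
    findings = []
    for access in ("WRITE", "ALLOC"):
        value = perms.get(access, "P")
        if value == "P":
            continue
        if subject not in approved:
            findings.append("FINDING: %s(%s) granted to %s" % (access, value, label))
        elif value == "A":
            findings.append("FINDING: %s(A) for %s is not logged" % (access, label))
    if subject not in approved and perms.get("READ", "P") != "P":
        findings.append("REVIEW: READ(%s) granted to %s" % (perms["READ"], label))
    return findings

def audit_rules(rule_lines, approved=APPROVED):
    """Map each rule line that has findings to its list of findings."""
    report = {}
    for line in rule_lines:
        # Drop control statements such as $KEY(SYS2), on their own line or inline.
        line = re.sub(r"\$\w+\([^)]*\)", "", line).strip()
        found = audit_rule_line(line, approved) if line else []
        if found:
            report[line] = found
    return report

# Constructed sample rule set (not taken from a real system).
SAMPLE = """
$KEY(SYS2)
ACF2.R16.CSI UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
ACF2.R16.TLIB UID(*****SYSPROG) READ(A) WRITE(A) ALLOC(L) EXEC(A)
ACF2.R16.DLIB UID(*) READ(A) WRITE(L)
""".splitlines()

if __name__ == "__main__":
    for rule, found in audit_rules(SAMPLE).items():
        print(rule, *found, sep="\n    ")
```

READ grants to non-approved masks are reported as REVIEW rather than FINDING because the article allows limited read access where a role requires it.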
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-002234
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): AC-3
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3
  NIST: NIST SP 800-53A (v1): AC-3.1
CCI: CCI-001499
Published Date: 2009-09-29
Definition: The organization limits privileges to change software resident within software libraries.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): CM-5 (6)
  NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
  NIST: NIST SP 800-53A (v1): CM-5 (6): 1
CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
  NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)