STIG ID - BACF1038: Limit Access to System Page Data Sets

Severity: 1 - High
Paging is the exchange of system page data sets between main memory and overflow. System page data sets hold individual pages of virtual storage when paged out of real storage. ACF2 data set rules for system page data sets must restrict access to only system programmers. Unauthorized access could result in a compromise of the operating system, environment, and customer data.
The organization must ensure that write or greater access to system page data sets is limited to system programmers and access is logged.
This STIG article shows how to review access authorizations to system page data sets, how to limit write or greater access to only system programmers, and how to log all access.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Review access to the system page data set and ensure the following:
    • Write or greater access is limited to system programmers.
    • All access is logged.
    ACF
    ACCESS DSN('SYS1.COMMON')
    ACCESS Subcommand Results as of 08/07/20-4:05 for: SYS1.COMMON
    $Key: SYS1
    Ruleline: COMMON UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
    ACF
    In this example, the system programmer (SYSPROG) has read, write, and allocate access to the SYS1.COMMON system page data set, and all activity is logged (the L suffix on each access type). SYS1.COMMON is the system page data set that holds individual pages of virtual storage when paged out of real storage.
  2. If write or greater access to system page data sets is limited to system programmers and all access is logged, your organization does not have an audit finding.
  3. If write or greater access to system page data sets is not limited to system programmers and all access is not logged, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that write or greater access to system page data sets is limited to system programmers and that all access is logged.
Follow these steps:
  1. Implement controls so that only system programmers are authorized for write or greater access to system page data sets. In this example, SYS1.COMMON is the system page data set that holds individual pages of virtual storage when paged out of real storage.
    $KEY(SYS1)
    COMMON UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
  2. Verify that the changes were made to SYS1.COMMON.
    ACF
    ACCESS DSN('SYS1.COMMON')
    ACCESS Subcommand Results as of 08/07/20-4:25 for: SYS1.COMMON
    $Key: SYS1
    Ruleline: COMMON UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
    ACF
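The review in step 1 of Identify Audit Finding and the verification in step 2 above apply the same two conditions to each rule line: write or greater access (WRITE or ALLOC coded A or L) only for system programmer UID masks, and every permitted access coded L so it is logged. The following Python checker is an added example, not part of the STIG text or of any ACF2 tool; it assumes the site's set of system programmer UID masks (here only the mask from the page) and treats access types not coded on a rule line as P (prevent), the ACF2 default.

```python
import re
# Access types that count as "write or greater" on a system page data set.
WRITE_OR_GREATER = ("WRITE", "ALLOC")
# UID masks the site accepts as system-programmer masks (assumed, site-specific).
SYSPROG_UID_MASKS = {"*****SYSPROG"}
RULE_RE = re.compile(r"^(?P<dsn>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<perms>.*)$")
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\((A|L|P)\)")

def parse_rule_line(line):
    """Split a rule line into (dsn_mask, uid_mask, perms); uncoded access types default to P."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule line: {line!r}")
    perms = {t: "P" for t in ("READ", "WRITE", "ALLOC", "EXEC")}
    for access, value in PERM_RE.findall(m.group("perms")):
        perms[access] = value
    return m.group("dsn"), m.group("uid"), perms

def check_rule_line(line, sysprog_masks=SYSPROG_UID_MASKS):
    """Return the findings for one rule line; an empty list means the line is compliant."""
    dsn, uid, perms = parse_rule_line(line)
    findings = []
    # Condition 1: write or greater access (A or L) only for system programmer UID masks.
    if any(perms[t] in ("A", "L") for t in WRITE_OR_GREATER) and uid not in sysprog_masks:
        findings.append(f"{dsn}: write or greater access granted to non-sysprog UID {uid}")
    # Condition 2: every permitted access must be logged, i.e. coded L rather than A.
    unlogged = [t for t, v in perms.items() if v == "A"]
    if unlogged:
        findings.append(f"{dsn}: access not logged for {', '.join(unlogged)} (UID {uid})")
    return findings

def check_rule_set(rule_text, sysprog_masks=SYSPROG_UID_MASKS):
    """Check every rule line of a $KEY rule set; $ control cards carry no access and are skipped."""
    findings = []
    for line in rule_text.splitlines():
        line = line.strip()
        if line and not line.startswith("$"):
            findings.extend(check_rule_line(line, sysprog_masks))
    return findings

# Constructed sample: the compliant rule line from the page plus two defective ones.
SAMPLE_RULES = """\
$KEY(SYS1)
COMMON UID(*****SYSPROG) READ(L) WRITE(L) ALLOC(L) EXEC(L)
COMMON UID(*****APPDEV) READ(L) WRITE(A)
COMMON UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(L)
"""
```

Running check_rule_set(SAMPLE_RULES) reports three findings: the APPDEV line both grants unlogged WRITE to a non-sysprog mask and fails the logging check, and the last line grants READ without logging.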
Restricting access to ACF2 system page data sets to system programmers protects the operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213
CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1