top secret abend-aid STIG for IEAABD.DMPAUTH

Article ID: 219672

Products

Top Secret
Issue/Introduction

ACP00260 - Memory and privileged program dumps must be protected in accordance with proper security requirements.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

STIG ID - BTSS0017: Protect Memory and Privileged Program Dumps

Severity: 2 - Medium

Access to memory and privileged program dumps running Trusted Control Block (TCB) key 0 to 7 may hold passwords, encryption keys, or other sensitive data that must remain secure. Failure to control access to these facilities could result in unauthorized personnel modifying sensitive z/OS lists. This exposure may threaten the integrity and availability of the operating system environment and compromise the confidentiality of customer data.

The organization must ensure that memory and privileged program dumps running TCB key 0 to 7 are protected in accordance with proper security requirements.

This STIG article shows how to ensure that access to memory and privileged program dumps running TCB key 0 to 7 is restricted to appropriate system tasks and/or system programming personnel.

Identify Audit Finding

Complete these steps to determine if you should consider remediation:

  1. Determine which ACIDs have access to memory and privileged program dumps (IEAABD):

     TSS WHOHAS IBMFAC(IEAABD.)

  2. The product produces output showing all ACIDs with access to memory and privileged program dumps.

     Example output: In this example, ACID XYZ4321 is a z/OS system programmer, and ABC1234 is an authorized application programmer/user.

     IBMFAC = IEAABD.          OWNER(SYSDEPT )
     XAUTH = IEAABD.DMPAUTH    ACID(XYZ4321 )
     ACCESS = UPDATE
     ACTION = AUDIT
     XAUTH = IEAABD.DMPAUTH    ACID(ABC1234 )
     ACCESS = READ
     XAUTH = IEAABD.DMPAKEY    ACID(XYZ4321 )
     ACCESS = READ
     ACTION = AUDIT

  3. Determine if default protection (DEFPROT) is part of the definition for IBMFAC:

     TSS LIST(RDT) RESCLASS(IBMFAC)

     The product produces output showing the resource definitions.

     Example output:

     ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS
     RESOURCE CLASS = IBMFAC
     RESOURCE CODE = X'086' POSIT = 8
     ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(039),ACCESS,PRIVPGM,DEFPROT
        ACCESS = NONE(0000),CONTROL(6400),UPDATE(6000),READ(4000)
        ACCESS = WRITE(2000),ALL(FFFF)
        DEFACC = READ

  4. Review the output to verify that all access to memory and privileged program dumps running TCB key 0 to 7 is restricted to appropriate system tasks and/or system programming personnel.
  5. If the DEFPROT attribute is specified for the IBMFAC resource class in the RDT and/or the IEAABD. resource and/or generic equivalent is owned, your organization does not have an audit finding.
  6. If READ access to the IEAABD.DMPAUTH. resource and/or generic equivalent is limited to authorized users, your organization does not have an audit finding.
  7. If UPDATE or greater access to the IEAABD.DMPAUTH. resource and/or generic equivalent is restricted to systems personnel only and all access is logged, your organization does not have an audit finding.
  8. If all access to the IEAABD.DMPAKEY. resource and/or generic equivalent is restricted to systems personnel and all access is logged, your organization does not have an audit finding.
  9. If any of the previous guidance is not true, your organization has an audit finding. See Remediate Audit Finding.
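The DEFPROT, IEAABD.DMPAUTH and IEAABD.DMPAKEY conditions listed above can be screened mechanically once the WHOHAS and LIST(RDT) output has been captured. The following Python block is an added example and is not part of this article or of Top Secret itself: it parses the two output formats shown above and reports each condition that would constitute a finding. The WHOHAS and RDT sample text is copied from the article's examples; the role sets SYSTEM_PROGRAMMERS and AUTHORIZED_USERS, the ACID USR9999 in the constructed non-compliant permit, and the function names are assumptions made for this example. The access-level masks are taken from the RDT ACCESS= lines on this page.

```python
"""Added example: screen TSS WHOHAS / TSS LIST(RDT) output for BTSS0017."""
import re

# Sample outputs copied from the article's examples above.
SAMPLE_WHOHAS = """\
IBMFAC = IEAABD.          OWNER(SYSDEPT )
XAUTH = IEAABD.DMPAUTH    ACID(XYZ4321 )
ACCESS = UPDATE
ACTION = AUDIT
XAUTH = IEAABD.DMPAUTH    ACID(ABC1234 )
ACCESS = READ
XAUTH = IEAABD.DMPAKEY    ACID(XYZ4321 )
ACCESS = READ
ACTION = AUDIT
"""
SAMPLE_RDT = """\
ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS
RESOURCE CLASS = IBMFAC
RESOURCE CODE = X'086' POSIT = 8
ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(039),ACCESS,PRIVPGM,DEFPROT
   ACCESS = NONE(0000),CONTROL(6400),UPDATE(6000),READ(4000)
   ACCESS = WRITE(2000),ALL(FFFF)
   DEFACC = READ
"""
# Constructed, non-compliant permit: unaudited UPDATE for a non-sysprog ACID.
CONSTRUCTED_BAD_PERMIT = "XAUTH = IEAABD.DMPAUTH    ACID(USR9999 )\nACCESS = UPDATE\n"

# Hypothetical role sets; in practice they come from the access justification records.
SYSTEM_PROGRAMMERS = {"XYZ4321"}
AUTHORIZED_USERS = {"ABC1234"} | SYSTEM_PROGRAMMERS

# Access-level masks from the RDT ACCESS= lines; a higher mask is a higher
# level, so "UPDATE or greater" means mask >= 0x6000.
ACCESS_MASK = {"NONE": 0x0000, "WRITE": 0x2000, "READ": 0x4000,
               "UPDATE": 0x6000, "CONTROL": 0x6400, "ALL": 0xFFFF}

OWNER_RE = re.compile(r"^IBMFAC\s*=\s*(\S+)\s+OWNER\((\S+)\s*\)")
XAUTH_RE = re.compile(r"^XAUTH\s*=\s*(\S+)\s+ACID\((\S+)\s*\)")
KV_RE = re.compile(r"^(ACCESS|ACTION)\s*=\s*(\S+)")


def parse_whohas(text):
    """Return (owned_resources, permits); a permit records resource, ACID,
    ACCESS level and whether ACTION(AUDIT) was set on it."""
    owned, permits, current = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OWNER_RE.match(line):
            owned.add(m.group(1))
        elif m := XAUTH_RE.match(line):
            current = {"resource": m.group(1), "acid": m.group(2),
                       "access": "NONE", "audit": False}
            permits.append(current)
        elif (m := KV_RE.match(line)) and current is not None:
            key, value = m.groups()
            if key == "ACCESS":
                current["access"] = value
            elif value == "AUDIT":
                current["audit"] = True
    return owned, permits


def rdt_has_defprot(text):
    """True if the ATTRIBUTE line of TSS LIST(RDT) output includes DEFPROT."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ATTRIBUTE"):
            return "DEFPROT" in [a.strip() for a in line.split("=", 1)[1].split(",")]
    return False


def evaluate(whohas_text, rdt_text, sysprogs, authorized):
    """Return the list of findings; an empty list means no audit finding."""
    owned, permits = parse_whohas(whohas_text)
    findings = []
    # DEFPROT on the class, or ownership of IEAABD. (or its generic equivalent)
    if not rdt_has_defprot(rdt_text) and not any(r.startswith("IEAABD") for r in owned):
        findings.append("IBMFAC lacks DEFPROT and IEAABD. is not owned")
    for p in permits:
        res, acid, access, audit = p["resource"], p["acid"], p["access"], p["audit"]
        level = ACCESS_MASK.get(access, 0)
        if res.startswith("IEAABD.DMPAUTH"):
            if level >= ACCESS_MASK["UPDATE"]:
                # UPDATE or greater: systems personnel only, and logged
                if acid not in sysprogs:
                    findings.append(f"{acid}: {access} on {res} but not systems personnel")
                if not audit:
                    findings.append(f"{acid}: {access} on {res} is not logged")
            elif level > ACCESS_MASK["NONE"] and acid not in authorized:
                # READ: authorized users only
                findings.append(f"{acid}: {access} on {res} but not an authorized user")
        elif res.startswith("IEAABD.DMPAKEY"):
            # DMPAKEY: all access restricted to systems personnel and logged
            if acid not in sysprogs:
                findings.append(f"{acid}: {access} on {res} but not systems personnel")
            if not audit:
                findings.append(f"{acid}: {access} on {res} is not logged")
    return findings


if __name__ == "__main__":
    for label, text in (("article example", SAMPLE_WHOHAS),
                        ("plus constructed permit", SAMPLE_WHOHAS + CONSTRUCTED_BAD_PERMIT)):
        print(label, "->", evaluate(text, SAMPLE_RDT, SYSTEM_PROGRAMMERS, AUTHORIZED_USERS)
              or "no audit finding")
```

Run against the article's example the script reports no finding; with the constructed USR9999 permit appended it reports two (UPDATE held by someone outside systems personnel, and no ACTION(AUDIT) on that permit). Generic permits such as IEAABD.DMPAUTH. are matched by prefix, which is why startswith is used rather than an exact compare.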

Remediate Audit Finding

Limit all access to change control options to time frames of approved changes and reduce to view only outside of approved change windows.

Follow these steps:

  1. Restrict access to program dump resources and/or their generic equivalent:

     TSS ADDTO(deptacid) IBMFAC(IEAABD.)

     The product confirms your change.

  2. Set DEFPROT (default protection) for IBMFAC:

     NOTE: While setting DEFPROT for IBMFAC is a best practice, other undefined IBMFAC resources may not be protected or granted. After you turn on DEFPROT, all resources are protected whether ownership is defined or not. Ensure that review, planning, and non-production test groups are informed prior to setting DEFPROT in production systems.

     TSS REPLACE(RDT) RESCLASS(IBMFAC) ATTR(DEFPROT)

  3. Restrict READ access to IEAABD.DMPAUTH to authorized users that have a valid job duties requirement for access:

     TSS PERMIT(authorized_users) IBMFAC(IEAABD.DMPAUTH) ACCESS(READ)

  4. Restrict UPDATE access to IEAABD.DMPAUTH to authorized system programming personnel and log access:

     TSS PERMIT(authorized_system_programmers) IBMFAC(IEAABD.DMPAUTH) ACCESS(UPDATE) ACTION(AUDIT)

  5. Restrict access to IEAABD.DMPAKEY. to authorized system programming personnel and log access:

     TSS PERMIT(authorized_system_programmers) IBMFAC(IEAABD.DMPAKEY) ACCESS(READ) ACTION(AUDIT)

  6. Create documentation that provides justification for access, file the documentation with the Information System Security Officer (ISSO) for the organization, and include the documentation in the mainframe system security plan (SSP).