Hi Peter,

Follow the rule of the attached STIG:

SYS1.PARMLIB is not limited to only system programmers.

Overview
Finding ID: V-108
Version: ACP00010
Rule ID: SV-108r2_rule
IA Controls: DCCS-1 <https://www.stigviewer.com/controls/8500/DCCS-1>,
DCCS-2 <https://www.stigviewer.com/controls/8500/DCCS-2>,
DCSL-1 <https://www.stigviewer.com/controls/8500/DCSL-1>,
ECAR-1 <https://www.stigviewer.com/controls/8500/ECAR-1>,
ECAR-2 <https://www.stigviewer.com/controls/8500/ECAR-2>,
ECAR-3 <https://www.stigviewer.com/controls/8500/ECAR-3>
Severity: High
Description
SYS1.PARMLIB contains the parameters which control system IPL,
configuration characteristics, security facilities, and performance.
Unauthorized access could result in the compromise of the operating system
environment, ACP, and customer data.
STIG: z/OS RACF STIG <https://www.stigviewer.com/stig/zos_racf/2019-12-12/>
Date: 2019-12-12
Details
Check Text ( C-676r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data
Collection:

- SENSITVE.RPT(PARMRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data
Collection:

- PDI(ACP00010)

___ The ACP data set rules for SYS1.PARMLIB allow inappropriate (e.g.,
global READ) access.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ, UPDATE
and ALTER access to only systems programming personnel.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ and UPDATE
access to only domain level security administrators.

___ The ACP data set rules for SYS1.PARMLIB do not restrict READ access to
only system Level Started Tasks, authorized Data Center personnel, and
auditors.

___ The ACP data set rules for SYS1.PARMLIB do not specify that all (i.e.,
failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-25790r1_fix)
The IAO will ensure that update and alter access to SYS1.PARMLIB is limited
to system programmers only and all update and alter access is logged.

Review access authorization to critical system files. Evaluate the impact
of correcting the deficiency. Develop a plan of action and implement the
changes as required.

The IAO will implement controls to specify the valid users authorized to
update the SYS1.PARMLIB concatenation. All update and alter access to
libraries in the concatenation will be logged using the ACP's facilities.

1. That systems programming personnel will be authorized to update and
alter the SYS1.PARMLIB concatenation.
2. That domain level security administrators can be authorized to update
the SYS1.PARMLIB concatenation.
3. That System Level Started Tasks, authorized Data Center personnel, and
auditors can be authorized read access by the IAO.
4. That all update and alter access is logged.

| Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform |
Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |

| Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 |
Skype: ItschakMugzach | Web: www.Securiteam.co.il |
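The five check items of ACP00010 above, turned into an automated evaluation of a RACF data set profile. This is an added example, not part of the STIG or of this post: the LISTDSD-style listing is a constructed sample, and the mapping of the STIG's roles onto RACF groups (SYSPROG, SECADM, STCSYS, DCOPS, AUDIT) is an assumption for the installation.

```python
import re
ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF levels, low to high
# Assumed installation role groups (constructed names, not from the STIG).
SYSPROG, SECADMIN = {"SYSPROG"}, {"SECADM"}
READERS = {"STCSYS", "DCOPS", "AUDIT"}  # system STCs, data center staff, auditors
ALLOWED = {"ALTER": SYSPROG, "CONTROL": SYSPROG | SECADMIN, "UPDATE": SYSPROG | SECADMIN,
           "READ": SYSPROG | SECADMIN | READERS, "EXECUTE": SYSPROG | SECADMIN | READERS}
# Constructed sample in the shape of LISTDSD 'SYS1.PARMLIB' AUTHUSER output.
SAMPLE_LISTDSD = """\
LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
 00    SYS1          READ          NO      NO
FAILURES(READ)
   ID     ACCESS
SYSPROG   ALTER
SECADM    UPDATE
DCOPS     UPDATE
AUDIT     READ
"""

def parse_listdsd(text):
    """Extract UACC, WARNING, the AUDITING spec and the access list (ID, level pairs)."""
    prof = {"uacc": "NONE", "warning": "NO", "audit": {}, "acl": {}}
    for line in text.splitlines():
        m = re.match(r"\s*\d{2}\s+\S+\s+(\w+)\s+(YES|NO)\s+(YES|NO)", line)
        if m:
            prof["uacc"], prof["warning"] = m.group(1), m.group(2)
        for kind, lvl in re.findall(r"(ALL|SUCCESS|FAILURES)\((\w+)\)", line):
            prof["audit"][kind] = lvl
        m = re.match(r"(\S+)\s+(\w+)\s*$", line)  # access-list entries are two tokens
        if m and m.group(2) in ORDER:
            prof["acl"][m.group(1)] = m.group(2)
    return prof

def audited(audit, level="UPDATE"):
    """True if every success and failure at `level` or above is logged (ALL, or SUCCESS plus FAILURES)."""
    covers = lambda lvl: lvl in ORDER and ORDER.index(lvl) <= ORDER.index(level)
    return covers(audit.get("ALL")) or (covers(audit.get("SUCCESS")) and covers(audit.get("FAILURES")))

def check_acp00010(prof):
    """Return the ACP00010 check items that are true for this profile, i.e. the findings."""
    findings = []
    if prof["uacc"] != "NONE" or prof["warning"] == "YES" or prof["acl"].get("*", "NONE") != "NONE":
        findings.append("UACC, ID(*) or WARNING grants inappropriate global access")
    for who, acc in prof["acl"].items():
        if acc != "NONE" and who not in ALLOWED[acc]:
            findings.append(f"{who} has {acc}; the STIG limits it to {sorted(ALLOWED[acc])}")
    if not audited(prof["audit"]):
        findings.append("not all UPDATE/ALTER successes and failures are logged")
    return findings
```

Run against the sample it reports three findings: global READ via UACC, DCOPS holding UPDATE, and missing success logging; a profile with UACC(NONE) and AUDIT(ALL(UPDATE)) reports none.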
On Fri, Feb 4, 2022 at 1:51 AM Farley, Peter x23353 <
0000031df298a9da-dmarc-requ...@listserv.ua.edu> wrote:

> That was my question -- what possible attack vector can be derived from
> PARMLIB entries?  I cannot see any such vector coming out of anything I
> know about PARMLIB, but I probably don’t know enough, which is why I am
> asking here.
>
> No passwords, no information that Mark Zelden's IPLINFO can’t retrieve
> anyway from a running system, so what's the issue?
>
> Peter
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf
> Of Matt Hogstrom
> Sent: Thursday, February 3, 2022 6:43 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: What is the audit basis to prevent read access to z/OS
> PARMLIB's?
>
> I would suspect that it exposes potential attack vectors for the system.
> Ideally the system should be secure but loose lips sink ships.
>
> Matt Hogstrom
> m...@hogstrom.org
>
> “To my Ph.D. supervisor, for whom no thanks is too much.”
>
> > On Feb 3, 2022, at 6:12 PM, Farley, Peter x23353 <
> 0000031df298a9da-dmarc-requ...@listserv.ua.edu> wrote:
> >
> > I'll be the first to admit that I know just enough of what is in
> SYS1.PARMLIB to be dangerous, BUT . . .
> >
> > What information could possibly be gleaned from reading PARMLIB that
> would require a knowledgeable auditor to insist on restricting read access
> (other than security by obscurity and sysprog/auditor job security)?
> >
> > Just curious, I don't plan on hacking anything.
> --
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
