ACF2/CICS parameter datasets are not protected in accordance with the proper security requirements.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-224308 | SRG-OS-000259 | ZCICA011 | SV-224308r1141393_rule | 2025-09-23 | 7 |
| Description |
|---|
| CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter datasets (i.e., product, security) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data. |
| ℹ️ Check |
|---|
| Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(CICSRPT). Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. If this guidance is true, this is not a finding. |
| ✔️ Fix |
|---|
| The ISSO will ensure that WRITE and/or greater access to the ACF2/CICS parameter dataset is limited to systems programmers and security personnel. Review the access authorizations for CICS system datasets. WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. Example: $KEY(S3C) $PREFIX(SYS3) CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A) CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A) CICSTS.SYSIN UID(*) PREVENT SET RULE COMPILE 'ACF2.MVA.DSNRULES(S3C)' STORE |