IBM System Display and Search Facility (SDSF) HASPINDX dataset identified in the INDEX parameter must be properly protected.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224318	SRG-OS-000080	ZISFA002	SV-224318r1141548_rule	2025-09-23	7

Description
IBM SDSF HASPINDX datasets control the execution, configuration, and security of the SDSF products. Failure to properly protect access to these datasets could result in unauthorized access. This exposure may threaten the availability of SDSF and compromise the confidentiality of customer data.

ℹ️ Check
If the z/OS operating system is Release 2.2 or higher, this is not applicable. Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(SDSFRPT). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZISF0002). Verify that the accesses to the IBM SDSF HASPINDX dataset specified on the INDEX control statement in the ISFPARMS statements (identified in the SFSFPARM DD statement of the SDSF stc) are properly restricted. If the following guidance is true, this is not a finding. The ACF2 dataset rules for the datasets restrict READ access to the auditors. The ACF2 dataset rules for the datasets restrict UPDATE access to SDSF Started Tasks. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (NA). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected.

ℹ️ Check

If the z/OS operating system is Release 2.2 or higher, this is not applicable. Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(SDSFRPT). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZISF0002). Verify that the accesses to the IBM SDSF HASPINDX dataset specified on the INDEX control statement in the ISFPARMS statements (identified in the SFSFPARM DD statement of the SDSF stc) are properly restricted. If the following guidance is true, this is not a finding. The ACF2 dataset rules for the datasets restrict READ access to the auditors. The ACF2 dataset rules for the datasets restrict UPDATE access to SDSF Started Tasks. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (NA). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected.

✔️ Fix
Ensure that the HASPINDX dataset identified in the INDEX parameter value of ISFPARMS options statement is restricted as described below. The HASPINDX dataset is used by SDSF when building the SYSLOG panel. This dataset contains information related to all SYSLOG jobs and datasets on the spool. Since SDSF dynamically allocates this dataset, explicit user access authorization to this dataset should not be required. Due to the potentially sensitive data in this dataset, access authorization will be restricted. READ access is restricted to the auditors. UPDATE access is restricted to SDSF Started Tasks. WRITE and/or greater access is restricted to systems programming personnel. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (N/A). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected. Datasets to be protected may be: SYS1.HASPINDX The following commands are provided as a sample for implementing dataset controls: $KEY(S1H) $PREFIX(SYS1) HASPINDX.- UID(syspaudt) R(A) W(A) A(A) E(A) HASPINDX.- UID(sdsf stc) R(A) W(A) E(A) HASPINDX.- UID(audtaudt) R(A) E(A) SET RULE COMPILE 'ACF2.MVA.DSNRULES(S1H)' STORE

✔️ Fix

Ensure that the HASPINDX dataset identified in the INDEX parameter value of ISFPARMS options statement is restricted as described below. The HASPINDX dataset is used by SDSF when building the SYSLOG panel. This dataset contains information related to all SYSLOG jobs and datasets on the spool. Since SDSF dynamically allocates this dataset, explicit user access authorization to this dataset should not be required. Due to the potentially sensitive data in this dataset, access authorization will be restricted. READ access is restricted to the auditors. UPDATE access is restricted to SDSF Started Tasks. WRITE and/or greater access is restricted to systems programming personnel. Note: If running z/OS V1R11 or above, with the use of a new JES logical log, the HASPINDX, may not exist and may make this vulnerability not applicable (N/A). However if used the HASPINDX dataset must be restricted. Note: If running z/OS V1R11 systems or above and NOT using JES logical log, the HASPINDX dataset must be protected. Datasets to be protected may be: SYS1.HASPINDX The following commands are provided as a sample for implementing dataset controls: $KEY(S1H) $PREFIX(SYS1) HASPINDX.- UID(syspaudt) R(A) W(A) A(A) E(A) HASPINDX.- UID(sdsf stc) R(A) W(A) E(A) HASPINDX.- UID(audtaudt) R(A) E(A) SET RULE COMPILE 'ACF2.MVA.DSNRULES(S1H)' STORE