ROSCOE STC datasets are not properly protected.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224337	SRG-OS-000259	ZROSA001	SV-224337r1141626_rule	2025-09-27	7

Description
ROSCOE STC datasets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their datasets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.

ℹ️ Check
Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(ROSSTC). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZROS0001). Verify that access to the ROSCOE STC datasets is properly restricted. The datasets in this group are the datasets identified in the ROSACTxx (if used), ROSLIBxx, and SYSAWSx DD statements of the STC or batch JCL. If the following guidance is true, this is not a finding. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to the product STC(s) and/or batch job(s).

ℹ️ Check

Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(ROSSTC). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZROS0001). Verify that access to the ROSCOE STC datasets is properly restricted. The datasets in this group are the datasets identified in the ROSACTxx (if used), ROSLIBxx, and SYSAWSx DD statements of the STC or batch JCL. If the following guidance is true, this is not a finding. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to the product STC(s) and/or batch job(s).

✔️ Fix
The ISSO will ensure that WRITE and/or greater access to the ROSCOE started task or batch job datasets is limited to systems programmers and the started task only, and all WRITE and/or greater access is logged. The ISSO will ensure that all other accesses to the ROSCOE started task or batch job datasets are properly restricted and all required accesses are properly logged. Datasets to be protected will be: SYS3.ROSCOE.SYS SYS3.ROSCOE.ROSLIB Example: SET RULE $KEY(SYS3) ROSCOE.SYS- UID(syspudt) R(A) W(L) A(L) E(A) ROSCOE.SYS- UID(stc roscoe) R(A) W(L) A(L) E(A) ROSCOE.ROSLIB- UID(syspudt) R(A) W(L) A(L) E(A) ROSCOE.ROSLIB- UID(stc roscoe) R(A) W(L) A(L) E(A)

✔️ Fix

The ISSO will ensure that WRITE and/or greater access to the ROSCOE started task or batch job datasets is limited to systems programmers and the started task only, and all WRITE and/or greater access is logged. The ISSO will ensure that all other accesses to the ROSCOE started task or batch job datasets are properly restricted and all required accesses are properly logged. Datasets to be protected will be: SYS3.ROSCOE.SYS** SYS3.ROSCOE.ROSLIB** Example: SET RULE $KEY(SYS3) ROSCOE.SYS- UID(syspudt) R(A) W(L) A(L) E(A) ROSCOE.SYS- UID(stc roscoe) R(A) W(L) A(L) E(A) ROSCOE.ROSLIB- UID(syspudt) R(A) W(L) A(L) E(A) ROSCOE.ROSLIB- UID(stc roscoe) R(A) W(L) A(L) E(A)