MVS datasets for the WebSphere Application Server are not protected in accordance with the proper security requirements.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224349	SRG-OS-000080	ZWAS0010	SV-224349r1141669_rule	2025-09-26	7

Description
MVS datasets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these datasets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.

ℹ️ Check
Refer to the following reports produced by the dataset and Resource Data Collection: - SENSITVE.RPT(HTTPRPT). - SENSITVE.RPT(WASRPT). If the following dataset controls are in effect for WAS, this is not a finding. The ACP dataset rules restrict WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW and SYS1.IMW.SIMW) is restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. The ACP dataset rules restrict WRITE and/or greater access to WAS product datasets and associated product datasets are restricted to systems programming personnel. SYS.EJS.V3500108.* (WebSphere 3.5) SYS.WAS.V401.* (WebSphere 4.0.1) SYS.OE.* (Java) SYS.JAVA* (Java) SYS.DB2.V710107.* (DB2) SYS.GLD.* (LDAP) SYS1.LE.** (Language Environment)

ℹ️ Check

Refer to the following reports produced by the dataset and Resource Data Collection: - SENSITVE.RPT(HTTPRPT). - SENSITVE.RPT(WASRPT). If the following dataset controls are in effect for WAS, this is not a finding. The ACP dataset rules restrict WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. The ACP dataset rules restrict WRITE and/or greater access to WAS product datasets and associated product datasets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment)

✔️ Fix
The ISSO will ensure that WebSphere server datasets restrict WRITE and/or greater access to systems programming personnel. Ensure the following dataset controls are in effect for WAS: WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW and SYS1.IMW.SIMW) are restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. WRITE and/or greater access to WAS product datasets and associated product datasets are restricted to systems programming personnel. SYS.EJS.V3500108.* (WebSphere 3.5) SYS.WAS.V401.* (WebSphere 4.0.1) SYS.OE.* (Java) SYS.JAVA* (Java) SYS.DB2.V710107.* (DB2) SYS.GLD.* (LDAP) SYS1.LE.** (Language Environment)

✔️ Fix

The ISSO will ensure that WebSphere server datasets restrict WRITE and/or greater access to systems programming personnel. Ensure the following dataset controls are in effect for WAS: WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) are restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. WRITE and/or greater access to WAS product datasets and associated product datasets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment)