{"stig":{"title":"z/OS CL/SuperSession for TSS Security Technical Implementation Guide","version":"7","release":"2"},"checks":[{"vulnId":"V-224649","ruleId":"SV-224649r1145864_rule","severity":"medium","ruleTitle":"CL/SuperSession profile options are set improperly.","description":"Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.","checkContent":"The following steps are necessary for reviewing the CL/SuperSession options:\n\nRequest online access from the site administrator to view CL/SuperSession parameter settings.\nOnce access to the CL/SuperSession Main Menu has been obtained, select the option for the ADMINISTRATOR menu.\nFrom the ADMINISTRATOR menu, select the option for the PROFILE SELECTION menu.\nFrom the PROFILE SELECTION menu, select the View GLOBAL Profile option.\nAfter selection of the View GLOBAL Profile option, the Update GLOBAL Profile menu appears. From this menu select the profile to be reviewed:\n\n- To view the Common profile, select: _Common\n- To view the SUPERSESSION profile, select: _SupSess\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZCLS0040).\n\nCompare the security parameters as specified in the Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables in the z/OS STIG Addendum against the settings in CL/SuperSession.\n\nIf all options as specified in the Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables in the z/OS STIG Addendum are in effect, this is not a finding.","fixText":"The systems programmer and ISSO will review all session manager security parameters and control options for compliance with the requirements of the z/OS STIG Addendum Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables. Verify that the options are set properly.","ccis":["CCI-000057","CCI-000381"]},{"vulnId":"V-224650","ruleId":"SV-224650r1145866_rule","severity":"medium","ruleTitle":"CL/SuperSession must be properly configured to generate SMF records for audit trail and accounting reports.","description":"Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications and compromise the confidentiality of customer data.","checkContent":"Version 3 of CL/SuperSession\nReview the member KLKINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)\n\nVersion 2 of CL/SuperSession\nReview the member KLVINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)\n\nRefer to the following report produced by the z/OS Data Collection:\n\n- EXAM.RPT(SMFOPTS).\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZCLS0041).\n\nIf the SMF= field specifies an SMF record number and the SMFOPTS report specifies that SMF is writing the record number specified by SMF=, this is not a finding.","fixText":"Ensure that the Session Manager generates SMF records for audit trail and accounting reports.\n\nTo provide an audit trail of user activity in CL/SuperSession, configure the Network Accounting Facility (NAF) to require SMF recording of accounting and audit data. Accounting to the journal data set is optional at the discretion of the site. To accomplish this for version 3 of CL/SuperSession, configure the following NAF startup parameters in the KLKINNAF member of the RLSPARM initialization parameter library as follows:\n\nDSNAME= dsname - Name of the NAF journal data set. Required only if the site is collecting accounting and audit data in the journal data set in addition to the SMF data.\n\nMOD - If the journal data set is used, this parameter should be set to ensure that logging data in the data set is not overwritten.\n\nSMF=nnn - SMF record number. This field is mandatory to ensure that CL/SuperSession data is always written to the SMF files.","ccis":["CCI-000172","CCI-000381","CCI-003938"]},{"vulnId":"V-224651","ruleId":"SV-224651r1145869_rule","severity":"medium","ruleTitle":"CL/SuperSession Install data sets must be properly protected.","description":"CL/SuperSession Install data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.","checkContent":"Refer to the following report produced by the Data Set and Resource Data Collection:\n\n- SENSITVE.RPT(KLSRPT).\n\nAutomated Analysis:\nRefer to the following report produced by the Data Set and Resource Data Collection:\n\n- PDI(ZCLS0000).\n\nVerify that access to the CL/SuperSession Install data sets are properly restricted. If the following guidance is true, this is not a finding.\n\nThe TSS data set rules for the data sets restrict WRITE and/or greater access to systems programming personnel.\n\nThe TSS data set rules for the data sets specify that all (i.e., failures and successes) WRITE and/or greater access will be logged.","fixText":"Ensure that WRITE and/or greater access to CL/SuperSession install data sets are limited to systems programmers only, and all WRITE and/or greater access is logged.\n\nThe installing systems programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and if required that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have UPDATE access for specific data sets and, once documented, will work with the ISSO to ensure they are properly restricted to the ACP (Access Control Program ) active on the system.\n\nThe following are an example of data sets to be protected:\nsys2.omegamon. \nsys2.omegamon.*.tlsload\nsys2.omegamon.*.tlvload\nsys3.omegamon.\nsys3.omegamon.rlsload\n\nThe following commands are provided as an example for implementing data set controls: \nTSS PERMIT(syspaudt) DSN(sys2.omegamon.) ACCESS(r)\nTSS PERMIT(syspaudt) DSN(sys2.omegamon.) ACCESS(all) ACTION(audit)\nTSS PERMIT(syspaudt) DSN(sys2.omegamon.*.tlsload) ACCESS(r)\nTSS PERMIT(syspaudt) DSN(sys2.omegamon.*.tlsload) ACCESS(all) ACTION(audit)\nTSS PERMIT(syspaudt) DSN(sys2.omegamon.*.tlvload) ACCESS(r)\nTSS PERMIT(syspaudt) DSN(sys2.omegamon.*.tlvload) ACCESS(all) ACTION(audit)\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.) ACCESS(r)\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.) ACCESS(all) ACTION(audit)\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.*.rlsload) ACCESS(r)\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.*.rlsload) ACCESS(all) ACTION(audit)","ccis":["CCI-001499","CCI-002234"]},{"vulnId":"V-224652","ruleId":"SV-224652r1146313_rule","severity":"medium","ruleTitle":"CL/SuperSession STC data sets must be properly protected.","description":"CL/SuperSession STC data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.","checkContent":"Refer to the following report produced by the Data Set and Resource Data Collection:\n\n- SENSITVE.RPT(KLSSTC).\n\nAutomated Analysis\nRefer to the following report produced by the Data Set and Resource Data Collection:\n\n- PDI(ZCLS0001).\n\nVerify that the accesses to the CL/SuperSession STC data sets are properly restricted. If the following guidance is true, this is not a finding.\n\nThe TSS data set access authorizations restrict READ access to auditors and authorized users.\n\nThe TSS data set access authorizations restrict WRITE and/or greater access to systems programming personnel.\n\nThe TSS data set rules for the data sets restrict WRITE and/or greater access to the product STC(s) and/or batch job(s).","fixText":"Ensure that WRITE and/or greater access to CL/SuperSession STC data sets are limited to systems programmers and CL/SuperSession STC only. READ access can be given to auditors and authorized users.\n\nThe installing systems programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and if required that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented will work with the ISSO to ensure they are properly restricted to the Access Control Program (ACP) active on the system.\n\nNote: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. \n\nThe following are an example of data sets to be protected:\nSYS3.OMEGAMON.RLSNAF\nSYS3.OMEGAMON.RLSNAM\nSYS3.OMEGAMON.RLSTDB\nSYS3.OMEGAMON.RLSVLOG\n\nThe following commands are provided as an example for implementing data set controls: \n\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.rlsnaf) ACCESS(ALL)\nTSS PERMIT(kls) DSN(sys3.omegamon.rlsnaf) ACCESS(ALL)\nTSS PERMIT(audtaudt) DSN(sys3.omegamon.rlsnaf) ACCESS(READ)\nTSS PERMIT(all) DSN(sys3.omegamon.rlsnaf) ACCESS(READ)\n\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.rlsnam) ACCESS(ALL)\nTSS PERMIT(kls) DSN(sys3.omegamon.rlsnam) ACCESS(ALL)\nTSS PERMIT(audtaudt) DSN(sys3.omegamon.rlsnam) ACCESS(READ)\nTSS PERMIT(all) DSN(sys3.omegamon.rlsnam) ACCESS(READ)\n\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.rlstdb) ACCESS(ALL)\nTSS PERMIT(kls) DSN(sys3.omegamon.rlstdb) ACCESS(ALL)\nTSS PERMIT(audtaudt) DSN(sys3.omegamon.rlstdb) ACCESS(READ)\nTSS PERMIT(all) DSN(sys3.omegamon.rlstdb) ACCESS(READ)\n\nTSS PERMIT(syspaudt) DSN(sys3.omegamon.rlsvlog) ACCESS(ALL)\nTSS PERMIT(kls) DSN(sys3.omegamon.rlsvlog) ACCESS(ALL)\nTSS PERMIT(audtaudt) DSN(sys3.omegamon.rlsvlog) ACCESS(READ)\nTSS PERMIT(all) DSN(sys3.omegamon.rlsvlog) ACCESS(READ)","ccis":["CCI-001499"]},{"vulnId":"V-224653","ruleId":"SV-224653r1145875_rule","severity":"medium","ruleTitle":"CL/SuperSession Started Task name is not properly identified/defined to the system ACP.","description":"CL/SuperSession requires a started task that will be restricted to certain resources, data sets, and other system functions. Defining the started task as a userid to the system ACP allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities could compromise the operating system environment, ACP, and customer data.","checkContent":"Refer to the following report produced by the TSS Data Collection:\n\n- TSSCMDS.RPT(@ACIDS).\n\nReview the CL/SuperSession STC/Batch ACID(s). If the following attributes are defined, this is not a finding.\n\nFACILITY(STC, BATCH)\nPASSWORD(xxxxxxxx,0)\nSOURCE(INTRDR)\nNOSUSPEND\nMASTFAC(KLS)","fixText":"The Systems Programmer and ISSO will ensure that the started task for CL/SuperSession is properly defined.\n\nReview all session manager security parameters and control options for compliance. Develop a plan of action and implement the changes as specified.\n\nDefine the started task userid KLS for CL/SuperSession.\n\nExample:\n\nTSS CRE(KLS) DEPT(Dept) NAME('CL/SuperSession STC') -\n  FAC(STC) MASTFAC(KLS) PASSWORD(password,0) -\n  SOURCE(INTRDR) NOSUSPEND","ccis":["CCI-000764"]},{"vulnId":"V-224654","ruleId":"SV-224654r1145878_rule","severity":"medium","ruleTitle":"CL/SuperSession Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.","description":"Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources. Improper control of product resources could potentially compromise the operating system, ACP, and customer data.","checkContent":"Refer to the following report produced by the TSS Data Collection:\n\n- TSSCMDS.RPT(#STC).\n\nAutomated Analysis\nRefer to the following report produced by the TSS Data Collection:\n\n- PDI(ZCLS0032).\n\nIf the CL/SuperSession started task(s) is (are) defined in the TSS STC record, this is not a finding.","fixText":"The CL/SuperSession systems programmer and the ISSO will ensure that a product's started task(s) is (are) properly identified and/or defined to the system ACP. \n\nA unique ACID must be assigned for the CL/SuperSession started task(s) through a corresponding STC table entry.\n\nThe following sample set of commands is shown here as a guideline:\n\nTSS ADD(STC) PROCNAME(KLS) ACID(KLS)","ccis":["CCI-000764"]},{"vulnId":"V-224655","ruleId":"SV-224655r1145880_rule","severity":"medium","ruleTitle":"CL/SuperSession is not properly defined to the Facility Matrix Table for Top Secret.","description":"Improperly defined security controls for the Product could result in the compromise of the network, operating system, and customer data.","checkContent":"Refer to the following reports produced by the TSS Data Collection:\n\n- TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values.\n- TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup.\n\nIf the CL/SuperSession Facility Matrix table is defined as stated below, this is not a finding.\n\n*KLS\tCL/SUPERSESSION\nFACILITY(USERxx=NAME=KLS)\nFACILITY(KLS=MODE=FAIL,ACTIVE,SHRPRF)\nFACILITY(KLS=PGM=KLV,NOASUBM,NOABEND,NOXDEF)\nFACILITY(KLS=ID=xx,MULTIUSER,RES,LUMSG,STMSG,WARNPW,SIGN(M))\nFACILITY(KLS=NOINSTDATA,NORNDPW,AUTHINIT,NOPROMPT,NOAUDIT)\nFACILITY(KLS=NOTSOC,LOG(INIT,SMF,MSG,SEC9))","fixText":"Define the CT/Engine started task name KLS as a Facility to TOP SECRET in the Facility Matrix Table using the following example:\n\n*KLS\tCL/SUPERSESSION\nFACILITY(USERxx=NAME=KLS)\nFACILITY(KLS=MODE=FAIL,ACTIVE,SHRPRF)\nFACILITY(KLS=PGM=KLV,NOASUBM,NOABEND,NOXDEF)\nFACILITY(KLS=ID=xx,MULTIUSER,RES,LUMSG,STMSG,WARNPW,SIGN(M))\nFACILITY(KLS=NOINSTDATA,NORNDPW,AUTHINIT,NOPROMPT,NOAUDIT)\nFACILITY(KLS=NOTSOC,LOG(INIT,SMF,MSG,SEC9))","ccis":["CCI-000764"]},{"vulnId":"V-224656","ruleId":"SV-224656r1145883_rule","severity":"medium","ruleTitle":"CL/SuperSession's Resouce Class is not defined or active in the ACP.","description":"Failure to use a robust ACP to control a product could potentially compromise the integrity and availability of the MVS operating system and user data.","checkContent":"Refer to the following report produced by the TSS Data Collection:\n\n- TSSCMDS.RPT(#RDT).\n\nIf the resource class of KLS is defined in the Resource Definition Table (RDT), this is not a finding.","fixText":"Add the resource KLS to the TOP SECRET RDT using the following TSS command example:\n \nTSS ADD(RDT) RESCLASS(KLS) RESCODE(xx)\n\n(where xx is an unused hex value)","ccis":["CCI-000336","CCI-002358"]},{"vulnId":"V-224657","ruleId":"SV-224657r1145885_rule","severity":"medium","ruleTitle":"CL/SuperSession KLVINNAM member must be configured in accordance with security requirements.","description":"CL/SuperSession configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications and compromise the confidentiality of customer data.","checkContent":"Version 3 of CL/SuperSession\nReview the member KLKINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)\n\nVersion 2 of CL/SuperSession\nReview the member KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZCLS0042).\n\nIf one of the following configuration settings is specified for each control point defined in the KLKINNAM member for version 3 of CL/SuperSession or KLVINNAM member for version 2 of CL/SuperSession, this is not a finding.\n\nDEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) -\nRACF -\nCLASSES=APPCLASS -\nNODB -\nEXIT=KLSTSNEV\n\n(The following is for z/OS CAC logon processing)\nDEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) -\nSAF -\nCLASSES=APPCLASS -\nNODB -\nEXIT=KLSNFPTX or KLSTSPTX","fixText":"Ensure that the parameter options for member KLKINNAM for version 3 of CL/SuperSession or KLVINNAM for version 2 CL/SuperSession are coded to the specifications below.\n\n(Note: The data set identified below is an example of a possible installation. The actual data set is determined when the product is actually installed on a system through the product's installation guide and can be site specific.)\n\nReview the member KLKINNAM or KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: \n\nDEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) -\n      RACF -\n      CLASSES=APPCLASS -\n      NODB -\n      EXIT=KLSTSNEV\n\n(The following is for z/OS CAC logon processing)\nDEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) -\n      SAF -\n      CLASSES=APPCLASS -\n      NODB -\n      EXIT=KLSNFPTX or KLSTSPTX","ccis":["CCI-000381"]},{"vulnId":"V-224658","ruleId":"SV-224658r1145887_rule","severity":"medium","ruleTitle":"CL/SuperSession APPCLASS member is not configured in accordance with the proper security requirements.","description":"Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.","checkContent":"Review the member APPCLASS in the TLVPARM DD statement concatenation of the CL/Supersession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.)\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZCLS0043).\n\nIf the parameters for the member APPCLASS are configured as follows, this is not a finding.\n\n\tVGWAPLST EXTERNAL=KLS","fixText":"The systems programmer and ISSO will ensure that the parameter options for member APPCLASS are coded to the below specifications.\n\nReview the member APPCLASS in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: \n\nVGWAPLST EXTERNAL=KLS","ccis":["CCI-000381"]}]}