17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"IBM z/OS RACF Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","9","R","8"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Mar 9, 2026"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"IBM_zOS_RACF_STIG","children":"IBM_zOS_RACF_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":222}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",27]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",193]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20z%2FOS%20RACF%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20z%2FOS%20RACF%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20z%2FOS%20RACF%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_zOS_Y26M04_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"c83b7e79-a17c-4944-b9a0-e10393267845","vulnId":"V-223646","severity":"medium","ruleTitle":"Certificate Name Filtering must be implemented with appropriate authorization and documentation.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\nAccesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\nAccesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"$23","fixText":"Ensure any certificate name filtering rules in use are documented and approved by the ISSM."},{"id":"86b14049-1c9b-47c9-b90d-6182dac8bce7","vulnId":"V-223647","severity":"medium","ruleTitle":"Expired digital certificates must not be used.","description":"The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certificates are periodically refreshed. This is in accordance with DoD requirement. Expired Certificate must not be in use.","checkContent":"From the ISPF Command Shell enter:\nRACDCERT CERTAUTH LIST\n\nIf no certificate information is found, this is not a finding.\n\nNOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check.\n\nCheck the expiration (End Date) for each certificate with a status of TRUST.\n\nIf the expiration date has passed, this is a finding.","fixText":"If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it."},{"id":"147cd456-8c9a-4f8a-9e22-270f4ec0094d","vulnId":"V-223648","severity":"medium","ruleTitle":"All digital certificates in use must have a valid path to a trusted certification authority (CA).","description":"The origin of a certificate, or the CA, is crucial in determining if the certificate should be trusted. An approved CA establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.\n\nSatisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182","checkContent":"From the ISPF Command Shell enter:\nRACDCERT CERT AUTH\n\nIf no certificate information is found, this is not a finding.\n\nNOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check.\n\nIf the digital certificate information indicates that the issuer's distinguished name leads to one of the following, this is not a finding:\na) A DOD PKI Root Certification Authority\nb) An External Root Certification Authority (ECA)\nc) An approved External Partner PKI's Root Certification Authority\n\nThe DOD Cyber Exchange website contains information as to which certificates maybe acceptable (https://public.cyber.mil/pki-pke/interoperability/ or https://cyber.mil/pki-pke/interoperability/).\n\nExamples of an acceptable DOD CA are:\nDOD PKI Class 3 Root CA\nDOD PKI Med Root CA","fixText":"Remove and/or replace certificates with a status of TRUST whose issuer's distinguished name does not lead to a DOD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI's Root Certification Authority.\n\nReference the DOD Cyber Exchange website for complete information as to which certificates may be acceptable (https://public.cyber.mil/pki-pke/interoperability/ or https://cyber.mil/pki-pke/interoperability/)."},{"id":"aeb41dab-5a9a-4c0b-87cc-8d09ecba1f9d","vulnId":"V-223649","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.","description":"This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Execute a dataset access list for SYS1.NUCLEUS.\n\nIf all of the Following are untrue, this is not a finding.\n\nIf any of the following is true, this is a finding.\n\n-The ACP data set rules for SYS1.NUCLEUS do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS.\n\nConfigure the WRITE or greater access to SYS1.NUCLEUS to be limited to system programmers only and all WRITE or greater access is logged."},{"id":"bbbedc33-2a75-40de-b889-e75ad497aaaa","vulnId":"V-223650","severity":"low","ruleTitle":"IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.","description":"Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries however, to determine program entries issue the following command from an ISPF command line:\nTSO ISRDDN LOAD IEFSDPPT\nPress Enter.\n\nFor each module identified in the \"eyecatcher\" if all of the following are untrue, this is not a finding.\n\nIf any of the following is true, this is a finding.\n\n-The ACP data set rules for libraries that contain PPT modules do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ACP data set rules for libraries that contain PPT modules do not specify that all WRITE or greater access will be logged.","fixText":"Configure the WRITE or greater access to libraries containing PPT modules to be limited to system programmers only and all WRITE or greater access is logged."},{"id":"465a038d-20e2-4791-b45c-b44059fbcb96","vulnId":"V-223652","severity":"medium","ruleTitle":"IBM RACF emergency USERIDs must be properly defined.","description":"$24","checkContent":"$25","fixText":"$26"},{"id":"461bb863-4bc5-4ba6-b9a8-eade7ea55573","vulnId":"V-223653","severity":"medium","ruleTitle":"IBM RACF SETROPTS LOGOPTIONS must be properly configured.","description":"$27","checkContent":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nVerify that the following LOGOPTIONS are specified:\nLOGOPTIONS \"FAILURES\" CLASSES = \nLOGOPTIONS \"NEVER\" CLASSES = NONE\n\nThe other LOGOPTIONS may be site determined.\n\nIf the LOGOPTIONS are not set as described above, this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nEnsure that the following LOGOPTIONS are specified:\nLOGOPTIONS \"FAILURES\" CLASSES = \nLOGOPTIONS \"NEVER\" CLASSES = NONE\n\nThe other LOGOPTIONS may be site determined."},{"id":"cec49f21-a1ea-4052-a6d5-74052acd0884","vulnId":"V-223654","severity":"medium","ruleTitle":"IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"Execute a resource access list for the IEAABD. resources.\n\nIf the IEAABD. resource and/or generic equivalent is defined with no access and all access logged, this is not a finding.\n\nIf the IEAABD.DMPAUTH. resource and/or generic equivalent is defined with READ access limited to authorized users, this is not a finding.\n\nIf the IEAABD.DMPAUTH. resource and/or generic equivalent WRITE or greater access is restricted to only systems personnel and all access is logged, this is not a finding.\n\nIf the IEAABD.DMPAKEY resource and/or generic equivalent is defined and all access is restricted to systems personnel and that all access is logged, this is not a finding.","fixText":"$28"},{"id":"a7c1aee2-12fd-47cb-875e-e191e9764855","vulnId":"V-223655","severity":"medium","ruleTitle":"IBM z/OS system commands must be properly protected.","description":"z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.","checkContent":"From the ISPF Command Shell enter:\nRList OPERCMDS *\n\nIf the MVS.** resource is defined to the OPERCMDS class with an access of NONE and all (i.e., failures and successes) access logged, this is not a finding.\n\nIf the access to z/OS system commands defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) as determined in the Documented site Security Plan, this is not a finding.\n\nNote: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all.\n\nIf all access (i.e., failures and successes) to specific z/OS system commands is logged as indicated in the table entitled MVS commands, RACF access authorities, and resource names, in the z/OS MVS System Commands, this is not a finding.","fixText":"$29"},{"id":"d3fa39f0-02ac-49a1-b216-b5fc107ee617","vulnId":"V-223656","severity":"medium","ruleTitle":"IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.","description":"MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.","checkContent":"If the CONSOLE privilege is not defined to the TSOAUTH resource class, this is not a finding.\n\nAt the discretion of the site, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, review the following items for users granted the CONSOLE resource in the TSOAUTH resource class:\n\nIf Userids are restricted to the INFO level on the AUTH parameter specified in the OPERPARM segment of their userid, this is not a finding.\n\nIf Userids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class, this is not a finding.\n\nIf Userids and/or group IDs are restricted to READ access to the CONSOLE resource defined in the TSOAUTH resource class, this is not a finding.","fixText":"Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. \nEnsure the following items are in effect for all MCS consoles:\n\nDefine a profile protecting the use of the CONSOLE command within TSO. A sample command to accomplish this is shown here: RDEF TSOAUTH CONSOLE UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) \n\nPermit only authorized users. A sample command to accomplish this is shown here: PE CONSOLE CL(TSOAUTH) ID()\n\nSet up the OPERPARM segment in corresponding user-class entry. A sample command to accomplish this is shown here: ALU OPERPARM(AUTH(INFO))\n\nUserids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class. A sample command to accomplish this is shown here using the GLOBAL class: \nRDEF GLOBAL OPERCMDS ADDMEM(MVS.MCSOPER.&RACUID/READ) OWNER(ADMIN)"},{"id":"053c085b-ef1a-4fc6-8115-9a07b1475550","vulnId":"V-223657","severity":"medium","ruleTitle":"The IBM RACF FACILITY resource class must be active.","description":"IBM Provides the FACILITY Class for use in protecting a variety of features/functions/products both IBM and third-party. The FACILITY Class is not dedicated to any one specific use and is intended as a multi-purpose RACF Class. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.","checkContent":"The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nFrom the ISPF Command Shell enter:\nSETRopts List\n\nIf the FACILITY resource class is active, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe FACILITY Class is activated with the command SETR CLASSACT(FACILITY).\n\nGeneric profiles and commands should also be enabled with the command SETR GENERIC(FACILITY) GENCMD(FACILITY).\n\nIBM recommends RACLISTing the FACILITY Class which is accomplished with the command SETR RACL(FACILITY)."},{"id":"ed50af84-7582-446e-80c5-b278b5717032","vulnId":"V-223658","severity":"medium","ruleTitle":"The IBM RACF OPERCMDS resource class must be active.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nFrom the ISPF Command Shell enter:\nSETRopts List\n\nIf the OPERCMDS resource class is active, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe OPERCMDS Class is activated with the command SETR CLASSACT(OPERCMDS).\n\nGeneric profiles and commands should also be enabled with the command SETR GENERIC(OPERCMDS) GENCMD(OPERCMDS).\n\nIBM recommends RACLISTing the OPERCMDSClass which is accomplished with the command SETR RACL(OPERCMDS)."},{"id":"389e816c-c238-4d95-85d2-e5de038f20ad","vulnId":"V-223659","severity":"medium","ruleTitle":"The IBM RACF MCS consoles resource class must be active.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nFrom the ISPF Command Shell enter:\nSETRopts List\n\nIf the CONSOLE resource class is active, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe CONSOLE Class is activated with the command SETR CLASSACT(CONSOLE).\n\nGeneric profiles and commands should also be enabled with the command SETR GENERIC(CONSOLE) GENCMD(CONSOLE).\n\nIBM recommends RACLISTing the CONSOLE Class which is accomplished with the command SETR RACL(CONSOLE)."},{"id":"1c4ae301-66e0-4775-b74f-7a1b1fcc906e","vulnId":"V-223660","severity":"medium","ruleTitle":"IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nFrom the ISPF Command Shell enter:\nSETRopts List\n\nIf the TEMPDSN resource class is ACTIVE, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe TEMPDSN Class is activated with the command SETR CLASSACT(TEMPDSN).\n\nGeneric profiles and commands should also be enabled with the command SETR GENERIC(TEMPDSN) GENCMD(TEMPDSN).\n\nIBM recommends RACLISTing the TEMPDSN Class which is accomplished with the command SETR RACL(TEMPDSN)."},{"id":"db385ab1-7452-4994-a0e8-304e578d6fa5","vulnId":"V-223661","severity":"medium","ruleTitle":"IBM RACF started tasks defined with the trusted attribute must be justified.","description":"Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks which could then obtain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.","checkContent":"$2a","fixText":"$2b"},{"id":"e9e9cdbe-8a6b-4073-abb0-638e9d08c527","vulnId":"V-223662","severity":"medium","ruleTitle":"IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF Command Shell enter:\nRLIST FACILITY ICHBLP AUTHUSER\n\nIf access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.), this is not a finding.\n\nIf no tape management system (e.g., CA-1) is installed the following:\nFrom the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the TAPEVOL class is active, this is not a finding.","fixText":"Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.\n\nBLP is controlled thru the FACILITY class profile ICHBLP. Access is removed with the following command:\nPE ICHBLP CL(FACILITY) id() DELETE\na subsequent REFRESH of the FACILITY class may be required via the command: SETR RACL(FACILITY) REFRESH"},{"id":"4d26ca00-b0dc-4466-89fc-777d68c6862c","vulnId":"V-223663","severity":"medium","ruleTitle":"IBM RACF DASD volume-level protection must be properly defined.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF Command Shell enter:\nRLIST DASDVOL AUTHUSER\n\nIf a profile of \"**\" is defined for the \"DASDVOL\" resource class, this is not finding.\n\nIf access authorization to \"DASDVOL\" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers, this is not a finding.\n\nIf all (i.e., failures and successes) access is logged, this is not a finding.","fixText":"Develop a plan of action to implement the required changed.\n\nDefine profiles in the \"DASDVOL\" class. A sample command is provided here: \nRDEF DASDVOL ** UACC(NONE) OWNER() AUDIT(ALL(READ)).\n\nMore specific \"DASDVOL\" profiles should be defined to protect groups of \"DASDVOLs\". A sample command to create a profile protecting all DASDVOLs beginning with \"SYS\" is provided here: \nRDEF DASDVOL SYS* UACC(NONE) OWNER() AUDIT(ALL(READ)).\n\nPermission can be granted to \"DASDVOL\" profiles. A sample command is provided here: \nPE SYS* CLASS(DASDVOL) ID() ACCESS(ALTER)\n\nIf any profiles are in \"WARN\" mode, they should be reset. A sample command is provided here: \nRALT DASDVOL NOWARN.\n\nNote that the \"GDASDVOL\" class can also be used. See the RACF Security Admin Guide for more information."},{"id":"1ae2e64a-5565-4724-a24b-931a258303e4","vulnId":"V-223664","severity":"medium","ruleTitle":"IBM Sensitive Utility Controls must be properly defined and protected.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"If the RACF resource access authorizations for the following sensitive utilities restrict access to the appropriate personnel according to the site security plan, this is not a finding.\n\nIf all access for these sensitive utilities is audited, this is not a finding.\n\nSensitive Utility Controls\nProgram Product Function \nAHLGTF z/OS System Activity Tracing \nHHLGTF\nIHLGTF \n\nICPIOCP z/OS System Configuration \nIOPIOCP\nIXPIOCP\nIYPIOCP\nIZPIOCP \n\nBLSROPTR z/OS Data Management \n\nDEBE OS/DEBE Data Management \n\nDITTO OS/DITTO Data Management \n\nFDRZAPOP FDR Product Internal Modification \n\nGIMSMP SMP/E Change Management Product \n\nICKDSF z/OS DASD Management \n\nIDCSC01 z/OS IDCAMS Set Cache Module \n\nIEHINITT z/OS Tape Management \n\nIFASMFDP z/OS SMF Data Dump Utility \n\nIND$FILE z/OS PC to Mainframe File Transfer\n(Applicable only for classified systems) \n\nCSQJU003 IBM WebSphereMQ\nCSQJU004\nCSQUCVX\nCSQ1LOGP\nCSQUTIL \n\nWHOIS z/OS Share MOD to identify user name from USERID. \nRestricted to data center personnel only.","fixText":"$2c"},{"id":"eed4b10b-13e9-4c66-863e-c225450e7754","vulnId":"V-223665","severity":"medium","ruleTitle":"IBM RACF Global Access Checking must be restricted to appropriate classes and resources.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"$2d","fixText":"Configure Global Access Checking to be appropriately administered.\n\nNote: Special consideration should be followed as indicated in z/OS Security Server RACF Security Administrator's Guide.\n\nEvaluate the impact associated with implementation of the control option. Develop approval documentation and a plan of action to implement the control option as specified in the example below: \n\nRALT GLOBAL class-name\nADDMEM (resourcename)/accesslevel)"},{"id":"17402e42-8cad-4fa1-b1ca-b52d81c7cb8b","vulnId":"V-223666","severity":"high","ruleTitle":"IBM RACF access to the System Master Catalog must be properly protected.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"Refer to SYSCATxx member of SYS1.NUCLEUS.\n\nMultiple SYSCATxx members may be defined. If so, refer to Master Catalog message for IPL.\n\nIf the member is not found, refer to the appropriate LOADxx member of SYS1.PARMLIB.\n\nIf data set rules for the Master Catalog do not restrict greater than \"READ\" access to only z/OS systems programming personnel, this is a finding.\n\nIf Products or procedures requiring system programmer access for system-level maintenance meet the following specific case, this is not a finding:\n- The batch job or procedure must be documented in the SITE Security Plan. \n- Reside in a data set that is restricted to systems programmers' access only. \n\nIf dataset rules for the Master Catalog do not specify that all (i.e., failures and successes) greater than \"READ\" access will be logged, this is a finding.","fixText":"Review access authorization to critical system files.\n\nEvaluate the impact of correcting the deficiency.\n\nDevelop a plan of action and implement the changes as required to protect the MASTER CATALOG.\n\nConfigure the ESM rules for system catalog to only allow access above \"READ\" to systems programmers and those authorized by the ISSM/ISSO.\n\nConfigure ESM rules for the master catalog to allow access above \"READ\" to systems programmers ONLY.\n\nConfigure ESM rules for the master catalog to allow any products or procedures system programmer access for system-level maintenance that meets the following specific case:\n- The batch job or procedure must be documented in the SITE Security Plan. \n- Reside in a data set that is restricted to systems programmers' access only.\n\nAll greater than read access must be logged."},{"id":"c451a3eb-8e20-4284-a9ba-29102d2f6137","vulnId":"V-223667","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"The ESM data set rules for SYS1.UADS restrict WRITE or Greater access to only z/OS systems programming personnel.\n\nThe ESM data set rules for SYS1.UADS restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel.\n\nThe ESM data set rules for SYS1.UADS restrict READ access to auditors as documented in Security Plan.\n\nThe ESM data set rules for SYS1.UADS specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged.\n\nIf all of the above are untrue, this is not a finding.\n\nIf any of the above is true, this is a finding.","fixText":"Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS.\nSYS1.UADS WRITE or Greater authority is limited to the systems programming staff. \nREAD and/or UPDATE access should be limited to the security staff.\nREAD access is limited to Auditors when included in the site security plan.\nConfigure allocate access to SYS1.UADS to be limited to system programmers only, Read and Update access to SYS1.UADS to be limited to system programmer personnel and/or security personnel, and all dataset access is logged."},{"id":"babe6ccb-3f38-4186-b052-f812b59ea07c","vulnId":"V-223668","severity":"high","ruleTitle":"IBM z/OS must protect dynamic lists in accordance with proper security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"$2e","fixText":"$2f"},{"id":"44c2c71a-2ebe-47ea-836d-61c10a34abb6","vulnId":"V-223669","severity":"medium","ruleTitle":"IBM RACF allocate access to system user catalogs must be properly protected.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"From the ISPF Command Shell enter:\nLISTCat USERCATALOG ALL NOPREFIX\n\nReview the ESM data set rules for each usercatalog defined.\n\nIf the data set rules for User Catalogs do not restrict ALTER access to only z/OS systems programming personnel, this is a finding.\n\nIf Products or procedures requiring system programmer access for system-level maintenance meets the following specific case, this is not a finding:\n- The batch job or procedure must be documented in the SITE Security Plan. \n- Reside in a data set that is restricted to systems programmers' access only. \n\nIf the data set rules for User Catalogs do not specify that all (i.e., failures and successes) ALTER access will be logged, this a finding.\n\nNote: If the USER CATALOGS contain SMS managed data sets READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed data sets UPDATE access is required for user operation.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect USER CATALOGS.\n\nConfigure ESM rules for allocate access to USER CATALOGS, limited to system programmers only, and all allocate access is logged.\n\nConfigure ESM rules for the USER CATALOGS to allow any products or procedures system programmer access for system-level maintenance that meets the following specific case:\n- The batch job or procedure must be documented in the SITE Security Plan. \n- Reside in a data set that is restricted to systems programmers' access only. \n\nNote: If the USER CATALOGS contain SMS managed data sets READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed data sets UPDATE access is required for user operation."},{"id":"83437393-032f-43f6-9c47-abd735826025","vulnId":"V-223670","severity":"medium","ruleTitle":"IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"Collect from the storage management group the identification of the DASD backup files and all associated storage management userids.\n\nIf ESM data set rules for system DASD backup files do not restrict WRITE or greater access to z/OS systems programming and/or batch jobs that perform DASD backups, this is a finding.\n\nIf READ Access to system backup data sets is not limited to auditors and others approved by the ISSM, this is a finding.","fixText":"Obtain the high level indexes to backup data sets names define their access to be restricted by the System's ESM to System Programmers and batch jobs that perform the backups. Define READ Access to system backup data sets to be limited to auditors and others approved by the ISSM."},{"id":"4dd93f6f-ba84-4754-b7f6-284da17ac268","vulnId":"V-223671","severity":"medium","ruleTitle":"IBM RACF must limit access to SYS(x).TRACE to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"Execute a dataset list of access for SYS(x).TRACE files.\n\nIf the ESM data set rule for SYS1.TRACE restricts access to systems programming personnel and started tasks that perform GTF processing, this is not a finding.\n\nIf the ESM data set rule for SYS1.TRACE restricts access to others as documented and approved by ISSM, this is not a finding.","fixText":"Configure the ESM access to SYS1.TRACE to be limited to system programmers or started tasks that perform GTF processing.\nOther user access can be granted as documented and approved by the ISSM."},{"id":"40fc33f1-0ac6-4668-b72b-7876d3d2c143","vulnId":"V-223672","severity":"medium","ruleTitle":"IBM RACF batch jobs must be properly secured.","description":"Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000326-GPOS-00126","checkContent":"Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. Determine any other scheduled batch jobs on the system.\n\nFrom an ISPF Command Shell enter:\nRLIST SURROGAT *\n\nIf each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile, this is not a finding.\n\nFrom an ISPF Command Shell enter:\nRLIST SURROGAT ALL\n\nIf the Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles, this is not a finding.","fixText":"Configure each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example:\n\nRDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE)\nOWNER(execution-userid)\n\nConfigure Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example:\n\nPERMIT execution-userid.SUBMIT CLASS(SURROGAT)\nID(surrogate-userid) ACCESS(READ)"},{"id":"f7fa6067-4bf0-4f5c-9e82-b654852434a5","vulnId":"V-223673","severity":"medium","ruleTitle":"IBM RACF batch jobs must be protected with propagation control.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000326-GPOS-00126","checkContent":"$30","fixText":"Add a PROPCNTL profile for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) or a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.). \n\nA sample command is shown here:\nRDEF PROPCNTL controlm UACC(NONE) OWNER(ADMIN)"},{"id":"f26d50e7-4c4f-4ffa-9c1b-c0a9e0c0d1e7","vulnId":"V-223674","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100","checkContent":"Execute a dataset list of access for SYS1.IMAGELIB.\n\nIf the following guidance is true, this is not a finding.\n\n-The ACP data set rules for SYS1.IMAGELIB do not restrict WRITER or greater access to only systems programming personnel.\n-The ACP data set rules for SYS1.IMAGELIB do not specify that all (i.e., failures and successes) WRITER or greater access will be logged.","fixText":"Configure UPDATE and/or ALLOCATE access to SYS1.IMAGELIB to be limited to system programmers only and all WRITE or greater access is logged.\n\nReview access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect SYS1.IMAGELIB.\n\nSYS1.IMAGELIB is automatically APF-authorized. This data set contains modules, images, tables, and character sets which are essential to system print services."},{"id":"b3cc4ca1-9877-4894-b384-1c9b4b16e5db","vulnId":"V-223675","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Execute a dataset list of access for SYS1.SVCLIB.\n\nIf all of the following are true, this is not a finding.\n\nIf any of the following are untrue, this is a finding.\n\n-ESM data set rules for SYS1.SVCLIB restrict WRITE or greater access to only z/OS systems programming personnel.\n-ESM data set rules for SYS1.SVCLIB specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Configure Write or greater access to SYS1.SVCLIB to be limited to system programmers only and all WRITE or greater access is logged and reviewed. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes for SYS1.SVCLIB. SYS1.SVCLIB contains SVCs and I/O appendages as such: they are very powerful and will be strictly controlled to avoid compromising system integrity."},{"id":"07ce2e2c-c324-41be-a62a-465c9f839937","vulnId":"V-223676","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Execute a dataset list of access for SYS1.LPALIB.\n\nIf any of the following is true, this is a finding.\n\n-The ESM data set rules for SYS1.LPALIB do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ESM data set rules for SYS1.LPALIB do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.LPALIB. \n\nConfigure WRITE or greater access to SYS1.LPALIB to be limited to system programmers only and all WRITE or greater access is logged."},{"id":"3cfcb13e-cd4c-4cba-b543-5962011067d6","vulnId":"V-223677","severity":"high","ruleTitle":"IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.","description":"Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Refer to AXRxx member of PARMLIB, for each REXXLIB ADD statement: \n\nIf the ESM data set rules for libraries in the REXXLIB concatenation restrict WRITE or greater access to only z/OS systems programming personnel, this is not a finding.\n\nIf ESM dataset rules for libraries in the REXXLIB concatenation restrict GLOBAL read access, this is not a finding.\n\nIf ESM data set rules for libraries in the REXXLIB concatenating restrict WRITE or Greater access to z/OS system Programmers, this is not a finding.\n\nIf the ESM data set rules for libraries in the REXXLIB concatenation restrict READ access to the following, this is not a finding.\n\n-Appropriate Started Tasks\n-Auditors\n-User-id defined in PARMLIB member AXR00 AXRUSER(user-id)\n\nIf the ESM data set rules for libraries in the REXXLIB concatenation specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is not a finding.","fixText":"Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. \n\nConfigure ESM dataset rules to limit WRITE or greater access to libraries included in the system REXXLIB concatenation to system programmers only.\n\nConfigure ESM dataset rules allow READ access to only appropriate Started Tasks and Auditors.\n\nConfigure ESM dataset rules to log UPDATE and/or ALTER access (i.e., successes and failures)."},{"id":"52fb2a19-c004-4dbf-9ff4-8c8cf037e73a","vulnId":"V-223678","severity":"high","ruleTitle":"IBM RACF must limit write or greater access to all LPA libraries to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"From Any ISPF input line, enter:\nTSO ISRDDN LPA. \n\nIf any of the following is true, this is a finding.\n\n-The ACP data set rules for LPA libraries do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ACP data set rules for LPA libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect LPA Libraries.\n\nConfigure the WRITE or greater access to all LPA libraries to be limited to system programmers only and all WRITE or greater access is logged."},{"id":"a52c5f76-7b50-4df4-adb7-61b78f6421ef","vulnId":"V-223679","severity":"high","ruleTitle":"IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Examine the system for active exit modules. The system administrator may have to help for this. Third-party software products can determine standard and dynamic exits loaded in the system.\n\nIf all the exits are found within APF, LPA, and LINKLIST, this is Not Applicable.\n\nIf ESM data set rules for libraries that contain system exit modules restrict WRITE or greater access to only z/OS systems programming personnel, this is not a finding.\n\nIf the ESM data set rules for libraries that contain exit modules specify that all WRITE or greater access will be logged, this is not a finding.","fixText":"Using the ESM, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. Confirm that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed. \n\nConfigure ESM Dataset rules for all WRITE or greater access to libraries containing z/OS and other system-level exits will be logged using the ACP's facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system-level exits."},{"id":"1d448c7a-5979-4af3-8b80-8c161cc44d6c","vulnId":"V-223680","severity":"medium","ruleTitle":"IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Have the systems programmer for z/OS supply the following information:\n\nThe data set name and associated SREL for each SMP/E CSI utilized to maintain this system.\nThe data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.\n\nIf the ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel this is a finding.\n\nIf any of these data sets cannot be identified due to a lack of requested information, this is a finding.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries.\n\nConfigure allocate access to all system-level product execution libraries to be limited to system programmers only."},{"id":"e1d17a93-16d4-496d-a5ac-23cbabaa3d85","vulnId":"V-223681","severity":"medium","ruleTitle":"IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"Ask the system administrator and/or DASD administrator to determine the System Dump data sets. \n\nRefer to data sets SYS1.DUMPxx, additionally, Dump data sets can be identified by reviewing the logical parmlib concatenation data sets for the current COMMNDxx member. Find the COM= which specifies the DUMPDS NAME (DD NAME=name-pattern) entry. The name-pattern is used to identify additional Dump data sets.\n\nIf ESM data set rules for System Dump data sets do not restrict READ, UPDATE, and/or ALTER access to only systems programming personnel, this is a finding.\n\nIf ESM data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these dump data, this is a finding.","fixText":"Configure data set rules for access to SYSTEM DUMP data set(s) to be limited to system programmers only, unless a letter justifying access is filed with the ISSO in the site security plan.\n\nEvaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets."},{"id":"05547f1b-868d-4333-8874-4abb8696a411","vulnId":"V-223682","severity":"high","ruleTitle":"IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.","description":"$31","checkContent":"From Any ISPF input line, enter TSO ISRDDN APF. \n\nIf all of the following are untrue, this is not a finding.\n\nIf any of the following are true, this is a finding.\n\n-The ACP data set rules for APF libraries do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. \n\nConfigure, WRITE, or greater access to all APF-authorized libraries to be limited to system programmers only and all WRITE or greater access is logged."},{"id":"6a99ec7a-aa4a-49f5-9221-88f03b06fe33","vulnId":"V-223683","severity":"medium","ruleTitle":"IBM RACF access to SYS1.LINKLIB must be properly protected.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125, SRG-OS-000362-GPOS-00149","checkContent":"Execute a dataset list of access to SYS1.LINKLIB.\n\nIf the ESM data set rules for SYS1.LINKLIB allow inappropriate (e.g., global READ) access, this is a finding.\n\nIf data set rules for SYS1.LINKLIB do not restrict READ, UPDATE, and ALTER access to only systems programming personnel, this is a finding.\n\nIf data set rules for SYS1.LINKLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding.\n\nIf data set rules for SYS1.LINKLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding.\n\nIf data set rules for SYS1.LINKLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged, this is a finding.","fixText":"Configure the ESM rules for SYS1.LINKLIB to limit access to system programmers only and all update and allocate access is logged."},{"id":"9845b0f9-cc8f-4723-8132-32d7dd5be763","vulnId":"V-223684","severity":"high","ruleTitle":"The IBM RACF System REXX IRRPWREX security data set must be properly protected.","description":"$32","checkContent":"Refer to the zOS system REXXLIB concatenation found in SYS1. PARMLIB (AXR) for the data set that contains the REXX for Password exit named IRRPWREX and the defined AXRUSER.\n\nIf the following guidance is true, this is not a finding.\n\n-RACF data set access authorizations restrict READ to AXRUSER, z/OS systems programming personnel, security personnel, and auditors.\n-RACF data set access authorizations restrict UPDATE to security personnel using a documented change management procedure to provide a mechanism for access and revoking of access after use.\n-All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, and CONTROL) is logged.\n-RACF data set access authorizations specify UACC(NONE) and NOWARNING.","fixText":"Configure read access to be restricted to security administrators, systems programmers, and auditors.\n\nEstablish a procedure documented with the ISSM that defines a change management process to provide mechanism for granting Update access to security administrators on an exception basis. The process should contain procedures to revoke access when documented update is completed.\n\nConfigure all failures and successes data set access authorities for RACF data set that contains the Password exit to be logged.\n\nExamples:\nad 'sys3.racf.rexxlib.**' uacc(none) owner(sys3) -\naudit(all(read)) \nPermit 'sys3.racf.rexxlib.**' id( AXRUSER) acc(r)\nPermit 'sys3.racf.rexxlib.**' id() acc(u)"},{"id":"246e63b5-3e7d-4e7b-abf1-c68971527eb8","vulnId":"V-223685","severity":"high","ruleTitle":"IBM RACF security data sets and/or databases must be properly protected.","description":"The External Security Manager (ESM) database files contain all access control information for the operating system environment and system resources. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000134-GPOS-00068, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"If the following accesses to the ESM security data sets and/or databases are properly restricted as detailed below, this is not a finding.\n\n-The ESM data set rules for ESM security data sets and/or databases restrict READ access to auditors and DASD batch.\n-The ESM data set rules for ESM security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ESM maintenance.\n\nAll (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) for ESM security data sets and/or databases are logged.","fixText":"Review access authorization to critical security database files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect the ESM files.\n\nConfigure READ and/or greater access to all ESM files and/or databases are limited to system programmers and/or security personnel, and/or batch jobs that perform ESM maintenance. READ access can be given to auditors and DASD batch. All accesses to ESM files and/or databases are logged."},{"id":"f6d393d4-1a46-48c7-a227-c25ef12c7dd1","vulnId":"V-223686","severity":"medium","ruleTitle":"IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000206-GPOS-00084, SRG-OS-000324-GPOS-00125","checkContent":"Obtain the procedures and collection specifics for SMF datasets and backup.\n\nIf the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding.\n\nIf the ESM dataset rules for the SMF dump/backup files do not restrict update access as documented in the site security plan, this is a finding.\n\nIf the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding.\n\nIf the ESM data set rules for SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater will be logged, this is a finding.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect datasets used to backup and/or dump SMF collection files.\n\nConfigure data set rules for the SMF dump/backup files to restrict WRITE or greater access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing).\n\nConfigure data set rules for the SMF dump/backup files to restrict UPDATE access to others approved the ISSM.\n\nConfigure data set rules for the SMF dump/backup files to restrict READ access to authorized auditors and others approved by the ISSM.\n\nEnsure that all WRITE or greater access authority to SMF history files will be logged using the ESM's facilities."},{"id":"de734836-62a0-45b3-ae79-7911843a2802","vulnId":"V-223687","severity":"high","ruleTitle":"IBM RACF must limit all system PROCLIB data sets to system programmers only.","description":"$33","checkContent":"Refer to the following for the PROCLIB data sets that contain the STCs and TSO logons from the following sources:\n\n- MSTJCLxx member used during an IPL. The PROCLIB data sets are obtained from the IEFPDSI and IEFJOBS DD statements.\n\n- PROCxx DD statements and JES2 Dynamic PROCLIBs where 'xx' is the PROCLIB entries for the STC and TSU JOBCLASS configuration definitions. \n\nVerify the accesses to the above PROCLIB data sets are properly restricted. \n\nIf the following guidance is true, this is not a finding.\n\nIf the ESM data set access authorizations restrict READ access to all authorized users, this is not a finding.\n\nIf the ESM data set access authorizations restrict WRITE and/or greater access to systems programming personnel, this is not a finding.","fixText":"$34"},{"id":"7c302356-8f47-42f3-bff8-74c4d8f008f4","vulnId":"V-223688","severity":"medium","ruleTitle":"IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"Execute a dataset list of access for System page data sets (i.e., PLPA, COMMON, and LOCALx).\n\nIf ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict access to only systems programming personnel, this is not a finding.\n\nIf ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict auditors to READ only, this is not a finding.","fixText":"Configure the ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) to restrict access to only systems programming personnel.\nAuditors may be allowed READ Access as approved by the ISSM."},{"id":"c94a1142-1c83-4738-a8b9-53eb482e7577","vulnId":"V-223689","severity":"medium","ruleTitle":"IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.","description":"MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.\n\nPreventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nPrivileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000324-GPOS-00125","checkContent":"Verify the CONSOLxx member of SYS1.PARMLIB.console is defined to RACF with a corresponding profile in the CONSOLE resource class.\n\nIf each console is defined to RACF with a corresponding profile in the CONSOLE resource class, this is not a finding.\n\nIf the userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding.\n\nIf access authorization for CONSOLE resources restricts READ access to operations and system programming personnel or authorized personnel, this is not a finding.","fixText":"$35"},{"id":"e728b768-fcd1-4d1d-89fa-7a909a58abf3","vulnId":"V-223690","severity":"medium","ruleTitle":"IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"The ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict WRITE or greater access to only z/OS systems programming personnel.\n\nThe ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access not documented and approved by ISSO.\n\nIf both of the above are untrue, this is not a finding.\n\nIf either of the above is true, this is a finding.","fixText":"Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System datasets (spool, checkpoint, and parmlib datasets).\n\nConfigure WRITE or greater access to JES2 System datasets (spool, checkpoint, and parmlib datasets) to be limited to system programmers only. \n\nAccess other than this should be documented and approved by the ISSO (for example, all SYS1.HASP* data sets)."},{"id":"a9c08aae-3dfb-4fc5-baf1-a758a16c161b","vulnId":"V-223691","severity":"medium","ruleTitle":"The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.","description":"Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.","checkContent":"From the ISPF Command Shell enter: \nSearch all Class(Facility) MASK(ieasymup)\n\nFor each entity found enter: \nRL facility \n\nIf RACF resources are defined with a default access of NONE, this is not a finding.\n\nIf RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding.\n\nIf RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.","fixText":"Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed.\n\nLimit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access.\n\nThe following commands are provided as a sample for implementing resource controls:\n\nrdef facility ieasymup.* uacc(none) owner(admin) -\naudit(all(read)) -\ndata('protected per acp00350')\nrdef facility ieasymup.symbolname uacc(none) owner(admin) -\naudit(all(read)) -\ndata('protected per acp00350')\n\npe ieasymup.symbolname cl(facility) id( CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.\" where is either \"1\" or \"2\", this is not a finding.\n\nIf the PASSWORD(REVOKE) value is not enabled and is not set to either \"1\" or \"2\", this is a finding.","fixText":"Ensure that PASSWORD(REVOKE) SETROPTS value is set to \"1\" or \"2\". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If REVOKE is specified, ensure INITSTATS are in effect.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE. \n\nSet the password REVOKE to \"2\" invalid attempts activated with the command SETR PASSWORD(REVOKE(2))."},{"id":"0dadfcff-d035-46c9-b2b2-ff589e27efcd","vulnId":"V-223697","severity":"high","ruleTitle":"IBM z/OS SYS1.PARMLIB must be properly protected.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nSYS1.PARMLIB contains the parameters that control audit configuration. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000063-GPOS-00032, SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125, SRG-OS-000337-GPOS-00129, SRG-OS-000362-GPOS-00149","checkContent":"Execute a dataset list of access to SYS1.PARMLIB.\n\nIf the ESM data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access, this is a finding.\n\nIf data set rules for SYS1.PARMLIB do not restrict READ, WRITE or greater access to only systems programming personnel, this is a finding.\n\nIf data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding.\n\nIf data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding.\n\nIf data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged, this is a finding.","fixText":"Configure access rules for SYS1.PARMLIB as follows:\n\nSystems programming personnel will be authorized to WRITE or greater the SYS1.PARMLIB concatenation.\n\nDomain level security administrators can be authorized to update the SYS1.PARMLIB concatenation.\n\nSystem Level Started Tasks, authorized Data Center personnel, and auditor can be authorized read access by the information system security officer (ISSO).\n\nAll WRITE or greater access is logged."},{"id":"073104db-3ddf-4458-a6b3-6f90ac475a22","vulnId":"V-223699","severity":"medium","ruleTitle":"The IBM RACF SETROPTS SAUDIT value must be specified.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the SAUDIT value is listed as one of the ATTRIBUTES, this is not a finding.\n\nIf the NOSAUDIT value is listed as one of the ATTRIBUTES, this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nNote: that in order to set or list the SAUDIT value, the RACF AUDITOR attribute is required. Reference the documentation for the SETROPTS command in the RACF Command Language Reference. \n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for SAUDIT. \n\nSAUDIT is activated and set to the required value by issuing the command SETR SAUDIT."},{"id":"cc1b06c6-238a-42c9-82e7-71c06d6a1bd4","vulnId":"V-223700","severity":"medium","ruleTitle":"The IBM RACF REALDSN SETROPTS value must be specified.","description":"Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.","checkContent":"From the ISPF Command Shell enter:\nSETRopts list\n\nIf the REALDSN is enabled then the message \"REAL DATA SET NAMES OPTION IS ACTIVE\" will be displayed, this is not a finding.\n\nIf the message \"REAL DATA SET NAMES OPTION IS INACTIVE\" is displayed, this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Configure control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for the REALDSN Option. \n\nREALDSN is ACTIVATED by issuing the command SETR REALDSN."},{"id":"0c9dfe24-c2dc-46c1-8f27-89f08be715ad","vulnId":"V-223701","severity":"medium","ruleTitle":"IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.","description":"SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ESM, and customer data.\n\nUnauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000256-GPOS-00097, CCI-001494, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000080-GPOS-00048, SRG-OS-000206-GPOS-00084, SRG-OS-000324-GPOS-00125","checkContent":"Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream dataset name.\n\nIf the following statements are true, this is not a finding.\n\nThe ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALTER or greater access to only z/OS systems programming personnel.\n\nThe ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE or greater access to z/OS systems programming staff and/or batch jobs that perform SMF dump processing and others approved by the ISSM.\n\nThe ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM.\n\nThe ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER accesses are logged.","fixText":"Configure ALTER access to SMF collection files to be limited to only z/OS systems programming staff. \n\nConfigure UPDATE or greater access to z/OS system programming staff /or batch jobs that perform SMF dump processing. Access can be granted to others as determined by the ISSM.\n\nConfigure READ access to be limited to auditors. READ access may be granted to others as determined by the ISSM.\n\nAccess to other users specified must be documented in a security plan.\n\nEnsure the accesses are being logged."},{"id":"317fc263-3029-4f19-83c4-e12471a92cae","vulnId":"V-223702","severity":"medium","ruleTitle":"IBM RACF SETROPTS RVARYPW values must be properly set.","description":"Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the operating system can have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to operating system components for the purposes of initiating changes, including upgrades and modifications.\n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","checkContent":"From the ISPF Command Shell enter:\n\nSETROPTS LIST\n\nIf the \"INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT\" message for both the SWITCH and STATUS functions, this is not a finding.","fixText":"Configure RACF ensure that the RVARYPW passwords are specified and conform to password requirements documented in RACF0460. The ISSO will evaluate the impact associated with implementation of the control option and develop a plan of action to implement the control option as required.\n\nA sample command for setting both the SWITCH and STATUS passwords are shown here:\n\nSETR RVARYPW(SWITCH(Wxy$8Pqu) STATUS(pbZ0@wL2))"},{"id":"ce549823-1642-44e1-8411-3688a4fa2ae8","vulnId":"V-223703","severity":"high","ruleTitle":"IBM RACF must define WARN = NO on all profiles.","description":"Failure to restrict system access to authenticated users negatively impacts operating system security.","checkContent":"Review all Dataset and resource profiles in the RACF database.\n\nIf any are not defined with WARN = NO, this is a finding.","fixText":"Define each dataset and resource profile with WARN = NO"},{"id":"1db41b4a-7d45-43a9-81fd-8c67742f1233","vulnId":"V-223704","severity":"high","ruleTitle":"The IBM RACF PROTECTALL SETROPTS value specified must be properly set.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, this is not a finding.\n\nIf the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a finding.\n\nAdditional analysis may be required to determine whether this finding should be downgraded to a Category II or remain a Category I.\n\nExample of a Category I finding where not a further analysis is required:\n\nControl Options: SETROPTS NOPROTECTALL\n\nExample of a possible Category I finding requiring additional analysis:\n\nControl Options: SETROPTS PROTECTALL(WARNING)\n\nPROTECTALL(WARNING) allows access to a data set only if it is not at protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not at allow unauthorized access. This situation allows for a downgrade to a Category II.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option. \n\nPROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL)."},{"id":"522e379f-b3aa-464b-80df-529d690ff543","vulnId":"V-223705","severity":"medium","ruleTitle":"The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the GRPLIST is enabled then the message \"LIST OF GROUPS ACCESS CHECKING IS ACTIVE.\" will be displayed, this is not a finding.\n\nIf the message indicates that LIST OF GROUPS is NOT ACTIVE, this is a finding.","fixText":"Configure the GRPLIST SETROPTS value to be set to ACTIVE. \n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including a status of GRPLIST. \n\nList of Groups Checking is activated with the command SETR GRPLIST."},{"id":"ffd29919-492f-42e6-a8bc-bb154053ab01","vulnId":"V-223706","severity":"medium","ruleTitle":"The IBM RACF RETPD SETROPTS value specified must be properly set.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the RETPD is enabled then the message \"SECURITY RETENTION PERIOD IN EFFECT IS NEVER-EXPIRES DAYS\" will be displayed, this is not a finding.\n\nIf the RETPD value is not set to \"NEVER-EXPIRES\", this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for the RETPD (Retention Period) Option. \n\nRETPD is activated and set to the required value by issuing the command SETR RETPD(99999)."},{"id":"cdfc1ba7-dc10-4b71-9b9f-77af85a6a099","vulnId":"V-223707","severity":"medium","ruleTitle":"The IBM RACF TAPEDSN SETROPTS value specified must be properly set.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the TAPEDSN is enabled then the message \"TAPE DATA SET PROTECTION IS ACTIVE\" will be displayed, this is not a finding.\n\nNOTE 1: TAPEDSN should be active for domains without a tape management product.\n\nNOTE 2: For domains running CA 1, Computer Associates recommends that TAPEDSN be active and CA 1 parameter OCEOV be set to OFF.\n\nIf the TAPEDSN value is set to INACTIVE, this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for the TAPEDSN Option. \n\nTAPEDSN is ACTIVATED by issuing the command SETR TAPEDSN."},{"id":"02755e6f-d9ae-422b-b0ce-eceffc78a403","vulnId":"V-223708","severity":"medium","ruleTitle":"The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the WHEN(PROGRAM) value is listed as one of the ATTRIBUTES, this is not a finding.\n\nIf the NOWHEN(PROGRAM) value is listed as one of the ATTRIBUTES, this is a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including the value for the WHEN(PROGRAM) Option. \n\nWHEN(PROGRAM) is ACTIVATED by issuing the command SETR WHEN(PROGRAM)."},{"id":"2c5d8d7f-bbc5-4a71-8ee7-766a4a4bec4f","vulnId":"V-223709","severity":"medium","ruleTitle":"IBM RACF use of the AUDITOR privilege must be justified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nListUser *\n\nIf authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel, this is not a finding.\n\nIf at minimum, any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, etc.) groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel, this is not a finding.\n\nOtherwise, Group-AUDITOR is allowed.","fixText":"Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.\n\nThe AUDITOR attribute is removed from a user with the command: ALU NOAUDITOR.\n\nTo remove the Group-Auditor attribute:\n\nCO GROUP() NOAUDITOR"},{"id":"465d9b00-a5e8-4ee1-861f-3a0fcc8bea86","vulnId":"V-223710","severity":"medium","ruleTitle":"The IBM RACF database must be on a separate physical volume from its backup and recovery datasets.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Execute the RACDST report from DSMON Utility using 'RACF PRIMARY' and 'RACF BACKUP' as selection criteria.\n\nIf the security database and its backup exist on the same volume, this is a finding.","fixText":"Identify the ACP database(s), backup database(s), and recovery data set(s). Develop a plan to keep these data sets on different physical volumes. Implement the movement of these critical ACP files."},{"id":"67ce8d51-aeb4-4ed6-9cd8-fc8a16eba45a","vulnId":"V-223711","severity":"medium","ruleTitle":"The IBM RACF database must be backed up on a scheduled basis.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Ask the system administrator to determine that procedures exist to back up the security data base and files. Have the system administrator identify the dataset names and frequency of the backups.\n\nIf, based on the information provided, it can be determined that the ESM database is being backed up on a regularly scheduled basis, this is not a finding.\n\nIf it cannot be determined that the ESM database is being backed up on a regularly scheduled basis, this is a finding.","fixText":"Develop procedures to back up all ACP files needed for recovery on a scheduled basis.\n\nIdentify the ACP database and ensure that documented processes are in place to back up its contents on a regularly scheduled basis.\n\nAt a minimum, this should include nightly backup of the ACP databases and of other critical security files (such as the ACP parameter file). More frequent backups (two or three times daily) will reduce the time necessary to effect recovery. The ISSO will verify that the backup job(s) run successfully."},{"id":"48ddfed8-c7e1-4edb-a4c3-15ec923ebb1e","vulnId":"V-223712","severity":"medium","ruleTitle":"IBM z/OS Batch job user IDs must be properly defined.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated user IDs.\n\nFrom the ISPF COMMAND INPUT screen enter:\nLISTUSER(each identified batch job)\n\nThe following USERID record fields/attributes must be specified:\n\nNAME\nPROTECTED\n\nNo USERID has the LAST-ACCESS field set to UNKNOWN.\n\nIf both of the above are true, this is not a finding.\n\nIf either of the USERID record fields/attributes (NAME and/or PROTECTED) are blank and/or the LAST ACCESS field is set to unknown, this is a finding.","fixText":"Ensure the following:\n\nAssociated USERIDs are defined for all batch jobs and documentation authorizing access to system resources is maintained and implemented.\n\nSet up the userids with the RACF PROTECTED attribute. A sample RACF command to accomplish is shown here: ALU NOPASSWORD NOOIDCARD."},{"id":"a2e31765-6b1b-4af1-88ea-21263f46aa4f","vulnId":"V-223713","severity":"medium","ruleTitle":"IBM RACF use of the RACF SPECIAL Attribute must be justified.","description":"The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.","checkContent":"From the ISPF Command Shell enter:\nListUser *\n\nIf authorization to the SYSTEM SPECIAL attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.\n\nIf any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-SPECIAL are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.\n\nOtherwise, Group-SPECIAL is allowed.","fixText":"Review all USERIDs with the SPECIAL attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.\n\nFor the SYSTEM SPECIAL attribute:\n\nA sample command for removing the SPECIAL attribute is shown here: ALU NOSPECIAL.\n\nFor the GROUP SPECIAL attribute:\n\nCO GROUP() NOSPECIAL"},{"id":"e26eb852-1e8e-4f6c-808c-196f67ec9586","vulnId":"V-223714","severity":"medium","ruleTitle":"IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.","description":"This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).","checkContent":"From the ISPF Command Shell enter:\nListUser *\n\nIf authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.\n\nIf any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.\n\nOtherwise, Group-OPERATIONS is allowed.","fixText":"Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.\n\nA sample command to remove the OPERATIONS attribute from a userid is shown here: \n\nALU NOOPERATIONS\n\nTo remove the Group-Operations attribute:\n\nCO GROUP() NOOPERATIONS"},{"id":"572413ca-f6d8-40bb-a90b-dfe017e272cf","vulnId":"V-223715","severity":"medium","ruleTitle":"IBM z/OS must properly configure CONSOLxx members.","description":"$36","checkContent":"Review each CONSOLxx parmlib member. \n\nIf the following guidance is true, this is not a finding. \n\nThe \"DEFAULT\" statement for each CONSOLxx member specifies \"LOGON(REQUIRED)\" or \"LOGON(AUTO)\".\n\nThe \"CONSOLE\" statement for each console assigns a unique name using the \"NAME\" parameter.\n\nThe \"CONSOLE\" statement for each console specifies \"AUTH(INFO)\". Exceptions are the \"AUTH\" parameter is not valid for consoles defined with \"UNIT(PRT)\" and specifying \"AUTH(MASTER)\" is permissible for the system console.\n\nNote: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the \"DEFAULT\" statement requirement.","fixText":"Configure the \"DEFAULT\" statement to specify \"LOGON(REQUIRED)\" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, \"LOGON(AUTO)\" may be used. If \"LOGON(AUTO)\" is used assure that the console userids are defined with minimal access. See ACP00292.\n\nConfigure each \"CONSOLE\" statement to specify an explicit console NAME. And that \"AUTH(INFO)\" is specified, this also including extended MCS consoles. \"AUTH(MASTER)\" may be specified for systems console.\n\nNote: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the \"DEFAULT\" statement requirement."},{"id":"50074d76-f4d7-4d91-a828-6ca8b2c72380","vulnId":"V-223716","severity":"medium","ruleTitle":"IBM z/OS must properly protect MCS console userid(s).","description":"$37","checkContent":"$38","fixText":"$39"},{"id":"3494e260-0de4-456a-a20d-3f4dca1323b0","vulnId":"V-223717","severity":"medium","ruleTitle":"IBM RACF users must have the required default fields.","description":"Ensure that Every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate or phrasedate fields are completed. This will uniquely identify each user. If these fields are not completed for each user, user accountability will become lost.","checkContent":"From a z/OS command screen enter:\nListUser *\n\nExamine each user entry verify every user is fully identified with all of the following conditions:\n-A completed NAME field that can either be traced back to a current DD2875 or a Vendor Requirement (example: A Started Task). \n-The presence of the DEFAULT-GROUP and OWNER fields. \n-The PASSDATE field or the PHRASEDATE field accordingly is not set to N/A excluding users with the PROTECTED attribute. \n\nIf all of the above are true, this is not a finding. \n\nIf any of above is untrue, this is a finding.","fixText":"$3a"},{"id":"a67ed55e-b4f2-425a-9703-79c4c11ffee9","vulnId":"V-223719","severity":"medium","ruleTitle":"IBM z/OS Started Tasks must be properly identified and defined to RACF.","description":"Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.\n\nTo ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.","checkContent":"$3b","fixText":"Define a RACF STARTED Class profile for each Started Proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command:\nRDEF STARTED .** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER() GROUP() TRACE(YES))\n\nA corresponding USERID must be defined with appropriate authority. The \"groupname\" should be a valid STC group with no interactive users."},{"id":"395a7d6e-15ee-4fb1-a3ef-63c0b8013fea","vulnId":"V-223721","severity":"medium","ruleTitle":"The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"From the ISPF Command Shell enter:\nSETROPTS LIST\n\nIf the ADSP value is NOT IN EFFECT, this is not a finding.\n\nNote: NOADSP is the required setting. In the SETROPTS LIST output this will display as AUTOMATIC DATASET PROTECTION IS NOT IN EFFECT.\n\nIf the ADSP value is IN EFFECT, this is a finding.","fixText":"Configure ADSP SETROPTS value to be set to NOADSP.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nNOADSP is set with the command SETR NOADSP."},{"id":"d39e2d5c-377d-465e-b996-2de8f9f57b50","vulnId":"V-223722","severity":"medium","ruleTitle":"IBM RACF user accounts must uniquely identify system users.","description":"$3c","checkContent":"Obtain a list of all userids that are shared among multiple users (i.e., not uniquely identified system users).\n\nIf there are no shared userids on this domain, this is not a finding.\n\nIf there are shared userids on this domain, this is a finding.","fixText":"Identify user accounts defined to the ESM that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ESM."},{"id":"91922a37-f1cd-4bcb-84f6-1c4983895dcc","vulnId":"V-223723","severity":"medium","ruleTitle":"The IBM RACF INACTIVE SETROPTS value must be set to 35 days.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.","checkContent":"From a z/OS command input screen enter:\nList SETRopts\n\nIf the INACTIVE value is set properly In the message \"INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER xxx DAYS.\", where xxx is a value \"35\" or less, this is not a finding.","fixText":"Configure the INACTIVE SETROPTS value to a value that is \"35\" or less. INACTIVE specifies the number of days that a USERID can remain unused and still be considered valid."},{"id":"442bb3bd-cf17-4a9e-9375-12701ce726b2","vulnId":"V-223724","severity":"medium","ruleTitle":"IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nSatisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000078-GPOS-00046","checkContent":"From the ISPF Command Shell enter:\nSETRopts\n\nIf the following options are specified, this is not a finding.\n\nEvery PASSWORD(RULE) under \"INSTALLATION PASSWORD SYNTAX RULES\" is defined with the values shown below:\n\nRULE n LENGTH(8) xxxxxxxx\n\nThe following options are in effect under \"PASSWORD PROCESSING OPTIONS\":\n\n\"MIXED CASE PASSWORD SUPPORT IS IN EFFECT\"\n\"SPECIAL CHARACTERS ARE ALLOWED.\"","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nFor z/OS release 1.13 and 1.14 PTF UA90720 must be applied.\nFor z/OS Release 2.1 PTF UA90721 must be applied.\n\nThe RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs.\n\nSetting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands:\n\nsetr password(mixedcase)\nsetr password(specialchars)\nsetr password(rulen(length(8) mixedall(1:8))"},{"id":"247d4929-ec0d-4a0b-a062-8040c7b30251","vulnId":"V-223725","severity":"medium","ruleTitle":"IBM RACF exit ICHPWX01 must be installed and properly configured.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nSatisfies: SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000072-GPOS-00040, SRG-OS-000266-GPOS-00101, SRG-OS-000480-GPOS-00225","checkContent":"$3d","fixText":"$3e"},{"id":"62fc25c6-6055-43f6-ac6a-a418a867835b","vulnId":"V-223726","severity":"medium","ruleTitle":"The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"From the ISPF Command Shell enter:\nSETRopts List\n\nIf the PASSWORD(MINCHANGE) value shows PASSWORD MINIMUM CHANGE INTERVAL IS <1> DAYS, this is not a finding.","fixText":"Configure PASSWORD(MINCHANGE) SETROPTS value number to \"1\". This specifies the number of days that must pass before a user can change their password.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including PASSWORD MINCHANGE. Use the following command as an example command:\nSETROPTS PASSWORD(MINCHANGE(1))"},{"id":"8ddca028-44a1-4a1f-b389-796b7520bb00","vulnId":"V-223727","severity":"medium","ruleTitle":"IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system password interval value specified in the user profile. RACF uses the lower of the two values to determine if the users password has expired.","checkContent":"From the ISPF Command Shell enter:\nSETRopts List\n\nIf the PASSWORD(INTERVAL) value is set properly and the message is PASSWORD CHANGE INTERVAL IS 060 DAYS, this is not a finding.","fixText":"Configure PASSWORD(INTERVAL) SETROPTS value to \"060\" days. This specifies the maximum number of days that each user's password is valid.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. \n\nSetting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60))."},{"id":"cae98f30-0d2f-42dc-9537-a91a54bda506","vulnId":"V-223728","severity":"medium","ruleTitle":"The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. HISTORY specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password.","checkContent":"From the ISPF Command Shell enter:\nSETRopts List\n\nIf the PASSWORD(HISTORY) value is set properly then the message x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED, where x is a minimum of \"5\", this is not a finding.","fixText":"Configure the PASSWORD(HISTORY) SETROPTS value is set to a minimum of \"5\". This specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETR LIST will show the status of RACF Controls including PASSWORD HISTORY. \n\nSetting the password history to 10 generations is activated with the command SETR PASSWORD(HISTORY(10))."},{"id":"d568be93-a664-4a3a-bc90-122d67750cf2","vulnId":"V-223729","severity":"high","ruleTitle":"NIST FIPS-validated cryptography must be used to protect passwords in the security database.","description":"Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nOperating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nSatisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000074-GPOS-00042, SRG-OS-000120-GPOS-00061","checkContent":"From the ISPF Command Shell enter:\nSETRopts List\n\nIf the following is specified under PASSWORD PROCESSING OPTIONS: THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below:\n\nFor z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied.\n\nSet the passwords option for algorithm to KDFAES.\n\nSample syntax to activate:\nSETRopts PASSWORD(ALGORITHM(KDFAES))"},{"id":"be5fd013-33ea-48bf-932d-47b71eb05b36","vulnId":"V-223731","severity":"medium","ruleTitle":"The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.","description":"$3f","checkContent":"From the ISPF Command Shell enter:\nSETRopts List\n\nFor all systems, if the ERASE values are set as follows, this is not a finding. \n\nERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS: \nERASE-ON-SCRATCH FOR ALL DATA SETS IS IN EFFECT","fixText":"Configure the ERASE SETROPTS value to ERASE(ALL) this allows DASD datasets to be erased when deleted.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\n-Issue the RACF Command SETR LIST to show the status of RACF Controls including the status of the ERASE options.\n\n-Take the appropriate actions to ensure that the SETR ERASE(ALL) has been issued to enable Erase On Scratch for all datasets."},{"id":"ab01f3a1-613d-46a1-8f25-1896dca4f7ff","vulnId":"V-223732","severity":"medium","ruleTitle":"IBM RACF DASD Management USERIDs must be properly controlled.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"$40","fixText":"Note: This applies to non-SMS volumes. Refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage.\nEvaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required.\n\nEnsure that storage management userids do not possess the \"OPERATIONS\" attribute. A sample command to accomplish this is shown here: \n\nALU NOOPERATIONS\n\nEnsure that storage management userids possess the \"PROTECTED\" attribute. A sample command to accomplish this is shown here: \n\nALU NOPASS NOOIDCARD\n\nEnsure that storage management userids are permitted to the appropriate \"STGADMIN\" profiles in the \"FACILITY\" class for SMS-managed volumes.\n\nEnsure that storage management userids are permitted to appropriate \"DASDVOL\" profiles for non-SMS-managed volumes."},{"id":"760b9561-d532-41fb-aefa-8d545299f9ef","vulnId":"V-223733","severity":"medium","ruleTitle":"IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.","description":"The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.\n\nSatisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000392-GPOS-00172","checkContent":"If FTPDATA is configured with the following SMF statements, this is not a finding.\n\nFTP.DATA Configuration Statements\nSMF TYPE119\nSMFJES TYPE119\nSMFSQL TYPE119\nSMFAPPE [Not coded or commented out]\nSMFDEL [Not coded or commented out]\nSMFEXIT [Not coded or commented out]\nSMFLOGN [Not coded or commented out]\nSMFREN [Not coded or commented out]\nSMFRETR [Not coded or commented out]\nSMFSTOR [Not coded or commented out]","fixText":"Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below:\n\nSMF TYPE119\nSMFJES TYPE119\nSMFSQL TYPE119\nSMFAPPE [Not coded or commented out]\nSMFDEL [Not coded or commented out]\nSMFEXIT [Not coded or commented out]\nSMFLOGN [Not coded or commented out]\nSMFREN [Not coded or commented out]\nSMFRETR [Not coded or commented out]\nSMFSTOR [Not coded or commented out]\n\nThe FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes:\n\n70 - Append\n70 - Delete and Multiple Delete\n72 - Invalid Logon Attempt\n70 - Rename\n70 - Get (Retrieve) and Multiple Get\n70 - Put (Store and Store Unique) and Multiple Put\n\nSMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information."},{"id":"3e7f8282-680b-4e64-88a7-8a45d495fed0","vulnId":"V-223734","severity":"medium","ruleTitle":"IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.","description":"MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.","checkContent":"$41","fixText":"$42"},{"id":"984753a8-98cb-48e2-b6e0-8c4b0f2d88bc","vulnId":"V-223735","severity":"medium","ruleTitle":"IBM z/OS data sets for the FTP server must be properly protected.","description":"MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.","checkContent":"$43","fixText":"Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Configure these data sets to be protected as follows:\n\nThe data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel.\n\nAll Write and Allocate access to the data set containing the FTP.DATA configuration file is logged.\n\nThe data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel."},{"id":"ec5fecee-5d86-4983-a9f5-f2f356e1e54f","vulnId":"V-223736","severity":"medium","ruleTitle":"IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content.","description":"$44","checkContent":"$45","fixText":"$46"},{"id":"5031b2f2-ab1c-4b60-99cf-6e1278d6a362","vulnId":"V-223737","severity":"medium","ruleTitle":"IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement.","description":"$47","checkContent":"Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.\n\nIf the BANNER statement is coded, this is not a finding.","fixText":"Configure the FTP configuration to include the BANNER statement."},{"id":"2fa31fee-ff57-4592-b859-302a5ae99104","vulnId":"V-223739","severity":"medium","ruleTitle":"IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.","description":"This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).","checkContent":"Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.\n\nIf the UMASK statement is coded with a value of 077, this is not a finding.","fixText":"Configure the FTP configuration to include the UMASK statement with a value of 077. \n\nIf the FTP Server requires a UMASK value less restrictive than 077, requirements should be justified and documented with the ISSO."},{"id":"e78951bf-922a-4655-8d63-3836f756ce98","vulnId":"V-223741","severity":"medium","ruleTitle":"IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.","description":"$48","checkContent":"Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.\n\nRefer to the file(s) allocated by the STEPLIB DD statement in the FTP started task JCL.\n\nRefer to the libraries specified in the system Linklist and LPA.\n\nIf any FTP Server exits are in use, identify them and validate that they were reviewed for integrity and approved by the site AO.\n\nIf the following items are in effect for FTP Server user exits, this is not a finding:\n\nThe FTCHKCMD, FTCHKIP, FTCHKJES, FTCHKPWD, FTPSMFEX, and FTPOSTPR modules are not located in the FTP daemon's STEPLIB, Linklist, or LPA.\n\nNOTE: The ISPF ISRFIND utility can be used to search the system Linklist and LPA for specific modules.","fixText":"Review the configuration statements in the FTP.DATA file. Review the FTP daemon STEPLIB, system Linklist, and Link Pack Area libraries. If FTP Server exits are enabled or present, and have not been approved by the site ISSM and not securely written and implemented by the site systems programmer, they should not be installed. Verify that none of the following exits are installed unless they have met the requirements listed above:\nFTCHKCMD\nFTCHKIP\nFTCHKJES\nFTCHKPWD\nFTPOSTPR\nFTPSMFEX"},{"id":"ae0de9b5-321b-4515-82b3-739bdb15823f","vulnId":"V-223742","severity":"medium","ruleTitle":"The IBM z/OS FTP server daemon must be defined with proper security parameters.","description":"The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.","checkContent":"From z/OS command screen enter: \nListUser FTPD OMVS (FTPD is usual name of the FTP daemon)\n\nIf all of the following are true, this is not a finding.\n\nIf either of the following is untrue, this is a finding.\n\n-The FTPD userid is defined as a PROTECTED userid.\n-The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh.\n\nFrom z/OS command screen enter:\nRList STARTED FTPD\n\nIf a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.","fixText":"Define the FTP daemon userid and a matching entry in the STARTED resource class enabling the use of the standard userid and an appropriate group. \n\nDefine the FTPD userid as a PROTECTED userid. \n\nDefine the FTPD userid with the following z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh. \n\nSample commands to accomplish these requirements are shown here:\nAdd the FTPD userid:\n\nAU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))\n\nRDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES))\n\nAdditional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide."},{"id":"7185a5c2-fc67-4691-b454-3a688a881ebd","vulnId":"V-223743","severity":"medium","ruleTitle":"IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.\n\nIf the INACTIVE statement is coded with a value between 1 and 900 (seconds), this is not a finding.","fixText":"Configure the FTP configuration to include an Inactive statement with a value between 1 and 900 (seconds)."},{"id":"2f569524-bc2a-488f-84e0-f66e15e0a6a2","vulnId":"V-223744","severity":"medium","ruleTitle":"IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.","description":"To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.","checkContent":"Refer to the FTPD started task procedure.\n\nIf the SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively, this is not a finding.\n\nIf the ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.\n\nIf the ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement, this is not a finding.\n\nIf the INACTIVE keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.","fixText":"$49"},{"id":"75efe42a-8897-4ad3-a6b8-f699f9debf47","vulnId":"V-223745","severity":"medium","ruleTitle":"IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.","description":"Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.","checkContent":"Refer to SYS1.PARMLIB (JES2PARM)\nFor each node entry\n\nIf all JES2 defined NJE nodes and RJE workstations have a profile defined in the FACILITY resource class, this is not a finding.\n\nNotes: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.\nWorkstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.\nNJE.* and RJE.* profiles will force userid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles.","fixText":"Configure associated PROFILEs TO exist for all RJE/NJE sources and review the authorizations for these remote facilities."},{"id":"96427191-4a2a-498c-94d8-88c704e9a9b7","vulnId":"V-223746","severity":"medium","ruleTitle":"IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.","description":"$4a","checkContent":"$4b","fixText":"$4c"},{"id":"fc06ea10-a46a-42f0-8bbf-0df7ccbfbfe2","vulnId":"V-223747","severity":"medium","ruleTitle":"IBM z/OS JES2 input sources must be properly controlled.","description":"$4d","checkContent":"From the ISPF Command Shell enter:\nRL JESINPUT *\n\nIf the RACF resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel, this is not a finding.\n\nINTRDR\nnodename\nOFFn.*\nOFFn.JR\nOFFn.SR\nRnnnn.RDm\nRDRnn\nSTCINRDR\nTSUINRDR and/or TSOINRDR\n\nNote: Examples of appropriate might be access to the offload input sources is limited to systems personnel (e.g., operations staff) as directed by site operations and the site security plan.","fixText":"Configure access for resources defined to the JESINPUT resource class to restrict to the appropriate personnel.\n\nGrant read access to authorized users for each of the following input sources:\n\nINTRDR\nnodename\nOFFn.*\nOFFn.JR\nOFFn.SR\nRnnnn.RDm\nRDRnn\nSTCINRDR\nTSUINRDR and/or TSOINRDR\n\nThe resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent)."},{"id":"d209ea44-6e22-4d96-a315-16c9e43561f8","vulnId":"V-223748","severity":"medium","ruleTitle":"IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.","description":"$4e","checkContent":"$4f","fixText":"$50"},{"id":"8b3e3ff5-f2ba-49d2-9d09-6a1474b4bd5e","vulnId":"V-223749","severity":"medium","ruleTitle":"IBM z/OS JES2 output devices must be properly controlled for classified systems.","description":"$51","checkContent":"From the ISPF Command Shell enter:\nRL WRITER *\n\nIf the RACF resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel, this is not a finding.\n\nJES2.LOCAL.devicename\nJES2.LOCAL.OFFn.*\nJES2.LOCAL.OFFn.JT\nJES2.LOCAL.OFFn.ST\nJES2.LOCAL.PRTn\nJES2.LOCAL.PUNn\nJES2.NJE.nodename\nJES2.RJE.devicename\n\nNote: Examples of appropriate restriction might be access to the offload input sources is limited to systems personnel (e.g., operations staff) as directed by site operations and the site security plan.","fixText":"Configure access authorization for resources defined to the WRITER resource class to be restricted to the operators and system programmers on a classified system only.\n\nDefine resources in the ACP's respective WRITER class for each of the following output destinations:\n\nJES2.LOCAL.devicename\nJES2.LOCAL.OFFn.*\nJES2.LOCAL.OFFn.JT\nJES2.LOCAL.OFFn.ST\nJES2.LOCAL.PRTn\nJES2.LOCAL.PUNn\nJES2.NJE.nodename\nJES2.RJE.devicename"},{"id":"f59559aa-04c9-48de-9df9-07a1abf394d0","vulnId":"V-223750","severity":"medium","ruleTitle":"IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.","description":"$52","checkContent":"From the ISPF Command Shell enter:\nSETRopt list\n\nIf the JESSPOOL resource class is active, this is not a finding.","fixText":"Configure the JESSPOOL resource class to be active:\n\nUse the RACF Command: SETROPTS CLASSACT(JESSPOOL)."},{"id":"80b91445-7c14-4f6e-b36f-6e0bee82dd4c","vulnId":"V-223751","severity":"medium","ruleTitle":"IBM z/OS JESNEWS resources must be protected in accordance with security requirements.","description":"$53","checkContent":"From the ISPF Command Shell enter:\nRL OPERCMS *\n\nJES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.\n\nIf the JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class, this is not a finding. \n\nIf access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set), this is not a finding.\n\nIf all access to the JES2.UPDATE.JESNEWS resource is logged, this is not a finding.","fixText":"Refer to \"Protecting JESNEWS\" in Chapter 7 of the JES2 Init & Tuning Guide.\n\na) Ensure the following items are in effect:\n\n1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of NONE and all access is logged.\n\nNOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.\n\n2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged.\n\nExamples of setting up proper protection are shown here:\n\nRDEF OPERCMDS JES2.UPDATE.JESNEWS UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('COMPLY WITH ZJES0042')\n\nPERMIT JES2.UPDATE.JESNEWS CLASS(OPERCMDS) ID() ACCESS(CONTROL)"},{"id":"02d98250-84ff-45e7-ba34-48abf2e9d947","vulnId":"V-223752","severity":"medium","ruleTitle":"IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"$54","fixText":"$55"},{"id":"e872dc55-8685-4dbd-b59c-67b89e49439a","vulnId":"V-223753","severity":"medium","ruleTitle":"IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.","description":"$56","checkContent":"$57","fixText":"$58"},{"id":"708cd16a-d051-486e-899c-f3f6bb630d24","vulnId":"V-223754","severity":"medium","ruleTitle":"IBM z/OS JES2 system commands must be protected in accordance with security requirements.","description":"$59","checkContent":"From the ISPF Command Shell enter:\nRList OPERCMDS *\n\nIf the JES2.** resource is defined to the OPERCMDS class with an access of NONE and all access is logged, this is not a finding.\n\nIf access to JES2 system commands defined in the IBM z/OS JES2 Commands is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), as determined in the documented site Security Plan, this is not a finding.\n\nIf access to specific JES2 system commands is logged as indicated in the documented site Security Plan, this is not a finding.\n\nNote: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging.","fixText":"$5a"},{"id":"8a1acedd-2cf2-4dda-bdb6-9885acd216ca","vulnId":"V-223755","severity":"medium","ruleTitle":"IBM z/OS surrogate users must be controlled in accordance with proper security requirements.","description":"$5b","checkContent":"From the ISPF Command Shell enter:\nRList SURROGAT *\n\nIf no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is Not Applicable.\n\nFor each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are in true regarding surrogate controls, this is not a finding.\n\n-All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.\n-All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted.\n\nAccess authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.\n\nOther users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).","fixText":"$5c"},{"id":"38980332-e0c4-4c3c-9680-66e3a867a873","vulnId":"V-223756","severity":"medium","ruleTitle":"IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"$5d","fixText":"$5e"},{"id":"26e838d1-d878-49e2-97c6-c41fd576a634","vulnId":"V-223757","severity":"medium","ruleTitle":"IBM z/OS must configure system wait times to protect resource availability based on site priorities.","description":"$5f","checkContent":"$60","fixText":"$61"},{"id":"1b0df06e-a422-409b-b8a0-64977ffc0085","vulnId":"V-223758","severity":"medium","ruleTitle":"The IBM z/OS BPX.SMF resource must be properly configured.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Review the FACILITY resource class for BPX.SMF. \n\nIf the RACF rules are as follows this is not a finding.\n\nBPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands.\nBPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands.\nBPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands.\n\nThe following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows:\n\nBPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.","fixText":"Configure Facility resource class for BPX.SMF as follows:\nBPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands.\nBPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands.\nBPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands.\n\nThe following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows:\n\nBPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable."},{"id":"2891542a-613c-4b62-9fd0-fbf5c50154a9","vulnId":"V-223759","severity":"medium","ruleTitle":"IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.","description":"The TN3270 Telnet Server can provide audit data in the form of SMF records. The SMF data produced provides information about individual sessions. This data includes the VTAM application, the remote and local IP addresses, and the remote and local IP port numbers. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000032-GPOS-00013","checkContent":"Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.\n\nIf the following configuration statement settings are in effect in the TCP/IP Profile configuration data set, this is not a finding.\n\nNOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration data set, the data set specified on this statement must be checked for the following items as well.\n\nThe TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block.\n\nThe TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block.\n\nNote: The SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. If duplicate statements appear in the TELNETGLOBALS, TELNETPARMS, Telnet uses the last valid statement that was specified.","fixText":"Configure the TELNETPARMS SMFINIT and SMFTERM statements in the PROFILE.TCPIP file to conform to the requirements specified below.\n\nNOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.\n\nThe TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block.\n\nThe TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block.\n\nNote: The SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. If duplicate statements appear in the TELNETGLOBALS, TELNETPARMS, Telnet uses the last valid statement that was specified."},{"id":"fc004487-3e2c-45ba-a006-03defee03979","vulnId":"V-223760","severity":"high","ruleTitle":"IBM RACF must be installed and active on the system.","description":"Enterprise environments make account management for operating systems challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. IBM z/OS requires an external security manager to assure proper account management.","checkContent":"Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper IEFSSnxx member.\n\nIf RACF is defined in the SubSystem member, this is not a finding.","fixText":"Refer to the IBM Security Server RACF System Programmer Guide and the IBM Security Server RACF Security Administrator guide to properly implement RACF on the system."},{"id":"df0143cc-aeed-40d7-862c-809dcfbb49d0","vulnId":"V-223761","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours.","description":"$62","checkContent":"Ask the SA for the documented process to disable emergency accounts. \n\nIf there is no documented process, this is a finding.\n\nExamine the process, if it does not include procedures to disable emergency accounts after the crisis is resolved or 72 hours, this is a finding.","fixText":"Develop a process to disable emergency accounts after the crisis is resolved or 72 hours."},{"id":"9ba0d296-8818-474a-9d7d-9050f2eb923a","vulnId":"V-223762","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of operating system user accounts and notifies SAs and information system security officers (ISSOs) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.","checkContent":"Ask the system Administrator for the documented process to notify appropriate personnel when accounts are created.\n\nIf there is no documented process, this is a finding.","fixText":"Develop a documented develop a process to notify appropriate personnel when accounts are created."},{"id":"9d328a7b-3c09-42bf-a436-59622db428e7","vulnId":"V-223763","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified.","description":"Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Ask the SA for the documented process to notify appropriate personnel when accounts are modified.\n\nIf there is no documented process, this is a finding.","fixText":"Develop a documented develop a process to notify appropriate personnel when accounts are modified."},{"id":"869975f9-3548-41ea-b767-3e8bbd988782","vulnId":"V-223764","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted.","description":"Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"Ask the SA for the documented process to notify appropriate personnel when accounts are deleted.\n\nIf there is no documented process, this is a finding.","fixText":"Develop a documented develop a process to notify appropriate personnel when accounts are deleted."},{"id":"bafe1708-6a15-4a86-8166-85f42de2382e","vulnId":"V-223765","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed.","description":"When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account removal events to the SAs and information system security officers (ISSOs) is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.","checkContent":"Ask the SA for the documented process to notify appropriate personnel when accounts are removed.\n\nIf there is no documented process, this is a finding.","fixText":"Develop a documented develop a process to notify appropriate personnel when accounts are removed."},{"id":"6cf6b0f4-4afe-4100-bed9-88a8cef0440b","vulnId":"V-223766","severity":"medium","ruleTitle":"The IBM z/OS system administrator (SA) must develop a process to notify information system security officers (ISSOs) of account enabling actions.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account enabling actions to the SAs and ISSOs is one method for mitigating this risk. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.\n\nIn order to detect and respond to events that affect user accessibility and application processing, operating systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.\n\nTo address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.","checkContent":"Ask the SA for the documented processes to notify the ISSOs of account enabling actions.\n\nIf there is no documented process, this is a finding.","fixText":"Develop a documented process to notify the ISSOs of account enabling actions."},{"id":"df521c63-8252-4039-ab9e-fdd5122b8563","vulnId":"V-223767","severity":"medium","ruleTitle":"IBM z/OS required SMF data record types must be collected.","description":"$63","checkContent":"$64","fixText":"$65"},{"id":"14083633-5a0d-4493-ab10-f29bdbceda78","vulnId":"V-223768","severity":"medium","ruleTitle":"IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. All methods of gaining access to the system must comply with this requirement to assure that regulations are upheld.","checkContent":"Verify that any session manger in use displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nIf the session manager does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.","fixText":"Configure any session manger in use to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system."},{"id":"ca2c547e-f8d8-48b2-ad16-338373c909a6","vulnId":"V-223769","severity":"medium","ruleTitle":"IBM z/OS must specify SMF data options to assure appropriate activation.","description":"SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.\n\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000269-GPOS-00103","checkContent":"$66","fixText":"$67"},{"id":"3aefcb8d-2c2f-437d-bf47-d04a3cae86de","vulnId":"V-223770","severity":"medium","ruleTitle":"IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.","description":"In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the operating system.","checkContent":"Review the SMF dump procedure in there system.\n\nIf the output datasets in the procedure have storage capacity to store at least one week's worth of audit data, this is not a finding.","fixText":"Make sure output file and dump procedures allow storage capacity to store one week's worth of audit data."},{"id":"cb80849c-7fad-4039-8c29-fe517a7764a9","vulnId":"V-223771","severity":"medium","ruleTitle":"IBM z/OS system administrators must develop an automated process to collect and retain SMF data.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Ask the system administrator if there is an automated process is in place to collect and retain all SMF data produced on the system.\n\nIf, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, this is not a finding.\n\nIf it cannot be determined this process exists and is being adhered to, this is a finding.","fixText":"The ISSO will ensure that an automated process is in place to collect SMF data.\n\nReview SMF data collection and retention processes. Develop processes are automatically started to dump SMF collection files immediately upon their becoming full.\n\nTo ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, the site will ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines:\n\n-Dump each SMF file as it fills up during the normal course of daily processing\n-Dump all remaining SMF data at the end of each processing day or \n-Establish a process using Audit logging"},{"id":"f28edc03-8fbe-4eb7-8a7d-9ba3a9764b52","vulnId":"V-223772","severity":"medium","ruleTitle":"IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.","description":"It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\nSatisfies: SRG-OS-000343-GPOS-00134, SRG-OS-000344-GPOS-00135, SRG-OS-000046-GPOS-00022","checkContent":"Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB.\n\nIf BUFUSEWARN is set for \"75\" (75%) or less, this is not a finding.","fixText":"Configure the BUFUSEWARN statement in SMFPRMxx to \"75\" (75%) or less."},{"id":"262feff1-f79c-447d-8d82-a59034d25144","vulnId":"V-223773","severity":"medium","ruleTitle":"IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).","description":"$68","checkContent":"Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB.\n\nIf NOBUFFS is set to \"HALT\", this is not a finding.\n\nNote: If availability is an overriding concern NOBUFFS can be set to MSG.","fixText":"Configure NOBUFFS to \"HALT\" unless availability is an overriding concern then NOBUFFS can be set to MSG."},{"id":"91eda9fb-4acb-44ea-bba0-8746b5672439","vulnId":"V-223774","severity":"medium","ruleTitle":"The IBM z/OS system must use a time protocol that syncs with an authoritative external time source.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).","checkContent":"Verify the operating system, for networked systems, compares internal information system clocks at least every 24 hours with a server synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). \n\nIf it does not, this is a finding.","fixText":"Coordinate with system staff to determine the best time protocols available for the z/OS systems at the site. SNT is one protocol available.\nObtain a copy of this sample procedure from SEZAINST and store it in one of the PROCLIB concatenation data sets.\n\nPerform the following to start SNTPD as a procedure:\nInvoke the procedure using the system operator start command. The following sample, SEZAINST(SNTPD), shows how to start SNTPD as a procedure:\n//*\n//* Sample procedure for the Simple Network Time Protocol (SNTP)\n//*\n//* z/OS Communications Server Version 1 Release 13\n//* SMP/E Distribution Name: SEZAINST(EZASNPRO)\n//*\n//* Copyright: Licensed Materials - Property of IBM\n//* 5650-ZOS\n//* Copyright IBM Corp. 2002, 2015\n//*\n//* Status: CSV2R2\n//*\n//SNTPD EXEC PGM=SNTPD,REGION=4096K,TIME=NOLIMIT,\n//PARM='/ -d'\n//SYSPRINT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132)\n//SYSIN DD DUMMY\n//SYSERR DD SYSOUT=*\n//SYSOUT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132)\n//CEEDUMP DD SYSOUT=*\n//SYSABEND DD SYSOUT=*"},{"id":"47f8bc85-7e08-4de5-9f44-6dd0f219d461","vulnId":"V-223775","severity":"medium","ruleTitle":"IBM z/OS Time Protocol must be properly configured.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time, a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).","checkContent":"Any Time Protocol must be configured to restrict access and/or control to appropriate personnel. \n\nConfigure SNTP as shown below:\n\nFrom the ISPF Command Shell, enter:\ncd /usr/sbin\nls -al\n\nIf the following file permission and user audit bits are true, this is not a finding.\n\n/usr/sbin/sntpd 1740 faf\n\nThe following represents a hierarchy for permission bits from least restrictive to most restrictive:\n\n7 rwx (least restrictive)\n6 rw-\n3 -wx\n2 -w-\n5 r-x\n4 r--\n1 --x\n0 --- (most restrictive)\n\nThe possible audit bits settings are as follows:\nf log for failed access attempts\na log for failed and successful access\n- no auditing","fixText":"Whichever Time Protocol is used, consult the system programmer for configuration information. If using SNTP with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the Unix permission bits and user audit bits on the SNTPD to conform to the specifications below:\n\n/usr/sbin/sntpd 1740 faf"},{"id":"721eaa4a-4832-47ec-9434-81dcd7efbb83","vulnId":"V-223776","severity":"medium","ruleTitle":"IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems).\n\nOrganizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.","checkContent":"Refer to the CLOCKxx member of PARMLIB.\n\nIf the ACCURACY parm is not coded, this is a finding.\n\nIf the ACCURACY parm is coded to \"1000\", this is not a finding.","fixText":"Define the CLOCKxx statement to include the ACCURACY parm set to \"1000\"."},{"id":"fa941a16-d21c-43a9-9336-4df6f677c835","vulnId":"V-223777","severity":"high","ruleTitle":"IBM RACF must define UACC of NONE on all profiles.","description":"The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.","checkContent":"Review all Dataset and resource profiles in the RACF database.\n\nIf any are not defined with UACC NONE, this is a finding. \n\nThere is an exception when evaluating the UACC for DIGTCERT and NODES resource classes.\n\nThe universal access (UACC) for DIGTCERT profiles:\nFor profiles in classes other than DIGTCERT, the valid values are NONE, READ, EXECUTE, UPDATE, CONTROL, and ALTER. For DIGTCERT profiles, the valid values are TRUST, NOTRUST, and HIGHTRST. \nIf DIGTCERT Profiles are defined with other than UACC NONE, this is not a finding.\n\nThe universal access (UACC) for NODES:\nA UACC of NONE fails the inbound job.\nIf NODES profiles are defined with other than UACC NONE, this is not a finding.","fixText":"Define each dataset and resource profile with UACC(NONE), excluding the exceptions of NODES and DIGTCERT profiles."},{"id":"0121ef1f-530c-4248-b48a-9358459ae24a","vulnId":"V-223778","severity":"medium","ruleTitle":"IBM z/OS PASSWORD data set and OS passwords must not be used.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Ask the system administrator to determine if the system PASSWORD data set and OS passwords are being used.\n\nIf, based on the information provided, it can be determined that the system PASSWORD data set and OS passwords are not used, this is not a finding.\n\nIf it is evident that OS passwords are utilized, this is a finding.","fixText":"System programmers will ensure that the old OS Password Protection is not used and any data protected by the old OS Password technology is removed and protection is replaced by the ACP.\n\nReview the contents of the PASSWORD data set. Ensure that any protections it provides are provided by the ACP and delete the PASSWORD data set.\n\nAccess to data sets on z/OS systems can be protected using the OS password capability of MVS. This capability has been available in MVS for many years, and its use is commonly found in data centers. Since the advent of ACPs, the use of OS passwords for file protection has diminished, and is commonly considered archaic and of little use. The use of z/OS passwords is not supported by all the ACPs."},{"id":"758d0529-48af-448d-b13f-c4661c13aaf9","vulnId":"V-223780","severity":"medium","ruleTitle":"The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.","description":"Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.","checkContent":"Examine the policy agent policy statements. \n\nIf it can be determined that the policy agent employs a deny-all, allow-by exception firewall policy for allowing connections to other systems this is not a finding.","fixText":"Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems."},{"id":"50864c98-a80d-4c66-8328-82b7bf3a3e10","vulnId":"V-223781","severity":"high","ruleTitle":"Unsupported system software must not be installed and/ or active on the system.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"This check applies to all products that meet the following criteria:\n\n- Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries.\n- Requires access to system datasets or sensitive information or requires special or privileged authority to run.\n\nFor the products in the above category, refer to the Vendor's support lifecycle information for current versions and releases. \n\nIf the software products currently running on the reviewed system are at a version greater than or equal to the products listed in the vendor's Support Lifecycle information, this is not a finding.","fixText":"For all products that meet the following criteria:\n\n- Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries.\n- Requires access to system datasets or sensitive information or requires special or privileged authority to run.\n\nThe ISSO will ensure that unsupported system software for the products in the above category is removed or upgraded prior to a vendor dropping support.\n\nAuthorized software that is NO longer supported is a CAT I vulnerability. The customer and site will be given six months to mitigate the risk, develop a supported solution, or obtain a formal letter approving such risk/software."},{"id":"60f3c8e9-5957-4d3a-86f3-ba90a1d89e17","vulnId":"V-223782","severity":"medium","ruleTitle":"IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"From and ISPF Command line enter:\nTSO ISRDDN LINKLIST\n\nReview the list, if there are any DUMMY entries i.e., inaccessible LINKLIST libraries, this is a finding.","fixText":"$69"},{"id":"2f85ac5a-8f2a-49c4-8edf-b6a785b906f1","vulnId":"V-223783","severity":"medium","ruleTitle":"IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.","description":"Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system level.\n\nSome of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline.\n\nMethods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles).","checkContent":"From and ISPF Command line enter:\nTSO ISRDDN LPA\n\nReview the list, if there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.","fixText":"$6a"},{"id":"d7d9b813-ef4c-4702-9224-f5a0f751b2bb","vulnId":"V-223784","severity":"medium","ruleTitle":"IBM z/OS must not have inaccessible APF libraries defined.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.","checkContent":"Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper APF and/or PROG member.\n\nExamine each entry and verify that it exists on the specified volume. \n\nIf inaccessible APF libraries exist, this is a finding.\n\nISRDDN APF","fixText":"Review the entire list of APF authorized libraries and remove those which are no longer valid designations."},{"id":"f74da938-0547-460b-b3c5-e82c15d2658e","vulnId":"V-223785","severity":"medium","ruleTitle":"IBM zOS inapplicable PPT entries must be invalidated.","description":"It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nInvalid or inapplicable PPT entries exist, a venue is provided for the introduction of trojan horse modules with security bypass capabilities.","checkContent":"$6b","fixText":"$6c"},{"id":"46b22f16-06ab-4b68-ab19-494d5e050227","vulnId":"V-223786","severity":"medium","ruleTitle":"IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).","description":"Failure to specify LINKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and violate the integrity of the operating system environment. This expanded authorization list inhibits the ability to control inclusion of these modules.","checkContent":"Refer to IEASYS00 member in SYS1.PARMLIB Concatenation.\n\nIf LNKAUTH=APFTAB is not specified, this is a finding.","fixText":"Configure LNKAUTH=APFTAB in the IEASYS00 member of PARMLIB."},{"id":"a65cef64-728a-45bb-bad7-fc4a8f4c1132","vulnId":"V-223787","severity":"low","ruleTitle":"IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries.","description":"Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.","checkContent":"From an ISPF Command line enter:\nTSO ISRDDN APF\n\nAn APF List results\n\nOn the command line enter:\nDUPlicates (make sure there is appropriate access; if there is not you may receive insufficient access errors)\n\nIf any of the list of Sensitive Utilities exist in the duplicate APF modules return, this is a finding.\n\nThe following list contains Sensitive Utilities that will be checked.\n\nAHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP\nBLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL\nCSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP\nHHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT\nIFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE\nIOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS\nL052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV\nTMSREMOV TMSTPNIT TMSUDSNB","fixText":"Review and ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the ISSO.\n\nComparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns so that the function can be restricted as required."},{"id":"4cfe8e98-bc47-4d2b-a414-0a7bcb71c466","vulnId":"V-223788","severity":"high","ruleTitle":"The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.","description":"$6d","checkContent":"Determine if IBM's DS8880 Disks or equivalent hardware solutions are in use.\n\nIf they are not in use for systems that require data at rest, this is a finding.","fixText":"Employ IBM's DS8880 hardware or equivalent hardware solutions to ensure full disk encryption."},{"id":"3d4c2d8e-9bb8-407f-a703-ecfaf03713ca","vulnId":"V-223792","severity":"medium","ruleTitle":"The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.","checkContent":"Examine the Policy Agent policy statements. \n\nIf it can be determined that policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, this is not a finding.","fixText":"Develop Policy application and policy agent to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces."},{"id":"9a3ec94e-8ebb-47e5-b808-7fae7aeee045","vulnId":"V-223793","severity":"medium","ruleTitle":"The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.","checkContent":"Examine the Policy Agent policy statements. \n\nIf it can be determined that there are policy statements that manages excess capacity, this is not a finding.","fixText":"Develop Policy application and Policy agent to manage excess capacity."},{"id":"e7dd423d-2175-4780-97e3-95dc6e8f3e82","vulnId":"V-223794","severity":"medium","ruleTitle":"The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. The operating system session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed.\n\nPublicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information.","checkContent":"Ask the system administrator for the configuration parameters for the session manager in use.\n\nIf there is no session manager in use, this is a finding.\n\nIf the session manager is not configure to conceal, via the session lock, information previously visible on the display with a publicly viewable image, this is a finding.","fixText":"Configure the session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image."},{"id":"9631d783-506f-44b7-aff2-683aa5ec3e6f","vulnId":"V-223795","severity":"medium","ruleTitle":"IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.","checkContent":"Ask the system administrator for the configuration parameters for the session manager in use.\n\nIf there is no session manager in use, this is a finding.\n\nIf the session manager is not configured to initiate session lock after a 15-minute period of inactivity, this is a finding.","fixText":"Configure the session manager to initiate a session lock after a 15-minute period of inactivity."},{"id":"db033d6d-16ef-428c-81c1-f415f647f435","vulnId":"V-223796","severity":"medium","ruleTitle":"IBM z/OS must employ a session for users to directly initiate a session lock for all connection types.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.","checkContent":"Ask the system administrator for the configuration parameters for the session manager in use.\n\nIf there is no session manager in use, this is a finding.\n\nIf the session manager in use does not allow users to directly initiate a session lock for all connection types, this is a finding.","fixText":"Develop a procedure to offload SMF files to a different system or media than the system being audited."},{"id":"a3359a3f-ab6c-4b0d-9da8-c18cdd9dbd47","vulnId":"V-223797","severity":"medium","ruleTitle":"IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.","checkContent":"Ask the system administrator for the configuration parameters for the session manager in use.\n\nIf there is no session manager in use this is a finding.\n\nIf the session manager is not configured to retain a user's session lock until that user reestablishes access using established identification and authentication procedures, this is a finding.","fixText":"Configure the session manager to retain a user's session lock until that user reestablishes access using established identification and authentication procedures."},{"id":"c8b6af8f-6b56-43c9-9d7f-be143ae77f6a","vulnId":"V-223798","severity":"medium","ruleTitle":"IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.","description":"$6e","checkContent":"Ask the system administrator (SA) for the procedure to automatically remove or disable temporary user accounts after 72 hours.\n\nIf there is no procedure, this is a finding.","fixText":"Develop a procedure to automatically remove or disable temporary user accounts after 72 hours."},{"id":"fb54169f-34f2-4ded-8bea-c667096287ec","vulnId":"V-223800","severity":"medium","ruleTitle":"IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.","checkContent":"Ask the system administrator for the procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.\n\nIf there is no procedure, this is a finding.","fixText":"Develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner."},{"id":"d648cb3d-5ea5-4de1-b58b-3aff3dc60312","vulnId":"V-223801","severity":"medium","ruleTitle":"IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements.","description":"The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents.\n\nAudit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports.","checkContent":"Ask the system administrator for the procedure to provide an audit reduction capability that supports on-demand reporting requirements.\n\nIf there is no procedure, this is a finding.","fixText":"Develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements."},{"id":"b0e60cf7-af37-4cc5-965a-3b891d890d75","vulnId":"V-223803","severity":"medium","ruleTitle":"IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.","description":"Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.","checkContent":"Ask the system administrator for the procedure to remove all software components after updated versions have been installed.\n\nIf there is no procedure, this is a finding.","fixText":"Develop a procedure to remove all software components after updated versions have been installed."},{"id":"67319444-6748-4219-906a-0f8630158459","vulnId":"V-223804","severity":"medium","ruleTitle":"IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.","description":"If anomalies are not acted upon, security functions may fail to secure the system. \n\nSecurity function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nNotifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights.\n\nThis capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.","checkContent":"Ask the system administrator for the procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur.\n\nIf a procedure does not exist, this is a finding.\n\nIf the procedure does not properly shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur, this is a finding.","fixText":"Develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur."},{"id":"7e6444cb-a314-4aa5-adaa-21425006b2e2","vulnId":"V-223805","severity":"medium","ruleTitle":"IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.","checkContent":"Ask the system administrator for the procedure to offload SMF files to a different system or media than the system being audited.\n\nIf the procedure does not exist, this is a finding.","fixText":"Develop a procedure to offload SMF files to a different system or media than the system being audited."},{"id":"57763c63-7f6e-48f1-a3b4-4884584826e7","vulnId":"V-223806","severity":"medium","ruleTitle":"IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.","description":"SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.\n\nSatisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000392-GPOS-00172","checkContent":"Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory.\n\nAlternately:\nFrom UNIX System Services ISPF Shell navigate to ribbon select tools.\nSelect option 1 - Work with Processes.\n\nIf SSH Daemon is not active, this is not a finding.\n\nExamine SSH daemon configuration file. \n\nIf ServerSMF is not coded with ServerSMF TYPE119_U83 or is commented out, this is a finding.","fixText":"Configure the SERVERSMF statement in the SSH Daemon configuration file to TYPE119_U83."},{"id":"8b51048c-469d-4262-8782-33d076273787","vulnId":"V-223807","severity":"high","ruleTitle":"The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRemote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","checkContent":"Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory.\n\nAlternately:\nFrom the Unix System Services ISPF Shell, navigate to ribbon select tools.\nSelect option 1 - Work with Processes.\n\nIf SSH Daemon is not active, this is not a finding.\n\nExamine SSH daemon configuration file. \nsshd_config\n\nIf there are no \"Ciphers\" lines, or the ciphers list contains any cipher not starting with \"aes\", this is a finding.\n\nIf the MACs line is not configured to \"hmac-sha1\" or greater this is a finding.\n\nExamine the z/OS-specific sshd server systemwide configuration: \nzos_sshd_config\n\nIf any of the following is untrue, this is a finding.\n\nFIPSMODE=YES\nCiphersSource=ICSF\nMACsSource=ICSF","fixText":"Edit the SSH daemon configuration and remove any ciphers not starting with \"aes\". If necessary, add a \"Ciphers\" line using FIPS 140-2 compliant algorithms.\n\nConfigure for message authentication to MACs \"hmac-sha1\" or greater.\n\nEdit the z/OS-specific sshd server systemwide configuration file configuration as follows:\nFIPSMODE=YES\nCiphersSource=ICSF\nMACsSource=ICSF"},{"id":"9b58de61-0793-4999-93b1-9120000d60b0","vulnId":"V-223809","severity":"medium","ruleTitle":"The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.","description":"$6f","checkContent":"$70","fixText":"$71"},{"id":"7c9a9c90-63fb-4731-b5a6-7a71375fb4ca","vulnId":"V-223810","severity":"high","ruleTitle":"IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.","description":"$72","checkContent":"Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory.\n\nAlternately:\nFrom UNIX System Services ISPF Shell navigate to ribbon select tools.\nSelect option 1 - Work with Processes.\n\nIf SSH Daemon is not active, this is not a finding.\n\nExamine SSH daemon configuration file. If the variables \"Protocol 2,1\" or \"Protocol 1\" are defined on a line without a leading comment, this is a finding.","fixText":"Edit the sshd_config file and set the \"Protocol\" setting to \"2\"."},{"id":"6b4c690f-93ed-4975-b115-2fe66b0e7820","vulnId":"V-223811","severity":"medium","ruleTitle":"IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management.","description":"Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.","checkContent":"Any keys or Certificates must be managed in ICSF or the external security manager and not in UNIX files.\n\nFrom the ISPF Command Shell enter:\nOMVS\nenter\nfind / -name *.kdb\nand\nfind / -name *.jks\n\nIf any files are present, this is a finding.","fixText":"Define all Keys/Certificates to ICSF or the security database.\n\nRemove all .kdb and .jks key files."},{"id":"501930aa-aa14-4e29-927f-c99dac792a74","vulnId":"V-223812","severity":"medium","ruleTitle":"IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.","description":"HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these objects could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.","checkContent":"$73","fixText":"$74"},{"id":"81c12868-582f-4c21-b01d-878958486d74","vulnId":"V-223813","severity":"medium","ruleTitle":"The IBM z/OS Syslog daemon must be started at z/OS initialization.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"SYSLOGD may be started from the shell, a cataloged procedure (STC), or the BPXBATCH program. Additionally, other mechanisms (e.g., a job scheduler) may be used to automatically start the Syslog daemon. To thoroughly analyze this requirement you may need to view the OS SYSLOG using SDSF, find the last IPL, and look for the initialization of SYSLOGD.\n\nIf the Syslog daemon SYSLOGD is started automatically during the initialization of the z/S/ system, this is not a finding.","fixText":"Review the files used to initialize tasks during system IPL (e.g., /etc/rc, SYS1.PARMLIB, any job scheduler definitions) configure the Syslog daemon to start automatically during z/OS system initialization.\n\nIt is important that syslogd be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. As with other z/OS UNIX daemons, there is more than one way to start SYSLOGD. It can be started as a process in the /etc/rc file or as a z/OS started task."},{"id":"8c85e89a-6c06-43a4-ad72-9ef4119cef90","vulnId":"V-223814","severity":"medium","ruleTitle":"The IBM z/OS Syslog daemon must be properly defined and secured.","description":"$75","checkContent":"From z/OS command screen enter: \nListUser SYSLOGD OMVS (SYSLOGD is usual name of the SYSLOG daemon)\n\nIf all of the following are true, this is not a finding.\n\nIf either of the following is untrue, this is a finding.\n\n-The SYSLOGD userid is defined as a PROTECTED userid.\n-The SYSLOGD userid has the following z/OS Unix attributes: UID(0), HOME directory '/', shell program /bin/sh.\n\nFrom z/OS command screen enter:\nRList STARTED SYSLOGD\n\nIf a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.","fixText":"The Syslog daemon userid is SYSLOGD.\nDefine the SYSLOGD userid as a PROTECTED userid.\nDefine the SYSLOGD userid has UID(0), HOME('/'), and PROGRAM('/bin/sh') specified in the OMVS segment.\n\nTo set up and use as an MVS Started Proc, the following sample commands are provided:\n\nAU SYSLOGD NAME('stc, tcpip') NOPASSWORD NOOIDCARD DFLTGRP(STC) -\nOWNER(STC) DATA('Reference ISLG0020 for proper setup ')\nALU SYSLOGD DFLTGRP(stctcpx) \nALU SYSLOGD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) \nCO SYSLOGD GROUP(stctcpx) OWNER(stctcpx)\n\nA matching entry mapping the SYSLOGD started proc to the SYSLOGD userid is in the STARTED resource class.\n\nRDEF STARTED SYSLOGD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(SYSLOGD) GROUP(STC)) \n\nIf /etc/rc is used to start the Syslog daemon, ensure that the _BPX_JOBNAME and _BPX_ USERID environment variables are assigned a value of SYSLOGD."},{"id":"44e2f97c-4f12-44fa-9afb-85a92e7f8f7f","vulnId":"V-223815","severity":"medium","ruleTitle":"IBM z/OS DFSMS Program Resources must be properly defined and protected.","description":"$76","checkContent":"Refer to the load modules residing in the following Load libraries to determine program resource definitions:\n SYS1.DGTLLIB for DFSMSdfp/ISMF\n SYS1.DGTLLIB for DFSMSdss/ISMF\n SYS1.DFQLLIB for DFSMShsm\n\nIf the installation moves these modules to another load library, the installation-defined load library must be used in the program protection.\n\nIf the RACF resources are defined with a default access of NONE, this is not a finding.\n\nIf the RACF resource access authorizations restrict access to the appropriate personnel, this is not a finding. \n\n(Refer to the chapter titled \"Protecting the Storage Management Subsystem\" in the IBM z/OS DFSMSdfp Storage Administration Guide to assist with guidance on appropriate access.)","fixText":"$77"},{"id":"7346603a-b931-4116-85b3-8b9dfa2e8aeb","vulnId":"V-223816","severity":"medium","ruleTitle":"IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.","description":"$78","checkContent":"Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets:\n\nSource Control Data Set (SCDS)\nActive Control Data Set (ACDS)\nCommunications Data Set (COMMDS)\nAutomatic Class Selection Routine Source Data Sets (ACS)\nACDS Backup\nCOMMDS Backup\n\nIf the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict WRITE or greater access to only systems programming personnel, this is not a finding.\n\nIf the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets do not restrict WRITE or greater access to only systems programming personnel, this is a finding.\n\nNote: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control datasets.","fixText":"Review the SYS1.PARMLIB(IGDSMS00) data set to identify the fully qualified file names for the following SMS data sets:\n\nSource Control Data Set (SCDS)\nActive Control Data Set (ACDS)\nCommunications Data Set (COMMDS)\nAutomatic Class Selection Routine Source Data Sets (ACS)\nACDS Backup\nCOMMDS Backup\n\nConfigure the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets to restrict WRITE or greater access to only z/OS systems programming personnel.\n\nNote: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control datasets.\n\nSome example commands to implement the proper controls are shown here:\n\nAD 'sys3.dfsms.mmd.commds.**' UACC(NONE) OWNER(SYS3) AUDIT(ALL(READ)) DATA('PROTECTED PER ZSMS0020')\n\nPE 'sys3.dfsms.mmd.commds.**' ID() ACC(A)"},{"id":"4e7eec98-3004-46cc-b1e6-c3157ad381e3","vulnId":"V-223817","severity":"medium","ruleTitle":"IBM z/OS DFSMS-related RACF classes must be active.","description":"$79","checkContent":"From an ISPF Command Shell enter:\nSETRopts list\n\nIf ACTIVE CLASSES lists the MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resources classes, this is not a finding.","fixText":"Configure SETRopts to include MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resources classes as ACTIVE.\n\nThe classes can be activated with the command:\nSETR CLASSACT(MGMTCLAS STORCLAS PROGRAM FACILITY)\n\nThe classes can be RACLISTED with the command:\nSETR RACL(MGMTCLAS STORCLAS)"},{"id":"d8c5da68-23ce-40d4-a3a2-b140ef8cd039","vulnId":"V-223818","severity":"medium","ruleTitle":"IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.","description":"$7a","checkContent":"$7b","fixText":"$7c"},{"id":"92bd2315-907a-43bc-8c95-711b562475e7","vulnId":"V-223819","severity":"medium","ruleTitle":"IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), for the following SMS parameter settings:\n\nParameter Key\nSMS\nACDS(ACDS data set name)\nCOMMDS(COMMDS data set name)\n\nIf the required parameters are defined, this is not a finding.","fixText":"Configure the DFSMS-related PDS members and statements specified in the system parmlib concatenation as outlined below:\n\nParameter Key\nSMS\nACDS(ACDS data set name)\nCOMMDS(COMMDS data set name)"},{"id":"563a888b-ed04-48c3-8759-50cf59e62094","vulnId":"V-223820","severity":"medium","ruleTitle":"IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.\n\nIf the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file, this is not a finding.\n\nNOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.\n\nThe SMFPARMS statement is not coded or commented out.\nThe DELETE statement is not coded or commented out for production systems.\nThe SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands.\nThe TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand.\nIf the TCPCONFIG does not have the TTLS statement coded, this is a finding.\n\nNOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance.","fixText":"$7d"},{"id":"ac8c2292-c148-4eb7-965b-85fb585cbd64","vulnId":"V-223821","severity":"medium","ruleTitle":"IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nOperating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Refer the TCP/IP PROFILE DD statement to determine the TCP/IP Ports. If the PROFILE DD statement is not supplied, use the default search order to find the PROFILE data set. \n\nSee the IP Configuration Guide for a description of the search order for PROFILE.TCPIP. \n\nIf the all the Ports included in the configuration are restricted to the ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments, this is not a finding.","fixText":"Configure TCP/IP PROFILE port definitions to adhere to ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments."},{"id":"e35a9191-d6fc-41a8-a55e-aae0dafe4808","vulnId":"V-223822","severity":"medium","ruleTitle":"IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured.","description":"HFS directories and files of the Base TCP/IP component provide the configuration, operational, and executable properties of IBMs TCP/IP system product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.","checkContent":"From the ISPF Command Shell enter:\nomvs\n\nAt the input line enter:\ncd /etc\nenter\nls -alW\n\nIf the following file permission and user Audit Bits are true, this is not a finding.\n\n/etc/hosts 0744 faf\n/etc/protocol 0744 faf\n/etc/resolv.conf 0744 faf\n/etc/services 0740 faf\n\ncd /usr\nls -alW\n\nIf the following file permission and user Audit Bits are true, this is not a finding.\n\n/usr/lpp/tcpip/sbin 0755 faf\n/usr/lpp/tcpip/bin 0755 faf\n\nNotes: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding.\n\nThe following represents a hierarchy for permission bits from least restrictive to most restrictive:\n\n7 rwx (least restrictive)\n6 rw-\n3 -wx\n2 -w-\n5 r-x\n4 r--\n1 --x\n0 --- (most restrictive)\n\nThe possible audit bits settings are as follows:\n\nf log for failed access attempts\na log for failed and successful access\n- no auditing","fixText":"$7e"},{"id":"bfe7794f-92d7-4443-bec7-cba95e745de0","vulnId":"V-223823","severity":"medium","ruleTitle":"IBM z/OS TCP/IP resources must be properly protected.","description":"$7f","checkContent":"$80","fixText":"$81"},{"id":"15f39946-bc28-4270-9abf-f325733355e7","vulnId":"V-223824","severity":"medium","ruleTitle":"The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.","description":"IBM Provides the SERVAUTH Class for use in protecting a variety of TCP/IP features/functions/products both IBM and third-party. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.","checkContent":"From a command input screen enter:\nSETROPTS LIST\n\nIf there are TCP/IP resources defined and the SERVAUTH resource class is not active, this is a finding.","fixText":"Configure RACF SETROPTS to have the SERVAUTH resource class is active.\n\nEvaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: \n\nThe RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe SERVAUTH Class is activated with the command SETR CLASSACT (SERVAUTH).\n\nGeneric profiles and commands should also be enabled with the command SETR GENERIC(SERVAUTH) GENCMD(SERVAUTH)."},{"id":"3709bc7f-b423-4d45-9b26-d62cf3b2fc8c","vulnId":"V-223826","severity":"medium","ruleTitle":"IBM z/OS data sets for the Base TCP/IP component must be properly protected.","description":"$82","checkContent":"$83","fixText":"$84"},{"id":"b6dfbd1f-d917-4f26-85fd-a48d4ee52729","vulnId":"V-223827","severity":"medium","ruleTitle":"IBM z/OS Configuration files for the TCP/IP stack must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Refer to the procedure libraries defined to JES2 and locate the TCPIP JCL member.\n\nNote:\nIf GLOBALTCPIPDATA is specified, any TCPIP.DATA statements contained in the specified file or data set take precedence over any TCPIP.DATA statements found using the appropriate environment's (native MVS or z/OS UNIX) search order.\n\nIf GLOBALTCPIPDATA is not specified, the appropriate environment's (Native MVS or z/OS UNIX) search order is used to locate TCPIP.DATA.\n\nIf the PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively, this not a finding.\n\nIf the RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement, this is not a finding.","fixText":"$85"},{"id":"72adc48c-2443-4e06-8b1a-f7286d72655a","vulnId":"V-223831","severity":"medium","ruleTitle":"IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.","description":"During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client. This algorithm is used to encrypt the data that subsequently flows between the two. However, the level or strength of encryption can vary greatly. Certain configuration options can allow no encryption to be used and others can allow a relatively weak 40-bit algorithm to be used. Failure to properly enforce adequate encryption strength could result in the loss of data privacy.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, SRG-OS-000478-GPOS-00223","checkContent":"Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.\n\nIf the following items are in effect for the configuration specified in the TCP/IP Profile configuration file, this is not a finding.\n\nNOTE: If an INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.\n\nNOTE: FIPS 140-2 minimum encryption is the accepted level of encryption and will override this requirement if greater.\n\nThe TELNETGLOBALS block that specifies an ENCRYPTION statement states one or more of the below cipher specifications.\n\nEach TELNETPARMS block that specifies the SECUREPORT statement, specifies an ENCRYPTION statement states one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement.\n\nCipher Specifications\nSSL_3DES_SHA\nSSL_AES_256_SHA\nSSL_AES_128_SHA","fixText":"Configure the SECUREPORT and TELNETPARMS ENCRYPTION statements and/or the TELNETGLOBALS statement in the PROFILE.TCPIP file to conform to the requirements specified below.\n\nThe TELNETGLOBALS block may specify an ENCRYPTION statement that specifies one or more of the below cipher specifications.\n\nEach TELNETPARMS block that specifies the SECUREPORT statement, an ENCRYPTION statement is coded with one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement.\n\nTo prevent the use of non FIPS 140-2 encryption, the TELNETGLOBALS block and/or each TELNETPARMS block that specifies an ENCRYPTION statement will specify one or more of the following cipher specifications:\n\nCipher Specifications\nSSL_3DES_SHA\nSSL_AES_256_SHA\nSSL_AES_128_SHA\n\nNote: Always check for the minimum allowed in FIPS 140-2."},{"id":"d669c5b3-539b-4b92-b677-18c3136c7ee3","vulnId":"V-223833","severity":"medium","ruleTitle":"The IBM z/OS warning banner for the TN3270 Telnet server must contain the proper content of the Standard Mandatory DoD Notice and Consent Banner.","description":"System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.","checkContent":"$86","fixText":"$87"},{"id":"b7a8942a-1dfd-4cf9-8ea1-87be9a26d2a2","vulnId":"V-223834","severity":"medium","ruleTitle":"IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"$88","fixText":"$89"},{"id":"aaaa0354-3753-46ae-8e59-b14d15ab0a14","vulnId":"V-223835","severity":"medium","ruleTitle":"The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.","checkContent":"Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL.\n\nNote: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.\n\nTELNETGLOBAL Block (only one defined)\n\nTELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992)\n\nIf the TELNETPARMS INACTIVE statement is coded either in the TELNETGLOBALS or within each TELNETPARMS statement block and specifies a value between \"1\" and \"900\", this is not a finding.","fixText":"Configure the configuration statements in the PROFILE.Tn3270 to conform to the specifications below:\n\nNOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.\n\nThe TELNETPARMS INACTIVE statement is coded either within the TELNETGLOBALS OR within each TELNETPARMS statement block and specifies a value between \"1\" and \"900\"."},{"id":"6cb051c1-5223-41fb-abed-f6224389b9c7","vulnId":"V-223836","severity":"medium","ruleTitle":"IBM Z/OS TSOAUTH resources must be restricted to authorized users.","description":"$8a","checkContent":"From the ISPF Command Shell enter:\nRLIST SURROGAT * \n\nEnsure that all TSOAUTH resources and/or generic equivalent are properly protected according to the requirements specified. \n\nIf the following guidance is true, this is not a finding.\n\nThe ACCT authorization is restricted to security personnel.\n\nThe CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the ISSOs discretion.\n\nThe MOUNT authorization is restricted to DASD batch users only.\n\nThe OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.).\n\nThe PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to auditors.\n\nThe TESTAUTH authorization is restricted to only z/OS systems programming personnel.","fixText":"$8b"},{"id":"8c69e00d-c7b8-4c8a-a48c-57bafbba8720","vulnId":"V-223837","severity":"high","ruleTitle":"IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.","description":"Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.","checkContent":"Ask the system administrator to provide a list of all emergency userids available to the site along with the associated function of each.\n\n If SYS1.UADS userids are limited and reserved for emergency purposes only, this is not a finding.","fixText":"Configure the SYS1.UADS entries to ensure LOGONIDs defined include only those users required to support specific functions related to system recovery. Evaluate the impact of accomplishing the change."},{"id":"90fb1d94-3a89-4748-ac9c-84e7118159aa","vulnId":"V-223838","severity":"high","ruleTitle":"The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.","description":"$8c","checkContent":"From the ISPF Command Shell enter:\nRL UNIXPRIV * AUTHUSER\n\nIf the RACF rules for the SUPERUSER resource specify a default access of NONE, this is not a finding.\n\nIf there are no RACF rules that allow access to the SUPERUSER resource, this is not a finding.\n\nIf there is no RACF rule for CHOWN.UNRESTRICTED defined, this is not a finding.\n\nIf the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE, this is not a finding.\n\nIf the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.","fixText":"Configure all SUPERUSER resources for the UNIXPRIV resource class to be restricted to appropriate system tasks and/or system programming personnel.\n\n-The RACF rules for the SUPERUSER resource specify a default access of NONE.\n-There are no RACF rules that allow access to the SUPERUSER resource.\n-There is no RACF rule for CHOWN.UNRESTRICTED defined.\n-The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE.\n-The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel.\n\nSample Commands:\nRDEF UNIXPRIV SUPERUSER.** UACC(NONE) OWNER(ADMIN) DATA('REFERENCE ZUSS0023') AUDIT(ALL(READ))\n/* do not permit any users/groups to this resource */\n\nSR CLASS(UNIXPRIV) MASK(CHOWN.UNRESTRICTED)\n/* delete if found */\n\nPE SUPERUSER.FILESYS.** CL(UNIXPRIV) ID()"},{"id":"c939d9dd-1a82-41e2-b499-c686fb79cf13","vulnId":"V-223839","severity":"medium","ruleTitle":"IBM z/OS BPX resource(s) must be protected in accordance with security requirements.","description":"$8d","checkContent":"From the ISPF Command Shell enter:\nRL FACILITY * AUTHUSER\n\nIf the RACF rules for the BPX.** resource specify a default access of NONE, this is not a finding.\n\nIf there are no RACF user access to the BPX.** resource, this is not a finding.\n\nIf there is no RACF rule for BPX.SAFFASTPATH defined, this is not a finding.\n\nIf the RACF rules for each of the BPX resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.","fixText":"$8e"},{"id":"b4cc78fe-1652-42b0-a778-cb06bb286fe7","vulnId":"V-223840","severity":"medium","ruleTitle":"IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"$8f","fixText":"$90"},{"id":"2c1bd115-b309-4868-b792-e125727640c5","vulnId":"V-223842","severity":"medium","ruleTitle":"IBM z/OS UNIX security parameters in etc/profile must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"From the ISPF Command Shell enter:\nISHELL\n/etc/profile\n\nIf the final or only instance of the UMASK command in /etc/profile is specified as \"umask 077\", this is not a finding.\n\nIf the LOGNAME variable is marked read-only (i.e., \"readonly LOGNAME\") in /etc/profile, this is not a finding.","fixText":"Configure the etc/profile to specify the UMASK command is executed with a value of 077, the LOGNAME variable is marked read-only for the /etc/profile file, and exceptions are documented with the ISSO."},{"id":"eef34489-c2ed-42fe-b06d-e4f69408d55c","vulnId":"V-223843","severity":"medium","ruleTitle":"IBM z/OS UNIX security parameters in /etc/rc must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"$91","fixText":"$92"},{"id":"474d7b09-986d-4d89-a275-2cf33413edd9","vulnId":"V-223844","severity":"medium","ruleTitle":"IBM z/OS UNIX resources must be protected in accordance with security requirements.","description":"$93","checkContent":"From the ISPF Command Shell enter:\nRL SURROGAT BPX.SRV AUTHUSER \n\nIf the RACF rules for all BPX.SRV.user SURROGAT resources specify a default access of NONE, this is not a finding.\n\nIf the RACF rules for all BPX.SRV.user SURROGAT resources restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX, this is not a finding.\n\nIf the RACF rules for all BPX.SRV.user SURROGAT resources restrict access to authorized users identified in the Site Security Plan, this is not a finding.","fixText":"SURROGAT class BPX resources are used in conjunction with server applications that are performing tasks on behalf of client users that may not supply an authenticator to the server. This can be the case when clients are otherwise validated or when the requested service is performed from userids representing groups.\n\nConfigure the default access for each BPX.SRV.userid resource must be no access. Access can be permitted only to system software processes that act as servers under z/OS UNIX (e.g., web servers) and users whose access and approval are identified in the Site Security Plan.\n\nA sample is provided here:\n\nRDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))\n\n-RACF rules for all BPX.SRV.user SURROGAT resources must restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX.\n\nRDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))\nPE BPX.SRV.user CL(SURROGAT) ID()"},{"id":"034080d0-b3f0-498b-bd5e-d27c23655020","vulnId":"V-223845","severity":"medium","ruleTitle":"IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.","description":"$94","checkContent":"Refer to the proper BPXPRMxx member in SYS1.PARMLIB \n\nIf the ESM data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN), this is not a finding.\n\nIf the ESM data set rules for the data set referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update and/or allocate access to systems programming personnel, this is not a finding.","fixText":"Review the access authorizations defined in the ACP for the MVS data sets that contain operating system components and for the MVS data sets that contain HFS file systems and ensure that they conform to the specifications below Review the UNIX permission bits on the HFS directories and files and ensure that they conform to the specifications below:\n\nDefine ESM data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx to restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN).\n\nDefine ESM data set rules for the data set referenced in the ROOT and the MOUNT statements in BPXPRMxx to restrict update and/or allocate access to systems programming personnel."},{"id":"b2ab2ec3-4b26-49b8-9dd8-e9649ff1ced6","vulnId":"V-223846","severity":"medium","ruleTitle":"IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected.","description":"$95","checkContent":"Execute an access list for MVS DATA SETS WITH z/OS UNIX COMPONENTS.\n\nIf the ESM data set rules for each of the data sets listed in the table below restrict UPDATE and ALLOCATE access to systems programming personnel, this is not a finding.\n\nMVS DATA SETS WITH z/OS UNIX COMPONENTS\nDATA SET NAME/MASK MAINTENANCE TYPE FUNCTION\nSYS1.ABPX* Distribution IBM z/OS UNIX ISPF panels, messages, tables, clists\nSYS1.AFOM* Distribution IBM z/OS UNIX Application Services\nSYS1.BPA.ABPA* Distribution IBM z/OS UNIX Connection Scaling Process Mgr.\nSYS1.CMX.ACMX* Distribution IBM z/OS UNIX Connection Scaling Connection Mgr.\nSYS1.SBPX* Target IBM z/OS UNIX ISPF panels, messages, tables, clists\nSYS1.SFOM* Target IBM z/OS UNIX Application Services\nSYS1.CMX.SCMX* Target IBM z/OS UNIX Connection Scaling Connection Mgr.","fixText":"$96"},{"id":"58b498ff-e16e-4fc6-b88a-3c2bd6ba0946","vulnId":"V-223847","severity":"medium","ruleTitle":"IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100","checkContent":"$97","fixText":"$98"},{"id":"dd02783b-fd06-47e0-a04c-77cbe5e05f91","vulnId":"V-223848","severity":"medium","ruleTitle":"IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.","description":"If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100","checkContent":"$99","fixText":"$9a"},{"id":"b5c1c373-3475-4fe7-838c-479177932f6c","vulnId":"V-223849","severity":"medium","ruleTitle":"IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.","description":"$9b","checkContent":"Refer to the pathname from the STEPLIBLIST line in BPXPRMxx member of PARMLIB.\n\nFrom the ISPF Command Shell enter:\nISHELL\n\nOn the command line:\non the path name line enter:\n/etc/ \n\nFrom the resulting display scroll down to the from BPXPRMxx parm.\nEnter B for browse on that line.\n\nIf ESM data set rules for libraries specified restrict WRITE or greater access to only systems programming personnel, this is not a finding.\n\nIf the ESM data set rules for libraries specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is not a finding.","fixText":"Configure WRITE or greater access to libraries residing in the /etc/steplib to be limited to system programmers only."},{"id":"c47c7f44-8a6e-4e38-aefe-0c459fef1666","vulnId":"V-223850","severity":"medium","ruleTitle":"The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.","description":"In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.","checkContent":"From the ISPF Command Shell enter:\nSETRopts list\n\nIf the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, this is not a finding.\n\nIf either of the above resource classes is missing, this is a finding.","fixText":"Define the ACTIVE CLASS Parameter in SETROPTS to include the FACILITY, SURROGAT and UNIXPRIV resource classes.\n\nEXAMPLES:\nSETR CLASSACT(FACILITY SURROGAT UNIXPRIV) \n\nSETR GENERIC(FACILITY SURROGAT UNIXPRIV)\nSETR GENCMD(FACILITY SURROGAT UNIXPRIV)\n\nSETR RACL(FACILITY SURROGAT UNIXPRIV)"},{"id":"9b4d5d2f-4c6d-4037-9576-e92a4c098da8","vulnId":"V-223851","severity":"medium","ruleTitle":"IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Refer to the IEASYS00 member of SYS1.PARMLIB.\n\nIf the parameter is specified as OMVS=xx or OMVS=(xx,xx,...) in the IEASYSxx member, this is not a finding.\n\nIf the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM's Communication Server TCP/IP will not run.","fixText":"Configure the settings in PARMLIB and /etc for z/OS UNIX security parameters with values that conform to the specifications below:\n\nThe parameter is specified as OMVS=xx or OMVS=(xx,xx,...) in the IEASYSxx member.\n\nNote: If the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM's Communication Server TCP/IP will not run."},{"id":"0a93a75d-8e10-4ac3-8127-da35ae5f3f73","vulnId":"V-223852","severity":"medium","ruleTitle":"IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Refer to the BPXPRM00 member of SYS1.PARMLIB.\n\nIf the required parameter keywords and values are defined as detailed below, this is not a finding.\n\nParameter Keyword Value\nSUPERUSER BPXROOT\nTTYGROUP TTY\nSTEPLIBLIST /etc/steplib\nUSERIDALIASTABLE Will not be specified.\nROOT SETUID will be specified\nMOUNT NOSETUID\nSETUID (for Vendor-provided files)SECURITY\nSTARTUP_PROC OMVS","fixText":"Define the settings in PARMLIB member BPXPRMxx for z/OS UNIX security parameters values to conform to the specifications below:\nParameter Keyword Value\nSUPERUSER BPXROOT\nTTYGROUP TTY\nSTEPLIBLIST /etc/steplib\nUSERIDALIASTABLE Will not be specified.\nROOT SETUID will be specified\nMOUNT NOSETUIDSETUID (for Vendor-provided files)SECURITY\nSTARTUP_PROC OMVS"},{"id":"85206f1b-bb60-4240-8ea5-fc4eac098708","vulnId":"V-223853","severity":"medium","ruleTitle":"IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems.","description":"Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"If the system is not classified, this is Not Applicable.\n\nFrom a command input screen enter:\n\nRLIST FACILITY (BPX.UNIQUE.USER) ALL\nExamine APPLICATION DATA for userid\n\nIf system is classified and a userid is are not defined in the Application Data field in the BPX.UNIQUE.USER resource in the FACILITY report, this is not a finding.","fixText":"If system is classified a userid should not be defined in the application data field of the FACILITY report.\n\nThe sample commands below show the required security parameters required for the default user:\n\nAU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -\nOMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) - \nDATA('DEFAULT OMVSUSERID ADDED WITH SOER5') \n\nRDEF FACILITY BPX. UNIQUE.USER APPLDATA() - \nDATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN) \n\nSETR RACLIST(FACILITY) REFRESH"},{"id":"f794797b-0d54-4718-af5d-6866e6e3a8fe","vulnId":"V-223854","severity":"medium","ruleTitle":"IBM z/OS UNIX HFS MapName files security parameters must be properly specified.","description":"Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.\n\nThe organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.","checkContent":"Refer to the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry:\n\nFILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD)\n\nIf the above entry is not found or is commented out in the BPXPRMxx member(s), this is Not Applicable.\n\nFrom the ISPF Command Shell enter:\nOMVS\ncd /etc\ncat auto.master\nperform a contents list for the file identified \nExample:\ncat u.map\nNote: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is not applicable.\n\nNote: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default.\n\nIf each MapName file specifies the \"setuid No\" and \"security Yes\" statements for each automounted directory, this is not a finding.\n\nIf there is any deviation from the required values, this is a finding.","fixText":"Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and configure the values to conform to the specifications below.\n\nThe /etc/auto.master HFS file (and the use of Automount) is optional. \n\nThe setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default.\n\nEach MapName file will specify the \"setuid NO\" and \"security YES statements for each automounted directory.\n\nIf there is a deviation from the required values, documentation must exist for the deviation.\n\nSecurity NO disables security checking for file access. Security NO is only allowed on test and development domains.\n\nSetuid YES allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of setuid YES."},{"id":"7455bb2d-9659-4bcb-a854-5424f6482a83","vulnId":"V-223855","severity":"medium","ruleTitle":"IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.","description":"$9c","checkContent":"From the UNIX System Services ISPF Shell, enter:\n\n/etc/inetd.conf\n\nIf any Restricted Network Services that are listed below are specified or specified but not commented out, this is a finding.\n\nRESTRICTED NETWORK SERVICES/PORTS\nService Port\nChargen 19\nDaytime 13\nDiscard 9\nEcho 7\nExec 512\nfinger 79\nshell 514\ntime 37\nlogin 513\nsmtp 25\ntimed 525\nnameserver 42\nsystat 11\nuucp 540\nnetstat 15\ntalk 517\nqotd 17","fixText":"Review the settings in the /etc/inetd.conf file determine if every entry in the file represents a service in use. Services that are not in use must be disabled to reduce potential security exposures.\n\nThe following services must be disabled in /etc/inetd.conf unless justified and documented with the information system security officer (ISSO):\n\nRESTRICTED NETWORK SERVICES\n\nService Port\nChargen 19\nDaytime 13\nDiscard 9\nEcho 7\nExec 512\nfinger 79\nshell 514\ntime 37\nlogin 513\nsmtp 25\ntimed 525\nnameserver 42\nsystat 11\nuucp 540\nnetstat 15\ntalk 517\nqotd 17\n\nThe /etc/inetd.conf file is used by the INETD daemon. It specifies how INETD is to handle service requests on network sockets. Specifically, there is one entry in inetd.conf for each service. Each service entry specifies several parameters. The login_name parameter is of special interest. It specifies the userid under which the forked daemon is to execute. This userid is defined to the ACP and it may require a UID(0) (i.e., superuser authority) value."},{"id":"2350a465-9e69-4735-9bc6-5c8d4fef27f8","vulnId":"V-223856","severity":"high","ruleTitle":"IBM z/OS UID(0) must be properly assigned.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"From a z/OS command screen enter:\nSR CLASS(USER) UID(0) \n\n If UID(0) is assigned only to system tasks such as the z/OS/ UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, this is not a finding.\n\n If UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, this not a finding.\n\nNOTE: The assignment of UID(0) confers full time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.\n\n If UID(0) is assigned to non-systems or non-maintenance accounts, this is a finding.","fixText":"Assign UID(0) as specified below:\nUID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons.\n\nUID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components.\n\nNOTE: The assignment of UID(0) confers full time superuser privileges, this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges."},{"id":"fba68240-16c5-4b6e-acc8-65e9fa810807","vulnId":"V-223857","severity":"medium","ruleTitle":"IBM z/OS UNIX groups must be defined with a unique GID.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. RACF userid groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.","checkContent":"From ISPF Command Shell enter:\nListgrp * OMVS\n\nIf each group is defined with a unique GID, this is not a finding.\n\nNote: A site can choose to have both an OMVSGRP group and an STCOMVS group or combine the groups under one of these names.\n\nIf OMVSGRP and/or STCOMVS groups are defined and have a unique GID in the range of 1-99, this is not a finding.","fixText":"Define each UNIX group with a unique GID.\n\nDefine the OMVSGRP group and/or the STCOMVS group to the security database with a unique GID in the range of 1-99.\n\nOMVSGRP is the name suggested by IBM for all the required userids. STCOMVS is the standard name used at some sites for the userids that are associated with z/OS UNIX started tasks and daemons. These groups can be combined at the site's discretion."},{"id":"864bc563-4857-492f-a1ed-f8a37fe75605","vulnId":"V-223859","severity":"medium","ruleTitle":"The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.","checkContent":"If OMVS userid is defined to the ESM as follows, this is not a finding.\n\nNo access to interactive on-line facilities (e.g., TSO, CICS, etc.)\nDefault group specified as OMVSGRP or STCOMVS\nUID(0)\nHOME directory specified as \"/\"\nShell program specified as \"/bin/sh\"","fixText":"Define OMVS userid to the ESM as specified below:\n\nNo access to interactive on-line facilities (e.g., TSO, CICS, etc.)\nDefault group specified as OMVSGRP or STCOMVS\nUID(0)\nHOME directory specified as \"/\"\nShell program specified as \"/bin/sh\""},{"id":"fd4dfae0-bbcd-4343-886f-17455600cdac","vulnId":"V-223860","severity":"medium","ruleTitle":"The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.) \n\nDetermine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default).\n\nFrom a command input screen enter:\nLISTUSER (superuser userid) TSO CICS OMVS\n\nIf the SUPERUSER userid is defined as follows, this is not a finding:\n\n-No access to interactive on-line facilities (e.g., TSO, CICS, etc.)\n-Default group specified as OMVSGRP or STCOMVS\n-UID(0)\n-HOME directory specified as \"/\"\n-Shell program specified as \"/bin/sh\"","fixText":"Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below:\n\n-No access to interactive on-line facilities (e.g., TSO, CICS, etc.)\n-Default group specified as OMVSGRP or STCOMVS\n-UID(0)\n-HOME directory specified as \"/\"\n-Shell program specified as \"/bin/sh\""},{"id":"2b29cf7f-5be3-4133-a25e-f5defb67a902","vulnId":"V-223861","severity":"medium","ruleTitle":"The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"RMFGAT is the userid for the Resource Measurement Facility (RMF) Monitor III Gatherer. \n\nIf RMFGAT is not defined, this is Not Applicable.\n\nFrom a command input screen enter:\nLISTUSER (RMFGAT) OMVS\n\nIf RMFGAT is defined as follows, this is not a finding.\n\nDefault group specified as OMVSGRP or STCOMVS\nA unique, non-zero UID\nHOME directory specified as \"/\"\nShell program specified as \"/bin/sh\"","fixText":"Define the RMFGAT user account as specified below:\n\nDefault group specified as OMVSGRP or STCOMVS\nA unique, non-zero UID\nHOME directory specified as \"/\"\nShell program specified as \"/bin/sh\""},{"id":"4f9c98c5-196a-4779-89e5-3fc214bc53d2","vulnId":"V-223862","severity":"medium","ruleTitle":"IBM z/OS UNIX user accounts must be properly defined.","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"From a z/OS command screen enter:\nLISTUSER * OMVS NORACF\n\nNOTE: This check only applies to users of z/OS UNIX (i.e., users with an OMVS profile defined).\n\nIf each user account with an OMVS segment is defined as follows, this is not a finding.\n\n-A unique UID number (except for UID(0) users).\n-A unique HOME directory (UID(0), other system task accounts, and tasks approved by the ISSM are excluded from this rule).\n-Shell program specified as \"/bin/sh\", \"/bin/tcsh\", \"/bin/echo\", or \"/bin/false\".\n\nNOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default; this does not include tasks that are excluded from above).","fixText":"Define users of z/OS UNIX (i.e., users with an OMVS profile defined) as follows:\n\n-A unique UID number (except for UID(0) users).\n-A unique HOME directory (UID(0), other system task accounts, and tasks approved by the ISSM are excluded from this rule).\n-Shell program specified as \"/bin/sh\", \"/bin/tcsh\", \"/bin/echo\", or \"/bin/false\".\n\nNOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default; this does not include tasks that are excluded from above)."},{"id":"49a982c6-7340-4d20-b3ce-c5f64a491033","vulnId":"V-223863","severity":"medium","ruleTitle":"IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.","description":"To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"If this is a Classified system, and there is an account used for modeling, this is a finding.\n\nFrom a command input screen enter:\nRLIST FACILITY (BPX.UNIQUE.USER) ALL\nExamine APPLICATION DATA for userid\n\nEnter:\nList User ()\n\nNote: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is Not Applicable.\n\nIf user account used for OMVS account modeling is defined as follows, this is not a finding:\n\nA non-writable HOME directory:\nShell program specified as \"/bin/echo\" or \"/bin/false\"\n\nNote: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).","fixText":"Use of the OMVS default UID will not be allowed on any Classified system. This is not an issue when using BPX.UNIQUE.USER.\n\nDefine user id used for OMVS account modeling with a non-0 UID, a nonwritable home directory, such as \"\\\" root, and a nonexecutable, but existing, binary file, \"/bin/false\" or \"/bin/echo.\""},{"id":"0746fe40-6af7-4284-b1c5-064497bd5fae","vulnId":"V-223864","severity":"medium","ruleTitle":"The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined.","description":"The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server. Several of these parameters have potential impact to system security. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.","checkContent":"From the ISPF Command Shell enter:\nomvs\ncd /etc\ncat inetd.conf\n\nIf the otelnetd command specifies any user other than OMVS or OMVSKERN, this is a finding.","fixText":"The user account used at the startup of otelnetd is specified in the inetd configuration file. This account is used to perform the identification and authentication of the user requesting the session. Because the account is only used until user authentication is completed, there is no need for a unique account for this function. The z/OS UNIX kernel account can be used."},{"id":"1b435a15-e2c7-4bed-8ff8-6fc025164344","vulnId":"V-223865","severity":"medium","ruleTitle":"IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.","description":"HFS directories and files of the z/OS UNIX Telnet Server provide the configuration and executable properties of this product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100","checkContent":"From the ISPF Command Shell enter:\nomvs\nAt the input line enter\ncd /usr\nenter\nls -alW\n\nIf the following File permission and user Audit Bits are true, this is not a finding.\n\n/usr/sbin/otelnetd 1740 fff\n\ncd /etc\nls -alW\n\nIf the following file permission and user Audit Bits are true, this is not a finding.\n\n/etc/banner 0744 faf\n\nThe following represents a hierarchy for permission bits from least restrictive to most restrictive:\n\n7 rwx (least restrictive)\n6 rw-\n3 -wx\n2 -w-\n5 r-x\n4 r--\n1 --x\n0 --- (most restrictive)\n\nThe possible audit bits settings are as follows:\n\nf log for failed access attempts\na log for failed and successful access\n- no auditing","fixText":"$9d"},{"id":"a3438507-f1de-40b1-be31-4a29fc86a745","vulnId":"V-223866","severity":"medium","ruleTitle":"The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.","description":"A logon banner can be used to inform users about the environment during the initial logon. Logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring. Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.\n\nSatisfies: SRG-OS-000024-GPOS-00007, SRG-OS-000023-GPOS-00006","checkContent":"$9e","fixText":"$9f"},{"id":"ad5b11a8-adf2-4bc0-a949-c96af21759d1","vulnId":"V-223867","severity":"medium","ruleTitle":"IBM z/OS UNIX Telnet server Startup parameters must be properly specified.","description":"The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell. During the initialization process, startup parameters are read to define the characteristics of each otelnetd instance. Some of these parameters have an impact on system security. Failure to specify the appropriate command options could result in degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.","checkContent":"From the ISPF Command Shell enter:\nISHELL\n\nEnter /etc/ for a pathname - you may need to issue a CD /etc/\nselect FILE NAME inetd.conf\n\nIf Option -D login is included on the otelnetd command, this is not a finding.\n\nIf Option -c 900 is included on the otelnetd command, this is not a finding.\n\nNOTE: \"900\" indicates a session timeout value of \"15\" minutes and is currently the maximum value allowed.","fixText":"Configure the startup parameters in the inetd.conf file for otelnetd to conform to the specifications below.\n\nThe otelnetd startup command includes the options -D login and -c 900, where:\n\n-D login indicates that messages should be written to the syslogd facility for login and logout activity.\n\n-c 900 indicates that the Telnet session should be terminated after \"15\" minutes of inactivity.\n\nNOTE: \"900\" is the maximum value; any value between \"1\" and \"900\" is acceptable."},{"id":"0d439290-8fd3-41ba-80a6-ae7f478c58ec","vulnId":"V-223868","severity":"medium","ruleTitle":"The IBM z/OS UNIX Telnet server warning banner must be properly specified.","description":"Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","checkContent":"From the ISPF Command Shell enter:\nISHELL\n\nEnter /etc/ for a pathname - you may need to issue a CD /etc/\nselect FILE NAME inetd.conf\n\nIf Option -h is included on the otelnetd command, this is a finding.","fixText":"Configure the startup parameters in the inetd.conf file for otelnetd to exclude option -h.\nNote: -h indicates that the logon banner should not be displayed."},{"id":"a04f9445-8907-420c-b16b-3b579b686983","vulnId":"V-223869","severity":"medium","ruleTitle":"IBM z/OS System datasets used to support the VTAM network must be properly secured.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100","checkContent":"Determine data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments.\n\nIf RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff, this is not a finding.\n\nIf RACF data set rules for all VTAM system data sets all READ access to auditors only, this is not a finding.","fixText":"$a0"},{"id":"758e3112-f280-47a0-b344-6a1ef0eadbf9","vulnId":"V-223870","severity":"medium","ruleTitle":"IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.","description":"If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.","checkContent":"Ask the system administrator to supply the following information:\n\n- Documentation regarding terminal naming standards.\n- Documentation of all procedures controlling terminal logons to the system.\n- A complete list of all USS commands used by terminal users to log on to the system.\n- Members and data set names containing USSTAB and LOGAPPL definitions of all terminals that can log on to the system (e.g., SYS1.VTAMLST).\n- Members and data set names containing logon mode parameters.\n\nIf USSTAB definitions are only used for secure terminals (e.g., terminals that are locally attached to the host or connected to the host via secure leased lines), this is not a finding.\n\nIf USSTAB definitions are used for any unsecured terminals (e.g., dial up terminals or terminals attached to the Internet such as TN3270 or KNET 3270 emulation), this is a finding.","fixText":"Configure USSTAB definitions to be only used for secure terminals.\n\nOnly terminals that are locally attached to the host or connected to the host via secure leased lines located in a secured area. Only authorized personnel may enter the area where secure terminals are located. \n\nUSSTAB or LOGAPPL definitions are used to control logon from secure terminals. These terminals can log on directly to any VTAM application (e.g., TSO, CICS, etc.) of their choice and bypass Session Manager services. Secure terminals are usually locally attached to the host or connected to the host via a private LAN without access to an external network. Only authorized personnel may enter the area where secure terminals are located."},{"id":"c6251643-1829-4227-bd39-1477438f4a21","vulnId":"V-230209","severity":"medium","ruleTitle":"The IBM RACF System REXX IRRPHREX security data set must be properly protected.","description":"$a1","checkContent":"Refer to the zOS system REXXLIB concatenation found in SYS1. PARMLIB (AXR) for the data set that contains the REXX for Password exit named IRRPHREX and the defined AXRUSER.\n\nIf the following guidance is true, this is not a finding.\n\n-RACF data set access authorizations restrict READ to AXRUSER, z/OS systems programming personnel, security personnel, and auditors.\n-RACF data set access authorizations restrict UPDATE to security personnel using a documented change management procedure to provide a mechanism for access and revoking of access after use.\n-All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, and CONTROL) is logged.\n-RACF data set access authorizations specify UACC(NONE) and NOWARNING.","fixText":"Configure read access to be restricted to security administrators, systems programmers, and auditors.\n\nEstablish a procedure documented with the ISSM that defines a change management process to provide mechanism for granting Update access to security administrators on an exception basis. The process should contain procedures to revoke access when documented update is completed.\n\nConfigure all failures and successes data set access authorities for RACF data set that contains the Password exit to be logged.\n\nExamples:\nad 'sys3.racf.rexxlib.**' uacc(none) owner(sys3) -\naudit(all(read)) \nPermit 'sys3.racf.rexxlib.**' id( AXRUSER) acc(r)\nPermit 'sys3.racf.rexxlib.**' id() acc(u)"},{"id":"1fa645ff-0567-4412-bb96-1850d594c05e","vulnId":"V-230210","severity":"medium","ruleTitle":"IBM RACF exit ICHPWX11 for password phrases must be installed and properly configured.","description":"Use of a complex password phrase helps to increase the time and resources required to compromise the password. Password phrase complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword phrase complexity is one factor of several that determines how long it takes to crack a password. The more complex the password phrase, the greater the number of possible combinations that need to be tested before the password is compromised.","checkContent":"$a2","fixText":"$a3"},{"id":"2b5fddb2-9a88-437a-ba3c-b08c8c307d2f","vulnId":"V-235033","severity":"medium","ruleTitle":"IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.","description":"The primary function of the LINKLIST is to serve as a single repository for commonly used system modules. Failure to ensure that the proper set of libraries is designated for LINKLIST can impact system integrity, performance, and functionality. For this reason, controls must be employed to ensure that the correct set of LINKLIST libraries is used. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n\nSatisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100, SRG-OS-000324-GPOS-00125","checkContent":"From Any ISPF input line, enter:\nTSO ISRDDN LINKLIST\n\nIf all of the following are untrue, this is not a finding.\n\nIf any of the following is true, this is a finding.\n\n-The ACP data set rules for LINKLIST libraries do not restrict WRITE or greater access to only z/OS systems programming personnel.\n-The ACP data set rules for LINKLIST libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.","fixText":"Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the LINKLIST libraries.\n\nConfigure the WRITE or greater access to LINKLIST libraries to be limited to system programmers only and all WRITER or greater access is logged."},{"id":"8e5a7384-23e4-489e-a418-8a9fb920b8ae","vulnId":"V-245536","severity":"medium","ruleTitle":"The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.","description":"If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records could have been removed which would result in query failure or denial of service. Data origin authentication verification must be performed to thwart these types of attacks.\n\nEach client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching Domain Name System (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations.\n\nThis is not applicable if DNSSEC is not implemented on the local network.","checkContent":"Refer to the Data configuration file specified on the SYSTCPD DD statement in the TCPIP started task JCL.\n\nNote:\nIf GLOBALTCPIPDATA is specified, any TCPIP.DATA statements contained in the specified file or data set take precedence over any TCPIP.DATA statements found using the appropriate environment's (native MVS or z/OS UNIX) search order.\n\nIf GLOBALTCPIPDATA is not specified, the appropriate environment's (Native MVS or z/OS UNIX) search order is used to locate TCPIP.DATA.\n\nIf the DOMAINORIGIN/DOMAIN (the DOMAIN statement is functionally equivalent to the DOMAINORIGIN statement) is specified in the TCP/IP Data configuration file, this is not a finding.","fixText":"Configure the TCPIP.DATA file to include the DOMAINORIGIN/DOMAIN (the DOMAIN statement is functionally equivalent to the DOMAINORIGIN statement). \n\nNote:\nIf GLOBALTCPIPDATA is specified, any TCPIP.DATA statements contained in the specified file or data set take precedence over any TCPIP.DATA statements found using the appropriate environment's (native MVS or z/OS UNIX) search order.\n\nIf GLOBALTCPIPDATA is not specified, the appropriate environment's (Native MVS or z/OS UNIX) search order is used to locate TCPIP.DATA."},{"id":"c8a22003-7312-4bbe-a2ed-d74c76220ca1","vulnId":"V-251107","severity":"medium","ruleTitle":"IBM z/OS sensitive and critical system data sets must not exist on shared DASDs.","description":"$a4","checkContent":"Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared.\n\nNote: In VM issue the command \"QUEUE DASD SYSTEM\" this display will show shared volume(s) and indicates the number of systems sharing the volume.\n\nValidate all machines that require access to these shared volume(s) have the volume(s) mounted.\n\nObtain a map or list VTOC of the shared volume(s).\n\nCheck if shared volume(s) contain any critical or sensitive data sets.\n\nIdentify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets.\n\nIf all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding.\n\nList critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).","fixText":"Configure all identified volumes of shared DASD to be valid within the following.\n\nHMC\nVM\nz/OS\n\nIf the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s).\n\nThe ISSO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s), protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them."},{"id":"638a45bb-d87e-4b46-b6d8-574ea7323257","vulnId":"V-252553","severity":"medium","ruleTitle":"IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent.","description":"$a5","checkContent":"Use the z/OS UNIX pasearch -t command to query information from the z/OS UNIX Policy Agent. \n\nThe command is issued from the UNIX System Services shell.\n\nExamine the results for AT-TLS initiation and control statements.\n\nIf there are no AT-TLS initiation and controls statements this is a finding.\n\nVerify the statements specify a FIPS 140-2 compliant value. If none of the following values are present, this is a finding\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256","fixText":"Develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources.\n\nDevelop AT-TLS policy. Install in the policy agent.\n\nEnsure that the statements specify a FIPS 140-2 compliant value of the following values.\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256"},{"id":"25f65efb-89ac-4338-9cce-65ec794c5b43","vulnId":"V-255935","severity":"medium","ruleTitle":"IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified.","description":"IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly configure parameter values could potentially the integrity of the base product which could result in compromising the operating system or sensitive data.","checkContent":"$a6","fixText":"$a7"},{"id":"bd3d1627-cda4-4f8a-afa5-01ba060b83cd","vulnId":"V-255936","severity":"medium","ruleTitle":"IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected.","description":"IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.","checkContent":"If the ESM dataset rules for the IBM Integrated Crypto Service Facility (ICSF) install data sets does not restrict UPDATE and/or ALTER access to systems programming personnel this is a finding.\n\nIf the ESM data set rules for IBM Integrated Crypto Service Facility (ICSF) install data set does not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged this is a finding.","fixText":"$a8"},{"id":"89a6295a-3ab9-4fbe-92ed-d1bc23f1306b","vulnId":"V-255937","severity":"medium","ruleTitle":"IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP.","description":"IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.","checkContent":"From the ISPF Command Shell-\n enter ListUser\n\nIf the userid(s) for the IBM Integrated Crypto Service Facility (ICSF) started task is not defined to the security database, this is a finding.","fixText":"Ensure that the started task for IBM Integrated Crypto Service Facility (ICSF) Started Task(s) is properly Identified / defined to the System ESM.\n\nIf the product requires a Started Task, verify that it is properly defined to the System ACP with the proper attributes.\n\nMost installation manuals will indicate how the Started Task is identified and any additional attributes that must be specified. Define the started task userid CSFSTART for IBM Integrated Crypto Service Facility (ICSF).\n\nExample:\n\nAU CSFSTART NAME('STC, ICSF') NOPASS -\n\tOWNER(STC) DFLTGRP(STC) -\n\t DATA('START ICSF')"},{"id":"7677fbd7-f18c-46ca-9dd2-065917a0e642","vulnId":"V-255938","severity":"medium","ruleTitle":"IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF.","description":"Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources. Improper control of product resources could potentially compromise the operating system, ACP, and customer data.","checkContent":"Execute the RACF DSMON report for RACSPT\n\nif the IBM Integrated Crypto Service Facility (ICSF) started task(s) is (are) not defined to the STARTED resource class profile and/or ICHRIN03 table entry this is a finding","fixText":"Ensure that a product's started task(s) is (are) properly identified and/or defined to the System ACP. \n\nA unique userid must be assigned for the IBM Integrated Crypto Service Facility (ICSF) started task(s) thru a corresponding STARTED class entry.\n\nThe following sample set of commands is shown here as a guideline:\n\nrdef started CSFSTART.** uacc(none) owner(admin) audit(all(read)) stdata(user(CSFSTART) group(stc))\n\nsetr racl(started) ref"},{"id":"547d40e3-99f3-460e-80bd-8b9d83f55a02","vulnId":"V-255939","severity":"medium","ruleTitle":"IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected.","description":"IBM Integrated Crypto Service Facility (ICSF) STC data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.","checkContent":"Verify that access to the IBM Integrated Crypto Service Facility (ICSF) STC data sets are properly restricted. The data sets to be protected are identified in the data set referenced in the CSFPARM DD statement of the ICSF started task(s) and/or batch job(s); the entries for CKDSN and PKDSN specify the data sets.\n\nIf the RACF data set access authorizations do not restrict READ access to auditors, this is a finding\n\nIf the RACF data set access authorizations do not restrict WRITE and/or greater access to systems programming personnel, this is a finding.\n\nIf the RACF data set access authorizations do not restrict WRITE and/or greater access to the product STC(s) and/or batch job(s), this is a finding.","fixText":"$a9"},{"id":"efad8541-1e07-4c1e-9a7b-71e1a22dd320","vulnId":"V-257135","severity":"medium","ruleTitle":"IBM Passtickets must be configured to be KeyEncrypted.","description":"Passwords such as IBM Passtickets need to be protected at all times, and encryption is the standard method for protecting such passwords. If passwords are not encrypted, they may be plainly read (i.e., clear text) and easily compromised.","checkContent":"From the ISPF Command Shell enter:\n\nRList PTKTDATA * SSIGNON NORACF\n\nIf any profile is not defined as KEYENCRYPTED, this is a finding.","fixText":"Ensure that all Passticket profiles are configured to be KeyEncrypted."},{"id":"156b0716-2b3b-4c27-9497-91bb5e4448ca","vulnId":"V-272875","severity":"medium","ruleTitle":"IBM z/OS FTP Control cards must be properly stored in a secure PDS file.","description":"Configuring the operating system to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements.","checkContent":"$aa","fixText":"Create a list or spreadsheet of the locations where FTP control cards are stored, who should have access to those libraries, and which applications use the FTP control cards.\n\nAdd columns for users permitted access to the secured PDS.\n\nMake sure the FTP control Cards for each FTP are stored in a secure PDS and that they are not placed in the JCL libraries or in the in-stream JCL for each FTP."},{"id":"3024d97c-cb8c-409b-b15c-037861450388","vulnId":"V-272877","severity":"medium","ruleTitle":"IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.","checkContent":"Refer to system Proclibs to determine the TCPIP address space(s).\n\nFrom the ISPF Command Shell, enter:\nLISTUSER OMVS\n\nFor each TCPIP:\n-Named TCPIP or, in the case of multiple instances, prefixed with TCPIP.\n-Has the STC facility. \n\n-z/OS Unix attributes: \nUID(0), HOME directory '/', shell program /bin/sh \nIf all of the following items are true, this is not a finding.\n\nIf any item is untrue, this is a finding.\n\nFrom the ISPF Command Shell, enter:\nLISTUSER EZAZSSI OMVS\nIf EZAZSSI STC has the STC facility, this is not finding.\n\nEnsure the following items are in effect for the USERID assigned to the EZAZSSI started task: \n-Named EZAZSSI. \n-Has the STC facility.","fixText":"$ab"},{"id":"198f2371-ee4a-4684-b317-548cb05b84ed","vulnId":"V-272879","severity":"medium","ruleTitle":"IBM z/OS DFSMS control data sets must reside on separate storage volumes","description":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.","checkContent":"Review the logical parmlib data sets, for example SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets:\nActive Control Data Set (ACDS)\nCommunications Data Set (COMMDS)\n\nIf the COMMDS and ACDS SMS data sets identified above reside on different volumes, this is not a finding.\n\nIf the COMMDS and ACDS SMS data sets identified above are collocated on the same volume, this is a finding.","fixText":"Allocate the primary and backup SMS Control data sets on separate volumes.\n\nSource Control Data Set (SCDS) contains an SMS configuration, which defines a storage management policy.\n\nActive Control Data Set (ACDS) contains a copy of the most recently activated configuration. All systems in an SMS complex use this configuration to manage storage.\n\nCommunications Data Set (COMMDS) contains the name of the ACDS containing the currently active storage management policy, the current utilization statistics for each system managed volume, and other system information.\n\nThe ACDS data set will reside on a different volume than the COMMDS data set.\n\nAllocate backup copies of the ADCS and COMMDS data sets on a different shared volume from the primary ACDS and COMMDS data sets."},{"id":"5b7e9105-3568-40aa-a994-b30f30e6d34f","vulnId":"V-275952","severity":"medium","ruleTitle":"zOSMF resource class(es) must be active in accordance with security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF command shell enter:\nSETRopts list\n\nIf the ACTIVE CLASSES list the EJBROLE, LOGSTRM, SERVER, TSOPROC, ZMFAPLA, and ZMFCLOUD, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETRopts LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe above Classes are activated with the command:\nSETRopts CLASSACT(EJBROLE, LOGSTRM, SERVER, TSOPROC, ZMFAPLA, and ZMFCLOUD)."},{"id":"61d24f2a-e340-4dee-bfc9-457791470c41","vulnId":"V-275953","severity":"medium","ruleTitle":"The ICSF resource class(es) must be active in accordance with security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF command shell, enter:\nSETRopts list\n\nIf the ACTIVE CLASSES list the CRYPTOZ, CSFKEYS, CSFSERV, GCSFKEYS , GXCSFKEY, and XCSFKEY resource classes, this is not a finding.","fixText":"Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:\n\nThe RACF Command SETRopts LIST will show the status of RACF Controls including a list of ACTIVE classes. \n\nThe above Classes are activated with the command:\nSETRopts CLASSACT(CRYPTOZ, CSFKEYS, CSFSERV, GCSFKEYS, GXCSFKEY, XCSFKEY"},{"id":"6508b643-45f2-4bfc-9b03-50892edaeb2f","vulnId":"V-275954","severity":"medium","ruleTitle":"ICSF resources must be protected in accordance with security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF command shell, for each following resource classes:\n{CRYPTOZ, CSFKEYS, CSFSERV, GCSFKEYS , GXCSFKEY, and XCSFKEY}\nenter\n\nRL * AUTHUSER\n\nConsult the ISCF Administrator, security administrator and the site security plan for appropriate user access.\n\nIf RACF access rules for each resource are restricted to appropriate users, this is not a finding.","fixText":"Configure access for resources in accordance with the site security plan."},{"id":"485dfe2c-a33a-4148-a3a6-3ed296ef907c","vulnId":"V-275956","severity":"medium","ruleTitle":"zOSMF resources must be protected in accordance with security requirements.","description":"To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.","checkContent":"From the ISPF command shell, for each appropriate resource class enter:\nRL * AUTHUSER\nFor EJBROLE, LOGSTRM, SERVER, TSOPROC, ZMFAPLA AND ZMFCLOUD resources class.\n\nReview Appendix A in the zOSMF Configuration Guide: Security Structures for z/OSMF Requirements for the Security Configuration tables.\n\nIf RACF access rules for each resource are restricted to appropriate users, this is not a finding.","fixText":"Review the access requirements in the Appendix A in the zOSMF Configuration Guide: Security Structures for z/OSMF Requirements for the Security Configuration tables.\n\nConfigure access for resources in accordance with the site security plan."}]}]]}]

IBM z/OS RACF Security Technical Implementation Guide

Checks (222)