Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If Certificate Name Filtering is in use, collect documentation describing each active filter rule and written approval from the ISSM to use the rule. Issue the following ACF2 commands to list the certificate name filters defined to ACF2: SET CONTROL(GSO) SHOW CERTMAP If no CERTMAP FILTERING TABLES are present, this not a finding. NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status. If CERTMAP FILTERING TABLES are present and certificate name filters have a Status of TRUST, certificate name filtering is in use. If Certificate Name Filtering is in use and filtering rules have been documented and approved by the ISSM, this is not a finding. If Certificate Name Filtering is in use and filtering rules have not been documented and approved by the ISSM, this is a finding.
Define any Certificate Name Filtering rules when required with documentation and approval by the ISSM.
Execute the CA-ACF2 SAFCRRPT using the following as SYSIN input RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST) If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or External Certification Authority (ECA), this is not a finding. Reference the DoD Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/interoperability/). Examples of an acceptable DoD CA are: DoD PKI Class 3 Root CA DoD PKI Med Root CA
If the certificate is a user or device certificate with a status of trust, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it.
Execute the CA-ACF2 SAFCRRPT using the following as SYSIN input: RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST) If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check. If the digital certificate information indicates that the issuer's distinguished name leads to one of the following, this is not a finding: a) A DOD PKI Root Certification Authority b) An External Root Certification Authority (ECA) c) An approved External Partner PKI's Root Certification Authority The DOD Cyber Exchange website contains information as to which certificates may be acceptable (https://public.cyber.mil/pki-pke/interoperability/ or https://cyber.mil/pki-pke/interoperability/). Examples of an acceptable DOD CA are: DOD PKI Class 3 Root CA DOD PKI Med Root CA
Remove or replace certificates where the issuer's distinguished name does not lead to a DOD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI's Root CA.
From the ISPF Command Shell enter "ACF" to enter ACF2 Command shell. Enter "SHOW STATE". If the "GSO OPTS" record show a "MODE= ABORT", this is not a finding.
Configure the GSO Option for "MODE" to equal "ABORT".
From the ISPF Command Shell enter: SET LID SET VERBOSE LIST IF(PPGM) If the number of users granted the special privilege PPGM is strictly controlled and limited to systems programmer and operations personnel, this is not a finding.
Ensure that access to the special privilege PPGM is kept to a minimum and limited to systems programmer and operations personnel.
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST IF(OPERATOR) If the number of users granted the special privilege OPERATOR is strictly controlled and limited to systems programmer and operations personnel, this not a finding. If the number of users granted the special privilege OPERATOR is not strictly controlled and limited to systems programmer and operations personnel, this is a finding.
Ensure that access to the special privilege "OPERATOR" is kept to a minimum and limited to systems programmer, security manager and operations personnel.
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST IF(ACCTPRIV OR CONSOLE OR OPERATOR OR MOUNT) If the number of users granted the special privilege CONSOLE is strictly controlled (issued on an as-needed basis), this is not a finding. If the number of users granted the special privilege CONSOLE is not strictly controlled (issued on an as-needed basis), this is a finding.
Define the CONSOLE attribute with minimum access and it is controlled and documented. Documentation providing justification for access is maintained and filed with the ISSO and that unjustified access is removed.
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST IF(ALLCMDS) If the number of users granted the special privilege ALLCMDS is strictly controlled and access is granted on an as needed basis, this is not a finding. If the number of users granted the special privilege ALLCMDS is not strictly controlled and access is granted on an as needed basis, this is a finding.
Ensure that access to the special privilege ALLCMDS is kept to a minimum and is controlled and documented. Documentation providing justification for access is maintained and filed with the ISSO. Remove any unjustified access.
From a Command input line enter: SET RESOURCE(OPR) SET VERBOSE LIST LIKE(MVS-) NOTE: If CLASMAP defines OPERCMDS as anything other than the default of TYPE(OPR), replace OPR with the appropriate three letters. If the MVS resource is defined to the OPERCMDS class with a default access of PREVENT, and all access logged, i.e., MVS.** is defined with access of PREVENT, this is not finding. If Access to z/OS system commands defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) as determined in the Documented site Security Plan, this is not a finding. Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all.
Configure z/OS Sensitive System Commands to be defined to the OPERCMDS resource class. Only limited number of authorized people are able to issue these commands. All access is logged. Configure the MVS resource to be defined to the OPERCMDS class with a default access of PREVENT, all access is logged, and access is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). Note: Ensure access to z/OS system commands defined in the MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). Example for ACF2: $KEY(MVS) TYPE(OPR) ACTIVATE.- UID(sysprgmr) LOG ACTIVATE.- UID(*) PREVENT SET R(OPR) COMPILE 'ACF2.MVA.OPR(MVS)' STORE F ACF2,REBUILD(OPR)
Refer to the table of Sensitive Utilities resources and/or generic equivalent as detailed in the table. If the ACF2 resources are defined with a default access of PREVENT, this is not a finding. If the ACF2 resource access authorizations restrict access to the appropriate personnel according to the site security plan, this not a finding. If the ACF2 resource logging is correctly specified, this is not a finding. Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only.
Refer to the Site Security plan for Sensitive Programs/Utilities for lists the resources, access requirements, and logging requirements for Sensitive Utilities. Configure ACF2 resources to be defined with a default access of PREVENT. Configure ACF2 resource access authorizations to restrict access to the appropriate personnel. Configure ACF2 resource logging to be correctly specified. The following commands are provided as a sample for implementing resource controls: $KEY(AHLGTF) TYPE(PGM) UID(stcg) LOG UID(*) PREVENT F ACF2,REBUILD(PGM)
From the ACF input screen enter: SET CONTROL(GSO) LIST LIKE(NJE-) If the GSO NJE record values conform to the following requirements, this is not a finding. Specifies ACF2 validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS). DFTLID() INHERIT NODEMASK(-) ENCRYPT VALIN(YES) NOVALOUT NOTE: For NJE nodes that are incompatible with the XDES algorithm, discrete NJE records will be created with NOENCRYPT. NOTE: Local changes will be documented in writing with supporting documentation.
Configure ACF2 validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS) as follows: DFTLID() INHERIT NODEMASK(-) ENCRYPT VALIN(YES) NOVALOUT NOTE: For NJE nodes that are incompatible with the XDES algorithm, discrete NJE records will be created with NOENCRYPT. NOTE: Local changes will be justified in writing with supporting documentation.
From a command input screen enter: SET RESOURCE (FAC) SET VERBOSE LIST LIKE (IEAABD-) NOTE: If CLASMAP defines FACILITY as anything other than the default of TYPE(FAC), replace FAC with the appropriate three letters. If the IEAABD. resource and/or generic equivalent is defined with PREVENT access and that access is not available to any user, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent is defined and access with SERVICE(READ) is limited to authorized users that have a valid job duties requirement for access, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent is defined and access with the SERVICE(UPDATE) or greater is restricted to only systems personnel and that all access is logged, this is not a finding. If the IEAABD.DMPAKEY. resource and/or generic equivalent is defined and all access is restricted to systems personnel and that all access is logged, this is not a finding.
Memory and privileged program dump resources are provided via resources in the FACILITY resource class. Ensure that the following are properly specified in the ACP. (Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Below is listed the access requirements for memory and privileged program dump resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are followed. When protecting the facilities for dumps lists via the FACILITY resource class, ensure that the following items are in effect: IEAABD. IEAABD.DMPAUTH. IEAABD.DMPAKEY. The ACF2 resources are defined with a default access of PREVENT. Ensure that no access is given to IEAABD. resource. Example: $KEY(IEAABD) TYPE(FAC) - UID(*) PREVENT IEAABD.DMPAUTH. READ access is limited to authorized users that have a valid job duties requirement for access. UPDATE access will be restricted to system programming personnel and access will be logged. Example: $KEY(IEAABD) TYPE(FAC) DMPAUTH.- UID(sysprgmr) SERVICE(UPDATE) LOG DMPAUTH.- UID(authusers) SERVICE(READ) DMPAUTH.- UID(*) PREVENT IEAABD.DMPAKEY. access will be restricted to system programming personnel and access will be logged. Example: $KEY(IEAABD) TYPE(FAC) DMPAKEY.- UID(sysprgmr) LOG DMPAKEY.- UID(*) PREVENT
NOTE: If CLASMAP defines TSOAUTH or OPERCMDS as anything other than the default of TYPE(TSO) or TYPE(OPR), replace TSO or OPR below with the appropriate three letters. If the CONSOLE resource is not defined to the TSOAUTH resource class, this is not a finding. At the discretion of the ISSO, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, configure the following for users granted the CONSOLE resource in the TSOAUTH resource class or users assigned the CONSOLE attribute: Logonids are restricted to the INFO level on the AUTH field specified in the OPERPARM segment of the user profile record. Logonids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class (i.e., resource rules for TYPE(OPR)). If all of the above are true, this is not a finding. If any of the above are untrue, this is a finding.
Configuration should ensure that all users that have access to the CONSOLE resource in the TSOAUTH resource class are properly defined. Ensure the CONSOLE resource is not defined to the TSOAUTH resource class. Example: $KEY(CONSOLE) TYPE(TSO) - UID(*) PREVENT At the discretion of the ISSO, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, ensure the following items are in effect for users granted the CONSOLE resource in the TSOAUTH resource class or users assigned the CONSOLE attribute: Logonids are restricted to the INFO level on the AUTH field specified in the OPERPARM segment of the user profile record. Logonids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class (i.e., resource rules for TYPE(OPR)). Example: $KEY(MVS) TYPE(OPR) MCSOPER.logonid UID(sysprgmr) SERVICE(READ) ALLOW COMPILE ' ACF2.MVA.OPR(MVS)' STORE F ACF2,REBUILD(OPR)
Ask the system administrator and/or DASD administrator to determine the System Dump data sets. Refer to data sets SYS1.DUMPxx. Dump data sets can be identified by reviewing the logical parmlib concatenation data sets for the current COMMNDxx member. Find the COM= that specifies the DUMPDS NAME (DD NAME=name-pattern) entry. The name-pattern is used to identify additional Dump data sets. If ACF2 data set rules for System Dump data sets do not restrict READ, WRITE, and/or ALLOCATE access to only systems programming personnel, this is a finding. If ACF2 data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these Dump data sets, this is a finding.
Configure data set rules for access to SYSTEM DUMP data set(s) to be limited to system programmers only, unless a letter justifying access is filed with the ISSO in the site security plan. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets.
Execute a data set list of access for SYS(x).TRACE files. If the ESM data set rule for SYS1.TRACE restricts access to systems programming personnel and started tasks that perform GTF processing, this is not a finding. If the ESM data set rule for SYS1.TRACE restricts access to others as documented and approved by ISSM, this is not a finding.
Configure the ESM access to SYS1.TRACE to be limited to system programmers or started tasks that perform GTF processing. Other user access can be granted as documented and approved by the ISSM.
From the ISPF Command Shell, enter: LISTCat USERCATALOG NAME NOPREFIX Review the ACF2 data set rules for each usercatalog defined. If the data set rules for User Catalogs do not restrict ALLOCATE access to only z/OS systems programming personnel, this is a finding. If products or procedures requiring system programmer access for system-level maintenance meet the following specific case: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. If the above is true, this is not a finding. If the data set rules for User Catalogs do not specify that all (i.e., failures and successes) ALLOCATE access will be logged, this is a finding. Note: If the USER CATALOGS contain SMS managed data sets, READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed datasets, WRITE access is required for user operation.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect USER CATALOGS. Configure ACF2 rules for allocate access to USER CATALOGS, limited to system programmers only, and all allocate access is logged. Configure ACF2 rules for the USER CATALOGS to allow any Products or procedures system programmer access for system-level maintenance that meets the following specific case: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. Note: If the USER CATALOGS contain SMS managed data sets READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed datasets WRITE access is required for user operation.
From the ISPF Command Shell enter: ACF SET CONTROL(GSO) SHOW CLASMAP If the CLASMAP DEFINITIONS list does not include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, this is a finding. NOTE: TYPE CODES values should be unique for each resource. The default TYPE CODE values should be FAC, SUR, and UNI.
Define the CLASMAP DEFINITIONS to include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes. NOTE: TYPE CODES values should be unique for each resource. The default TYPE CODE values should be FAC, SUR, and UNI. Example: TSO ACF SHOW CLASMAP ACF SET CONTROL(GSO) INSERT CLASMAP.FACILITY RESOURCE(FACILITY) RSRCTYPE(FAC) ENTITYTLN (39)
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST IF(TAPE-LBL OR TAPE-BLP) If the number of users granted the special privileges TAPE-LBL or TAPE-BLP is strictly controlled and limited to systems programmer and operations personnel, this is not a finding. If the number of users granted the special privileges TAPE-LBL or TAPE-BLP is not strictly controlled and limited to systems programmer and operations personnel, this is a finding.
The ISSO will ensure Logonids with the TAPE-LBL or TAPE-BLP are kept to a minimum and are controlled and documented. Review all LOGONIDs with these attributes. Tape label bypass (BLP) privileges will be restricted at the user level. Specify one of the following two logonid privileges to grant a user access to BLP processing: User LID Record: TAPE-LBL TAPE-BLP It is possible to grant selected programs to bypass tape label processing regardless of the BLP related privilege of the logonid executing the program. This capability will not be used due to the requirement that accounting of BLP processing be done at the user level. Do not utilize the GSO BLPPGM record.
Execute a data set list of access for System page data sets (i.e., PLPA, COMMON, and LOCALx). If the ESM data set rules for System page data sets (i.e., PLPA, COMMON, and LOCALx) do not restrict access to only systems programming personnel, this is a finding. If ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict auditors to READ only, this is not a finding.
Configure the ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) to restrict access to only systems programming personnel. Auditors may be allowed READ Access as approved by the ISSM.
From a command input screen enter: SET RESOURCE (FAC) SET VERBOSE LIST LIKE (CSV-) NOTE: If CLASMAP defines FACILITY as anything other than the default of TYPE(FAC), replace FAC with the appropriate three letters. If the ACF2 resources and/or generic equivalent are defined with a default access of PREVENT, this is not a finding. If the ACF2 resources and/or generic equivalent identified below will be defined with LOG and SERVICE(UPDATE) access restricted to system programming personnel, this is not a finding. CSVAPF. CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC CSVAPF.MVS.SETPROG.FORMAT.STATIC CSVDYLPA. CSVDYNEX. CSVDYNEX.LIST CSVDYNL. CSVDYNL.UPDATE.LNKLST CSVLLA. If the ACF2 CSVDYNEX.LIST resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) access restricted to system programming personnel, this is not a finding. If the ACF2 CSVDYNEX.LIST resource and/or generic equivalent will be defined with SERVICE(READ) access restricted to auditors, this is not a finding. If the products CICS and/or CONTROL-O are on the system, the ACF2 access to the CSVLLA resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) access restricted to the CICS and CONTROL-O STC logonids, this is not a finding. If any software product requires access to dynamic LPA updates on the system, the ACF2 access to the CSVDYLPA resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) only after the product has been validated with the appropriate STIG or SRG for compliance AND receives documented and filed authorization that details the need and any accepted risks from the site ISSM or equivalent security authority, this is not a finding. Note: In the above, SERVICE(UPDATE) can be substituted with ADD, CONTROL, or LOG/ALLOW. Review the rules definitions in the ACF2 documentation when specifying SERVICE(UPDATE).
Configure the Dynamic List resources to be defined to the IBMFAC resource class and protected. Only system programmers and a limited number of authorized users and Approved authorized Started Tasks are able to issue these commands. All access is logged. Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The resource class, actual resources, and/or prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. The required CSV-prefixed Facility Class resources are listed below. These resources and/or generic equivalents should be defined and permitted as required with only z/OS systems programmers and logging enabled. Minimum required list of CSV-prefixed resources: CSVAPF.- CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC CSVAPF.MVS.SETPROG.FORMAT.STATIC CSVDYLPA.- CSVDYLPA.ADD.- CSVDYLPA.DELETE.- CSVDYNEX.- CSVDYNEX.LIST CSVDYNL.- CSVDYNL.UPDATE.LNKLST CSVLLA.- Limit authority to those resources to z/OS systems programmers. Restrict to the absolute minimum number of personnel with LOG and SERVICE(UPDATE) access. Sample commands are shown here to accomplish one set of resources: $KEY(CSVAPF) TYPE(FAC) MVS.SETPROG.- UID(sysprgmr) LOG MVS.SETPROG.FORMAT.DYNAMIC.- UID(sysprgmr) LOG MVS.SETPROG.FORMAT.STATIC.- UID(sysprgmr) LOG MVS.SETPROG.FORMAT.- UID(sysprgmr) LOG MVS.SETPROG.FORMAT.- UID(*) PREVENT - UID(sysprgmr) LOG - UID(*) PREVENT SET R(FAC) COMPILE 'ACF2.xxxx.FAC(CSVAPF)' STORE F ACF2,REBUILD(FAC) The CSVDYLPA.ADD resource can be permitted to BMC Mainview, CA 1, and CA Common Services STC logonids with LOG and SERVICE(UPDATE) access. The CSVDYLPA.DELETE resource can be permitted to CA 1 and CA Common Services STC logonids with LOG and SERVICE(UPDATE) access. Sample commands are shown here to accomplish one set of resources: $KEY(CSVDYLPA) TYPE(FAC) ADD.- UID(sysprgmr) LOG SERVICE(UPDATE) ADD.- UID(BMC Mainview STC) LOG SERVICE(UPDATE) ADD.- UID(CA 1 STC) LOG SERVICE(UPDATE) ADD.- UID(CCS STC) LOG SERVICE(UPDATE) DELETE.- UID(sysprgmr) LOG SERVICE(UPDATE) DELETE.- UID(CA 1 STC) LOG SERVICE(UPDATE) DELETE.- UID(CCS STC) LOG SERVICE(UPDATE) - UID(sysprgmr) LOG - UID(*) PREVENT SET R(FAC) COMPILE 'ACF2.xxxx.FAC(CSVDYLPA)' STORE F ACF2,REBUILD(FAC) The CSVDYNEX.LIST resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) access restricted to system programming personnel. The CSVDYNEX.LIST resource and/or generic equivalent will be defined with SERVICE(READ) access with ALLOW restricted to auditors. Sample commands are shown here to accomplish this: $KEY(CSVDYNEX) TYPE(FAC) LIST.- UID(sysprgmr) LOG LIST.- UID(auditor) SERVICE(READ) ALLOW - UID(sysprgmr) LOG - UID(*) PREVENT SET R(FAC) COMPILE 'ACF2.xxxx.FAC(CSVDYNEX)' STORE F ACF2,REBUILD(FAC) The CSVLLA resource can be permitted to CICS and CONTROL-O STC logonids with LOG and SERVICE(UPDATE) access. Sample commands are shown here to accomplish one set of resources: $KEY(CSVLLA) TYPE(FAC) - UID(sysprgmr) LOG - UID(CICS STC logonids) LOG SERVICE(UPDATE) - UID(CONTROL-O STC logonid) LOG SERVICE(UPDATE) - UID(*) PREVENT SET R(FAC) COMPILE 'ACF2.xxxx.FAC(CSVLLA)' STORE F ACF2,REBUILD(FAC)
Refer to AXRxx member of PARMLIB For each REXXLIB ADD statement If the ESM data set rules for libraries in the REXXLIB concatenation restrict WRITE or greater access to only z/OS systems programming personnel, this is not a finding. If the ESM data set rules for libraries in the REXXLIB concatenation restrict READ access to the following, this is not a finding. Appropriate Started Tasks Auditors The user-id defined in PARMLIB member AXR00 AXRUSER(user-id) If the ESM data set rules for libraries in the REXXLIB concatenation specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is not a finding.
Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. Configure ESM data set rules to limit WRITE or greater access to libraries included in the system REXXLIB concatenation to system programmers only. Configure ESM data set rules allow READ access to only appropriate Started Tasks and Auditors. Configure ESM data set rules to log UPDATE and/or ALTER access (i.e., successes and failures).
The ACF2 data set rules for SYS1.UADS restrict ALLOCATE access to only z/OS systems programming personnel. The ACF2 data set rules for SYS1.UADS restrict READ and/or WRITE access to z/OS systems programming personnel and/or security personnel. The ACF2 data set rules for SYS1.UADS restrict READ access to auditors as documented in the Security Plan. The ACF2 data set rules for SYS1.UADS specify that all (i.e., failures and successes) data set access authorities (i.e., READ, WRITE, ALLOCATE, and CONTROL) will be logged. If all of the above are untrue, this is not a finding. If any of the above is true, this is a finding.
Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS. SYS1.UADS WRITE or Greater authority is limited to the systems programming staff. READ and/or WRITE access should be limited to the security staff. READ access is limited to Auditors when included in the site security plan Configure allocate access to SYS1.UADS to be limited to system programmers only; Read and Update access to SYS1.UADS to be limited to system programmer personnel and/or security personnel and all dataset access is logged.
Refer to the following for the PROCLIB data sets that contain the STCs and TSO logons from the following sources: - MSTJCLxx member used during an IPL. The PROCLIB data sets are obtained from the IEFPDSI and IEFJOBS DD statements. - PROCxx DD statements and JES2 Dynamic PROCLIBs. Where "xx" is the PROCLIB entries for the STC and TSU JOBCLASS configuration definitions. Verify that the accesses to the above PROCLIB data sets are properly restricted. If the following guidance is true, this is not a finding. If the ESM data set access authorizations restrict READ access to all authorized users, this is not a finding. If the ESM data set access authorizations restrict WRITE and/or greater access to systems programming personnel, this is not a finding.
Configure ESM data set rules to ensure that all WRITE and/or greater access to all PROCLIBs referenced in the Master JCL and JES2 or JES3 procedure for started tasks (STCs) and TSO logons are restricted to systems programming personnel only. Suggestion on how to update system to be compliant with this vulnerability: NOTE: All examples are only examples and may not reflect your operating environment. Obtain only the PROCLIB data sets that contain STC and TSO procedures. The data sets to be reviewed are obtained using the following steps: - All data sets contained in the MSTJCLxx member in the DD statement concatenation for IEFPDSI and IEFJOBS. - The data set in the PROCxx DD statement concatenation that are within the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions. The specific PROCxx DD statement that is used is obtained from the PROCLIB entry for the JOBCLASSes of STC and TSU. The following is what data sets the process will obtain for analysis: MSTJCL00 //MSTJCL00 JOB MSGLEVEL=(1,1),TIME=1440 //EXEC PGM=IEEMB860,DPRTY=(15,15) //STCINRDR DD SYSOUT=(A,INTRDR) //TSOINRDR DD SYSOUT=(A,INTRDR) //IEFPDSI DD DSN=SYS3.PROCLIB,DISP=SHR <<=== //DD DSN=SYS2.PROCLIB,DISP=SHR <<=== //DD DSN=SYS1.PROCLIB,DISP=SHR <<=== //SYSUADS DD DSN=SYS1.UADS,DISP=SHR //SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR JES2 //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, //DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR <<=== //DD DSN=SYS2.PROCLIB,DISP=SHR <<=== //DD DSN=SYS1.PROCLIB,DISP=SHR <<=== //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR //DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER JES2 initialization parameter JOBCLASS PROCLIB entries JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ ... PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ ... JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ ... PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ ... JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ ... PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ ... PROCLIB data set that will be used in the access authorization process: SYS3.PROCLIB SYS2.PROCLIB SYS1.PROCLIB The following PROCLIB data set will NOT be used or evaluated: SYS4.USERPROC Recommendation for sites: The following are recommendations for the sites to ensure only PROCLIB data sets that contain the STC and TSO procedures are protected. - Remove all application PROCLIB data sets from MSTJCLxx and JES2 procedures. The customer will have all JCL changed to use the JCLLIB JCL statement to refer to the application PROCLIB data sets. Example: //USERPROC JCLLIB ORDER=(SYS4.USERPROC) - Remove all access to the application PROCLIB data sets and only authorize system programming personnel WRITE and/or greater access to these data sets. - Document the application PROCLIB data set access for the customers that require WRITE and/or greater access. Use this documentation as justification for the inappropriate access created by the scripts. - Change MSTJCLxx and JES2 procedure to identify STC and TSO PROCLIB data sets separate from application PROCLIB data sets. The following is a list of actions that can be performed to accomplish this recommendation: a. Ensure that MSTJCLxx contains only PROCLIB data sets that contain STC and TSO procedures. b. If an application PROCLIB data set is required for JES2, ensure that the JES2 procedure specifies more than one PROCxx DD statement concatenation or identified in the JES2 dynamic PROCLIB definitions. Identify one PROCxx DD statement data set concatenation that contains the STC and TSO PROCLIB data sets. Identify one or more additional PROCxx DD statements that can contain any other PROCLIB data sets. The concatenation of the additional PROCxx DD statements can contain the same data sets that are identified in the PROCxx DD statement for STC and TSO. The following is an example of the JES2 procedure: //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, //DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR //DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER c. Ensure that the JES2 configuration file is changed to specify that the PROCLIB entry for the STC and TSU JOBCLASSes point to the proper PROCxx entry within the JES2 procedure or JES2 dynamic PROCLIB definitions that contain the STC and/or TSO procedures. All other JOBCLASSes can specify a PROCLIB entry that uses the same PROCxx or any other PROCxx DD statement identified in the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions. The following is an example of the JES2 initialization parameters: JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ ... PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ ... JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ ... PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ ... JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ ... PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ ... d. Ensure that only system programming personnel are authorized WRITE and/or greater access to PROCLIB data sets that contain STC and TSO procedures.
Refer to SYSCATxx member of SYS1.NUCLEUS. Multiple SYSCATxx members may be defined if so refer to Master Catalog message for IPL. If the member is not found, refer to the appropriate LOADxx member of SYS1.PARMLIB. If data set rules for the Master Catalog do not restrict greater than "READ" access to only z/OS systems programming personnel, this is a finding. If Products or procedures requiring system programmer access for system level maintenance meet the following specific case: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. If the above is true, this is not a finding. If data set rules for the Master Catalog do not specify that all (i.e., failures and successes) greater than "READ" access will be logged, this is a finding.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the MASTER CATALOG. Configure the ESM rules for system master catalog to only allow access above "READ" to systems programmers and those authorized by the Site Security Plan. Configure ESM rules for the system master catalog to allow access above "READ" to systems programmers ONLY. Configure ESM rules for the system master catalog to allow any Products or procedures system programmer access for system level maintenance that meet the following specific case: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. All greater than read access must be logged.
Refer to the proper CONSOLxx member of SYS1.PARMLIB. From a ACF Command screen enter: ACF SET RESOURCE(CON) SET VERBOSE LIST LIKE(-) NOTE: If CLASMAP defines CONSOLE as anything other than the default of TYPE(CON), replace CON below with the appropriate three letters. If each console in the CONSOLxx member is defined to ACF2 with a corresponding resource rule for TYPE(CON), this is not a finding. If each TYPE(CON) rule is defined with PREVENT access by default, this is not a finding. If the logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding. If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel or authorized personnel, this is not a finding.
Configuration should ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers. Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the CONSOLxx parmlib members is defined to ACF2 with a corresponding resource rule for TYPE(CON). Each TYPE(CON) rule is defined with PREVENT access by default. The logonid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class. Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel or authorized personnel. Example: $KEY(MZNC20) TYPE(CON) USERDATA(CONSOLE ID SECURITY) UID(sysprgmr) ALLOW UID(oper) ALLOW UID(MZNC20) ALLOW DATA(MZNC20 CONSOLE LOGONID ACCESS REQUIREMENTS) UID(*) PREVENT SET R(CON) COMPILE 'ACF2.MZN.CON(MZNC20)' STORE F ACF2,REBUILD(CON)
If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. The ACP data set rules for SYS1.NUCLEUS do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS. Configure the update and allocate access to SYS1.NUCLEUS to be limited to system programmers only and all update and allocate access is logged.
Execute a data set list of access for SYS1.LPALIB. If any of the following is true, this is a finding. - The ACF2 data set rules for SYS1.LPALIB do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. - The ACF2 data set rules for SYS1.LPALIB do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.LPALIB. Configure update and allocate access to SYS1.LPALIB to be limited to system programmers only and all update and allocate access is logged.
Execute a data set list of access for SYS1.IMAGELIB. If the following guidance is true, this is not a finding. The ACP data set rules for SYS1.IMAGELIB allow inappropriate access. The ACP data set rules for SYS1.IMAGELIB do not restrict WRITE and/or ALLOCATE access to only systems programming personnel. The ACP data set rules for SYS1.IMAGELIB do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Configure WRITE and/or ALLOCATE access to SYS1.IMAGELIB to be limited to system programmers only and all update and allocate access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect SYS1.IMAGELIB. SYS1.IMAGELIB is automatically APF-authorized. This data set contains modules, images, tables, and character sets which are essential to system print services.
Examine the system for active exit modules. You may need system administrator help for this. Third-party software products can determine standard and dynamic exits loaded in the system. If all the exits are found within APF, LPA, and LINKLIST, this is not applicable. If ESM data set rules for libraries that contain system exit modules restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel, this is not a finding. If the ESM data set rules for libraries that contain exit modules specify that all UPDATE and ALLOCATE access will be logged, this is not a finding.
Using the ESM, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. See that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed. Configure ESM data set rules for all update and alter access to libraries containing z/OS and other system level exits will be logged using the ACP's facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system level exits.
From Any ISPF input line, enter: TSO ISRDDN APF If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. - The ACP data set rules for APF libraries do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. - The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. Configure Update and Allocate access to all APF-authorized libraries to be limited to system programmers only and all update and alter access is logged.
From any ISPF input line, enter TSO ISRDDN LPA. If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. The ACP data set rules for LPA libraries do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. The ACP data set rules for LPA libraries do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect LPA Libraries. Configure the update and allocate access to all LPA libraries to be limited to system programmers only and all update and allocate access is logged.
From any ISPF input line, enter TSO ISRDDN LINKLIST If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. The ACP data set rules for LINKLIST libraries do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. The ACP data set rules for LINKLIST libraries do not specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the LINKLIST libraries. Configure the update and allocate access to LINKLIST libraries to be limited to system programmers only and all update and allocate access is logged.
Have the systems programmer for z/OS supply the following information: - The data set name and associated SREL for each SMP/E CSI used to maintain this system. - The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid. The ACF2 data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. If all of the above are untrue, this is not a finding. If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a finding.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries. Configure allocate access to all system-level product execution libraries to be limited to system programmers only.
Execute a data set list of access for SYS1.SVCLIB. If all of the following are true, this is not a finding. If any of the following are untrue, this is a finding. ACF2 data set rules for SYS1.SVCLIB restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. ACF2 data set rules for SYS1.SVCLIB specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access will be logged.
Configure update and allocate access to SYS1.SVCLIB to be limited to system programmers only and all Update and Allocate access is logged and reviewed. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes for SYS1.SVCLIB. SYS1.SVCLIB contains SVCs and I/O appendages as such: they are very powerful and will be strictly controlled to avoid compromising system integrity.
Execute a data set list of access to SYS1.LINKLIB. If the ESM data set rules for SYS1.LINKLIB allow inappropriate (e.g., global READ) access, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ, UPDATE and ALTER access to only systems programming personnel, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding. If data set rules for SYS1.LINKLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged this is a finding.
Configure the ESM rules for SYS1.LINKLIB limit access to system programmers only and all update and allocate access is logged.
Obtain the procedures and collection specifics for SMF data sets and backup. If the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater access to authorized site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding. If the ESM dataset rules for the SMF dump/backup files do not restrict update access as documented in the site security plan, this is a finding. If the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding. If the ESM data set rules for the SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is a finding.
Define WRITE or greater access to data sets used to back up and/or dump SMF collection files to be limited to system programmers and/or batch jobs that perform SMF dump processing. Ensure that all data set access is logged. Define data set rules for the SMF dump/backup files to restrict UPDATE access to others approved by the ISSM. Define READ Access to data sets used to back up and/or dumpSMF collection files to be limited to auditors and others approved by the ISSM. Ensure that all WRITE or greater access authority to SMF history files will be logged using the ESM's facilities. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect data sets used to back up and/or dump SMF Collection Files. In z/OS systems, SMF data is the ultimate record of system activity. Therefore, SMF data is of the most sensitive and critical nature. While the length of time for which SMF data will be retained is not specifically regulated, it is imperative that the information is available for the longest possible time period in case of subsequent investigations. The statute of limitations varies according to the nature of a crime. It may vary by jurisdiction, and some crimes are not subject to a statute of limitations. Apply the following guidelines to the retention of SMF data for all DOD systems: (a) Retain at least two (2) copies of the SMF data. (b) Maintain SMF data for a minimum of one year. (c) All WRITE or greater access authority to SMF history files will be logged using the ACP's facilities. Only systems programming personnel and batch jobs that perform SMF functions will be authorized to update the SMF files.
Ask the system administrator to provide a list of all emergency userids available to the site along with the associated function of each. If SYS1.UADS userids are limited and reserved for emergency purposes only, this is not a finding.
Configure the SYS1.UADS entries to ensure LOGONIDs defined include only those users required to support specific functions related to system recovery. Evaluate the impact of accomplishing the change.
From the ACF Command screen enter: SET RESOURCE(FAC) LIST IEASYMUP If the accesses for IEASYMUP resources and/or generic equivalent are properly restricted, this is not a finding. The ACF2 resources are defined with a default access of PREVENT. The ACF2 resource access authorizations specify SERVICE(UPDATE) and/or greater access to only DASD administrators, Tape Library personnel, and system programming personnel. The ACF2 resource access authorizations specify logging.
Configure the System level symbolic resources to be defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to the above personnel with LOG and SERVICE(UPDATE) and/or greater access. The following commands are provided as a sample for implementing resource controls: $KEY(IEASYMUP) TYPE(FAC) - UID(<dasd>) SERVICE(UPDATE) LOG - UID(<sysprgmr>) SERVICE(UPDATE) LOG - UID(<tape librarian>) SERVICE(UPDATE) LOG - UID(*) PREVENT SET R(FAC) COMPILE 'ACF2.FAC(IEASYMUP)' STORE F ACF2,REBUILD(FAC)
Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs. If ESM data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups, this is a finding. If READ Access to system backup data sets is not limited to auditors and others approved by the ISSM, this is a finding.
Obtain the high level indexes to backup data sets names define their access to be restricted by the System's ESM to System Programmers and batch jobs that perform the backups. Define READ Access to system backup data sets to be limited to auditors and others approved by the ISSM.
From the ACF command screen enter: SET CONTROL(GSO) LIST LIKE(PPGM-) Refer to the table of Sensitive Utilities resources and/or generic equivalent as detailed in the table. If all applicable programs or their generic equivalent referenced below are represented by GSO PPGM record values, this is not a finding. Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only.
Configure the PPGM GSO value indicating protected programs that are only executed by privileged users in the table below. Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only. Define protected programs that can only be executed by privileged users. PGM MASK(pgm mask1, ...,pgm-mask255) Example: SET C(GSO) INSERT PPGM PGM-MASK(<program name or generic equivalent>) F ACF2,REFRESH(PPGM)
From an ACF command screen enter: SET CONTROL(GSO) SHOW PSwdopts If "MAXTRY" is set to "3", this is not a finding. If "PASSLMT" is set to "3", this is not a finding.
Configure the GSO option "MAXTRY" to equal "3". Configure the GSO option "PASSLMT" to equal "3".
Execute a data set list of access to SYS1.PARMLIB. If the ESM data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access. If data set rules for SYS1.PARMLIB do not restrict READ, UPDATE, and ALTER access to only systems programming personnel, this is a finding. If data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding. If data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding. If data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged, this is a finding.
Configure access rules for SYS1.PARMLIB as follows: Systems programming personnel will be authorized to update and alter the SYS1.PARMLIB concatenation. Domain level security administrators can be authorized to update the SYS1.PARMLIB concatenation. System Level Started Tasks, authorized Data Center personnel, and auditor can be authorized read access by the information system security officer (ISSO). All update and alter access is logged.
Refer to the active tasks on the system. You can use IBM SDSF or the system Log. If CA-ACF2 is active, this is not a finding.
Assure that CA-ACF2 is active on the system.
The ACF2 data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict WRITE and/or ALLOCATE access to only z/OS systems programming personnel. The ACF2 data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access not documented and approved by the ISSO. If both of the above are untrue, this is not a finding. If either of the above are true, this is a finding.
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries. Configure allocate access to all system-level product execution libraries to be limited to system programmers only. Access other than this should be documented and approved by the ISSO.
Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries however, to determine program entries issue the following command from an ISPF command line: TSO ISRDDN LOAD IEFSDPPT Press Enter For each module identified in the 'eyecatcher' : If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. -The ESM data set rules for libraries that contain PPT modules do not restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel. -The ESM data set rules for libraries that contain PPT modules do not specify that all UPDATE and ALLOCATE access will be logged.
Configure the Update and Allocate access to libraries containing PPT modules to be limited to system programmers only and all Update and Allocate access is logged.
From the ACF Command enter: SET CONTROL(GSO) LIST LIKE(EXIT-) If the GSO EXITS record values conform to the following requirements, this is not a finding. Specifies the module names of site written ACF2 exit routines. NOTE: The DSNPOST exit is optional and is not required to be specified in the GSO EXITS record. DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) NOTE: No other exits are authorized at this time. NOTE: Local changes will be documented in writing with supporting documentation. If there is any deviation from the above requirements in the GSO EXITS record values, this is a finding.
Configure the EXITS GSO value to specify the module names of site written ACF2 exit routines. Specifies the module names of site written ACF2 exit routines. NOTE: The DSNPOST exit is optional and is not required to be specified in the GSO EXITS record. DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) Example: SET C(GSO) INSERT EXITS DSNPOST(module) SEVPRE(SEVPRE01) SEVPOST(SEVPST01) F ACF2,REFRESH(EXITS) NOTE: No other exits are authorized at this time. NOTE: Local changes will be justified in writing with supporting documentation.
From the ACF Command screen enter: SET LID LIST IF(REFRESH) If procedures exist to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is not a finding. Example of a suggested procedure follows: When the ISSO determines it necessary to refresh the ACF2 global options, the ISSO will do the following: -Activate the REFRESH ID with the following setting(s): NOSUSPEND NOPSWD EXP PASSWORD(new password) -Instruct Operations to perform the REFRESH. -Deactivate the REFRESH ID with the following setting: SUSPEND If no procedures exist in accordance with the STIG requirements to utilize the logonid with the REFRESH attribute to refresh ACF2 global options, this is a finding.
Review security procedures for defining LOGONIDs and develop documentation of requirements for the LOGONID associated with the REFRESH attribute. Example of a suggested procedure follows: When the ISSO determines it necessary to refresh the ACF2 global options, the ISSO will do the following: -Activate the required REFRESH ID with the following setting(s): NOSUSPEND NOPSWD EXP PASSWORD(new password) -Instruct Operations to perform the REFRESH using the newly activated REFRESH ID. -After refresh is completed. -Deactivate the REFRESH ID with the following setting: SUSPEND This procedure should be documented in the Site Security Plan.
From the ACF Command screen enter: SET CONTROL(GSO) LIST TSO If the GSO TSO record values conform to the following requirements, this is not a finding. ACCOUNT(1) BYPASS(#) CHAR(BS) CMDLIST() NOIKJEFLD1 LINE(ATTN) LOGONCK PERFORM(0) PROC(site defined) NOQLOGON REGION(site defined) SUBCLSS() SUBHOLD() SUBMSG() TIME(0) TSOSOUT(A) UNIT(SYSDA) WAITIME(1-60)
Configure the GSO TSO record values to conform to the following requirements. ACCOUNT(1) BYPASS(#) CHAR(BS) CMDLIST() NOIKJEFLD1 LINE(ATTN) LOGONCK PERFORM(0) PROC(site defined) NOQLOGON REGION(site defined) SUBCLSS() SUBHOLD() SUBMSGC() TIME(0) TSOSOUT(A) UNIT(SYSDA) WAITIME(1-60) Example: SET C(GSO) INSERT TSO ACCOUNT(1) BYPASS(#) CHAR(BS) CMDLIST() NOIKJEFLD1 LINE(ATTN) LOGONCK PERFORM(0) PROC(IKJACCNT) NOQLOGON REGION(4,096) SUBCLSS() SUBHOLD() SUBMSGC() TIME(0) TSOGNAME() TSOSOUT(A) UNIT(SYSDA) WAITIME(60) F ACF2,REFRESH(TSO)
From the ACF Command line enter: SET LID LIST IF(READALL) If procedures are in place to ensure logonids with the READALL attribute are used and controlled in accordance with the DISA requirements, this is not a finding. The READALL privilege is available for actual auditing of system data. It gives the capability of looking at every data set on the system despite the data set rules. Its use is strongly discouraged. Always grant access through the use of standard data set access rules. Under no circumstances will the privilege be used as a convenience to the person maintaining the rule sets. Only use this privilege when absolutely necessary, and only give it to auditors. Remove the privilege once the audit is complete. Fully document the granting and revoking of the access.
Develop procedures to control Logonids with the READALL attribute. The READALL privilege is available for actual auditing of system data. It gives the capability of looking at every data set on the system despite the data set rules. Its use is strongly discouraged. Always grant access through the use of standard data set access rules. Under no circumstances will the privilege be used as a convenience to the person maintaining the rule sets. Only use this privilege when absolutely necessary, and only give it to auditors. Remove the privilege once the audit is complete. Fully document the granting and revoking of the access.
From the ACF Command screen enter: SET LID LIST IF(SECURITY) If all logonids with the SECURITY attribute also have the RULEVLD and RSRCVLD attributes specified, this not a finding. If any logonid with the SECURITY attribute does not have the RULEVLD and/or RSRCVLD attributes specified, this is a finding.
Configure Logonids with the SECURITY attribute to have the RULEVLD and RSRCVLD attributes specified. If a logonid is granted the SECURITY privilege, it is mandatory that RULEVLD and RSRCVLD attributes will also be specified for the logonid. Example: SET LID CHANGE logonid RULEVLD RSRCVLD
From the ACF Command Screen enter: SET LID LIST IF(AUDIT) If all logonids with the attributes AUDIT and/or CONSULT also do not have the SCPLIST attribute specified properly according to job function and areas of responsibility, this is a finding. NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security ISSM/ISSO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.
Configure logonids with the AUDIT or CONSULT attributes are restricted by a SCPLIST attribute that restricts authority based on job function and area of responsibility. The following user attributes allow viewing of the ACF2 databases for the purpose of inspecting users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record: AUDIT CONSULT NOTE: SCPLST attributes are not required for Logonids with the attributes AUDIT or CONSULT if the security ISSM/ISSO determines it requires ability to view the entire ACF2 environment. SCPLST attributes are not required for Auditors, Domain Level Security Admin Logonids, and BATCH Logonids that review the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.
From the ACF Command screen enter: SET LID LIST IF(ACCTPRIV) If logonids with the ACCTPRIV attribute specified are not assigned to the security administrator, this is a finding.
Configure logonids with the ACCTPRIV attribute to be only reserved for use by the Security manager. The ACCTPRIV attribute cannot be scoped, and will be restricted exclusively to a site security administrator: Example: SET LID CHANGE logonid ACCTPRIV
From the ACF command screen enter: SET LID SET VERBOSE LIST IF(RESTRICT) If the logonids that are associated with batch jobs have the RESTRICT attribute, then the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified. If all restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, and/or the SOURCE(xxxxxxxx) attribute, this is not a finding. If the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute is not specified for any restricted logonids, this is a finding.
All batch jobs scheduled via an automation process will use the //*LOGONID xxxxxxxx card in the JCL stream to identify the userid. Use restricted logonids with the following parameter coded: RESTRICT One or both of the following will also be specified: PGM(xxxxxxxx) and SUBAUTH SOURCE(xxxxxxxx) The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for batch processing will not be used. The use of USER= can also be used in the jobcard to identify the userid to be used for a job's processing.
From the ACF Command enter: SET CONTROL(GSO) LIST RULEOPTS If the following options are defined, this is not a finding. NO$NOSORT CENTRAL CHANGE DECOMP(AUDIT SECURITY) | DECOMP(AUDIT) | DECOMP(SECURITY) The other RULEOPTS values should be assigned carefully as they affect the Rules and Infostorage databases.
Configure the GSO RULEOPTS record values to conform to the following requirements. NO$NOSORT CENTRAL CHANGE DECOMP(AUDIT SECURITY) | DECOMP(AUDIT) | DECOMP(SECURITY) The other RULEOPTS values should be assigned carefully as they affect the Rules and Infostorage databases. Example: SET C(GSO) INSERT RULEOPTS NO$NOSORT CENTRAL CHANGE NOCOMPDYN DECOMP(AUDIT SECURITY) F ACF2,REFRESH(RULEOPTS)
From the ACF Command enter: SET CONTROL(GSO) LIST OPTS If the GSO OPTS record values conform to the following requirements, this is not a finding. BLPLOG NOCMDREC CONSOLE(NOROLL) CPUTIME(LOCAL) DATE(MDY) NODDB DFTLID() DFTSTC() INFOLIST(none | AUDIT | SECURITY | SECURITY, AUDIT) JOBCK MAXVIO(10) NOTIFY RPTSCOPE SHRDASD STAMPSMF STC TAPEDSN TEMPDSN NOUADS NOVTAMOPEN
Define the global options available to the system. BLPLOG NOCMDREC CONSOLE(NOROLL) CPUTIME(LOCAL) DATE(MDY) NODDB DFTLID() DFTSTC() INFOLIST(none | AUDIT | SECURITY | SECURITY, AUDIT) JOBCK MAXVIO(10) NOTIFY RPTSCOPE SHRDASD STAMPSMF STC TAPEDSN TEMPDSN NOUADS NOVTAMOPEN Example: SET C(GSO) INSERT OPTS BLPLOG NOCMDREC CONSOLE(NOROLL) CPUTIME(LOCAL) DATE(MDY) NODDB DFTLID() DFTSTC() INFOLIST(SECURITY, AUDIT) JOBCK MAXVIO(10) MODE(ABORT) NOTIFY RPTSCOPE SHRDASD STAMPSMF STC TAPEDSN TEMPDSN NOUADS NOVTAMOPEN F ACF2,REFRESH(OPTS)
From the ISPF Command Shell enter: ACF to enter ACF2 Command shell enter SHOW STATE If "PSWDRSV = NO", this is a finding. If "PSWDRSVW = NO", this is a finding. SHOW PSwdopts Reserved Words and Prefixes APPL APR ASDF AUG BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234
Configure the GSO record to include PSWDRSV and PSWDRSVW.
From the ACF Command screen, enter: SET CONTROL(GSO) SHOW DDSN Exexute the ISPF Data Set List Utility for each dataset listed to determine the volume. If the ACF2 database is not located on the same volume as either its alternate or backup file, this is not a finding. If the ACF2 database is collocated with either its alternate or backup, this is a finding.
Configure the placement of ACF2 files are on a separate volume from its backup and recovery data sets to provide backup and recovery in the event of physical damage to a volume. Identify the ACF2 database(s), backup database(s), and recovery data set(s). Develop a plan to keep these data sets on different physical volumes. Implement the movement of these critical ACF2 files. File location is an often overlooked factor in system integrity. It is important to ensure that the effects of hardware failures on system integrity and availability are minimized. Avoid collocation of files such as primary and alternate databases. For example, the loss of the physical volume containing the ACF2 database should not also cause the loss of the ACF2 backup database as a result of their collocation. Files that will be segregated from each other on separate physical volumes include, but are not limited to, the ACF2 database and its alternate or backup file.
From the ACF Command enter: SET CONTROL(GSO) SHOW SYSTEMS If based on the information provided, it can be determined that the ESM database is being backed up on a regularly scheduled basis, this is not a finding. If it cannot be determined that the ESM database is being backed up on a regularly scheduled basis, this is a finding.
Configure ACF2 GSO option to ensure that procedures are in place to back up all ACP files needed for recovery on a scheduled basis. At a minimum, this means nightly backup of the ACP databases and of other critical security files (such as the ACP parameter file). More frequent backups (two or three times daily) will reduce the time necessary to effect recovery. The ISSO will verify that the backup job(s) run successfully.
From the ACF Command screen enter: SET LID LIST IF(REFRESH) If logonids exist with the REFRESH attribute not assigned to a site security administrator, this is a finding.
Define any logonid with the REFRESH attribute to be assigned to a site security administrator only. Example: SET LID CHANGE logonid REFRESH
From the ACF Command screen enter: SET LID LIST IF(MAINT) SET CONTROL(GSO) LIST LIKE(MAINT-) If every maintenance logonid has a corresponding GSO MAINT record, this is not a finding.
Ensure that an associated GSO maintenance record exists for each special user logonid identifying the program(s) that it is permitted to access and the library where the program(s) resides. Define associated GSO MAINT record for each special user logonid, identifying the program(s) that it is permitted to access and the library where the program(s) resides. Every maintenance logonid has a corresponding GSO MAINT record. Example: SET C(GSO) INSERT MAINT.DFSMSHSM LIBRARY(SYS1.LINKLIB) LID(HSMDFDSS) PGM(ADRDSSU) F ACF2,REFRESH(MAINT)
From the ACF command screen enter: SET LID SET VERBOSE LIST IF(NON-CNCL) If only logonids associated with trusted STCs have the NON-CNCL attribute specified, this is not a finding. TRUSTED STCs: STCs that are listed as z/OS started tasks and address spaces in the IBM z/OS MVS Initialization and Tuning Reference. Guidelines for reference: Assign the TRUSTED attribute when one of the following conditions applies: -The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation. -Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem. -Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation. Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official AO.
Review all LOGONIDs with the NON-CNCL attribute. Ensure that only STCs in the trusted list in the IBM z/OS MVS Initialization and Tuning Reference have been granted this authority. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes. Trusted STCs: While the actual list may vary based on local site requirements and software configuration, the started tasks listed in the IBM z/OS MVS Initialization and Tuning Reference is an approved list of started tasks that may be considered trusted started procedures. Guidelines for reference: Assign the TRUSTED attribute when one of the following conditions applies: -The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation. -Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem. -Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation. Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official AO. These STCs will be given the following attribute to facilitate access while logging any accesses they would not ordinarily be granted by the access rule sets: NON-CNCL Example: SET LID CHANGE logonid STC NON-CNCL
From the ACF command screen enter: SET LID LIST IF(ACCOUNT) LIST IF(LEADER) LIST IF(SECURITY) Review all logonids for specific groups with the attributes ACCOUNT, LEADER, or SECURITY. If each has the SCPLIST attribute specified properly according to job function and areas of responsibility, this is not a finding. NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.
The following user attributes allow update of the ACF2 databases for administering users, data set access rules, and Infostorage records. When granted to a logonid, restrict the scope of the following attributes using an associated SCPLIST (scope list) record: ACCOUNT LEADER SECURITY NOTE: SCPLST attributes are not required for Domain Level Security Admin Logonids and BATCH Logonids that administer and modify the entire ACF2 environment to include GSO records, data set and resource rules, etc. or run audit reports.
From the ACF command screen enter: SET LID SET VERBOSE LIst IF(MUSASS & STC) If any started task logonid that has the MUSASS attribute and the requirement to submit jobs on behalf of its users does not have the JOBFROM attribute, this is a finding.
Ensure that if MUSASS has the requirement to submit jobs on behalf of its users, the STC logonid has the JOBFROM attribute specified. If the MUSASS has the requirement to submit jobs on behalf of its users, the STC logonid will also have the following attribute: JOBFROM Example: SET LID CHANGE logonid STC JOBFROM
Refer to the site security plan, the system administrator, and system libraries to determine list of stated tasks available on the system. From the ACF command screen enter: SET LID SET VERBOSE LIST IF(STC) If all logonids identified as started tasks have the STC attribute specified, this is not a finding.
All started tasks will be assigned an individual logonid. The logonid for a Started Task Control (STC) will be granted the minimum privileges necessary for the STC to function. In addition to the default LID field settings, all STC logonids will have the following field setting: STC Example: SET LID INSERT logonid STC
From the ACF Command screen enter: SET LID LIST IF(REFRESH) If the logonid is an emergency logonid and the REFRESH attribute is not in SUSPEND status, this is a finding.
The emergency logonids with the REFRESH attribute must be in SUSPEND status unless actually in use. Example: SET LID CHANGE logonid SUSPEND
From the ACF command screen enter: SET CONTROL(GSO) LIST LIKE(BACKUP-) If the GSO BACKUP record values conform to the following requirements, this is not a finding. Example: CPUID() PRISPACE(5) SECSPACE(5) STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO) If there is any deviation from the above requirements in the GSO BACKUP record values, this is a finding.
Configure the BACKUP GSO value to specify a time field and Time(00:00 ) is not specified unless the database is shared and backed up on another system. CPUID() PRISPACE(5) SECSPACE(5) STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO) Example: SET C(GSO) INSERT BACKUP CPUID() PRISPACE(5) SECSPACE(5) STRING(S ACFBKUP) TIME(00:01) WORKUNIT(VIO) F ACF2,REFRESH(BACKUP)
From the ACF Command screen enter: SET CONTROL(GSO) LIST LIKE(APPLDEF-) If the GSO APPLDEF record does not exist, this is not a finding. If the GSO APPLDEF record does exist and no supporting documentation is available, this is a finding.
For any APPLDEF GSO record used, it must have supporting documentation indicating the reason it was used. The APPLDEF record is optional.
From the ACF Command screen enter: SET CONTROL(GSO) LIST LIKE(MAINT-) If the GSO MAINT record values conform to the following requirements, this is not a finding. Specifies the logonid, program, and library combinations used for system maintenance functions. NOTE: For logonids that match environments described in records, no SMF logging records will be created. NOTE: Entries will be restricted to production storage management user accounts and programs. If there is any deviation from the above requirements in the GSO MAINT record values, this is a finding.
Configure the MAINT GSO value to be specified as restricted to production storage management user accounts and programs. Specifies the logonid, program, and library combinations used for system maintenance functions. NOTE: For logonids that match environments described in records, no SMF logging records will be created. NOTE: Entries will be restricted to production storage management user accounts and programs.
From the ACF Command screen enter: SET CONTROL(GSO) LIST LINKLST If the GSO LINKLST record values conform to the following requirements, this is not a finding. Specifies one or more partitioned data sets considered part of the system link (SYS1.LINKLIB) during data set access validation. Only trusted system data sets will be listed. Application libraries will never be included. Example: LIBRARY(SYS1.LINKLIB SYS2A.FDR.LOADLIB) If there is any deviation from the above requirements in the GSO LINKLST record values, this is a finding.
Configure the LINKLIST GSO value if specified only contains trusted system data sets. Specifies one or more partitioned data sets considered part of the system link (SYS1.LINKLIB) during data set access validation. Only trusted system data sets will be listed. Application libraries will never be included. Example: SET C(GSO) INSERT LINKLST LIBRARY(SYS1.LINKLIB SYS2A.FDR.LOADLIB) F ACF2,REFRESH(LINKLST)
Refer to IEASYS00 to determine the correct CONSOLxx member. Examine the CONSOLxx member. Verify that the MCS console logonids are properly restricted. If the following guidance is true, this is not a finding. Each console defined in the currently active CONSOLxx parmlib member is associated with a valid ACF2 logonid. Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc.). Each console logonid has no accesses to interactive online facilities (e.g., TSO, CICS, etc., excluding VTAM SMCS consoles). Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. NOTE: Execute the JCL in CNTL(ACFRPTRX) using the ACF2 console userids in the LID statements in the SYSIN input. This report lists all occurrences of these userids within the ACF2 database, including data set and resource access lists.
Define all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) to be defined to the ESM. Review the MCS console resources defined to z/OS and the ESM and ensure they conform to those outlined below. Each console defined in the currently active CONSOLxx parmlib member is associated with a valid ACF2 logonid. Each console logonid has no special privileges and/or attributes (e.g., ACCOUNT, SECURITY, etc., excluding VTAM SMCS consoles). Each console logonid has no accesses to interactive online facilities (e.g., TSO, CICS, etc.). Each console logonid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console logonids may be given with SERVICE(READ) to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resources. Example: INSERT MVAC20 NAME(MVA CONSOLE C20) PASSWORD(xxxxxxxx) $KEY(MVS) TYPE(OPR) MCSOPER.- UID(MVAC20) SERVICE(READ) ALLOW CONTROL.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) MONITOR.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) STOPMN.- UID(MVAC20) SERVICE(READ) ALLOW DATA(FOR LOGON(AUTO)) DISPLAY.- UID(*) SERVICE(READ) ALLOW - UID(*) PREVENT SET R(OPR) COMPILE ' ACF2.MVA.OPR(MVS)' STORE F ACF2,REBUILD(OPR) $KEY(consname) TYPE(CON) UID(MVAC20) SERVICE(READ) ALLOW SET R(CON) COMPILE ' ACF2.MVA.CON(consname)' STORE F ACF2,REBUILD(CON)
From the ISPF Command Shell enter: ACF SET CONTROL(GSO) LIST BLPPGM If the BLPPGM record is defined, this is a finding.
The BLPPGM GSO value indicates that ACF2 does not control the programs authorized to use tape bypass label processing (BLP). Delete the BLPPGM from GSO options.
From the ACF command screen enter: SET PROFILE(USER) DIVISION(OMVS) SET VERBOSE LIST LIKE(-) If UID(0) is assigned only to system tasks such as the z/OS/ UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, this is not a finding. If UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, this is not a finding. NOTE: The assignment of UID(0) confers full time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges. If UID(0) is assigned to non-systems or non-maintenance accounts, this is a finding.
Assure that UID(0) is defined as specified below: UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons. UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components. NOTE: The assignment of UID(0) confers full time superuser privileges, this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST OMVS SECTION(ALL) PROFILE(OMVS) If OMVS is defined as follows, this is not a finding. No access to interactive on-line facilities (e.g., TSO, CICS, etc). Default group specified as OMVSGRP or STCOMVS UID(0) HOME directory specified as "/" Shell program specified as "/bin/sh" If OMVS is not defined as specified in above, this is a finding.
Define the OMVS (IBM default name for USS Kernel), as specified below: No access to interactive on-line facilities (e.g., TSO, CICS, etc.) Default group specified as OMVSGRP or STCOMVS UID(0) HOME directory specified as "/" Shell program specified as "/bin/sh"
RMFGAT is the userid for the Resource Measurement Facility (RMF) Monitor III Gatherer. If RMFGAT is not define, this is Not Applicable. From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST RMFGAT SECTION(ALL) PROFILE(OMVS) If RMFGAT is defined as follows, this is not a finding: Default group specified as OMVSGRP or STCOMVS A unique, non-zero UID HOME directory specified as "/" Shell program specified as "/bin/sh"
Define the RMFGAT user account as specified below: Default group specified as OMVSGRP or STCOMVS A unique, non-zero UID HOME directory specified as "/" Shell program specified as "/bin/sh"
From an ACF Command Screen enter: SET LID LIST * If the below listed fields are complete for all logonids, this is not a finding. NAME User's name UID-String All fields defined in the ACFFDR @UID macro NOTE: A completed NAME field that can either be traced back to a current DD Form 2875 or a Vendor Requirement (example: A Started Task). NOTE: A user may be required to have more than one logonid but users must not share userids.
Define every user to ACF2 with a unique userid. (ACF2 calls this a logonid.) To ACF2, a user is an individual, a started task, or a batch job. Every user will be fully identified within ACF2. Complete the following fields for every logonid: NAME - User's name UID-String - All fields defined in the ACFFDR @UID macro All fields that comprise the standard UID string will be filled out for each user as a logonid is added. Example: SET LID INSERT logonid UID(uid string) NAME(user name)
Obtain a list of all userids that are shared among multiple users (i.e., not uniquely identified system users). If there are no shared userids on this domain, this is not a finding. If there are shared userids on this domain, this is a finding. NOTE: Userids should be able to be traced back to a current DD Form 2875 or a Vendor Requirement (example: A Started Task).
Identify user accounts defined to the ESM that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ESM.
From the ISPF Command Shell enter: ACF If every user shows an ACC-DATE=mm/dd/yy within the past 35 days, this is not a finding. NOTE: VALID FOR INTERACTIVE USERIDS, NOT VALID FOR STARTED TASK USERIDS AND BATCH USERIDS.
Develop a procedure to check all userids for inactivity more than 35 days. If found, the information system security officer (ISSO) must suspend an account, but not delete it until it is verified by the local ISSO that the user no longer requires access. If verification is not received within 60 days, the account may be deleted.
From the ISPF Command Screen enter: ACF SET CONTROL(GSO) LIST PWPHRASE If the following options are in effect, this is not a finding. If any of the options deviate from the following, this is a finding. The GSO PWPHRASE record will conform to the following requirements. ALPHA(1 or greater) HISTORY(10-32) MAXDAYS(1-60) MINDAYS(1) MINLEN(15-100) NUMERIC(1 or greater) SPECIAL(1 or greater) SPECLIST(character list) WARNDAYS(1-10) Note: The SPECLIST special characters will be specified at a minimum. Characters will conform to the allowable list defined in CA ACF2 for z/OS Administration Guide.
Configure the PWPHRASE GSO values to be set to the values specified. Ensure the GSO PWPHRASE record values conform to the following requirements: ALPHA(1 or greater) HISTORY(10-32) MAXDAYS(1-60) MINDAYS(1) MINLEN(15-100) NUMERIC(1 or greater) SPECIAL(1 or greater) SPECLIST(character list) WARNDAYS(1-10) Note: The SPECLIST special characters will be specified at a minimum. Characters will conform to the allowable list defined in CA ACF2 for z/OS Administration Guide. Example: SET C(GSO) INSERT PWPHRASE NOALLOW ALPHA(1) HISTORY(10) MAXDAYS(60) MINDAYS(1) MINLEN(15) NUMERIC(1) SPECIAL(1) SPECLIST(& * =) WARNDAYS(10) F ACF2,REFRESH(PWPHRASE)
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If PSWDPLST is coded as defined in CA ACF2 for z/OS Administration Guide, this is not a finding.
Configure Password option PSWDPLST as defined in CA ACF2 for z/OS Administration Guide.
From the ISPF Command Shell enter: ACF to enter ACF2 Command shell enter SET CONTROL(GSO) LIST PSWD If NOPSWDUC is listed, this is a finding.
Configure the GSO option "PSWDUC" to "YES".
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDALPH" is coded, this is not a finding.
Configure the Password options to include "PSWDALPH".
From the ISPF Command Shell enter: ACF to enter ACF2 Command shell enter SET CONTROL(GSO) LIST PSWD If "NOPSWDLC" is listed, this is a finding.
Configure the GSO option "PSWDLC" to "YES".
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDSIM" is set to "4", this is not a finding.
Configure the Password option "PSWDSIM" to "4".
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If the "GSO PSWD" record option "PSWDENCT" is set to "XDES" or null, this is a finding. SET MSYSID(-) LIST PSWD For CA-ACF2 R16 and above: If option "NOONEPWALG" is specified, and there is no transition plan with a definite completion date filed with the information system security manager (ISSM), this is a finding.
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: Configure the "GSO PSWD" record option "PSWDENCT" to "AES1". For CA-ACF2 Release16 and above: Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2". Configure the "GSO PSWD" to "ONEPWALG". Note: If you are using VM Database Synchronization you cannot use "ONEPWALG". VM does not support the AES algorithms. Develop a transition plan with a definite completion date for z/VM; file with the ISSM. If all systems that are sharing the logonid or infostorage databases are not running with the same "PSWDENCT" value you cannot use "ONEPWALG". Develop a transition plan that contains a definite completion date to migrate all logonid and infostorage databases to one "PSWDENCT" value; file with the ISSM. Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG".
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDMAX" is set to "60", this is not a finding.
Configure Password option "PSWDMAX" to "60" days.
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDMIN" is set "1", this is not a finding.
Configure Password option "PSWDMIN" to minimum of "1" day.
From an ACF command screen enter: SET CONTROL(GSO) LIST PSWD If "PSWDXHIST" is not specified, this is a finding. If "PSWDXHIST#" is set to "5" or greater, this is not a finding.
Configure Password option "PSWXHST" is coded and "PSWXHST#" is "5" or greater.
From the ISPF Command Shell enter: ACF <enter> SET CONTROL(GSO) LIST TSOTWX If the GSO TSOTWX record values conform to the following requirements, this is not a finding. CR(15) IDLE(17) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING()
Define a cross out mask to obliterate the logon password on TWX devices. CR(15) IDLE(17) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING() Example: SET C(GSO) INSERT TSOTWX CR(15) IDLE(17) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING() F ACF2,REFRESH(TSOTWX)
From the ISPF Command Shell enter: ACF SET CONTROL(GSO) <enter> LIST TSOCRT If the GSO TSOCRT record values conform to the following requirements, this is not a finding. STRING(A12FA11C1A270C0D)
Define a clear string used to obliterate the logon to ASCII CRT devices. STRING(A12FA11C1A270C0D) Example: SET C(GSO) INSERT TSOCRT STRING(A12FA11C1A270C0D) F ACF2,REFRESH(TSOCRT)
From the ISPF Command Shell enter: ACF <enter> SET CONTROL(GSO) LIST TSO2741 If the GSO TSO2741 record values conform to the following requirements, this is not a finding. BS(16) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING()
Define a cross out string used to obliterate the logon password on 2741 devices. Ensure the GSO TSO2741 record values conform to the following requirements. BS(16) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING() Example: SET C(GSO) INSERT TSO2741 BS(16) LENGTH(8) M1(X) M2(N) M3(Z) M4(M) STRING() F ACF2,REFRESH(TSO2741)
From an ACF command screen enter: SET CONTROL(GSO) LIST SECVOLS If the GSO SECVOLS record values conform to the following requirements, this is not a finding. VOLMASK() NOTE: Local changes will be documented in writing with supporting documentation. If there is any deviation from the above requirements in the GSO SECVOLS record values, this is a finding.
Define the GSO SECVOLS record values to conform to the following requirements. VOLMASK() Example: SET C(GSO) INSERT SECVOLS VOLMASK() F ACF2,REFRESH(SECVOLS)
From an ACF command screen, enter: SET CONTROL(GSO) LIST RESVOLS If the GSO RESVOLS record values conform to the following requirements, this is not a finding. VOLMASK(-) NOTE: Local changes will be documented in writing with supporting documentation. If there is any deviation from the above requirements in the GSO RESVOLS record values, this is a finding.
Define the GSO RESVOLS record values to conform to the following requirements. VOLMASK(-) Example: SET C(GSO) INSERT RESVOLS VOLMASK(-) F ACF2,REFRESH(SECVOLS)
Determine all associated ACF2 security data sets and/or databases. If the ACF2 data set rules for ACF2 security data sets and/or databases restrict READ access to auditors and DASD batch, this is not a finding. If the ACF2 data set rules for ACF2 security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ACP maintenance, this is not a finding. If all (i.e., failures and successes) data set access authorities (i.e., READ, WRITE, ALLOCATE, and CONTROL) for ACP security data sets and/or databases are logged, this is not a finding.
Configure ACF2 READ and/or greater access rules for ACF2 files and/or databases as limited to system programmers and/or security personnel, and/or batch jobs that perform ACP maintenance. READ access can be given to auditors and DASD batch. All accesses to ACP files and/or databases are logged.
From an ACF Command screen enter: SET CONTROL(GSO) LIST AUTOERAS If the GSO AUTOERAS record values conform to the following requirements, this is not a finding. All Systems: NON-VSAM VSAM VOLS(-)
Configure the AUTOERASE GSO value to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets. Example: SET C(GSO) INSERT AUTOERAS NON-VSAM VSAM VOLS(-) F ACF2,REFRESH(AUTOERAS)
Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA If FTPDATA is configured with the following SMF statements, this is not a finding. FTP.DATA Configuration Statements SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out]
Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below or that they are commented out. SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out] The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes: 70 - Append 70 - Delete and Multiple Delete 72 - Invalid Logon Attempt 70 - Rename 70 - Get (Retrieve) and Multiple Get 70 - Put (Store and Store Unique) and Multiple Put SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.
Refer to the FTP server Started task (usually FTPD). Refer to the data set defined on the SYSFTPD DD statement. If the WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel, this is not a finding. NOTE: READ access to all authenticated users is permitted. If WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged, this is not a finding. Refer to the BANNER statement in the FTP Data configuration file. If the BANNER statement refers to an MVS data set and WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel, this is not a finding. If READ access to the data set containing the FTP banner file is permitted to all authenticated users, this is not a finding. NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a finding.
Review the data set access authorizations defined to the ESM for the FTP.DATA and FTP.BANNER files. Configure these data sets to be protected as follows: The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel. All write and allocate access to the data set containing the FTP.DATA configuration file is logged. The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.
From the ISPF Command shell enter: omvs At the input line enter: cd /usr/sbin/ enter ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf cd ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf NOTES: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding. The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The permission bits for /usr/sbin/tftpd should be set to "644". The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. Also, the permission bit setting for this file must be set as indicated in the table above. A more restrictive set of permissions is not permitted. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Ensure the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server conform to the specifications in the table below: FTP Server HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing Some of the files listed above (e.g., /etc/ftp.data) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all files that do exist should have the specified permission and audit bit settings. The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/ftpd chaudit rwx=f /usr/lpp/tcpip/sbin/ftpd chmod 1755 /usr/lpp/tcpip/sbin/ftpdns chaudit rwx=f /usr/lpp/tcpip/sbin/ftpdns chmod 0744 /etc/ftp.data chaudit w=sf,rx+f /etc/ftp.data chmod 0744 /etc/ftp.banner chaudit w=sf,rx+f /etc/ftp.banner
Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA Examine the BANNER statement. If the BANNER statement in the FTP Data configuration file specifies an HFS file or data set that contains a logon banner as specified below this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. If the BANNER statement is coded, this is not a finding.
Configure the FTP.DATA CONFIGURATION STATEMENT to include the following: BANNER [An HFS file, e.g., /etc/ftp.banner]
Provide a list(s) of the locations for all FTP Control cards within a given application/AIS, ensuring no FTP control cards are within in-stream JCL, JCL libraries or any open access data sets. The list must indicate which application uses the PDS, and access requirements for those PDSes (who and what level of access). Lists/spreadsheet used for documenting the meeting of this requirement must be maintained by the responsible Application/AIS Team, available upon request and not maintained by Mainframe ISSO. Obtain the list/spreadsheet from the Application/AIS Team. Access to FTP scripts and/or data files located on host system(s) that contain FTP userid and or password will be restricted to those individuals responsible for the application connectivity and who have a legitimate requirement to know the userid and password on a remote system. FTP Control Cards within In-stream JCL, within JCL libraries or open access libraries/data sets is a finding. If there is anyone not listed within the spreadsheet by userid that has access of Read or greater to the FTP control cards, this is a finding.
Create a list or spreadsheet of the locations where FTP control cards are stored, who should have access to those libraries, and which applications the FTP control cards are for. Add Columns for all people permitted access to the secured PDS. Make sure that the FTP control Cards for each FTP are stored in a secure PDS and that they are not placed in the JCL libraries or in the in-stream JCL for each FTP.
From the ACF Command screen enter: SET CONTROL(GSO) LIST LIKE(PPGM-) If Programs TFTPD and EZATD are not defined in the GSO PPGM record, this is a finding. From the ACF Command screen enter: SET RESOURCE(PGM) LIST LIKE(-) If Program resources TFTPD and EZATD are not defined in the PROGRAM resource class, this is a finding. If No access to the program resources TFTPD and EZATD is permitted, this is not a finding.
Configure the resource controls for the TFTP Server programs TFTPD and EZATD and ensure all access is restricted. Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required. Configure the resource controls for the TFTP Server programs TFTPD and EZATD and ensure all access is restricted. Examples: SET CONTROL(GSO) CHANGE PPGM PGM-MASK(TFTPD EZATD) ADD F ACF2,REFRESH(PPGM) $KEY(TFTPD) TYPE(PGM) UID(*) PREVENT SET R(PGM) COMPILE 'ACF2.MVA.PGM(TFTPD)' STORE F ACF2,REBUILD(PGM) $KEY(EZATD) TYPE(PGM) UID(*) PREVENT SET R(PGM) COMPILE 'ACF2.MVA.PGM(EZATD)' STORE F ACF2,REBUILD(PGM)
From the ISPF Command enter: ACF SET LID LIST LIKE(FTP-) SECTION(ALL) PROFILE(OMVS) NOTE: The JCL member is typically named FTPD. If all of the following are true, this is not a finding. If any of the following is untrue, this is a finding. The FTP daemon logonid is FTPD. The FTPD logonid is defined with the STC attribute. The FTPD logonid has the following z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh.
Define the FTP daemon to run under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel. Define the FTP Server daemon account, privileges, and access authorizations to the ACP using the requirements below. The following commands can be used to create the user account that is required for the FTP daemon: SET LID INSERT FTPD NAME(FTPD) GROUP(STCTCPX) STC SET PROFILE(USER) DIVISION(OMVS) INSERT FTPD UID(0) HOME(/) PROGRAM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P)
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If all the items below are true, this is not a finding. If any of the items below are untrue, this is a finding. The following items are in effect for the FTP daemon's started task JCL: The SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively. The ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement. The ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement. The INACTIVE keyword is not coded on the PARM parameter on the EXEC statement. The AUTOLOG statement block can be configured to have TCP/IP start the FTP Server. The FTP entry (e.g., FTPD) can include the PARMSTRING parameter to pass parameters to the FTP procedure when started. NOTE: Parameters passed on the PARMSTRING parameter override parameters specified in the FTP procedure. If an FTP entry is configured in the AUTOLOG statement block in the TCP/IP Profile configuration file, ensure the following items are in effect: The ANONYMOUS keyword is not coded on the PARMSTRING parameter. The ANONYMOUS=logonid combination is not coded on the PARMSTRING parameter. The INACTIVE keyword is not coded on PARMSTRING parameter.
Review the FTP daemon's started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements. The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters. The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon's started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file. The systems programmer responsible for supporting ICS will ensure that the FTP daemon's started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. If the INACTIVE statement is coded with a value between 1 and 900 (seconds) this is not a finding.
Configure the FTP.DATA CONFIGURATION STATEMENT to include the following: INACTIVE [A value between 1 and 900]
From the ACF command screen enter: Set RESOURCE(SPL) List like(localnodeid-) If the following resources in the JESSPOOL resource class (i.e., TYPE(SPL)) are configured as noted below, this is not a finding. localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.-.SYSLOG NOTE: These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.SYSLOG or localnodeid.+BYPASS+.-.-.-.SYSLOG NOTE: To determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. If access authorization for the resources mentioned above is restricted to the following, this is not a finding. Logonid(s) associated with external writer(s) can have complete access. NOTE: An external writer is an STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access. Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource.
NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. Configure the following resources in the JESSPOOL resource class (i.e., TYPE(SPL)): localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.-.SYSLOG NOTE: These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.- or localnodeid.+BYPASS+.-.-.-.- NOTE: To determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. Configure access authorization for the resources mentioned above is restricted to the following: Logonid(s) associated with external writer(s) can have complete access. NOTE: An external writer is a STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access. Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource. Example: SET R(SPL) $KEY(localnodeid) TYPE(SPL) -.SYSLOG.-.-.- UID(sysprgmr) ALLOW -.SYSLOG.-.-.- UID(seca) ALLOW -.SYSLOG.-.-.- UID(appdudt) SERVICE(READ) ALLOW -.SYSLOG.-.-.- UID(apps) SERVICE(READ) ALLOW -.$TRCLOG.-.-.- UID(sysprgmr) ALLOW -.$TRCLOG.-.-.- UID(seca) ALLOW - UID(*) PREVENT
From the ACF command screen enter: SET CONTROL(GSO) LIST LIKE(CLASMAP-) {to determine the resource class for JESSPOOL} NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. SET RESOURCE(SPL) LIST LIKE(-) If the following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT, this is not a finding. localnodeid.- localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.- Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. If the following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ, this is not a finding. localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS jesid The logonid associated with your JES2 system. NOTE: This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example: localnodeid.jesid.$JESNEWS.-.-.JESNEWS
NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. Configure the CLASMAP record to define the JESSPOOL resource class. Example: SHOW CLASMAP The following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT: localnodeid.- localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG Example: $KEY(localnodeid) TYPE(SPL) - UID(*) PREVENT These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.- Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. The following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ: localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS jesid The logonid associated with your JES2 system. This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example: localnodeid.jesid.$JESNEWS.-.-.JESNEWS
From the ACF command screen enter: SET RESOURCE(OPR) LIST LIKE(JES-) If the JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of PREVENT, this is not a finding. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. If access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts DELETE service to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged, this is not a finding.
Configure the resource rules for the OPERCMDS resource class (i.e., TYPE(OPR)) and ensure the following items are in effect: 1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of PREVENT. 2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts DELETE service to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged. Example: $KEY(JES2) TYPE(OPR) UPDATE.JESNEWS UID(SYSPROG) SERVICE(READ,UPDATE) LOG UPDATE.JESNEWS UID(*) PREVENT
NOTE: If CLASMAP defines OPERCMDS as anything other than TYPE(OPR), replace OPR below with the appropriate three letters. From the ACF command screen enter: SET RESOURCE(OPR) LIST LIKE(JES-) If the JES2.- resource is defined to the OPERCMDS class with a default access of PREVENT and all access is logged, this is not a finding. If access to JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide titled "JES2 commands with profile names and minimum required authority" is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), this is not a finding. If all elevated access to JES2 system commands is logged, this is not a finding.
Review the GSO definitions. If CLASMAP defines OPERCMDS as anything other than TYPE(OPR), replace OPR below with the appropriate three letters. Review resource rules for TYPE(OPR). Define the JES2.- resource is defined to the OPERCMDS class with a default access of PREVENT and all access is logged. Define access to JES2 system commands defined in the JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide entitled 'JES2 commands with profile names and minimum required authority' is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). Define access to specific JES2 system commands is logged as indicated in the table JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide titled "JES2 commands with profile names and minimum required authority". Assure that elevated access is logged. Some ACF2 Examples: $KEY(JES2) TYPE(OPR) CANCEL.BAT UID(oper) SERVICE(READ,UPDATE) LOG DISPLAY.JOB UID(*) SERVICE(READ) LOG START.INITIATOR UID(oper) SERVICE(DELETE) LOG START.LINE UID(oper) SERVICE(DELETE) LOG STOP.INITIATOR UID(oper) SERVICE(DELETE) LOG STOP.LINE UID(oper) SERVICE(DELETE) LOG - UID(*) PREVENT
From there ACF Command screen enter: SET RESOURCE(SPL) LIST LIKE(localnodeid-) If the accesses to the JESSPOOL resources are properly restricted using the following guidance, this is not a finding. NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. Review the JESSPOOL report for resource rules with the following naming convention. These rules may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.logonid.jobname.jobid.dsnumber.name localnodeid - The name of the node on which the SYSIN or SYSOUT data set currently resides. logonid - The logonid associated with the job. This is the logonid ACF2 uses for validation purposes when the job runs. jobname - The name that appears in the name field of the JOB statement. jobid - The job number JES2 assigned to the job. dsnumber - The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name -The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). All users have access to their own JESSPOOL resources. The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel, with access to allow all SERVICEs or any combination of SERVICE(...). All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.-.-, localnodeid.-, etc) The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function, SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. All access will be logged. Spooling products users (CA-SPOOL, CA View, etc) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required.
Configure JESSPOOL resources as defined below. The JESSPOOL resources may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.userid.jobname.jobid.dsnumber.name localnodeid - The name of the node on which the SYSIN or SYSOUT data set currently resides. userid - The userid associated with the job. This is the userid used for validation purposes when the job runs. jobname - The name that appears in the name field of the JOB statement. jobid - The job number JES2 assigned to the job. dsnumber - The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name - The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). The CLASMAP defines JESSPOOL as TYPE(SPL). Example: SHOW CLASMAP By default a user has access only to that user's own JESSPOOL resources. However, situations exist where a user legitimately requires access to jobs that run under another user's userid. In particular, if a user routes SYSOUT to an external writer, the external writer should have access to that user's SYSOUT. The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access to allow all SERVICEs or any combination of SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.-.-, localnodeid.-, etc) Example: SET R(SPL) $KEY(localnode) TYPE(SPL) - UID(sysprgmr) SERVICE(UPDATE,READ) LOG - UID(*) PREVENT The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function, SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. If frequent situations occur where users working on a common project require selective access to each other's jobs, then the installation may delegate to the individual users the authority to grant access, but only with the approval of the ISSO. Example: SET R(SPL) $KEY(localnode) TYPE(SPL) UMO- UID(UML03IGUSRZSS***UMO) SERVICE(UPDATE,READ) LOG - UID(*) PREVENT If IBM's SDSF product is installed on the system, resources defined to the JESSPOOL resource class control functions related to jobs, output groups, and SYSIN/SYSOUT data sets on various SDSF panels. CSSMTP will not be granted to the JESSPOOL resource of the high level "node." or "localnodeid.". CSSMTP can have access to the specific approved JESSPOOL resources, minimally qualified to the node.userid. and all access will be logged. This will ensure system records who (userid) sent traffic to CSSMTP, when and what job/process. Spooling products users (CA-SPOOL, CA View, etc) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required. The ISSO will review JESSPOOL resource rules. If a rule has been determined not to have been used within the last two years, the rule must be removed.
If the Classification of the system is Unclassified, this is not applicable. Verify that the accesses for WRITER resources are restricted. If the following guidance is true, this is not a finding. The ACF2 resources and/or generic equivalent are defined with a default access of PREVENT. The ACF2 resources and/or generic equivalent identified below will be defined with access restricted to the operators and system programming personnel: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename NOTE: Common sense should prevail during the analysis. For example, access to the offload output destinations should be limited to only systems personnel (e.g., operations staff/system programmers) on a classified system.
Configure the access authorization for resources defined to the WRITER resource class to be restricted to the operators and system programmers on a classified system only. Define resources in the ACP's respective WRITER class for each of the following output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.
From the ACF input screen enter: SET CONTROL(GSO) LIST LIKE(CLASMAP-) [To determine the resource class for WRITER] NOTE: If CLASMAP defines WRITER as anything other than TYPE(WTR), replace WTR below with the appropriate three letters. SET RESOURCE(WTR) LIST LIKE(-) If the JES2.- resource is defined to the WRITER resource class with a default access of PREVENT, this is not a finding. If the other resources mentioned below are protected by generic and/or fully qualified rules defined to the WRITER resource class with a default access of PREVENT, this is not a finding. If the ACF2 resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel, this is not a finding. NOTE: A default access of READ is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, and offload output destinations. JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters. PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters. PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters. Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters. Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.
NOTE: If CLASMAP defines WRITER as anything other than TYPE(WTR), replace WTR below with the appropriate three letters. Configure the WRITER resource class (i.e., TYPE(WTR)) as follows with: JES2.- (backstop profile) JES2.LOCAL.OFFn.- (spool offload transmitter) JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter) JES2.LOCAL.OFFn.JT (spool offload job transmitter) JES2.LOCAL.PRTn (local printer) JES2.LOCAL.PUNn (local punch) JES2.NJE.nodename (NJE node) JES2.RJE.Rnnnn.PRm (remote printer) JES2.RJE.Rnnnn.PUm (remote punch) Ensure the following items are in effect: The JES2.- resource is defined to the WRITER resource class with a default access of PREVENT. The other resources mentioned above are protected by generic and/or fully qualified rules defined to the WRITER resource class with a default access of PREVENT. NOTE: A default access of READ is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, and offload output destinations. Examples: $KEY(JES2) TYPE(WTR) LOCAL.OFF- UID(*) PREVENT LOCAL.OFF-.JT UID(*) PREVENT LOCAL.OFF-.ST UID(oper) SERVICE(READ) ALLOW LOCAL.OFF-.ST UID(sysprgmr) SERVICE(READ) ALLOW LOCAL.OFF-.ST UID(seca) SERVICE(READ) ALLOW LOCAL.OFF-.ST UID(*) PREVENT LOCAL.PRT- UID(*) SERVICE(READ) ALLOW LOCAL.PUN- UID(*) PREVENT NJE.- UID(*) SERVICE(READ) ALLOW RJE.- UID(sysprgmr) SERVICE(READ) ALLOW RJE.- UID(*) PREVENT - UID(*) PREVENT
From the ACF input screen enter: SET CONTROL(GSO) LIST LIKE(CLASMAP-) Or SHOW CLASMAP {to determine the resource type for JESINPUT} NOTE: If CLASMAP defines JESINPUT as anything other than TYPE(INP), replace INP below with the appropriate three letters. SET RESOURCE(INP) LIST LIKE(-) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the JES2 parameters. OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the JES2 parameters. Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the JES2 parameters. RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the JES2 parameters. If the resources mentioned below are protected by generic and/or fully qualified rules defined to the JESINPUT resource class this is not a finding. If a default access of PREVENT is specified for all resources this is not a finding. If the ACF2 resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel this is not a finding. NOTE: Use common sense during the analysis. For example, access to the offload input sources should be limited to systems personnel (e.g., operations staff). NOTE: A default access of READ is allowed for input sources that are permitted to submit jobs for all users. No guidance on which input sources are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, offload, and STC input sources. INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.- (spool offload receiver) Rnnnn.- (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons)
NOTE: If CLASMAP defines JESINPUT as anything other than TYPE(INP), replace INP below with the appropriate three letters. Configure resources in the JESINPUT resource class (i.e., TYPE(INP)) granting read access to authorized users for each of the following input resources: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.- (spool offload receiver) OFFn.JR (spool offload job receiver) OFFn.SR (spool offload SYSOUT receiver) Rnnnn.RDm (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent). The default access will be NONE except for sources that are permitted to submit jobs for all users. Those resources may be defined as either NONE or READ. Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the JES2 parameters. OFFn, where n is the number of the offload receiver. Determine the numbers by searching for OFF( in the JES2 parameters. Rnnnn.RDm, where nnnn is the number of the remote workstation and m is the number of the reader. Determine the numbers by searching for .RD in the JES2 parameters. RDRnn, where nn is the number of the reader. Determine the numbers by searching for RDR( in the JES2 parameters. Ensure the following items are in effect: The CLASMAP record defines the JESINPUT resource class. Example: SHOW CLASMAP The resources mentioned in (b) are protected by generic and/or fully qualified rules defined to the JESINPUT resource class. A default access of PREVENT is specified for all resources. NOTE: A default access of READ is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, offload, and STC input sources. Examples: $KEY(STCINRDR) TYPE(INP) - UID(*) PREVENT $KEY(TSUINRDR) TYPE(INP) - UID(*) PREVENT $KEY(RDR*****) TYPE(INP) $MEMBER(RDR#####) - UID(*) PREVENT $KEY(OFF*****) TYPE(INP) $MEMBER(OFF#####) JR UID(oper) SERVICE(READ) JR UID(*) PREVENT SR UID(oper) SERVICE(READ) SR UID(*) PREVENT - UID(oper) SERVICE(READ) - UID(*) PREVENT
Review the ACFGSO report executionuserid.SUBMIT resources. These are usually defined to CLASMAP as TYPE(SUR). NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters. If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is not applicable. If executionuserid.SUBMIT resources are defined to the SURROGAT resource class, review resource rules for TYPE(SUR). If the following items are in effect, this is not a finding. All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT. All resource access is logged; at the discretion of the ISSM/ISSO, scheduling tasks may be exempted. Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default of no access; all resource access is logged (at the discretion of the ISSM/ISSO scheduling tasks may be exempted) and access authorization is restricted to the minimum number of personnel required for running production jobs. Ensure the CLASMAP defines SURROGAT as TYPE(SUR). NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters. Ensure the following items are in effect: All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT. All resource access is logged except for scheduling tasks. Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Executionuserid.SUBMIT resources: Keep the use of Executionuserid.SUBMIT resources outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to only use Executionuserid.SUBMIT for the appropriate Scheduling task/software for production scheduling purposes as documented. Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period is determined by site policy. Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Executionuserid.SUBMIT usage should not become the default for all jobs submitted by individual userids (i.e., system programmer must use their assigned individual userids for software installation, duties, whereas using a Executionuserid.SUBMIT resource would normally be for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users. Example: $KEY(SRR) TYPE(SUR) SUBMIT UID(*******STC******CONTROLM) ALLOW - UID(*) PREVENT
Review the FACILITY resource class for BPX.SMF. If the ACF2 rules are as follows, this is not a finding. BPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.
Configure Facility resource class for BPX.SMF as follows: BPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.
Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries however, to determine program entries issue the following command from an ISPF command line: TSO ISRDDN LOAD IEFSDPPT Press Enter. Interpret the display as follows: Examine contents at offset 8 Hex 'x2' - Bypass Password Protection Hex 'x3' - Bypass Password Protection Hex 'x4' - No data set Integrity Hex 'x5' - No data set Integrity Hex 'x6' - Both Hex 'x7' - Both Determine Privilege Key at offset 9. A value of hex '70' or less indicates an elevated privilege. For each module identified in the 'eyecatcher' that has BYPASS Password Protection, No data set Integrity, an elevated Privilege Key or any combination thereof, determine if there is a valid loaded module. Again, you may use a third-party product otherwise execute the following steps: From an ISPF command line: TSO ISRDDN LOAD <privileged module> Press Enter. If the return message is "Load Failed", make sure there is an entry in PARMLIB member SCHEDxx that revokes the excessive privilege, if this is not true, this is a finding.
Review the PPT and define all entries associated with non-existent or inapplicable modules as invalidated. Nullify the invalid IEFSDPPT entry by ensuring that there is a corresponding SCHED entry, which confers no special attributes. Use the following recommendations and techniques to provide protection for the PPT: Review the IEFSDPPT module and all programs that IBM has, by default, placed in the PPT to validate their applicability to the execution system. Refer to the IBM z/OS MVS Initialization and Tuning Reference documentation for the version and release of z/OS installed at the individual site for the actual contents of the default IEFSDPPT. Modules for products not in use on the system will have their special privileges explicitly revoked. Do this by placing a PPT entry for each module in the SYS1.PARMLIB(SCHEDxx) member, specifying no special privileges. The PPT entry for each overridden program will be in the following format, accepting the default (unprivileged) values for the sub parameters: PPT PGMNAME(<program name>) Assemble documentation regarding these PPT entries, and the ISSO will keep it on file. Include the following in the documentation: - The product and release for which the PPT entry was made - The last date this entry was reviewed to authenticate status - The reason the module's privileges are being revoked
Ask the SA for the documented process to notify appropriate personnel when accounts are removed. If there is no documented process this is a finding.
Develop a documented process to notify appropriate personnel when accounts are removed.
Ask the SA for the documented process to notify appropriate personnel when accounts are modified. If there is no documented process, this is a finding.
Develop a documented process to notify appropriate personnel when accounts are modified.
Develop a documented develop a process to notify appropriate personnel when accounts are deleted. If there is no documented process, this is a finding.
Develop a documented process to notify appropriate personnel when accounts are deleted.
Ask the SA for the documented process to notify appropriate personnel when accounts are created. If there is no documented process, this is a finding.
Develop a documented process to notify appropriate personnel when accounts are created.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If all of the required SMF record types identified below are collected, this is not a finding. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type
Ensure that SMF recording options are consistent with those outlined below. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type
From the ISPF Command Shell enter: ACF SET LID SET VERBOSE LIST IF(ACCTPRIV OR CONSOLE OR OPERATOR OR MOUNT) If the ACCTPRIV privilege is restricted to security personnel, this is not a finding. If the CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc), this is not a finding. If the MOUNT privilege is restricted to DASD batch users only, this is not a finding.
Review all Logonids for the following and ensure that only authorized users with justification are given access to the privileges. The ACCTPRIV privilege is restricted for used to the domain level security personnel (ISSO/ISSM). The CONSOLE and OPERATOR privileges are restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc). The MOUNT privilege is restricted to DASD batch users only on an as-needed basis to execute TSO in batch. Ensure that all privileges are kept to a minimum and are controlled and documented.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If the following SMF collection options are specified as stated below, this is not a finding. The settings for several parameters are critical to the collection process: ACTIVE - Activates the collection of SMF data. MAXDORM - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Value is site defined. SID - Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) - Controls the level of detail recorded. SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs. SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
Ensure that collection options for SMF Data are consistent with options specified below. Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below. The settings for several parameters are critical to the collection process: ACTIVE Activates the collection of SMF data. MAXDORM(mmss) Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Use the MAXDORM parameter to minimize the amount of data lost because of system failure. This value is site determined and should be carefully configured. SID Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) Controls the level of detail recorded. SYS(INTERVAL) Ensures the periodic recording of data for long running jobs. SYS Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types not listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
Review the SMF dump procedure in the system. If the output data sets in the procedure have storage capacity to store at least one week's worth of audit data, this is not a finding.
Make sure output file and dump procedures allow storage capacity to store one week's worth of audit data.
Ask the system administrator if there is an automated process is in place to collect and retain all SMF data produced on the system. If, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, this is not a finding. If it cannot be determined this process exists and is being adhered to, this is a finding.
The ISSO will ensure that an automated process is in place to collect SMF data. Review SMF data collection and retention processes. Verify processes are automatically started to dump SMF collection files immediately upon their becoming full. To ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, the site will ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines: Dump each SMF file as it fills up during the normal course of daily processing. - Dump all remaining SMF data at the end of each processing day, or - Establish a process using Audit logging.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB. If BUFUSEWARN is set for 75 (75%) or less this is not a finding.
Configure the BUFUSEWARN statement in SMFPRMxx to 75 (75%) or less.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB. If NOBUFFS is set to HALT, this is not a finding. Note: If availability is an overriding concern NOBUFFS can be set to MSG.
Configure NOBUFFS to HALT unless availability is an overriding concern then NOBUFFS can be set to MSG.
From the ISPF Command Shell enter: cd /usr/sbin ls -al If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/sntpd 1740 faf The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the SNTPD to conform to the specifications below: /usr/sbin/sntpd 1740 faf
Verify the operating system, for networked systems, compares internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). If it does not, this is a finding.
Obtain a copy of this sample procedure from SEZAINST and store it in one of the PROCLIB concatenation data sets. Perform the following step to start SNTPD as a procedure: Invoke the procedure using the system operator start command. The following sample, SEZAINST(SNTPD), shows how to start SNTPD as a procedure: //* //* Sample procedure for the Simple Network Time Protocol (SNTP) //* //* z/OS Communications Server Version 1 Release 13 //* SMP/E Distribution Name: SEZAINST(EZASNPRO) //* //* Copyright: Licensed Materials - Property of IBM //* 5650-ZOS //* Copyright IBM Corp. 2002, 2015 //* //* Status: CSV2R2 //* //SNTPD EXEC PGM=SNTPD,REGION=4096K,TIME=NOLIMIT, //PARM='/ -d' //SYSPRINT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //SYSIN DD DUMMY //SYSERR DD SYSOUT=* //SYSOUT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //CEEDUMP DD SYSOUT=* //SYSABEND DD SYSOUT=*
Refer to the CLOCKxx member of PARMLIB. If the ACCURACY parm is not coded, this is a finding. If the ACCURACY parm is coded to "1000", this is not a finding.
Define the CLOCKxx statement to include the ACCURACY parm set to "1000".
Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream data set name. If the following statements are true, this is not a finding. - The ACF2 data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALLOCATE access to only z/OS systems programming personnel. - The ACF2 data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict WRITE access to z/OS systems programming personnel and/or batch jobs that perform SMF dump processing and others as approved by the ISSM. - The ACF2 data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM. - The ACF2 data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) WRITE and/or ALLOCATE access is logged.
Ensure that WRITE or greater authority to SMF collection files is limited to only systems programming staff and and/or batch jobs that perform SMF dump processing, access can be granted to others as determined by ISSM. Ensure that read access is limited to auditors. READ access may be granted to others as determined by the ISSM. Ensure the accesses are being logged. Ensure that all (i.e., failures and successes) WRITE and/or ALLOCATE access are logged. Ensure read access failures are logged.
Ask the system administrator to determine if the system PASSWORD data set and OS passwords are being used. If, based on the information provided, it can be determined that the system PASSWORD data set and OS passwords are not used, this is not a finding. If it is evident that OS passwords are utilized, this is a finding.
System programmers will ensure that the old OS Password Protection is not used and any data protected by the old OS Password technology is removed and protection is replaced by the ACP. Review the contents of the PASSWORD data set. Ensure that any protections it provides are provided by the ACP and delete the PASSWORD data set. Access to data sets on z/OS systems can be protected using the OS password capability of MVS. This capability has been available in MVS for many years, and its use is commonly found in data centers. Since the advent of ACPs, the use of OS passwords for file protection has diminished, and is commonly considered archaic and of little use. The use of z/OS passwords is not supported by all the ACPs.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. Examine the JWT; SWT, and TWT values. If the JWT parameter is greater than "15" minutes, and the system is processing unclassified information, review the following items. If any of these items is true, this is not a finding. If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM or ISSO. The ISSA and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. The ISSM and/or ISSO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: The time-out exception cannot exceed 60 minutes. A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc). The requirement must be revalidated on an annual basis. If the TWT and SWT values are equal or less than the JWT value, this is not a finding.
Configure the SMFPRMxx JWT to "15" minutes for classified systems. The JWT parameter can be greater than 15 minutes if the system is processing unclassified information and the following items are reviewed. If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM or ISSO. The ISSM and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. The ISSM and/or ISSO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: The time-out exception cannot exceed 60 minutes. A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc). The requirement must be revalidated on an annual basis. Configure any TWT and or SWT to be equal or less than the JWT.
Ask the system administrator to provide a list of all emergency logonids available to the site along with the associated function of each. If there are no emergency logonids defined, ask the system administrator for an alternate documented procedure to handle emergencies. If there are no emergency logonids and no documented emergency procedure, this is a finding. If emergency logonids exist, at a minimum, a logonid will exist with the security administration attributes specified in accordance with the following requirements: For emergency IDs with security administration privileges, but which cannot access and update system data sets: ACCOUNT JCL JOB MONITOR NONON CNCL RULEVLD RSRCVLD SECURITY TSO TSOPROC(xxxxxxxx) TSOACCT(none) An additional class of logonids can exist to perform all operating system functions except ESM administration. These emergency logonid/logonid(s) will have ability to access and update all system data sets, but will not have security administration privileges. See the following requirements: JCL JOB MONITOR NON CNCL (Will force logging of all activity.) TSO TSOPROC(xxxxxxxx) TSOACCT(none) All emergency logonid/logonid(s) are to be implemented with logging to provide an audit trail of their activities. All emergency logonid/logonid(s) are to be maintained in both the ESM and SYS1.UADS to ensure they are available in the event that the ESM is not functional. All emergency logonid/logonid(s) will have distinct, different passwords in SYS1.UADS and in the ESM, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in the ESM. All emergency logonid/logonid(s) will have documented procedures to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the ISSO. When an emergency logonid is released for use, its password is to be reset by the ISSO within 12 hours. If all the emergency logonid items above are true, this is not a finding. If any item above is untrue, this is a finding.
Ensure that Emergency Logonids use these fields to enforce restrictions for Emergency logonids. Two classes of emergency logonids may exist. The following privileges and specifications will be used for these logonids: Note: Only the emergency logonid with the security administration logonid attributes is required. (1) For emergency IDs with the ability to access and update all system data sets, but which do not have security administration privileges: NOFSRETAIN JCL JOB MONITOR NON CNCL (Will force logging of all activity.) TSO TSOPROC(xxxxxxxx) TSOACCT(none) Example: SET LID INSERT logonid NOFSRETAIN JCL JOB MONITOR NON-CNCL TSO TSOPRC(xxxxxxxx) TSOACCT(none) (2) For emergency IDs with security administration privileges, but which cannot access and update system data sets: ACCOUNT NOFSRETAIN JCL JOB MONITOR NONON CNCL RULEVLD RSRCVLD SECURITY TSO TSOPROC(xxxxxxxx) TSOACCT(none) Example: SET LID INSERT logonid ACCOUNT NOFSRETAIN JCL JOB MONITOR RULEVLD RSRCVLD NONON-CNCL SECURITY TSO TSOPRC(xxxxxxxx) TSOACCT(none) If no emergency logonids are in use on the system, develop and document a procedure to manage emergencies access to the system.
Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Active Control Data Set (ACDS) Communications Data Set (COMMDS) If the COMMDS and ACDS SMS data sets identified above reside on different volumes, this is not a finding. If the COMMDS and ACDS SMS data sets identified above are collocated on the same volume, this is a finding.
Allocate the primary and backup SMS Control data sets on separate volumes. Source Control Data Set (SCDS) contains a SMS configuration, which defines a storage management policy. Active Control Data Set (ACDS) contains a copy of the most recently activated configuration. All systems in a SMS complex use this configuration to manage storage. Communications Data Set (COMMDS) contains the name of the ACDS containing the currently active storage management policy, the current utilization statistics for each system managed volume, and other system information. The ACDS data set will reside on a different volume than the COMMDS data set. Allocate backup copies of the ADCS and COMMDS data sets on a different shared volume from the primary ACDS and COMMDS data sets.
Examine the Policy Agent policy statements. If it can be determined that the policy agent employs a deny-all, allow-by exception firewall policy for allowing connections to other systems, this is not a finding.
Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
This check applies to all products that meet the following criteria: - Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries. - Require access to system data sets or sensitive information or requires special or privileged authority to run. For the products in the above category, refer to the vendor's support lifecycle information for current versions and releases. If the software products currently running on the reviewed system are at a version greater than or equal to the products listed in the vendor's support lifecycle information, this is not a finding.
For all products that meet the following criteria: - Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries. - Require access to system data sets or sensitive information or requires special or privileged authority to run. The ISSO will ensure that unsupported system software for the products in the above category is removed or upgraded prior to a vendor dropping support. Authorized software which is NO longer supported is a CAT I vulnerability. The customer and site will be given six months to mitigate the risk, come up with a supported solution, or obtain a formal letter approving such risk/software.
From and ISPF Command line enter: TSO ISRDDN LINKLIST Review the list. If there are any DUMMY entries i.e., inaccessible LINKLINK libraries, this is a finding.
Review all entries contained in the LINKLIST for the actual existence of each library. Develop a plan of action to correct deficiencies. The Linklist is a default set of libraries that MVS searches for a specified program. This facility is used so that a user does not have to know the library names in which utility types of programs are stored. Control over membership in the Linklist is specified within the operating system. The data set SYS1.PARMLIB(LNKLSTxx) is used to specify the library names. (The xx is the suffix designated by the LNK parameter in the IEASYSxx member of SYS1.PARMLIB, or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LINKLIST facility: -Avoid inclusion of sensitive libraries in the LNKLSTxx member unless absolutely required. -The LNKLSTxx and PROGxx (LNKLST entries) members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non-existent libraries. The ISSO should modify and/or delete the rules associated with these libraries.
From and ISPF Command line enter: TSO ISRDDN LPA Review the list. If there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.
Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies. The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization. Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB: - LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].) - IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) - IEALPAxx specifies the names of modules that will be loaded from the following: ? SYS1.SVCLIB ? The LPALSTxx concatenation ? The LNKLSTxx concatenation as a temporary extension to the existing Pageable LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LPA facility: -The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non-existent libraries. The ISSO should modify and/or delete the rules associated with these libraries.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper APF and/or PROG member. Examine each entry and verify that it exists on the specified volume. If inaccessible APF libraries exist this is a finding. ISRDDN APF
Review the entire list of APF authorized libraries and remove those that are no longer valid designations.
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. If LNKAUTH=APFTAB is not specified, this is a finding.
Configure LNKAUTH=APFTAB in the IEASYS00 member of PARMLIB.
From an ISPF Command line enter: TSO ISRDDN APF An APF List results On the command line enter: DUPlicates (make sure there is appropriate access, if not you may receive insufficient access errors) If any of the list of Sensitive Utilities exist in the duplicate APF modules return, this is a finding. The following list contains Sensitive Utilities that will be checked. AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV TMSREMOV TMSTPNIT TMSUDSNB
Review and ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the ISSO. Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns so that the function can be restricted as required.
Review each CONSOLxx parmlib member. If the following guidance is true, this is not a finding. The "DEFAULT" statement for each CONSOLxx member specifies "LOGON(REQUIRED)" or "LOGON(AUTO)". The "CONSOLE" statement for each console assigns a unique name using the "NAME" parameter. The "CONSOLE" statement for each console specifies "AUTH(INFO)". Exceptions are the "AUTH" parameter is not valid for consoles defined with "UNIT(PRT)" and specifying "AUTH(MASTER)" is permissible for the system console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.
Configure the "DEFAULT" statement to specify "LOGON(REQUIRED)" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, "LOGON(AUTO)" may be used. If "LOGON(AUTO)" is used assure that the console userids are defined with minimal access. Configure each "CONSOLE" statement to specify an explicit console NAME. And that "AUTH(INFO)" is specified, this also including extended MCS consoles. "AUTH(MASTER)" may be specified for systems console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.
Any keys or Certificates must be managed in ICSF or the external security manager and not in UNIX files. From the ISPF Command Shell enter: OMVS enter find / -name *.kdb and find / -name *jks If any files are found, this is a finding.
Define all Keys/Certificates to ICSF or the security database. Remove any .kdb and .jks files.
Determine if IBM's DS880 Disks or equivalent hardware solutions are in use. If they are not in use for systems that require data at rest, this is a finding.
Employ IBM's DS8880 hardware or equivalent hardware solutions to ensure full disk encryption.
Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared. Note: In VM issue the command "QUEUE DASD SYSTEM" this display will show shared volume(s) and indicates the number of systems sharing the volume. Validate all machines that require access to these shared volume(s) have the volume(s) mounted. Obtain a map or list VTOC of the shared volume(s). Check if shared volume(s) contain any critical or sensitive data sets. Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets. If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding. List critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).
Configure all identified volumes of shared DASD to bel valid within the following. HMC VM z/OS If the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s). The ISSO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s), thereby protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them.
Examine the Policy Agent policy statements. If it can be determined that policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, this is not a finding.
Develop Policy application and policy agent to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
Examine the Policy Agent policy statements. If it can be determined that there are policy statements that manages excess capacity, this is not a finding.
Develop Policy application and Policy agent to manage excess capacity.
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to retain a user's session lock until that user reestablishes access using established identification and authentication procedures, this is a finding.
Configure the session manager to retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
Ask the system administrator for the procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. If there is no procedure, this is a finding.
Develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to conceal, via the session lock, information previously visible on the display with a publicly viewable image, this is a finding.
Configure the session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to initiate session lock after a 15-minute period of inactivity this is a finding.
Configure the session manager to initiate a session lock after a 15-minute period of inactivity.
Ask the SA for the procedure to automatically remove or disable temporary user accounts after 72 hours. If there is no procedure, this is a finding.
Develop a procedure to automatically remove or disable temporary user accounts after 72 hours.
Ask the system administrator for the procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. If there is no procedure, this is a finding.
Develop a procedure to remove or disable emergency user accounts after the crisis is resolved or 72 hours.
Ask the SA for the procedure to notify SAs and ISSOs of account enabling actions. If no procedures are in place, this is a finding.
Develop and document a procedure to notify SAs and ISSOs of account enabling actions.
Ask the system administrator for the procedure to remove all software components after updated versions have been installed. If there is no procedure, this is a finding.
Develop a procedure to remove all software components after updated versions have been installed.
Ask the system administrator for the procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur. If a procedure does not exist, this is a finding. If the procedure does not properly shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur, this is a finding.
Develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur.
Ask the system administrator (SA) for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager in use does not allow users to directly initiate a session lock for all connection types, this is a finding.
Configure the session manage to allow users to directly initiate a session lock for all connection types.
Ask the system administrator for the procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. If there is no procedure this is a finding.
Develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
Ask the system administrator for the procedure to offload SMF files to a different system or media than the system being audited. If the procedure does not exist, this is a finding.
Develop a procedure to offload SMF files to a different system or media than the system being audited.
Locate the SSH daemon configuration file which may be found in "/etc/ssh/" directory. Alternately: From UNIX System Services ISPF Shell, navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If ServerSMF is not coded with ServerSMF TYPE119_U83 or is commented out, this is a finding.
Configure the SERVERSMF statement in the SSH Daemon configuration file to TYPE119_U83.
Locate the SSH daemon configuration file which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not s finding. Examine SSH daemon configuration file. If Banner statement is missing or configured to none this is a finding. Ensure that the contents of the file specified on the banner statement contain a logon banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. If there is any deviation this is a finding. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Configure the banner statement to a file that contains the Department of Defense (DoD) logon banner. Ensure that the contents of the file specified on the banner statement contain a logon banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If the variables "Protocol 2,1" or "Protocol 1" are defined on a line without a leading comment, this is a finding.
Edit the sshd_config file and set the "Protocol" setting to "2".