IBM z/OS ACF2 Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V7R3

Published: 2020-06-29

Updated At: 2020-08-15 20:22:35

    Rule Version CCI Severity Title Description
    SV-106639r1_rule ACF2-CE-000010 CCI-000764 MEDIUM IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106641r1_rule ACF2-CE-000020 CCI-000185 MEDIUM IBM z/OS must not use Expired Digital Certificates. Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is
    SV-106643r1_rule ACF2-CE-000030 CCI-000185 MEDIUM All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is
    SV-106645r1_rule ACF2-ES-000010 CCI-000015 HIGH CA-ACF2 OPTS GSO record must be set to ABORT mode. Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps t
    SV-106647r1_rule ACF2-ES-000020 CCI-000213 MEDIUM The number of ACF2 users granted the special privilege PPGM must be justified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106649r1_rule ACF2-ES-000030 CCI-000213 MEDIUM The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106651r1_rule ACF2-ES-000040 CCI-000213 MEDIUM The number of ACF2 users granted the special privilege CONSOLE must be justified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106653r1_rule ACF2-ES-000050 CCI-000213 MEDIUM The number of ACF2 users granted the special privilege ALLCMDS must be justified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106655r1_rule ACF2-ES-000060 CCI-000213 MEDIUM IBM z/OS system commands must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106657r1_rule ACF2-ES-000070 CCI-000213 MEDIUM IBM z/OS Sensitive Utility Controls must be properly defined and protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106659r1_rule ACF2-ES-000080 CCI-000213 MEDIUM CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS). To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106661r1_rule ACF2-ES-000090 CCI-000213 MEDIUM CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106663r1_rule ACF2-ES-000100 CCI-000213 MEDIUM CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106665r1_rule ACF2-ES-000110 CCI-000213 MEDIUM CA-ACF2 must limit update and allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106667r1_rule ACF2-ES-000120 CCI-000213 MEDIUM CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-106669r1_rule ACF2-ES-000130 CCI-000213 MEDIUM CA-ACF2 must limit access to SYS(x).TRACE to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106671r2_rule ACF2-ES-000140 CCI-000213 MEDIUM CA-ACF2 allocate access to system user catalogs must be properly protected. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-106673r1_rule ACF2-ES-000150 CCI-000213 MEDIUM ACF2 Classes required to properly secure the z/OS UNIX environment must be ACTIVE. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106675r1_rule ACF2-ES-000160 CCI-000213 MEDIUM Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106677r1_rule ACF2-ES-000170 CCI-000213 MEDIUM CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106679r1_rule ACF2-ES-000180 CCI-000213 HIGH IBM z/OS must protect dynamic lists in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106681r1_rule ACF2-ES-000190 CCI-000213 HIGH IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106683r1_rule ACF2-ES-000200 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only, and read and update access must be limited to system programmer personnel and/or security personnel. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106685r1_rule ACF2-ES-000210 CCI-000213 HIGH CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106687r1_rule ACF2-ES-000220 CCI-000213 HIGH CA-ACF2 access to the System Master Catalog must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106689r1_rule ACF2-ES-000230 CCI-000213 MEDIUM IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106691r1_rule ACF2-ES-000240 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106693r1_rule ACF2-ES-000250 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106695r1_rule ACF2-ES-000260 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106697r1_rule ACF2-ES-000270 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-106699r1_rule ACF2-ES-000280 CCI-000213 HIGH CA-ACF2 must limit Update and Allocate access to all APF-authorized libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106701r1_rule ACF2-ES-000290 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106703r1_rule ACF2-ES-000300 CCI-000213 MEDIUM CA-ACF2 must limit Update and Allocate access to LINKLIST libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106705r1_rule ACF2-ES-000310 CCI-000213 MEDIUM CA-ACF2 must limit update and allocate access to all system-level product installation libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106707r1_rule ACF2-ES-000320 CCI-000213 HIGH CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106709r1_rule ACF2-ES-000330 CCI-000213 MEDIUM CA-ACF2 Access to SYS1.LINKLIB must be properly protected. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-106711r1_rule ACF2-ES-000340 CCI-000213 MEDIUM CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106713r1_rule ACF2-ES-000350 CCI-002235 HIGH CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-106715r1_rule ACF2-ES-000370 CCI-002235 MEDIUM IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumvent
    SV-106717r2_rule ACF2-ES-000380 CCI-002235 MEDIUM CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-106719r1_rule ACF2-ES-000390 CCI-002235 MEDIUM ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-106721r1_rule ACF2-ES-000410 CCI-002233 MEDIUM IBM z/OS BPX.SRV.user SURROGAT resources must be protected appropriately. In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-106723r1_rule ACF2-ES-000420 CCI-000044 MEDIUM CA-ACF2 PSWD GSO record value must be set to limit three consecutive invalid logon attempts by a user during a 15-minute time period. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
    SV-106725r1_rule ACF2-ES-000430 CCI-002238 MEDIUM The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
    SV-106727r1_rule ACF2-ES-000440 CCI-000171 HIGH IBM z/OS SYS1.PARMLIB must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106729r1_rule ACF2-ES-000450 CCI-001813 HIGH CA-ACF2 must be installed, functional, and properly configured. Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that
    SV-106733r1_rule ACF2-ES-000470 CCI-000213 MEDIUM CA-ACF2 must limit update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106735r1_rule ACF2-ES-000480 CCI-000213 LOW CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-106737r1_rule ACF2-ES-000490 CCI-000366 MEDIUM The EXITS GSO record value must specify the module names of site written ACF2 exit routines. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106739r1_rule ACF2-ES-000500 CCI-000225 MEDIUM The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106741r1_rule ACF2-ES-000510 CCI-000366 MEDIUM IBM z/OS TSO GSO record values must be set to the values specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106743r1_rule ACF2-ES-000520 CCI-000366 MEDIUM IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
    SV-106745r1_rule ACF2-ES-000530 CCI-000366 MEDIUM IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
    SV-106747r1_rule ACF2-ES-000540 CCI-000366 MEDIUM IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
    SV-106749r1_rule ACF2-ES-000550 CCI-000366 MEDIUM IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO. The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
    SV-106751r1_rule ACF2-ES-000560 CCI-000366 MEDIUM IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106753r1_rule ACF2-ES-000570 CCI-000366 MEDIUM CA-ACF2 RULEOPTS GSO record values must be set to the values specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106755r1_rule ACF2-ES-000580 CCI-000366 MEDIUM The CA-ACF2 GSO OPTS record value must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106757r1_rule ACF2-ES-000590 CCI-000366 MEDIUM CA-ACF2 must prevent the use of dictionary words for passwords. If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
    SV-106759r1_rule ACF2-ES-000600 CCI-000366 MEDIUM CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106761r1_rule ACF2-ES-000610 CCI-000366 MEDIUM CA-ACF2 database must be backed up on a scheduled basis. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106763r1_rule ACF2-ES-000620 CCI-000366 MEDIUM ACF2 REFRESH attribute must be restricted to security administrators only. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106765r1_rule ACF2-ES-000630 CCI-000366 MEDIUM ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106767r1_rule ACF2-ES-000640 CCI-000366 MEDIUM ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106769r1_rule ACF2-ES-000650 CCI-000366 MEDIUM ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106771r1_rule ACF2-ES-000660 CCI-000366 MEDIUM ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106773r1_rule ACF2-ES-000670 CCI-000366 MEDIUM ACF2 LOGONIDs assigned for started tasks must have the STC attribute specified in the associated LOGONID record. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106775r1_rule ACF2-ES-000680 CCI-000366 MEDIUM ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106777r1_rule ACF2-ES-000690 CCI-000366 MEDIUM ACF2 BACKUP GSO record must be defined with a TIME value greater than 00 unless the database is shared and backed up on another system. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106779r1_rule ACF2-ES-000700 CCI-000366 LOW ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used. Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
    SV-106781r1_rule ACF2-ES-000710 CCI-001764 MEDIUM ACF2 MAINT GSO record value if specified must be restricted to production storage management user. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106783r1_rule ACF2-ES-000720 CCI-001764 MEDIUM ACF2 LINKLST GSO record, if specified, must only contain trusted system data sets. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106785r1_rule ACF2-ES-000730 CCI-000382 MEDIUM IBM z/OS must properly protect MCS console userid(s). In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106787r1_rule ACF2-ES-000740 CCI-000382 MEDIUM ACF2 BLPPGM GSO record must not be defined. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106789r1_rule ACF2-ES-000750 CCI-000764 HIGH IBM z/OS UID(0) must be properly assigned. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106791r1_rule ACF2-ES-000760 CCI-000764 MEDIUM IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106793r1_rule ACF2-ES-000770 CCI-000764 MEDIUM IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106795r1_rule ACF2-ES-000780 CCI-000764 MEDIUM ACF2 LOGONIDs must be defined with the required fields completed. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106797r1_rule ACF2-ES-000790 CCI-000764 MEDIUM CA-ACF2 defined user accounts must uniquely identify system users. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106799r1_rule ACF2-ES-000800 CCI-000795 MEDIUM CA-ACF2 userids found inactive for more than 35 days must be suspended. Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
    SV-106801r2_rule ACF2-ES-000810 CCI-001619 MEDIUM CA-ACF2 PWPHRASE GSO record must be properly defined. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password co
    SV-106803r1_rule ACF2-ES-000820 CCI-001619 MEDIUM CA-ACF2 must enforce password complexity by requiring that at least one special character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password co
    SV-106807r1_rule ACF2-ES-000840 CCI-000192 MEDIUM ACF2 PSWD GSO record value must be set to require at least one upper-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
    SV-106809r1_rule ACF2-ES-000850 CCI-000194 MEDIUM ACF2 PSWD GSO record value must be set to require at least one numeric character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-106811r1_rule ACF2-ES-000860 CCI-000193 MEDIUM ACF2 PSWD GSO record value must be set to require at least one lower-case character be used. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
    SV-106813r1_rule ACF2-ES-000870 CCI-000195 MEDIUM ACF2 PSWD GSO record value must be set to require the change of at least 50% of the total number of characters when passwords are changed. If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of chan
    SV-106817r1_rule ACF2-ES-000880 CCI-000196 HIGH ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-0
    SV-106819r1_rule ACF2-ES-000890 CCI-000199 MEDIUM ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the op
    SV-106821r1_rule ACF2-ES-000900 CCI-000198 MEDIUM ACF2 PSWD GSO record value must be set to require 24 hours/1 day as the minimum password lifetime. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeate
    SV-106823r1_rule ACF2-ES-000910 CCI-000200 MEDIUM ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password
    SV-106825r1_rule ACF2-ES-000920 CCI-000206 MEDIUM ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices. To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system must not provide any information allowing an unauthorized user to compromise the authentication mechanism.
    SV-106827r1_rule ACF2-ES-000930 CCI-000206 MEDIUM ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices. To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system must not provide any information allowing an unauthorized user to compromise the authentication mechanism.
    SV-106829r1_rule ACF2-ES-000940 CCI-000206 MEDIUM ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices. To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system must not provide any information allowing an unauthorized user to compromise the authentication mechanism.
    SV-106831r1_rule ACF2-ES-000950 CCI-000368 MEDIUM ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO. The SECVOLS record defines the DASD and tape volumes for which CA-ACF2 provides volume-level protection. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo
    SV-106835r1_rule ACF2-ES-000960 CCI-000368 MEDIUM ACF2 RESVOLS GSO record value must be set to VOLMASK(-). Any other setting requires documentation justifying the change. The RESVOLS record defines DASD and mass storage volumes for which CA ACF2 is to provide protection at the data set name level. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and t
    SV-106837r1_rule ACF2-ES-000970 CCI-000213 HIGH ACF2 security data sets and/or databases must be properly protected. An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enf
    SV-106839r1_rule ACF2-ES-000980 CCI-001090 MEDIUM ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-106841r1_rule ACF2-ES-000990 CCI-002418 MEDIUM The operating system must enforce a minimum 8-character password length. Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system. This requirement
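The password rows above (ACF2-ES-000800 through ACF2-ES-000910 and ACF2-ES-000990) state concrete thresholds: 8-character minimum, 60-day maximum and 1-day minimum lifetime, five generations of history, at least 50% of characters changed, the four character classes, and suspension after more than 35 days of inactivity. The script below is an added example, not part of the STIG or of CA ACF2, that turns those thresholds into checks a reviewer can run against exported values. The policy keys (min_length, max_age_days, and so on), the reason codes, the "50% changed" comparison and all sample passwords and LOGONID dates are this example's own constructions, not GSO PSWD record field names or real site data; the actual GSO record values have to be mapped onto the policy dict before use.

```python
"""Added example (not STIG or CA ACF2 code): checker for the thresholds in rows
ACF2-ES-000800..000910 and ACF2-ES-000990. Policy keys, reason codes and sample
data are this example's own constructions, not ACF2 GSO PSWD field names."""
from __future__ import annotations
from datetime import date
import string

# Thresholds taken from the STIG rows on this page (rule ID in the comment).
STIG_MIN_LENGTH = 8             # ACF2-ES-000990: minimum 8-character password
STIG_MAX_AGE_DAYS = 60          # ACF2-ES-000890: 60-day maximum lifetime
STIG_MIN_AGE_DAYS = 1           # ACF2-ES-000900: 1-day minimum lifetime
STIG_HISTORY_GENERATIONS = 5    # ACF2-ES-000910: no reuse for 5 generations
STIG_MIN_CHANGE_FRACTION = 0.5  # ACF2-ES-000870: at least 50% of characters changed
STIG_INACTIVE_DAYS = 35         # ACF2-ES-000800: suspend after more than 35 idle days

# Assumption: "special character" means ASCII punctuation here; ACF2's own set may differ.
SPECIAL = set(string.punctuation)


def check_policy(policy: dict) -> list[str]:
    """Return the STIG rule IDs a site policy fails (empty list means compliant)."""
    findings = []
    if policy.get("min_length", 0) < STIG_MIN_LENGTH:
        findings.append("ACF2-ES-000990")
    max_age = policy.get("max_age_days")
    if not max_age or max_age > STIG_MAX_AGE_DAYS:  # 0/None = never expires: also a finding
        findings.append("ACF2-ES-000890")
    if policy.get("min_age_days", 0) < STIG_MIN_AGE_DAYS:
        findings.append("ACF2-ES-000900")
    if policy.get("history_generations", 0) < STIG_HISTORY_GENERATIONS:
        findings.append("ACF2-ES-000910")
    for flag, rule in (("require_upper", "ACF2-ES-000840"), ("require_lower", "ACF2-ES-000860"),
                       ("require_numeric", "ACF2-ES-000850"), ("require_special", "ACF2-ES-000820")):
        if not policy.get(flag, False):
            findings.append(rule)
    if policy.get("min_change_fraction", 0.0) < STIG_MIN_CHANGE_FRACTION:
        findings.append("ACF2-ES-000870")
    return findings


def changed_fraction(old: str, new: str) -> float:
    """Fraction of the new password's positions that differ from the old one.
    This is the example's own reading of "50% of characters changed": compare position
    by position and count positions past the shorter string as changed."""
    if not new:
        return 0.0
    unchanged = sum(1 for a, b in zip(old, new) if a == b)
    return (len(new) - unchanged) / len(new)


def evaluate_change(old: str, new: str, history: list[str],
                    last_change: date, today: date) -> list[str]:
    """Reasons a change request violates the rows above; `history` is oldest first, excluding `old`."""
    reasons = []
    if len(new) < STIG_MIN_LENGTH:
        reasons.append("too_short")
    for name, test in (("upper", str.isupper), ("lower", str.islower), ("numeric", str.isdigit)):
        if not any(test(c) for c in new):
            reasons.append("missing_" + name)
    if not any(c in SPECIAL for c in new):
        reasons.append("missing_special")
    if new in (history + [old])[-STIG_HISTORY_GENERATIONS:]:  # current password is generation 1
        reasons.append("reused")
    if changed_fraction(old, new) < STIG_MIN_CHANGE_FRACTION:
        reasons.append("insufficient_change")
    if (today - last_change).days < STIG_MIN_AGE_DAYS:
        reasons.append("changed_too_soon")
    return reasons


def inactive_logonids(last_access: dict[str, date], today: date) -> list[str]:
    """LOGONIDs idle for more than 35 days; exactly 35 days is not yet a finding."""
    return sorted(lid for lid, last in last_access.items()
                  if (today - last).days > STIG_INACTIVE_DAYS)


def run_demo() -> dict:
    """Run every check over constructed sample data and return the results."""
    today = date(2020, 8, 15)
    weak_policy = dict(min_length=6, max_age_days=90, min_age_days=0, history_generations=3,
                       require_upper=True, require_lower=False, require_numeric=False,
                       require_special=False, min_change_fraction=0.0)     # constructed
    stig_policy = dict(min_length=8, max_age_days=60, min_age_days=1, history_generations=5,
                       require_upper=True, require_lower=True, require_numeric=True,
                       require_special=True, min_change_fraction=0.5)      # constructed
    history = ["Summer2018!", "Summer2019!"]                               # constructed
    last_access = {"USER01": date(2020, 7, 1),    # 45 days idle
                   "USER02": date(2020, 8, 10),   # 5 days idle
                   "USER03": date(2020, 7, 11)}   # exactly 35 days idle
    return {
        "weak_policy": check_policy(weak_policy),
        "stig_policy": check_policy(stig_policy),
        # a seasonal increment keeps 10 of 11 characters and is changed the same day
        "increment": evaluate_change("Summer2020!", "Summer2021!", history, today, today),
        "reuse": evaluate_change("Summer2020!", "Summer2019!", history, date(2020, 8, 1), today),
        "fresh": evaluate_change("Summer2020!", "Kq7#mLz2pW!", history, date(2020, 8, 1), today),
        "inactive": inactive_logonids(last_access, today),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The 35-day and 50% boundaries are the places reviewers most often get wrong: the row says "more than 35 days", so a LOGONID idle for exactly 35 days is not yet a finding, and a "Summer2020!" to "Summer2021!" change fails the 50% rule even though every character class is present.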
    SV-106843r1_rule ACF2-FT-000010 CCI-000067 MEDIUM IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security
    SV-106845r1_rule ACF2-FT-000020 CCI-000213 MEDIUM IBM z/OS data sets for the FTP Server must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106847r1_rule ACF2-FT-000030 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured. MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer
    SV-106849r1_rule ACF2-FT-000040 CCI-000048 MEDIUM IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-106851r1_rule ACF2-FT-000050 CCI-001384 MEDIUM IBM z/OS warning banner for the FTP Server must be properly specified. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-106853r1_rule ACF2-FT-000060 CCI-001384 MEDIUM IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operationa
    SV-106855r1_rule ACF2-FT-000070 CCI-000366 MEDIUM IBM z/OS FTP Control cards must be properly stored in a secure PDS file. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106857r1_rule ACF2-FT-000080 CCI-001764 MEDIUM The IBM z/OS TFTP Server program must be properly protected. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106859r1_rule ACF2-FT-000090 CCI-000764 MEDIUM IBM z/OS FTP Server daemon must be defined with proper security parameters. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106861r1_rule ACF2-FT-000100 CCI-001133 MEDIUM IBM z/OS startup parameters for the FTP Server must be defined in the SYSTCPD and SYSFTPD DD statements for configuration files. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-106863r1_rule ACF2-FT-000110 CCI-001133 MEDIUM IBM z/OS FTP.DATA configuration for the FTP Server must have INACTIVE statement properly set. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-106865r1_rule ACF2-JS-000010 CCI-000213 MEDIUM IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106867r1_rule ACF2-JS-000020 CCI-000213 MEDIUM IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106869r1_rule ACF2-JS-000030 CCI-000213 MEDIUM IBM z/OS JESNEWS resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106871r1_rule ACF2-JS-000040 CCI-000213 MEDIUM IBM z/OS JES2 system commands must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106873r1_rule ACF2-JS-000050 CCI-000213 MEDIUM IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106875r1_rule ACF2-JS-000060 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be properly controlled for Classified Systems. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106877r1_rule ACF2-JS-000070 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106879r1_rule ACF2-JS-000080 CCI-000213 MEDIUM IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106881r1_rule ACF2-JS-000090 CCI-000213 MEDIUM IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106883r1_rule ACF2-OS-000010 CCI-000067 MEDIUM The IBM z/OS BPX.SMF resource must be properly configured. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-106885r1_rule ACF2-OS-000020 CCI-001453 HIGH IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
    SV-106887r1_rule ACF2-OS-000030 CCI-000381 MEDIUM IBM z/OS Inapplicable PPT entries must be invalidated. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-106889r1_rule ACF2-OS-000040 CCI-001686 MEDIUM IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are removed. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account disabling ev
    SV-106891r1_rule ACF2-OS-000050 CCI-001684 MEDIUM IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are modified. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Notification of account modification is one
    SV-106893r1_rule ACF2-OS-000060 CCI-001685 MEDIUM IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are deleted. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account disabling ev
    SV-106895r1_rule ACF2-OS-000070 CCI-001683 MEDIUM IBM z/OS system administrator must develop a process to notify appropriate personnel when accounts are created. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for
    SV-106897r1_rule ACF2-OS-000080 CCI-000018 MEDIUM IBM z/OS Required SMF data record types must be collected. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security
    SV-106899r1_rule ACF2-OS-000090 CCI-000213 MEDIUM IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106901r1_rule ACF2-OS-000100 CCI-000131 MEDIUM IBM z/OS must specify SMF data options to assure appropriate activation. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security
    SV-106903r1_rule ACF2-OS-000110 CCI-001849 MEDIUM IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data. In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually perform
    SV-106905r1_rule ACF2-OS-000120 CCI-001851 MEDIUM IBM z/OS system administrators must develop an automated process to collect and retain SMF data. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-106907r1_rule ACF2-OS-000130 CCI-000139 MEDIUM IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system oper
    SV-106909r1_rule ACF2-OS-000140 CCI-000140 MEDIUM IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG). It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and au
    SV-106911r1_rule ACF2-OS-000150 CCI-001891 MEDIUM IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-106913r1_rule ACF2-OS-000160 CCI-001891 MEDIUM IBM z/OS SNTP daemon (SNTPD) must be active. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-106915r1_rule ACF2-OS-000170 CCI-002046 MEDIUM IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-106917r1_rule ACF2-OS-000180 CCI-000162 MEDIUM IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing. SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ESM, and customer data. Unauthorized disclosure of audit r
    SV-106919r1_rule ACF2-OS-000190 CCI-000366 MEDIUM IBM z/OS system administrator must develop a process to notify ISSOs of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-106921r1_rule ACF2-OS-000200 CCI-000366 MEDIUM IBM z/OS PASSWORD data set and OS passwords must not be used. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-106923r1_rule ACF2-OS-000210 CCI-000366 MEDIUM IBM z/OS must configure system waittimes to protect resource availability based on site priorities. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-106925r1_rule ACF2-OS-000220 CCI-000366 MEDIUM IBM z/OS Emergency LOGONIDs must be properly defined. Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending on mission needs and conditions, account usage restrictions
    SV-106927r1_rule ACF2-OS-000230 CCI-000366 MEDIUM IBM z/OS DFSMS control data sets must reside on separate storage volumes. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-106929r1_rule ACF2-OS-000240 CCI-000366 MEDIUM IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
    SV-106931r1_rule ACF2-OS-000250 CCI-001764 HIGH Unsupported IBM z/OS system software must not be installed and/or active on the system. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106933r1_rule ACF2-OS-000260 CCI-001764 MEDIUM IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106935r1_rule ACF2-OS-000270 CCI-001764 MEDIUM IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-106937r1_rule ACF2-OS-000280 CCI-000381 MEDIUM IBM z/OS must not have inaccessible APF libraries defined. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-106939r1_rule ACF2-OS-000290 CCI-000381 MEDIUM IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and violate the integrity of the operating system environment. This expanded authorization list inhibits the a
    SV-106941r1_rule ACF2-OS-000310 CCI-000381 MEDIUM Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic
    SV-106943r1_rule ACF2-OS-000320 CCI-000382 MEDIUM IBM z/OS must properly configure CONSOLxx members. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106945r1_rule ACF2-OS-000330 CCI-000186 MEDIUM IBM z/OS must use SAF Key Rings for key management. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the privat
    SV-106947r1_rule ACF2-OS-000340 CCI-001199 MEDIUM The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as
    SV-106949r1_rule ACF2-OS-000350 CCI-001090 MEDIUM IBM z/OS sensitive and critical system data sets must not exist on shared DASD. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-106951r1_rule ACF2-OS-000360 CCI-002385 MEDIUM IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system t
    SV-106953r1_rule ACF2-OS-000370 CCI-001095 MEDIUM IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
    SV-106955r1_rule ACF2-OS-002240 CCI-000056 MEDIUM IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-106957r1_rule ACF2-OS-002330 CCI-001744 MEDIUM IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be
    SV-106959r1_rule ACF2-OS-002350 CCI-000060 MEDIUM IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the po
    SV-106961r1_rule ACF2-OS-002360 CCI-000057 MEDIUM IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-106963r1_rule ACF2-OS-002370 CCI-000016 MEDIUM IBM z/OS System Administrator must develop a procedure to automatically remove or disable temporary user accounts after 72 hours. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. T
    SV-106965r1_rule ACF2-OS-002380 CCI-001682 MEDIUM IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these a
    SV-106967r1_rule ACF2-OS-002390 CCI-002132 MEDIUM IBM z/OS system administrator must develop a procedure to notify system administrators and ISSOs of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-106969r1_rule ACF2-OS-002410 CCI-000879 MEDIUM IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating syst
    SV-106971r1_rule ACF2-OS-002420 CCI-002617 MEDIUM IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the
    SV-106973r1_rule ACF2-OS-002430 CCI-002702 MEDIUM IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the
    SV-106975r1_rule ACF2-OS-002440 CCI-000058 MEDIUM IBM z/OS must employ a session manager configured for users to directly initiate a session lock for all connection types. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-106977r1_rule ACF2-OS-002470 CCI-000795 MEDIUM ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
    SV-106979r1_rule ACF2-OS-003430 CCI-001851 MEDIUM IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-106981r1_rule ACF2-SH-000010 CCI-000067 MEDIUM IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-106983r1_rule ACF2-SH-000030 CCI-000048 MEDIUM IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-106985r1_rule ACF2-SH-000040 CCI-000382 HIGH IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-106987r1_rule ACF2-SH-000050 CCI-000068 HIGH IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-106989r1_rule ACF2-SL-000010 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these objects could lead to unauthorized access. This exposure may result in the compromise of the integrity and
    SV-106991r1_rule ACF2-SL-000020 CCI-000764 MEDIUM IBM z/OS Syslog daemon must be started at z/OS initialization. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-106993r1_rule ACF2-SL-000030 CCI-000764 MEDIUM IBM z/OS Syslog daemon must be properly defined and secured. The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communi
    SV-106995r1_rule ACF2-SM-000010 CCI-000213 MEDIUM IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106997r1_rule ACF2-SM-000020 CCI-000213 MEDIUM IBM z/OS DFSMS Program Resources must be properly defined and protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-106999r1_rule ACF2-SM-000030 CCI-000213 MEDIUM IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107001r1_rule ACF2-SM-000040 CCI-000213 MEDIUM IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107003r1_rule ACF2-SM-000050 CCI-000213 MEDIUM IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107005r1_rule ACF2-SM-000060 CCI-000366 MEDIUM IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107007r1_rule ACF2-TC-000010 CCI-000067 MEDIUM IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-107009r1_rule ACF2-TC-000020 CCI-002314 MEDIUM IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD no
    SV-107011r1_rule ACF2-TC-000030 CCI-000213 MEDIUM IBM z/OS TCP/IP resources must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107013r1_rule ACF2-TC-000040 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107015r1_rule ACF2-TC-000050 CCI-000213 MEDIUM IBM z/OS data sets for the Base TCP/IP component must be properly protected. MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integ
    SV-107017r1_rule ACF2-TC-000060 CCI-000366 MEDIUM IBM z/OS Configuration files for the TCP/IP stack must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107019r1_rule ACF2-TC-000070 CCI-000764 MEDIUM IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107021r1_rule ACF2-TC-000080 CCI-002884 MEDIUM IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack. If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance to
    SV-107023r1_rule ACF2-TC-000090 CCI-002468 MEDIUM IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-107025r1_rule ACF2-TN-000010 CCI-002361 MEDIUM IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net
    SV-107027r1_rule ACF2-TN-000020 CCI-000067 MEDIUM IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance to
    SV-107029r1_rule ACF2-TN-000030 CCI-000068 MEDIUM IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-107031r1_rule ACF2-TN-000040 CCI-000048 MEDIUM IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all
    SV-107033r1_rule ACF2-TN-000050 CCI-001384 MEDIUM IBM z/OS warning banner for the TN3270 Telnet Server must be properly specified. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107035r1_rule ACF2-TN-000060 CCI-000366 MEDIUM IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107037r1_rule ACF2-TN-000070 CCI-001133 MEDIUM IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet Server must have INACTIVE statement properly specified. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-107039r1_rule ACF2-TS-000010 CCI-000213 MEDIUM IBM z/OS TSOAUTH resources must be restricted to authorized users. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107041r1_rule ACF2-US-000010 CCI-000213 HIGH IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107043r1_rule ACF2-US-000020 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in etc/profile must be properly specified. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-107045r1_rule ACF2-US-000030 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in /etc/rc must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107047r1_rule ACF2-US-000040 CCI-000213 MEDIUM IBM z/OS UNIX resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107049r1_rule ACF2-US-000050 CCI-000213 MEDIUM IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-107051r1_rule ACF2-US-000060 CCI-000213 MEDIUM IBM z/OS BPX resource(s) must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107053r1_rule ACF2-US-000070 CCI-000213 MEDIUM IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107055r1_rule ACF2-US-000080 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-107057r1_rule ACF2-US-000090 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-107059r1_rule ACF2-US-000100 CCI-000213 MEDIUM IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107061r1_rule ACF2-US-000110 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107063r1_rule ACF2-US-000120 CCI-001499 MEDIUM IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-107065r1_rule ACF2-US-000130 CCI-001499 MEDIUM IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected or specified. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-107067r1_rule ACF2-US-000140 CCI-000366 MEDIUM IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107069r1_rule ACF2-US-000150 CCI-000366 MEDIUM IBM z/OS UNIX HFS MapName files security parameters must be properly specified. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic
    SV-107071r1_rule ACF2-US-000160 CCI-000366 MEDIUM IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-107073r1_rule ACF2-US-000170 CCI-000382 MEDIUM IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107075r1_rule ACF2-US-000180 CCI-000382 MEDIUM IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107077r1_rule ACF2-US-000190 CCI-000764 MEDIUM IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107079r1_rule ACF2-US-000200 CCI-000764 MEDIUM IBM z/OS UNIX user accounts must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107081r1_rule ACF2-US-000210 CCI-000764 MEDIUM IBM z/OS UNIX groups must be defined with a unique GID. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107083r1_rule ACF2-US-000220 CCI-000764 MEDIUM IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107085r1_rule ACF2-US-000230 CCI-000764 MEDIUM IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107087r1_rule ACF2-UT-000010 CCI-000213 MEDIUM IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107089r1_rule ACF2-UT-000020 CCI-000213 MEDIUM IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107091r1_rule ACF2-UT-000030 CCI-000048 MEDIUM IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all
    SV-107093r1_rule ACF2-UT-000040 CCI-001384 MEDIUM IBM z/OS UNIX Telnet Server warning banner must be properly specified. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107095r1_rule ACF2-UT-000050 CCI-000366 MEDIUM IBM z/OS UNIX Telnet Server Startup parameters must be properly specified to display the banner. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107097r1_rule ACF2-VT-000010 CCI-000213 MEDIUM IBM z/OS System data sets used to support the VTAM network must be properly secured. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107099r1_rule ACF2-VT-000020 CCI-001499 MEDIUM IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a