IBM z/OS RACF Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates −1 ✎ 4
Comparison against the immediately-prior release (V7R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Removed rules 1
- V-98091 Medium The IBM z/OS JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF).
Content changes 4
- V-98045 Medium checkfix IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
- V-98139 Medium check IBM z/OS must properly protect MCS console userid(s).
- V-98343 Medium checkfix IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
- V-98359 Medium checkfix IBM z/OS data sets for the Base TCP/IP component must be properly protected.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-CE-000010
- Vuln IDs
-
- V-97997
- Rule IDs
-
- SV-107101r1_rule
Checks: C-96833r1_chk
Currently the RACDCERT command does not support a generic userid value of ID(*) LISTMAP to list all the certificate name filters defined to RACF. However, the following commands can be issued to determine if certificate name filtering may be implemented. If certificate name filtering is in use, collect documentation describing each active filter rule and written approval from the ISSM to use the rule. Issue the SETROPTS LIST command. If the DIGTNMAP resource class is active, RACF is ready to process any certificate name filters with a Status of TRUST. The DIGTNMAP resource class should not be active unless certificate name filtering is desired. If the DIGTNMAP resource class is not active, this is not a finding. Certificate name filters are stored as profiles in the DIGTNMAP resource class. The RLIST command is not intended for use with profiles in the DIGTNMAP resource class. However it can be used to determine if any profiles are defined. (NOTE: The information will not be displayed in a suitable format to easily interpret the filter.) RLIST DIGTNMAP * If there is nothing to list in the DIGTNMAP resource class, this is not a finding. If profile information is displayed, one or more certificate name filters are defined to RACF. Under the NAME heading of each profile listing is the userid the filter is being mapped to. Issue the following command the list the certificate name filter associated with each userid: RACDCERT ID(profile name userid) LISTMAP NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status. If the DIGTNMAP resource class is active and certificate name filters have a Status of TRUST, certificate name filtering is in use. If certificate name filtering is in use and filtering rules have been documented and approved by the ISSM, this is not a finding. If certificate name filtering is in use and filtering rules have not been documented and approved by the ISSM, this is a finding.
Fix: F-103673r1_fix
Ensure any certificate name filtering rules in use are documented and approved by the ISSM.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- RACF-CE-000020
- Vuln IDs
-
- V-97999
- Rule IDs
-
- SV-107103r1_rule
Checks: C-96835r1_chk
From the ISPF Command Shell enter: RACDCERT CERT AUTH If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check. Check the expiration (End Date) for each certificate with a status of TRUST. If the expiration date has passed, this is a finding.
Fix: F-103675r1_fix
If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000185
- Version
- RACF-CE-000030
- Vuln IDs
-
- V-98001
- Rule IDs
-
- SV-107105r1_rule
Checks: C-96837r2_chk
From the ISPF Command Shell enter: RACDCERT CERT AUTH If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check. If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI’s Root Certification Authority, this is not a finding. Reference the DoD Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/interoperability/). Examples of an acceptable DoD CA are: DoD PKI Class 3 Root CA DoD PKI Med Root CA
Fix: F-103677r1_fix
Remove or and replace certificates with a Status of TRUST whose the issuer's distinguished name does not lead to a DoD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI’s Root Certification Authority.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000010
- Vuln IDs
-
- V-98003
- Rule IDs
-
- SV-107107r1_rule
Checks: C-96839r1_chk
Execute a dataset access list for SYS1.NUCLEUS. If all of the Following are untrue, this is not a finding. If any of the following is true, this is a finding. -The ACP data set rules for SYS1.NUCLEUS do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103679r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS. Configure the WRITE or greater access to SYS1.NUCLEUS to be limited to system programmers only and all WRITE or greater access is logged.
- RMF Control
- AC-3
- Severity
- L
- CCI
- CCI-000213
- Version
- RACF-ES-000020
- Vuln IDs
-
- V-98005
- Rule IDs
-
- SV-107109r1_rule
Checks: C-96841r1_chk
Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries however, to determine program entries issue the following command from an ISPF command line: TSO ISRDDN LOAD IEFSDPPT Press Enter. For each module identified in the "eyecatcher" if all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. -The ACP data set rules for libraries that contain PPT modules do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for libraries that contain PPT modules do not specify that all WRITE or greater access will be logged.
Fix: F-103681r1_fix
Configure the WRITE or greater access to libraries containing PPT modules to be limited to system programmers only and all WRITE or greater access is logged.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000030
- Vuln IDs
-
- V-98007
- Rule IDs
-
- SV-107111r1_rule
Checks: C-96843r1_chk
From Any ISPF input line, enter: TSO ISRDDN LINKLIST If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. -The ACP data set rules for LINKLIST libraries do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for LINKLIST libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103683r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the LINKLIST libraries. Configure the WRITE or greater access to LINKLIST libraries to be limited to system programmers only and all WRITER or greater access is logged.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- RACF-ES-000040
- Vuln IDs
-
- V-98009
- Rule IDs
-
- SV-107113r1_rule
Checks: C-96845r1_chk
Ask the system administrator for a list of all emergency userids available to the site along with the associated function of each userid. Execute an access list for each emergency userid. At a minimum an emergency logonid will exist with the security administration attributes specified in accordance with the following requirements. If the following guidance is not followed, this is a finding. At least one userid exists to perform RACF security administration. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. If any userids exist to perform operating system functions, they are defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, and FULL access to all DASD volumes. They must not have the SPECIAL attribute. NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list. All emergency userids are defined to RACF and SYS1.UADS. All emergency logonid/logonid(s) are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute. All emergency logonid/logonid(s) will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF. All emergency logonid/logonid(s) will have documented procedures to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the ISSO. When an emergency logonid is released for use, its password is to be reset by the ISSO within 12 hours.
Fix: F-103685r1_fix
Configure emergency USERIDs to have access granted only authorizes those resources required to support the specific functions of either DASD Recovery or System Administration. Ensure the following items are in effect regarding emergency userids: At a minimum an emergency userids will exists with the security administration attributes specified in accordance with the following requirements: - Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both. - Userids can be defined to perform operating system functions. Such userids must be defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, FULL access to all DASD volumes resources as well as the FACILITY Class STGADMN profiles. They must not have the SPECIAL attribute. NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list since access lists override OPERATIONS. - Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both. - All emergency userids are defined to RACF and SYS1.UADS. See TSO Command Ref for info on adding users to UADS. - All emergency userids are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute via the command: ALU <uid> UAUDIT - All emergency userids will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF. - All emergency userids will have documented procedures - such as a COOP Plan - to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the ISSO. When an emergency userids is released for use, its password is to be reset by the ISSO within 12 hours.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RACF-ES-000050
- Vuln IDs
-
- V-98011
- Rule IDs
-
- SV-107115r1_rule
Checks: C-96847r1_chk
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Verify that the following LOGOPTIONS are specified: LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE The other LOGOPTIONS may be site determined. If the LOGOPTIONS are not set as described above, this is a finding.
Fix: F-103687r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Ensure that the following LOGOPTIONS are specified: LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE The other LOGOPTIONS may be site determined.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000060
- Vuln IDs
-
- V-98013
- Rule IDs
-
- SV-107117r1_rule
Checks: C-96849r1_chk
Execute a resource access list for the IEAABD. resources. If the IEAABD. resource and/or generic equivalent is defined with no access and all access logged, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent is defined with READ access limited to authorized users, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent WRITE or greater access is restricted to only systems personnel and all access is logged, this is not a finding. If the IEAABD.DMPAKEY resource and/or generic equivalent is defined and all access is restricted to systems personnel and that all access is logged, this is not a finding.
Fix: F-103689r1_fix
Memory and privileged program dump resources are provided via resources in the FACILITY resource class. Configure these resources to the ESM as specified in the following. (Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resources and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.) Below is listed the access requirements for memory and privileged program dump resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are followed. When protecting the facilities for dumps lists via the FACILITY resource class, ensure that the following items are in effect: IEAABD. IEAABD.DMPAUTH. IEAABD.DMPAKEY. The RACF resource rules for the resources specify UACC(NONE) and NOWARNING. Ensure that no access is given to "IEAABD." resource. Example: RDEF FACILITY IEAABD.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ)) IEAABD.DMPAUTH. READ access is limited to authorized users that have a valid job duties requirement for access. WRITE or greater access will be restricted to system programming personnel and access will be logged. Example: RDEF FACILITY IEAABD.DMPAUTH.** UACC(NONE) OWNER(owner group) AUDIT(ALL(UPDATE)) PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(authusers) ACCESS(READ) PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) IEAABD.DMPAKEY. access will be restricted to system programming personnel and access will be logged. Example: RDEF FACILITY IEAABD.DMPAKEY.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ)) PERMIT IEAABD.DMPAKEY.** CLASS(FACILITY) ID(syspsmpl) ACCESS(READ)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000070
- Vuln IDs
-
- V-98015
- Rule IDs
-
- SV-107119r1_rule
Checks: C-96851r1_chk
From the ISPF Command Shell enter: RList OPERCMDS * If the MVS.** resource is defined to the OPERCMDS class with an access of NONE and all (i.e., failures and successes) access logged, this is not a finding. If the access to z/OS system commands defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) as determined in the Documented site Security Plan, this is not a finding. Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all. If all access (i.e., failures and successes) to specific z/OS system commands is logged as indicated in the table entitled MVS commands, RACF access authorities, and resource names, in the z/OS MVS System Commands, this is not a finding.
Fix: F-103691r1_fix
z/OS system commands provide control over z/OS functions and can compromise security if misused. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the z/OS system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when all less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL. Apply the following recommendations when implementing security: The MVS.** resource is defined to the OPERCMDS class with an access of NONE and all (i.e., failures and successes) access logged. Access to z/OS system commands defined in the entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). The (MVS.SEND) Command will not be a finding if used by all. Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. The (MVS.SEND) Command will not be a finding if used by all. All elevated access (i.e., failures and successes) to specific z/OS system commands is logged. A sample set of commands to define and permit access to system command resources is shown here: RDEF OPERCMDS MVS.** UACC(NONE) OWNER(<syspsmpl>) AUDIT(ALL(READ)) DATA("set up deny-by-default profile') Then, in accordance with the referenced table, use the following template to define profiles for each command: RDEF OPERCMDS <system command profile> UACC(NONE) OWNER(<syspsmpl>) AUDIT(ALL(READ)) PERMIT <system command profile> CLASS(OPERCMDS) ID(<groupname>) ACCESS(<accesslevel>)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000080
- Vuln IDs
-
- V-98017
- Rule IDs
-
- SV-107121r1_rule
Checks: C-96853r1_chk
If the CONSOLE privilege is not defined to the TSOAUTH resource class, this is not a finding. At the discretion of the site, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, review the following items for users granted the CONSOLE resource in the TSOAUTH resource class: If Userids are restricted to the INFO level on the AUTH parameter specified in the OPERPARM segment of their userid, this is not a finding. If Userids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class, this is not a finding. If Userids and/or group IDs are restricted to READ access to the CONSOLE resource defined in the TSOAUTH resource class, this is not a finding.
Fix: F-103693r1_fix
Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. Ensure the following items are in effect for all MCS consoles: Define a profile protecting the use of the CONSOLE command within TSO. A sample command to accomplish this is shown here: RDEF TSOAUTH CONSOLE UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) Permit only authorized users. A sample command to accomplish this is shown here: PE CONSOLE CL(TSOAUTH) ID(<syspsmpl>) Set up the OPERPARM segment in corresponding user-class entry. A sample command to accomplish this is shown here: ALU <authorized user> OPERPARM(AUTH(INFO)) Userids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class. A sample command to accomplish this is shown here using the GLOBAL class: RDEF GLOBAL OPERCMDS ADDMEM(MVS.MCSOPER.&RACUID/READ) OWNER(ADMIN)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000090
- Vuln IDs
-
- V-98019
- Rule IDs
-
- SV-107123r1_rule
Checks: C-96855r1_chk
The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. From the ISPF Command Shell enter: SETRopts List If the FACILITY resource class is active, this is not a finding.
Fix: F-103695r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The FACILITY Class is activated with the command SETR CLASSACT(FACILITY). Generic profiles and commands should also be enabled with the command SETR GENERIC(FACILITY) GENCMD(FACILITY). IBM recommends RACLISTing the FACILITY Class which is accomplished with the command SETR RACL(FACILITY).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000100
- Vuln IDs
-
- V-98021
- Rule IDs
-
- SV-107125r1_rule
Checks: C-96857r1_chk
The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. From the ISPF Command Shell enter: SETRopts List If the OPERCMDS resource class is active, this is not a finding.
Fix: F-103697r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The OPERCMDS Class is activated with the command SETR CLASSACT(OPERCMDS). Generic profiles and commands should also be enabled with the command SETR GENERIC(OPERCMDS) GENCMD(OPERCMDS). IBM recommends RACLISTing the OPERCMDSClass which is accomplished with the command SETR RACL(OPERCMDS).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000110
- Vuln IDs
-
- V-98023
- Rule IDs
-
- SV-107127r1_rule
Checks: C-96859r1_chk
The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. From the ISPF Command Shell enter: SETRopts List If the CONSOLE resource class is active, this is not a finding.
Fix: F-103699r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The CONSOLE Class is activated with the command SETR CLASSACT(CONSOLE). Generic profiles and commands should also be enabled with the command SETR GENERIC(CONSOLE) GENCMD(CONSOLE). IBM recommends RACLISTing the CONSOLE Class which is accomplished with the command SETR RACL(CONSOLE).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000120
- Vuln IDs
-
- V-98025
- Rule IDs
-
- SV-107129r1_rule
Checks: C-96861r1_chk
The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. From the ISPF Command Shell enter: SETRopts List If the TEMPDSN resource class is ACTIVE, this is not a finding.
Fix: F-103701r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The TEMPDSN Class is activated with the command SETR CLASSACT(TEMPDSN). Generic profiles and commands should also be enabled with the command SETR GENERIC(TEMPDSN) GENCMD(TEMPDSN). IBM recommends RACLISTing the TEMPDSN Class which is accomplished with the command SETR RACL(TEMPDSN).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000130
- Vuln IDs
-
- V-98027
- Rule IDs
-
- SV-107131r1_rule
Checks: C-96863r1_chk
Refer to the list of z/OS started tasks and address spaces in the IBM z/OS MVS Initialization and Tuning Reference. If the only approved Started Tasks that have the TRUSTED flag enabled are in this list, this is not a finding. If there are no Started Tasks that have been granted the PRIVILEGED attribute, this is not a finding. Guidelines for reference: Assign the TRUSTED attribute when one of the following conditions applies: - The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation. - Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem. Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation. Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official.
Fix: F-103703r1_fix
Review assignment of the TRUSTED attribute in ICHRIN03 and/or the STARTED resource class. Ensure only those trusted STCs that are listed in the IBM z/OS MVS Initialization and Tuning Reference have been granted this authority. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes. While the actual list may vary based on local site requirements and software configuration, the started tasks listed in the IBM z/OS MVS Initialization and Tuning Reference is an approved list of started tasks that may be considered trusted started procedures. Guidelines for reference: Assign the TRUSTED attribute when one of the following conditions applies: -The started procedure or address space creates or accesses a wide variety of unpredictably named data sets within your installation. -Insufficient authority to an accessed resource might risk an unsuccessful IPL or other system problem. -Avoid assigning TRUSTED to a z/OS started procedure or address space unless it is listed here or you are instructed to do so by the product documentation. Additionally external security managers are candidates for trusted attribute. Any other started tasks not listed or not covered by the guidelines are a finding unless approval by the Authorizing Official. The TRUSTED attribute can be removed from a STARTED class profile using the command: RALT STARTED <profilename> STDATA(TRUSTED(NO)) If the STARTED class is RACLISTed then a refresh command is necessary: SETR RACL(STARTED) REFRESH If any Started Tasks exist with the PRIVILEGED attribute then take the following action to remove this attribute: RALT STARTED <profilename> STDATA(PRIVILEGED(NO)) If the STARTED class is RACLISTed then a refresh command is necessary: SETR RACL(STARTED) REFRESH
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000140
- Vuln IDs
-
- V-98029
- Rule IDs
-
- SV-107133r1_rule
Checks: C-96865r1_chk
From the ISPF Command Shell enter: RLIST FACILITY ICHBLP AUTHUSER If access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.), this is not a finding. If no tape management system (e.g., CA-1) is installed the following: From the ISPF Command Shell enter: SETROPTS LIST If the TAPEVOL class is active, this is not a finding.
Fix: F-103705r1_fix
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. BLP is controlled thru the FACILITY class profile ICHBLP. Access is removed with the following command: PE ICHBLP CL(FACILITY) id(<userid>) DELETE a subsequent REFRESH of the FACILITY class may be required via the command: SETR RACL(FACILITY) REFRESH
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000150
- Vuln IDs
-
- V-98031
- Rule IDs
-
- SV-107135r1_rule
Checks: C-96867r2_chk
From the ISPF Command Shell enter: RLIST DASDVOL AUTHUSER If a profile of "**" is defined for the "DASDVOL" resource class, this is not finding. If access authorization to "DASDVOL" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers, this is not a finding. If all (i.e., failures and successes) access is logged, this is not a finding.
Fix: F-103707r1_fix
Develop a plan of action to implement the required changed. Define profiles in the "DASDVOL" class. A sample command is provided here: RDEF DASDVOL ** UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)). More specific "DASDVOL" profiles should be defined to protect groups of "DASDVOLs". A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here: RDEF DASDVOL SYS* UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ)). Permission can be granted to "DASDVOL" profiles. A sample command is provided here: PE SYS* CLASS(DASDVOL) ID(<syspsmpl>) ACCESS(ALTER) If any profiles are in "WARN" mode, they should be reset. A sample command is provided here: RALT DASDVOL <profilename> NOWARN. Note that the "GDASDVOL" class can also be used. See the RACF Security Admin Guide for more information.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000160
- Vuln IDs
-
- V-98033
- Rule IDs
-
- SV-107137r1_rule
Checks: C-96869r1_chk
If the RACF resource access authorizations for the following sensitive utilities restrict access to the appropriate personnel according to the site security plan, this is not a finding. Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only.
Fix: F-103709r1_fix
Note: The resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific. Ensure that all Sensitive Utility Controls resources and/or generic equivalent are properly protected according to the site security plan. Use Sensitive Utility Controls table below that lists the resources, access requirements, and logging requirements for Sensitive Utilities, ensures the following guidelines are followed: Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only. The RACF resources as designated in the table above are defined with a default access of NONE. The RACF resource access authorizations restrict access to the appropriate personnel as designated in the table above. The RACF resource rules for the resources designated in the table above specify UACC(NONE) and NOWARNING. The following commands are provided as a sample for implementing resource controls: RDEF PROGRAM AHLGTF ADDMEM('SYS1.LINKLIB'//NOPADCHK) - DATA('ADDED PER SRR PDI RACF0770 ') - AUDIT(ALL(READ)) UACC(NONE) OWNER(ADMIN) PERMIT AHLGTF CLASS(PROGRAM) ID(stcgsmpl)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000170
- Vuln IDs
-
- V-98035
- Rule IDs
-
- SV-107139r1_rule
Checks: C-96871r1_chk
From a command input screen enter: RL Global * If Global * is specified in SETROPTS, this is a finding. The following entries may be allowed with the approval of the ISSM: Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets) OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs) JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs) JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs) The ISSM may allow other classes to be included after evaluation with the system programmer. If any other members are included for Global Access Checking, this is a finding. If written approval by the ISSM is not provided, this is a finding.
Fix: F-103711r1_fix
Configure Global Access Checking to be appropriately administered. Evaluate the impact associated with implementation of the control option. Develop approval; documentation and a plan of action to implement the control option as specified in the example below: RALT GLOBAL class-name ADDMEM (resourcename)/accesslevel)
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000180
- Vuln IDs
-
- V-98037
- Rule IDs
-
- SV-107141r1_rule
Checks: C-96873r1_chk
Refer to SYSCATxx member of SYS1.NUCLEUS. Multiple SYSCATxx members may be defined. If so, refer to Master Catalog message for IPL. If the member is not found, refer to the appropriate LOADxx member of SYS1.PARMLIB. If data set rules for the Master Catalog do not restrict greater than “READ” access to only z/OS systems programming personnel, this is a finding. Access greater than “READ” for the Master catalog is allowed to a batch job ID in the following specific case: The batch job must reside in a data set that is restricted to systems programmers only. If dataset rules for the Master Catalog do not specify that all (i.e., failures and successes) greater than “READ” access will be logged, this is a finding.
Fix: F-103713r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the MASTER CATALOG. Configure the ESM rules for system catalog to only allow access above “READ” to systems programmers and those authorized by the ISSM/ISSO. Configure ESM rules for the master catalog to allow access above “READ” to systems programmers ONLY. Configure ESM rules for the master catalog to allow any batch ID access above “READ” only in this specific case: The batch job that requires above “READ” access must reside in a data set that has restricted “ALTER” or equivalent access to systems programmers ONLY. All greater than read access must be logged.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000190
- Vuln IDs
-
- V-98039
- Rule IDs
-
- SV-107143r1_rule
Checks: C-96875r1_chk
The ESM data set rules for SYS1.UADS restrict WRITE or Greater access to only z/OS systems programming personnel. The ESM data set rules for SYS1.UADS restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel. The ESM data set rules for SYS1.UADS restrict READ access to auditors as documented in Security Plan. The ESM data set rules for SYS1.UADS specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged. If all of the above are untrue, this is not a finding. If any of the above is true, this is a finding.
Fix: F-103715r1_fix
Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS. SYS1.UADS WRITE or Greater authority is limited to the systems programming staff. READ and/or UPDATE access should be limited to the security staff. READ access is limited to Auditors when included in the site security plan. Configure allocate access to SYS1.UADS to be limited to system programmers only, Read and Update access to SYS1.UADS to be limited to system programmer personnel and/or security personnel, and all dataset access is logged.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000200
- Vuln IDs
-
- V-98041
- Rule IDs
-
- SV-107145r1_rule
Checks: C-96877r1_chk
Execute RACF command: RLIST FACILITY * If the RACF resources and/or generic equivalent identified below are defined with AUDIT(ALL(READ)) and WRITE or greater access restricted to system programming personnel, this is not a finding. CSVAPF. CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC CSVAPF.MVS.SETPROG.FORMAT.STATIC CSVDYLPA. CSVDYNEX. CSVDYNEX.LIST CSVDYNL. CSVDYNL.UPDATE.LNKLST CSVLLA. If the RACF CSVDYNEX.LIST resource and/or generic equivalent is defined with AUDIT(FAILURE(READ)SUCCESS(UPDATE)) and WRITE or greater access restricted to system programming personnel, this is not a finding. If the RACF CSVDYNEX.LIST resource and/or generic equivalent is defined with READ access restricted to auditors, this is not a finding. If the products CICS and/or CONTROL-O are on the system, the RACF access to the CSVLLA resource and/or generic equivalent will be defined with AUDIT(ALL) and UPDATE access restricted to the CICS and CONTROL-O STC userids. If any software product requires access to dynamic LPA updates on the system, the RACF access to the CSVDYLPA resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) only after the product has been validated with the appropriate STIG or SRG for compliance AND receives documented and filed authorization that details the need and any accepted risks from the site ISSM or equivalent security authority. Note: In the above, UPDATE access can be substituted with ALTER or CONTROL. Review the permissions in the IBM documentation when specifying UPDATE.
Fix: F-103717r1_fix
Configure the Dynamic List resources to be defined to the RACF FACILITY resource class and protected. Only system programmers and a limited number of authorized users and Approved authorized Started Tasks are able to issue these commands. All access is logged. The required CSV-prefixed Facility Class resources are listed below. These resources or generic equivalents should be defined and permitted as required with only z/OS systems programmers and logging enabled. Minimum required list of CSV-prefixed resources: CSVAPF.** CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC CSVAPF.MVS.SETPROG.FORMAT.STATIC CSVDYLPA.** CSVDYLPA.ADD.** CSVDYLPA.DELETE.** CSVDYNEX.** CSVDYNEX.LIST CSVDYNL.** CSVDYNL.UPDATE.LNKLST CSVLLA.** Limit authority to those resources to z/OS systems programmers. Restrict to the absolute minimum number of personnel with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish this: RDEF FACILITY CSVAPF.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) RDEF FACILITY CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) RDEF FACILITY CSVAPF.MVS.SETPROG.FORMAT.STATIC.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) PERMIT CSVAPF.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVAPF.MVS.SETPROG.SETPROG.FORMAT.DYNAMIC.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVAPF.MVS.SETPROG.SETPROG.FORMAT.STATIC.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) The CSVDYLPA.ADD resource will be permitted to products BMC Mainview, CA 1, and CA Common Services STC userids with AUDIT(ALL(READ)) and UPDATE access. The CSVDYLPA.DELETE resource will be permitted to products CA 1 and CA Common Services STC userids with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish one set of resources: RDEF FACILITY CSVDYLPA.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) RDEF FACILITY CSVDYLPA.ADD.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) RDEF FACILITY CSVDYLPA.DELETE.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) PERMIT CSVDYLPA.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVDYLPA.** CLASS(FACILITY) ID(BMC Mainview STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(BMC Mainview STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE) PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE) The CSVDYNEX.LIST resource and/or generic equivalent will be defined with AUDIT(FAILURE(READ)SUCCESS(UPDATE)) and UPDATE access restricted to system programming personnel. The CSVDYNEX.LIST resource and/or generic equivalent will be defined with READ access restricted to auditors. Sample commands are shown here to accomplish this: RDEF FACILITY CSVDYNEX.** UACC(NONE) OWNER(syspsmpl) – AUDIT(ALL(READ)) RDEF FACILITY CSVDYNEX.LIST.** UACC(NONE) OWNER(syspsmpl) – AUDIT(FAILURE(READ)SUCCESS(UPDATE)) PERMIT CSVDYNEX.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVDYNEX.LIST.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVDYNEX.LIST.** CLASS(FACILITY) ID(smplsmpl) ACCESS(READ) The CSVLLA resource will be permitted to CICS and CONTROL-O STC userids with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish one set of resources: RDEF FACILITY CSVLLA.** UACC(NONE) OWNER(syspsmpl) AUDIT(ALL(READ)) PERMIT CSVLLA.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) PERMIT CSVLLA.** CLASS(FACILITY) ID(CICS STC userids) ACCESS(UPDATE) PERMIT CSVLLA.** CLASS(FACILITY) ID(CONTROL-O STC userid) ACCESS(UPDATE)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000210
- Vuln IDs
-
- V-98043
- Rule IDs
-
- SV-107147r2_rule
Checks: C-96879r1_chk
From the ISPF Command Shell enter: LISTCat USERCATALOG ALL NOPREFIX Review the ESM data set rules for each usercatalog defined. If the data set rules for User Catalogs do not restrict ALTER access to only z/OS systems programming personnel, this is a finding. If access greater than “READ” for the User Catalogs is allowed to a batch job ID used for system level maintenance in the following specific case: (The batch job must reside in a data set that is restricted to systems programmers only) this is not a finding. If the data set rules for User Catalogs do not specify that all (i.e., failures and successes) ALTER access will be logged, this a finding.
Fix: F-103719r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect USER CATALOGS. Configure ESM rules for allocate access to USER CATALOGS, limited to system programmers only, and all allocate access is logged. Configure ESM rules for the USER CATALOGS to allow any batch ID used for system level maintenance access above “READ” only in this specific case: The batch job that requires above “READ” access must reside in a data set that has restricted “ALTER” or equivalent access to systems programmers ONLY.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000220
- Vuln IDs
-
- V-98045
- Rule IDs
-
- SV-107149r2_rule
Checks: C-96881r2_chk
Collect from the storage management group the identification of the DASD backup files and all associated storage management userids. If ESM data set rules for system DASD backup files do not restrict WRITE or greater access to z/OS systems programming and/or batch jobs that perform DASD backups, this is a finding. If READ Access to system backup data sets is not limited to auditors and others approved by the ISSM, this is a finding.
Fix: F-103721r2_fix
Obtain the high level indexes to backup data sets names define their access to be restricted by the System's ESM to System Programmers and batch jobs that perform the backups. Define READ Access to system backup data sets to be limited to auditors and others approved by the ISSM.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000230
- Vuln IDs
-
- V-98047
- Rule IDs
-
- SV-107151r1_rule
Checks: C-96883r1_chk
Execute a dataset list of access for SYS(x).TRACE files. If the ESM data set rule for SYS1.TRACE restricts access to systems programming personnel and started tasks that perform GTF processing, this is not a finding. If the ESM data set rule for SYS1.TRACE restricts access to others as documented and approved by ISSM, this is not a finding.
Fix: F-103723r1_fix
Configure the ESM access to SYS1.TRACE to be limited to system programmers or started tasks that perform GTF processing. Other user access can be granted as documented and approved by the ISSM.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000240
- Vuln IDs
-
- V-98049
- Rule IDs
-
- SV-107153r1_rule
Checks: C-96885r1_chk
Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. Determine any other scheduled batch jobs on the system. From an ISPF Command Shell enter: RLIST SURROGAT * If each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile, this is not a finding. From an ISPF Command Shell enter: RLIST SURROGAT <surrogat-userid> ALL If the Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles, this is not a finding.
Fix: F-103725r1_fix
Configure each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example: RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid) Configure Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example: PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000250
- Vuln IDs
-
- V-98051
- Rule IDs
-
- SV-107155r1_rule
Checks: C-96887r1_chk
Refer to a list all Multiple User Access Systems in use on this system. These are systems that run in a single address space, but allow multiple users to sign on to them (e.g., CICS regions, Session Managers, etc.). For each region, also include corresponding userids, profiles, data management files, and a brief description (of each region). Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. If the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, and/or Multiple User Single Address Space Systems (MUSASS) capable of submitting batch jobs are active on this system and the following items are in effect, this is not a finding. The PROPCNTL resource class is active. A PROPCNTL resource class profile is defined for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) and a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.).
Fix: F-103727r1_fix
Add a PROPCNTL profile for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) or a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.). A sample command is shown here: RDEF PROPCNTL controlm UACC(NONE) OWNER(ADMIN)
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000260
- Vuln IDs
-
- V-98053
- Rule IDs
-
- SV-107157r1_rule
Checks: C-96889r1_chk
Execute a dataset list of access for SYS1.IMAGELIB. If the following guidance is true, this is not a finding. -The ACP data set rules for SYS1.IMAGELIB do not restrict WRITER or greater access to only systems programming personnel. -The ACP data set rules for SYS1.IMAGELIB do not specify that all (i.e., failures and successes) WRITER or greater access will be logged.
Fix: F-103729r1_fix
Configure UPDATE and/or ALLOCATE access to SYS1.IMAGELIB to be limited to system programmers only and all WRITE or greater access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect SYS1.IMAGELIB. SYS1.IMAGELIB is automatically APF-authorized. This data set contains modules, images, tables, and character sets which are essential to system print services.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000270
- Vuln IDs
-
- V-98055
- Rule IDs
-
- SV-107159r1_rule
Checks: C-96891r1_chk
Execute a dataset list of access for SYS1.SVCLIB. If all of the following are true, this is not a finding. If any of the following are untrue, this is a finding. -ESM data set rules for SYS1.SVCLIB restrict WRITE or greater access to only z/OS systems programming personnel. -ESM data set rules for SYS1.SVCLIB specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103731r1_fix
Configure Write or greater access to SYS1.SVCLIB to be limited to system programmers only and all WRITE or greater access is logged and reviewed. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes for SYS1.SVCLIB. SYS1.SVCLIB contains SVCs and I/O appendages as such: they are very powerful and will be strictly controlled to avoid compromising system integrity.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000280
- Vuln IDs
-
- V-98057
- Rule IDs
-
- SV-107161r1_rule
Checks: C-96893r1_chk
Execute a dataset list of access for SYS1.LPALIB. If any of the following is true, this is a finding. -The ESM data set rules for SYS1.LPALIB do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ESM data set rules for SYS1.LPALIB do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103733r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.LPALIB. Configure WRITE or greater access to SYS1.LPALIB to be limited to system programmers only and all WRITE or greater access is logged.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000290
- Vuln IDs
-
- V-98059
- Rule IDs
-
- SV-107163r1_rule
Checks: C-96895r1_chk
Refer to AXRxx member of PARMLIB, for each REXXLIB ADD statement: If the ESM data set rules for libraries in the REXXLIB concatenation restrict WRITE or greater access to only z/OS systems programming personnel, this is not a finding. If ESM dataset rules for libraries in the TEXXLIB concatenation restrict GLOBAL read access, this is not a finding. If ESM data set rules for libraries in the REXLIB concatenating restrict WRITE or Greater access to z/OS system Programmers, this is not a finding. If the ESM data set rules for libraries in the REXXLIB concatenation restrict READ access to the following, this is not a finding. -Appropriate Started Tasks -Auditors -User-id defined in PARMLIB member AXR00 AXRUSER(user-id) If the ESM data set rules for libraries in the REXXLIB concatenation specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is not a finding.
Fix: F-103735r1_fix
Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. Configure ESM dataset rules to limit WRITE or greater access to libraries included in the system REXXLIB concatenation to system programmers only. Configure ESM dataset rules allow READ access to only appropriate Started Tasks and Auditors. Configure ESM dataset rules to log UPDATE and/or ALTER access (i.e., successes and failures).
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000300
- Vuln IDs
-
- V-98061
- Rule IDs
-
- SV-107165r1_rule
Checks: C-96897r1_chk
From Any ISPF input line, enter: TSO ISRDDN LPA. If any of the following is true, this is a finding. -The ACP data set rules for LPA libraries do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for LPA libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103737r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect LPA Libraries. Configure the WRITE or greater access to all LPA libraries to be limited to system programmers only and all WRITE or greater access is logged.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000310
- Vuln IDs
-
- V-98063
- Rule IDs
-
- SV-107167r1_rule
Checks: C-96899r2_chk
Examine the system for active exit modules. You may need the system administrator help for this. There are third-party software products that can determine standard and dynamic exits loaded in the system. If all the exits are found within APF, LPA and LINKLIST, this is Not Applicable. If ESM data set rules for libraries that contain system exit modules restrict WRITE or greater access to only z/OS systems programming personnel, this is not a finding. If the ESM data set rules for libraries that contain exit modules specify that all WRITE or greater access will be logged, this is not a finding.
Fix: F-103739r1_fix
Using the ESM, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. See that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have Systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed. Configure ESM Dataset rules for all WRITE or greater access to libraries containing z/OS and other system level exits will be logged using the ACP’s facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system level exits.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000320
- Vuln IDs
-
- V-98065
- Rule IDs
-
- SV-107169r1_rule
Checks: C-96901r1_chk
Have the systems programmer for z/OS supply the following information: The data set name and associated SREL for each SMP/E CSI utilized to maintain this system. The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid. If the ESM data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel this is a finding. If any of these data sets cannot be identified due to a lack of requested information, this is a finding.
Fix: F-103741r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries. Configure allocate access to all system-level product execution libraries to be limited to system programmers only.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000330
- Vuln IDs
-
- V-98067
- Rule IDs
-
- SV-107171r1_rule
Checks: C-96903r1_chk
Ask the system administrator and/or DASD administrator to determine the System Dump data sets. Refer to data sets SYS1.DUMPxx, additionally, Dump data sets can be identified by reviewing the logical parmlib concatenation data sets for the current COMMNDxx member. Find the COM= which specifies the DUMPDS NAME (DD NAME=name-pattern) entry. The name-pattern is used to identify additional Dump data sets. If ESM data set rules for System Dump data sets do not restrict READ, UPDATE, and/or ALTER access to only systems programming personnel, this is a finding. If ESM data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these dump data, this is a finding.
Fix: F-103743r1_fix
Configure data set rules for access to SYSTEM DUMP data set(s) to be limited to system programmers only, unless a letter justifying access is filed with the ISSO in the site security plan. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000340
- Vuln IDs
-
- V-98069
- Rule IDs
-
- SV-107173r1_rule
Checks: C-96905r1_chk
From Any ISPF input line, enter TSO ISRDDN APF. If all of the following are untrue, this is not a finding. If any of the following are true, this is a finding. -The ACP data set rules for APF libraries do not restrict WRITE or greater access to only z/OS systems programming personnel. -The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.
Fix: F-103745r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. Configure, WRITE, or greater access to all APF-authorized libraries to be limited to system programmers only and all WRITE or greater access is logged.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000350
- Vuln IDs
-
- V-98071
- Rule IDs
-
- SV-107175r1_rule
Checks: C-96907r1_chk
Execute a dataset list of access to SYS1.LINKLIB. If the ESM data set rules for SYS1.LINKLIB allow inappropriate (e.g., global READ) access, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ, UPDATE, and ALTER access to only systems programming personnel, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding. If data set rules for SYS1.LINKLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged, this is a finding.
Fix: F-103747r1_fix
Configure the ESM rules for SYS1.LINKLIB to limit access to system programmers only and all update and allocate access is logged.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000360
- Vuln IDs
-
- V-98073
- Rule IDs
-
- SV-107177r1_rule
Checks: C-96909r1_chk
Refer to the zOS system REXXLIB concatenation found in SYS1. PARMLIB (AXR) for the data set that contains the REXX for Password exit named IRRPWREX and the defined AXRUSER. If the following guidance is true, this is not a finding. -RACF data set access authorizations restrict READ to AXRUSER, z/OS systems programming personnel, security personnel, and auditors. -RACF data set access authorizations restrict UPDATE to security personnel using a documented change management procedure to provide a mechanism for access and revoking of access after use. -All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, and CONTROL) is logged. -RACF data set access authorizations specify UACC(NONE) and NOWARNING.
Fix: F-103749r1_fix
Configure read access to be restricted to security administrators, systems programmers, and auditors. Establish a procedure documented with the ISSM that defines a change management process to provide mechanism for granting Update access to security administrators on an exception basis. The process should contain procedures to revoke access when documented update is completed. Configure all failures and successes data set access authorities for RACF data set that contains the Password exit to be logged. Examples: ad 'sys3.racf.rexxlib.**' quack(none) owner(sys3) - audit(all(read)) Permit 'sys3.racf.rexxlib.**' id(<syspsmpl> <secasmpl> <smplsmpl> AXRUSER) acc(r) Permit 'sys3.racf.rexxlib.**' id(<secasmpl>) acc(u)
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000370
- Vuln IDs
-
- V-98075
- Rule IDs
-
- SV-107179r1_rule
Checks: C-96911r1_chk
If the following accesses to the ESM security data sets and/or databases are properly restricted as detailed below, this is not a finding. -The ESM data set rules for ESM security data sets and/or databases restrict READ access to auditors and DASD batch. -The ESM data set rules for ESM security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ESM maintenance. All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) for ESM security data sets and/or databases are logged.
Fix: F-103751r1_fix
Review access authorization to critical security database files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect the ESM files. Configure READ and/or greater access to all ESM files and/or databases are limited to system programmers and/or security personnel, and/or batch jobs that perform ESM maintenance. READ access can be given to auditors and DASD batch. All accesses to ESM files and/or databases are logged.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000380
- Vuln IDs
-
- V-98077
- Rule IDs
-
- SV-107181r1_rule
Checks: C-96913r1_chk
Obtain the procedures and collection specifics for SMF datasets and backup. If the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding. If the ESM dataset rules for the SMF dump/backup files do not restrict update access as documented in the site security plan, this is a finding. If the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding. If the ESM data set rules for SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater will be logged, this is a finding.
Fix: F-103753r1_fix
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect datasets used to backup and/or dump SMF collection files. Configure data set rules for the SMF dump/backup files to restrict WRITE or greater access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing). Configure data set rules for the SMF dump/backup files to restrict UPDATE access to others approved the ISSM. Configure data set rules for the SMF dump/backup files to restrict READ access to authorized auditors and others approved by the ISSM. Ensure that all WRITE or greater access authority to SMF history files will be logged using the ESM’s facilities.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-ES-000390
- Vuln IDs
-
- V-98079
- Rule IDs
-
- SV-107183r1_rule
Checks: C-96915r1_chk
Refer to the following for the PROCLIB data sets that contain the STCs and TSO logons from the following sources: - MSTJCLxx member used during an IPL. The PROCLIB data sets are obtained from the IEFPDSI and IEFJOBS DD statements. - PROCxx DD statements and JES2 Dynamic PROCLIBs. Where ‘xx’ is the PROCLIB entries for the STC and TSU JOBCLASS configuration definitions. Verify that the accesses to the above PROCLIB data sets are properly restricted. If the following guidance is true, this is not a finding. If the ESM data set access authorizations restrict READ access to all authorized users, this is not a finding. If the ESM data set access authorizations restrict WRITE and/or greater access to systems programming personnel, this is not a finding.
Fix: F-103755r1_fix
Configure ESM dataset rules to restrict all WRITE and/or greater access to all PROCLIBs referenced in the Master JCL and JES2 or JES3 procedure for started tasks (STCs) and TSO logons to systems programming personnel only. Suggestion on how to update system to be compliant with this vulnerability: NOTE: All examples are only examples and may not reflect your operating environment. Obtain only the PROCLIB data sets that contain STC and TSO procedures. The data sets to be reviewed are obtained using the following steps: - All data sets contained in the MSTJCLxx member in the DD statement concatenation for IEFPDSI and IEFJOBS. - The data set in the PROCxx DD statement concatenation that are within the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions. The specific PROCxx DD statement that is used is obtained from the PROCLIB entry for the JOBCLASSes of STC and TSU. The following is what data sets the process will obtain for analysis: MSTJCL00 //MSTJCL00 JOB MSGLEVEL=(1,1),TIME=1440 //EXEC PGM=IEEMB860,DPRTY=(15,15) //STCINRDR DD SYSOUT=(A,INTRDR) //TSOINRDR DD SYSOUT=(A,INTRDR) //IEFPDSI DD DSN=SYS3.PROCLIB,DISP=SHR <<=== //DD DSN=SYS2.PROCLIB,DISP=SHR <<=== //DD DSN=SYS1.PROCLIB,DISP=SHR <<=== //SYSUADS DD DSN=SYS1.UADS,DISP=SHR //SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR JES2 //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, //DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR <<=== //DD DSN=SYS2.PROCLIB,DISP=SHR <<=== //DD DSN=SYS1.PROCLIB,DISP=SHR <<=== //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR //DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER JES2 initialization parameter JOBCLASS PROCLIB entries JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ … PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ … JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … PROCLIB data set that will be used in the access authorization process: SYS3.PROCLIB SYS2.PROCLIB SYS1.PROCLIB The following PROCLIB data set will NOT be used or evaluated: SYS4.USERPROC Recommendation for sites: The following are recommendations for the sites to ensure only PROCLIB data sets that contain the STC and TSO procedures are protected. - Remove all application PROCLIB data sets from MSTJCLxx and JES2 procedures. The customer will have all JCL changed to use the JCLLIB JCL statement to refer to the application PROCLIB data sets. Example: //USERPROC JCLLIB ORDER=(SYS4.USERPROC) - Remove all access to the application PROCLIB data sets and only authorize system programming personnel WRITE and/or greater access to these data sets. - Document the application PROCLIB data set access for the customers that require WRITE and/or greater access. Use this documentation as justification for the inappropriate access created by the scripts. - Change MSTJCLxx and JES2 procedure to identify STC and TSO PROCLIB data sets separate from application PROCLIB data sets. The following is a list of actions that can be performed to accomplish this recommendation: a. Ensure that MSTJCLxx contains only PROCLIB data sets that contain STC and TSO procedures. b. If an application PROCLIB data set is required for JES2, ensure that the JES2 procedure specifies more than one PROCxx DD statement concatenation or identified in the JES2 dynamic PROCLIB definitions. Identify one PROCxx DD statement data set concatenation that contains the STC and TSO PROCLIB data sets. Identify one or more additional PROCxx DD statements that can contain any other PROCLIB data sets. The concatenation of the additional PROCxx DD statements can contain the same data sets that are identified in the PROCxx DD statement for STC and TSO. The following is an example of the JES2 procedure: //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, //DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, //DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR //DD DSN=SYS3.PROCLIB,DISP=SHR //DD DSN=SYS2.PROCLIB,DISP=SHR //DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER c. Ensure that the JES2 configuration file is changed to specify that the PROCLIB entry for the STC and TSU JOBCLASSes point to the proper PROCxx entry within the JES2 procedure or JES2 dynamic PROCLIB definitions that contain the STC and/or TSO procedures. All other JOBCLASSes can specify a PROCLIB entry that uses the same PROCxx or any other PROCxx DD statement identified in the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions. The following is an example of the JES2 initialization parameters: JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ … PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ … JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … d. Ensure that only system programming personnel are authorized WRITE and/or greater access to PROCLIB data sets that contain STC and TSO procedures.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000400
- Vuln IDs
-
- V-98081
- Rule IDs
-
- SV-107185r1_rule
Checks: C-96917r1_chk
Execute a dataset list of access for System page data sets (i.e., PLPA, COMMON, and LOCALx). If ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict access to only systems programming personnel, this is not a finding. If ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict auditors to READ only, this is not a finding.
Fix: F-103757r1_fix
Configure the ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) to restrict access to only systems programming personnel. Auditors may be allowed READ Access as approved by the ISSM.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000410
- Vuln IDs
-
- V-98083
- Rule IDs
-
- SV-107187r1_rule
Checks: C-96919r1_chk
Refer to the CONSOLxx member of SYS1.PARMLIB.console is defined to RACF with a corresponding profile in the CONSOLE resource class. If each console is defined to RACF with a corresponding profile in the CONSOLE resource class, this is not a finding. If the userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class, this is not a finding. If access authorization for CONSOLE resources restricts READ access to operations and system programming personnel, this is not a finding.
Fix: F-103759r1_fix
Define all MCS consoles to the CONSOLE resource class and configure READ access to be limited to operators and system programmers. Configure the MCS console resources defined to z/OS and the ESM to conform to those outlined below. Each console defined in the CONSOLxx parmlib member is defined to RACF with a corresponding profile in the CONSOLE resource class. See the IBM zOS OPERATIONS AND PLANNING guide for further information. Each CONSOLE profile is defined with UACC(NONE). Example: RDEF CONSOLE MMDMST UACC(NONE) OWNER(syspsmpl) RDEF CONSOLE MMD041 UACC(NONE) OWNER(syspsmpl) RDEF CONSOLE MMDSCN UACC(NONE) OWNER(syspsmpl) RDEF CONSOLE ** UACC(NONE) OWNER(syspsmpl) DATA('** represents all consoles not specifically defined') Do not permit any user or group access to the ** profile. If a new console is added to the CONSOLxx member of it will be covered by this profile and a subsequent error will display in the log which will allow identification of the undefined console. The userid associated with each console will have READ access to the corresponding resource defined in the CONSOLE resource class. A sample command file to accomplish this is shown here: PE MMDMST CL(CONSOLE) ID(mmdmst) PE MMDSCN CL(CONSOLE) ID(mmdscn) PE MMD041 CL(CONSOLE) ID(mmd041) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel. A sample command file showing a permission of READ access for sysprogs and operators is shown here: PE MMDMST CL(CONSOLE) ID(syspsmpl opersmpl) PE MMDSCN CL(CONSOLE) ID(syspsmpl opersmpl) PE MMD041 CL(CONSOLE) ID(syspsmpl opersmpl)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000420
- Vuln IDs
-
- V-98085
- Rule IDs
-
- SV-107189r1_rule
Checks: C-96921r1_chk
The ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict WRITE or greater access to only z/OS systems programming personnel. The ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access not documented and approved by ISSO. If both of the above are untrue, this is not a finding. If either of the above is true, this is a finding.
Fix: F-103761r1_fix
Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System datasets (spool, checkpoint, and parmlib datasets). Configure WRITE or greater access to JES2 System datasets (spool, checkpoint, and parmlib datasets) to be limited to system programmers only. Access other than this should be documented and approved by the ISSO (for example, all SYS1.HASP* data sets).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002235
- Version
- RACF-ES-000430
- Vuln IDs
-
- V-98087
- Rule IDs
-
- SV-107191r1_rule
Checks: C-96923r1_chk
From the ISPF Command Shell enter: Search all Class(Facility) MASK(ieasymup) For each entity found enter: RL facility <entity> If RACF resources are defined with a default access of NONE, this is not a finding. If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding. If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.
Fix: F-103763r1_fix
Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access. The following commands are provided as a sample for implementing resource controls: rdef facility ieasymup.* uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') rdef facility ieasymup.symbolname uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') pe ieasymup.symbolname cl(facility) id(<dasdsmpl) acc(u) pe ieasymup.symbolname cl(facility) id(<syspsmpl) acc(u) pe ieasymup.symbolname cl(facility) id(<tapesmpl) acc(u)
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- RACF-ES-000440
- Vuln IDs
-
- V-98089
- Rule IDs
-
- SV-107193r1_rule
Checks: C-96925r1_chk
From ISPF Command Shell enter: SETRopts List If the JES(BATCHALLRACF) is enabled then the message "JES-BATCHALLRACF OPTION IS ACTIVE" will be displayed, this is not a finding. If the message "JES-BATCHALLRACF OPTION IS INACTIVE" is displayed, this is a finding.
Fix: F-103765r1_fix
Configure JES(BATCHALLRACF) SETROPTS value to be set to JES(BATCHALLRACF). This specifies that JES is to test for a userid and password on the job statement or for propagated RACF identification information for all batch jobs. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of JES BATCHALLRACF. JES BATCHALLRACF is activated with the command SETR JES(BATCHALLRACF).
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- RACF-ES-000460
- Vuln IDs
-
- V-98093
- Rule IDs
-
- SV-107197r1_rule
Checks: C-96929r1_chk
From the ISPF Command Shell enter: SETRopts List If the JES(XBMALLRACF) is enabled then the message "JES-XBMALLRACF OPTION IS ACTIVE" will be displayed, this is not a finding. If the message "JES-XBMALLRACF OPTION IS INACTIVE" is displayed, this is a finding.
Fix: F-103769r1_fix
Configure JES(XBMALLRACF) SETROPTS value to be set to JES(XBMALLRACF). This specifies that JES is set to test for a userid and password on the job statement or for propagated RACF identification information for all jobs run under the execution batch monitor. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of JES-XBMALLRACF. XBMALLRACF is activated with the command SETR XBMALLRACF.
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002234
- Version
- RACF-ES-000470
- Vuln IDs
-
- V-98095
- Rule IDs
-
- SV-107199r1_rule
Checks: C-96931r1_chk
From the ISPF Command Shell enter: SETRopts List If the OPERAUDIT value is listed as one of the ATTRIBUTES, this is not a finding. If the OPERAUDIT value is not listed as one of the ATTRIBUTES, this is a finding.
Fix: F-103771r1_fix
NOTE: The RACF AUDITOR attribute is required in order to specify SETROPTS OPERAUDIT and also to display the OPERAUDIT attribute with the SETROPTS LIST command. Configure the OPERAUDIT SETROPTS value to be set to OPERAUDIT. This specifies that RACF logs all actions such as accesses to resources and commands for a user who has operations or group operations attribute. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ATTRIBUTES. Logging of all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute is activated with the command SETR OPERAUDIT.
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-000044
- Version
- RACF-ES-000480
- Vuln IDs
-
- V-98097
- Rule IDs
-
- SV-107201r1_rule
Checks: C-96933r1_chk
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding. If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.
Fix: F-103773r1_fix
Ensure that PASSWORD(REVOKE) SETROPTS value is set to "1" or "2". This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If you specify REVOKE, ensure INITSTATS are in effect. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD REVOKE. Setting the password REVOKE to "2" invalid attempts activated with the command SETR PASSWORD(REVOKE(2)).
- RMF Control
- AC-7
- Severity
- M
- CCI
- CCI-002238
- Version
- RACF-ES-000490
- Vuln IDs
-
- V-98099
- Rule IDs
-
- SV-107203r1_rule
Checks: C-96935r1_chk
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED." where <n> is either "1" or "2", this is not a finding. If the PASSWORD(REVOKE) value is not enabled and is not set to either "1" or "2", this is a finding.
Fix: F-103775r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: NOTE: In order to set or list the SAUDIT value, the RACF AUDITOR attribute is required. Reference the documentation for the SETROPTS command in the RACF Command Language Reference. The RACF Command SETR LIST will show the status of RACF Controls including the value for SAUDIT. SAUDIT is activated and set to the required value by issuing the command SETR SAUDIT.
- RMF Control
- AU-12
- Severity
- H
- CCI
- CCI-000171
- Version
- RACF-ES-000500
- Vuln IDs
-
- V-98101
- Rule IDs
-
- SV-107205r1_rule
Checks: C-96937r1_chk
Execute a dataset list of access to SYS1.PARMLIB. If the ESM data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access, this is a finding. If data set rules for SYS1.PARMLIB do not restrict READ, WRITE or greater access to only systems programming personnel, this is a finding. If data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding. If data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding. If data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged, this is a finding.
Fix: F-103777r1_fix
Configure access rules for SYS1.PARMLIB as follows: Systems programming personnel will be authorized to WRITE or greater the SYS1.PARMLIB concatenation. Domain level security administrators can be authorized to update the SYS1.PARMLIB concatenation. System Level Started Tasks, authorized Data Center personnel, and auditor can be authorized read access by the ISSO. All WRITE or greater access is logged.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RACF-ES-000510
- Vuln IDs
-
- V-98103
- Rule IDs
-
- SV-107207r1_rule
Checks: C-96939r1_chk
From the ISPF Command Shell enter: SETRopts List If the SAUDIT value is listed as one of the ATTRIBUTES, this is not a finding.
Fix: F-103779r1_fix
Configure SETRopts to include SAUDIT as an attribute.
- RMF Control
- AU-12
- Severity
- M
- CCI
- CCI-000172
- Version
- RACF-ES-000520
- Vuln IDs
-
- V-98105
- Rule IDs
-
- SV-107209r1_rule
Checks: C-96941r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the SAUDIT value is listed as one of the ATTRIBUTES, this is not a finding. If the NOSAUDIT value is listed as one of the ATTRIBUTES, this is a finding.
Fix: F-103781r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Note: that in order to set or list the SAUDIT value, the RACF AUDITOR attribute is required. Reference the documentation for the SETROPTS command in the RACF Command Language Reference. The RACF Command SETR LIST will show the status of RACF Controls including the value for SAUDIT. SAUDIT is activated and set to the required value by issuing the command SETR SAUDIT.
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-001487
- Version
- RACF-ES-000530
- Vuln IDs
-
- V-98107
- Rule IDs
-
- SV-107211r1_rule
Checks: C-96943r1_chk
From the ISPF Command Shell enter: SETRopts list If the REALDSN is enabled then the message "REAL DATA SET NAMES OPTION IS ACTIVE" will be displayed, this is not a finding. If the message "REAL DATA SET NAMES OPTION IS INACTIVE" is displayed, this is a finding.
Fix: F-103783r1_fix
Evaluate the impact associated with implementation of the control option. Configure control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the REALDSN Option. REALDSN is ACTIVATED by issuing the command SETR REALDSN.
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-000162
- Version
- RACF-ES-000540
- Vuln IDs
-
- V-98109
- Rule IDs
-
- SV-107213r1_rule
Checks: C-96945r1_chk
Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream dataset name. If the following statements are true, this is not a finding. The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict WRITE or greater access to only z/OS systems programming personnel. The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others approved by ISSM. The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM. The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.
Fix: F-103785r1_fix
Configure WRITE and above access to SMF collection files to be limited to only systems programming staff and and/or batch jobs that perform SMF dump processing, access can be granted to others as determined by ISSM. Configure READ access to be limited to auditors. READ access may be granted to others as determined by the ISSM. Access to other users specified must be documented in a security plan. Ensure the accesses are being logged.
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001813
- Version
- RACF-ES-000550
- Vuln IDs
-
- V-98111
- Rule IDs
-
- SV-107215r1_rule
Checks: C-96947r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the "INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT" message for both the SWITCH and STATUS functions, this is not a finding.
Fix: F-103787r1_fix
Configure RACF ensure that the RVARYPW passwords are specified and conform to password requirements documented in RACF0460. The ISSO will evaluate the impact associated with implementation of the control option and develop a plan of action to implement the control option as required. A sample command for setting both the SWITCH and STATUS passwords are shown here: SETR RVARYPW(SWITCH(Wxy$8Pqu) STATUS(pbZ0@wL2))
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RACF-ES-000560
- Vuln IDs
-
- V-98113
- Rule IDs
-
- SV-107217r1_rule
Checks: C-96949r1_chk
Review all Dataset and resource profiles in the RACF database. If any are not defined with WARN = NO, this is a finding.
Fix: F-103789r1_fix
Define each dataset and resource profile with WARN = NO
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- RACF-ES-000570
- Vuln IDs
-
- V-98115
- Rule IDs
-
- SV-107219r1_rule
Checks: C-96951r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, this is not a finding. If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a finding. Additional analysis may be required to determine whether this finding should be downgraded to a Category II or remain a Category I. Example of a Category I finding where not a further analysis is required: Control Options: SETROPTS NOPROTECTALL Example of a possible Category I finding requiring additional analysis: Control Options: SETROPTS PROTECTALL(WARNING) PROTECTALL(WARNING) allows access to a data set only if it is not at protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not at allow unauthorized access. This situation allows for a downgrade to a Category II.
Fix: F-103791r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option. PROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000580
- Vuln IDs
-
- V-98117
- Rule IDs
-
- SV-107221r1_rule
Checks: C-96953r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the GRPLIST is enabled then the message "LIST OF GROUPS ACCESS CHECKING IS ACTIVE." will be displayed, this is not a finding. If the message indicates that LIST OF GROUPS is NOT ACTIVE, this is a finding.
Fix: F-103793r1_fix
Configure the GRPLIST SETROPTS value to be set to ACTIVE. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of GRPLIST. List of Groups Checking is activated with the command SETR GRPLIST.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000590
- Vuln IDs
-
- V-98119
- Rule IDs
-
- SV-107223r1_rule
Checks: C-96955r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the RETPD is enabled then the message "SECURITY RETENTION PERIOD IN EFFECT IS NEVER-EXPIRES DAYS" will be displayed, this is not a finding. If the RETPD value is not set to "NEVER-EXPIRES", this is a finding.
Fix: F-103795r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the RETPD (Retention Period) Option. RETPD is activated and set to the required value by issuing the command SETR RETPD(99999).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000600
- Vuln IDs
-
- V-98121
- Rule IDs
-
- SV-107225r1_rule
Checks: C-96957r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the TAPEDSN is enabled then the message "TAPE DATA SET PROTECTION IS ACTIVE" will be displayed, this is not a finding. NOTE 1: TAPEDSN should be active for domains without a tape management product. NOTE 2: For domains running CA 1, Computer Associates recommends that TAPEDSN be active and CA 1 parameter OCEOV be set to OFF. If the TAPEDSN value is set to INACTIVE, this is a finding.
Fix: F-103797r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the TAPEDSN Option. TAPEDSN is ACTIVATED by issuing the command SETR TAPEDSN.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000610
- Vuln IDs
-
- V-98123
- Rule IDs
-
- SV-107227r1_rule
Checks: C-96959r1_chk
From the ISPF Command Shell enter: SETROPTS LIST If the WHEN(PROGRAM) value is listed as one of the ATTRIBUTES, this is not a finding. If the NOWHEN(PROGRAM) value is listed as one of the ATTRIBUTES, this is a finding.
Fix: F-103799r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the WHEN(PROGRAM) Option. WHEN(PROGRAM) is ACTIVATED by issuing the command SETR WHEN(PROGRAM).
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000620
- Vuln IDs
-
- V-98125
- Rule IDs
-
- SV-107229r1_rule
Checks: C-96961r1_chk
From the ISPF Command Shell enter: ListUser * If authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel, this is not a finding. If at minimum, any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, etc.) groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel, this is not a finding. Otherwise, Group-AUDITOR is allowed.
Fix: F-103801r1_fix
Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command: ALU <userid> NOAUDITOR. To remove the Group-Auditor attribute: CO <user> GROUP(<groupname>) NOAUDITOR
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000630
- Vuln IDs
-
- V-98127
- Rule IDs
-
- SV-107231r1_rule
Checks: C-96963r1_chk
Execute the RACDST report from DSMON Utility using 'RACF PRIMARY' and 'RACF BACKUP' as selection criteria. If the security database and its backup exist on the same volume, this is a finding.
Fix: F-103803r1_fix
Identify the ACP database(s), backup database(s), and recovery data set(s). Develop a plan to keep these data sets on different physical volumes. Implement the movement of these critical ACP files.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000640
- Vuln IDs
-
- V-98129
- Rule IDs
-
- SV-107233r1_rule
Checks: C-96965r1_chk
Ask the system administrator to determine that procedures exist to back up the security data base and files. Have the system administrator identify the dataset names and frequency of the backups. If, based on the information provided, it can be determined that the ESM database is being backed up on a regularly scheduled basis, this is not a finding. If it cannot be determined that the ESM database is being backed up on a regularly scheduled basis, this is a finding.
Fix: F-103805r1_fix
Develop procedures to back up all ACP files needed for recovery on a scheduled basis. Identify the ACP database and ensure that documented processes are in place to back up its contents on a regularly scheduled basis. At a minimum, this should include nightly backup of the ACP databases and of other critical security files (such as the ACP parameter file). More frequent backups (two or three times daily) will reduce the time necessary to effect recovery. The ISSO will verify that the backup job(s) run successfully.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000650
- Vuln IDs
-
- V-98131
- Rule IDs
-
- SV-107235r1_rule
Checks: C-96967r1_chk
Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated user IDs. From the ISPF COMMAND INPUT screen enter: LISTUSER(each identified batch job) The following USERID record fields/attributes must be specified: NAME PROTECTED No USERID has the LAST-ACCESS field set to UNKNOWN. If both of the above are true, this is not a finding. If either of the USERID record fields/attributes (NAME and/or PROTECTED) are blank and/or the LAST ACCESS field is set to unknown, this is a finding.
Fix: F-103807r1_fix
Ensure the following: Associated USERIDs are defined for all batch jobs and documentation authorizing access to system resources is maintained and implemented. Set up the userids with the RACF PROTECTED attribute. A sample RACF command to accomplish is shown here: ALU <execution-userid> NOPASSWORD NOOIDCARD.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000660
- Vuln IDs
-
- V-98133
- Rule IDs
-
- SV-107237r1_rule
Checks: C-96969r1_chk
From the ISPF Command Shell enter: ListUser * If Authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding. If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding. Otherwise, Group-OPERATIONS is allowed.
Fix: F-103809r1_fix
Review all USERIDs with the SPECIAL attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. For the SYSTEM SPECIAL attribute: A sample command for removing the SPECIAL attribute is shown here: ALU <userid> NOSPECIAL. For the GROUP SPECIAL attribute: CO <user> GROUP(<groupname>) NOSPECIAL
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-ES-000670
- Vuln IDs
-
- V-98135
- Rule IDs
-
- SV-107239r1_rule
Checks: C-96971r1_chk
From the ISPF Command Shell enter: ListUser * If Authorization to the SYSTEM SPECIAL attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding. If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-SPECIAL are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding. Otherwise, Group-SPECIAL is allowed.
Fix: F-103811r1_fix
Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. A sample command to remove the OPERATIONS attribute from a userid is shown here: ALU <userid> NOOPERATIONS To remove the Group-Operations attribute: CO <user> GROUP(<groupname>) NOOPERATIONS
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RACF-ES-000680
- Vuln IDs
-
- V-98137
- Rule IDs
-
- SV-107241r1_rule
Checks: C-96973r1_chk
Review each CONSOLxx parmlib member. If the following guidance is true, this is not a finding. The "DEFAULT" statement for each CONSOLxx member specifies "LOGON(REQUIRED)" or "LOGON(AUTO)". The "CONSOLE" statement for each console assigns a unique name using the "NAME" parameter. The "CONSOLE" statement for each console specifies "AUTH(INFO)". Exceptions are the "AUTH" parameter is not valid for consoles defined with "UNIT(PRT)" and specifying "AUTH(MASTER)" is permissible for the system console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.
Fix: F-103813r1_fix
Configure the "DEFAULT" statement to specify "LOGON(REQUIRED)" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, "LOGON(AUTO)" may be used. If "LOGON(AUTO)" is used assure that the console userids are defined with minimal access. See ACP00292. Configure each "CONSOLE" statement to specify an explicit console NAME. And that "AUTH(INFO)" is specified, this also including extended MCS consoles. "AUTH(MASTER)" may be specified for systems console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RACF-ES-000690
- Vuln IDs
-
- V-98139
- Rule IDs
-
- SV-107243r2_rule
Checks: C-96975r3_chk
Refer to IEASYS00 to determine correct CONSOLxx member. Examine the CONSOLxx member. Verify that the MCS console userids are properly restricted. If the following guidance is true, this is not a finding. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid. Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.). Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles). Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and console name in the CONSOLE resource class. Each console userid has the RACF default group that is an appropriate console group profile. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
Fix: F-103815r1_fix
Define all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) to be defined to RACF. Review the MCS console resources defined to z/OS and RACF, and ensure they conform to those outlined below. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid. Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.). Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles). Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. Each console userid has the RACF default group that is an appropriate console group profile. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists. Examples: AG consautolog SUPGROUP(<syspsmpl>) OWNER(<syspsmpl>) - DATA(' group for console userids for autolog processing ') AG consnoautolog SUPGROUP(<syspsmpl>) OWNER(<syspsmpl>) - DATA('group for console userids for no autolog processing') AU consname NAME('CONSOLE USERID FOR consname') NOPASSWORD NOOIDCARD - DFLTGRP(consautolog) OWNER(consautolog) - DATA('ADDED TO SUPPORT THE CHANGE TO LOGON(AUTO) IN CONSOLXX') PERMIT MVS.CONTROL.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.DISPLAY.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.MONITOR.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT MVS.STOPMN.** CL(OPERCMDS) ID(consautolog) ACCESS(READ) PERMIT consname CL(CONSOLE) ID(consname)
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000700
- Vuln IDs
-
- V-98141
- Rule IDs
-
- SV-107245r2_rule
Checks: C-96977r5_chk
From a z/OS command screen enter: ListUser * Examine each user entry verify every user is fully identified with all of the following conditions: -A completed NAME field that can either be traced back to a current DD2875 or a Vendor Requirement (example: A Started Task). -The presence of the DEFAULT-GROUP and OWNER fields. -The PASSDATE field or the PHRASEDATE field accordingly is not set to N/A excluding users with the PROTECTED attribute. If all of the above are true, this is not a finding. If any of above is untrue, this is a finding.
Fix: F-103817r2_fix
Review all USERID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability. -To Add a NAME to a userid with the command ALU <userid> NAME('lastname, firstname'). -Every user will be assigned a default group by default. A sample command to reassign a default group is shown here: ALU <userid> DFLTGRP(<newdefaultgroup>). You must first be connected to a group via the RACF CONNECT command before making it a default group. -A PASSDATE field or a PHRASEDATE field showing 00.000 indicates that a temporary password or password phrase has been assigned but the user has not logged in and set a permanent value. This could indicate that a new userid was recently added or that a userid previously added is unused and should be considered for deletion. The ISSO should investigate and determine if the userid should be deleted or that the new user should be contacted and told to login to set a permanent value.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000710
- Vuln IDs
-
- V-98143
- Rule IDs
-
- SV-107247r1_rule
Checks: C-96979r1_chk
From a z/OS command screen enter: ListUser * Examine each user entry that has either TSO, CICS, ROSCOE, IMS, or any other products that support logging on at a terminal. If every user is fully identified with all of the following condition, this is not a finding. -Each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN. -Each interactive userid has PASS-INTERVAL define and set to a value of 60 days. Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally these users must change their passwords on an annual basis.
Fix: F-103819r1_fix
Review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. The PASSWORD-INTERVAL for an interactive user must be set to 60 days. Note: FTP only process and server to server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or FTP in the name field. Additionally, these users must change their passwords on an annual basis or less. A sample command to accomplish this is shown here: PW USER(<userid>) INTERVAL(60). The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here: ALU <userid> RESUME
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000720
- Vuln IDs
-
- V-98145
- Rule IDs
-
- SV-107249r1_rule
Checks: C-96981r1_chk
Ask the system administrator for a list of stated tasks available on the system. If each Started task procedures identified has a unique associated userid or STC userids that is unique per product and function, this is not a finding.
Fix: F-103821r1_fix
Define a RACF STARTED Class profile for each Started Proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command: RDEF STARTED <procname>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(<userid>) GROUP(<groupname>) TRACE(YES)) A corresponding USERID must be defined with appropriate authority. The "groupname" should be a valid STC group with no interactive users.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000730
- Vuln IDs
-
- V-98147
- Rule IDs
-
- SV-107251r1_rule
Checks: C-96983r1_chk
Ask the system administrator for a list of stated tasks available on the system. For each Identified started task, if all of the following are true, this is not a finding. If any of the following are untrue, this is a finding. -All started task userids are connected to a valid STC group ID. -Only userids associated with STCs are connected to STC group IDs. -All STC userids are defined with the PROTECTED attribute. From the ISPF Command Shell enter: RL STARTED (Alternately execute RACF DSMON utility for the RACSPT report) If the following is true this is not a finding, If and of the following is untrue this is a finding. -A generic catch all profile of ** is defined to the STARTED resource class. -The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations. -The STC userid associated with the ** profile is not granted any explicit dataset or resource access authorizations and is defined with the RESTRICTED attribute. NOTE: Execute the JCL in CNTL(IRRUT100) using the STC group associated with the ** profile as SYSIN input. This report lists all occurrences of this group within the RACF database, including data set and resource access lists. Refer to the DSMON RACSPT report. If the ICHRIN03 started procedures table is maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted, this is not a finding. If STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are maintained in ICHRIN03 to reflect the current STARTED resource class profiles, this is not a finding.
Fix: F-103823r1_fix
Review all STCs for compliance. Connect a STC userid to a STC group. Sample command: CO <stcuser> GROUP(<stcgroup>) OWNER(<stcgroup>) If any non-STC userids are connected to a STC group, they should be removed. Sample command: RE <nonstcuser> GROUP(<stcgroup>) Set up STC userids with the PROTECTED attribute. Sample command: ALU <stcuser> NOPASSWORD NOOIDCARD Define a generic catch all profile. Sample command: RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES)) Run IRRUT100 against the group specified in the STARTED class ** profile. Remove this group from any access lists. Sample command: PE <profile> CL(<classname>) ID(<#STCDFLT or alternate group name>) DEL. Set up the userid as Restricted with the command: ALU <stcdflt> RESTRICTED. Remove from any and all access lists using the same steps as found in the previous item. The IBM zOS Security Server RACF library documents procedures for updating ICHRIN03 (The RACF Started Procedures Table). With each SSOPAC release, the SSO includes an ICHRIN03 table that contains entries necessary for system recovery: JES2, VTAM, TSO, and the RACF subsystem. Evaluate the impact of the change and develop a plan of action to implement the changes as required.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000740
- Vuln IDs
-
- V-98149
- Rule IDs
-
- SV-107253r1_rule
Checks: C-96985r2_chk
From the ISPF Command Shell enter: SETROPTS LIST If the ADSP value is NOT IN EFFECT, this is not a finding. Note: NOADSP is the required setting. In the SETROPTS LIST output this will display as AUTOMATIC DATASET PROTECTION IS NOT IN EFFECT. If the ADSP value is IN EFFECT, this is a finding.
Fix: F-103825r1_fix
Configure ADSP SETROPTS value to be set to NOADSP. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: NOADSP is set with the command SETR NOADSP.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-ES-000750
- Vuln IDs
-
- V-98151
- Rule IDs
-
- SV-107255r1_rule
Checks: C-96987r1_chk
Obtain a list of all userids that are shared among multiple users (i.e., not uniquely identified system users). If there are no shared userids on this domain, this is not a finding. If there are shared userids on this domain, this is a finding.
Fix: F-103827r1_fix
Identify user accounts defined to the ESM that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ESM.
- RMF Control
- IA-4
- Severity
- M
- CCI
- CCI-000795
- Version
- RACF-ES-000760
- Vuln IDs
-
- V-98153
- Rule IDs
-
- SV-107257r1_rule
Checks: C-96989r1_chk
From a z/OS command input screen enter: List SETRopts If the INACTIVE value is set properly In the message "INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER xxx DAYS.", where xxx is a value "35" or less, this is not a finding.
Fix: F-103829r1_fix
Configure the INACTIVE SETROPTS value to a value that is "35" or less. INACTIVE specifies the number of days that a USERID can remain unused and still be considered valid.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000192
- Version
- RACF-ES-000770
- Vuln IDs
-
- V-98155
- Rule IDs
-
- SV-107259r1_rule
Checks: C-96991r1_chk
From the ISPF Command Shell enter: SETRopts If the following options are specified, this is not a finding. At least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below: RULE 1 LENGTH(8) xxxxxxxx The following options are in effect under "PASSWORD PROCESSING OPTIONS": “MIXED CASE PASSWORD SUPPORT IS IN EFFECT” “SPECIAL CHARACTERS ARE ALLOWED.”
Fix: F-103831r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.13 and 1.14 PTF UA90720 must be applied. For z/OS Release 2.1 PTF UA90721 must be applied. The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD SYNTAX RULEs. Setting the password syntax to all Mixed Case Alphanumeric and Special Characters is activated with the commands: setr password(mixedcase) setr password(specialchars) setr password(rule1(length(8) mixedall(1:8))
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000193
- Version
- RACF-ES-000780
- Vuln IDs
-
- V-98157
- Rule IDs
-
- SV-107261r1_rule
Checks: C-96993r1_chk
From a system console screen issue the following modify command: F AXR,IRRPWREX LIST Review the results of the modify command. If the following options are listed, this is not a finding. -The number of required character types is 4 (assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in Password) -The user's name cannot be contained in the password (Only 3 consecutive characters of the user's name are allowed) -The minimum word length checked is 8 -The user ID cannot be contained in the password (Only 3 consecutive characters of the user ID are allowed) -Only 3 unchanged positions of the current password are allowed (These positions need to be consecutive to cause a failure and this check is not case sensitive) -No more than 0 pairs of repeating characters are allowed (This check is not case sensitive) -A minimum list of 33 restricted prefix strings is being checked: APPL APR AUG ASDF BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234 If the modify command fails or returns the following message in the system log, this is a finding. IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPWREX.
Fix: F-103833r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Install exit IRRPWREX according to the following guidelines: REXX Parameter Setting STIG_Compliant 'yes' Pwd_minlen 8 numbers '0123456789' Lower_letters 'abcdefghijklmnopqrstuvwxyz' Upper_letters 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' special '$@#.<+|&!*-%_>?:’ Pwd_allowed_chars numbers||Upper_letters||special Pwd_req_types 4 Pwd_name_allowed 'no' Pwd_name_minlen 8 Pwd_name_chars 4 Pwd_min_unique 3 Pwd_min_unique_upper 'yes' Pwd_max_unchanged 3 Pwd_max_unchanged_upper 'yes' Pwd_max_unchanged_consecutive 'yes' Pwd_all_unique 'no' Pwd_no_consecutive 'no' Pwd_no_consecutive_upper 'yes' Pwd_min_new 4 Pwd_userID_allowed 'no' Pwd_userID_chars 4 Pwd_repeat_chars 0 Pwd_repeat_upper 'yes' Pwd_dict.0 8 /* Change this as words are added and deleted */ Pwd_dict.1 'IBM' Pwd_dict.2 'RACF' Pwd_dict.3 'PASSWORD' Pwd_dict.4 'PHRASE' Pwd_dict.5 'SECRET' Pwd_dict.6 'IBMUSER' Pwd_dict.7 'SYS1' Pwd_dict.8 '12345678' Pwd_dict.9 '99999999' Pwd_prefix.0 33 /* Change this as values are added and deleted Pwd_prefix.1 'APPL' Pwd_prefix.2 'APR' Pwd_prefix.3 'AUG' Pwd_prefix.4 'ASDF' Pwd_prefix.5 'BASIC' Pwd_prefix.6 'CADAM' Pwd_prefix.7 'DEC' Pwd_prefix.8 'DEMO' Pwd_prefix.9 'FEB' Pwd_prefix.10 'FOCUS' Pwd_prefix.11 'GAME' Pwd_prefix.12 'IBM' Pwd_prefix.13 'JAN' Pwd_prefix.14 'JUL' Pwd_prefix.15 'JUN' Pwd_prefix.16 'LOG' Pwd_prefix.17 'MAR' Pwd_prefix.18 'MAY' Pwd_prefix.19 'NET' Pwd_prefix.20 'NEW' Pwd_prefix.21 'NOV' Pwd_prefix.22 'OCT' Pwd_prefix.23 'PASS' Pwd_prefix.24 'ROS' Pwd_prefix.25 'SEP' Pwd_prefix.26 'SIGN' Pwd_prefix.27 'SYS' Pwd_prefix.28 'TEST' Pwd_prefix.29 'TSO' Pwd_prefix.30 'VALID' Pwd_prefix.31 'VTAM' Pwd_prefix.32 'XXX' Pwd_prefix.33 '1234' Note: RACF exit ICHPWX01 is coded to call a System REXX named IRRPWREX, so the name cannot be changed without a corresponding change to ICHPWX01. System REXX requires that this exec (IRRPWREX) reside in the REXXLIB concatenation. Update parameters in IRRPWREX according to table Parameters for RACF IRRPWREX as listed above.
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000198
- Version
- RACF-ES-000790
- Vuln IDs
-
- V-98159
- Rule IDs
-
- SV-107263r1_rule
Checks: C-96995r1_chk
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(MINCHANGE) value shows PASSWORD MINIMUM CHANGE INTERVAL IS <1> DAYS, this is not a finding.
Fix: F-103835r1_fix
Configure PASSWORD(MINCHANGE) SETROPTS value number to "1". This specifies the number of days that must pass before a user can change their password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD MINCHANGE. Use the following command as an example command: SETROPTS PASSWORD(MINCHANGE(1))
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000199
- Version
- RACF-ES-000800
- Vuln IDs
-
- V-98161
- Rule IDs
-
- SV-107265r1_rule
Checks: C-96997r1_chk
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(INTERVAL) value is set properly then the message PASSWORD CHANGE INTERVAL IS 060 DAYS, this is not a finding.
Fix: F-103837r1_fix
Configure PASSWORD(INTERVAL) SETROPTS value is set to "060" days. This specifies the maximum number of days that each user’s password is valid. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000200
- Version
- RACF-ES-000810
- Vuln IDs
-
- V-98163
- Rule IDs
-
- SV-107267r1_rule
Checks: C-96999r1_chk
From the ISPF Command Shell enter: SETRopts List If the PASSWORD(HISTORY) value is set properly then the message x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED, where x is equal to "10", this is not a finding.
Fix: F-103839r1_fix
Configure the PASSWORD(HISTORY) SETROPTS value is set to "10". This specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD HISTORY. Setting the password history to 10 generations is activated with the command SETR PASSWORD(HISTORY(10)).
- RMF Control
- IA-5
- Severity
- H
- CCI
- CCI-000196
- Version
- RACF-ES-000820
- Vuln IDs
-
- V-98165
- Rule IDs
-
- SV-107269r1_rule
Checks: C-97001r2_chk
From the ISPF Command Shell enter: SETRopts List If the following is specified under PASSWORD PROCESSING OPTIONS: THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES, this is not a finding.
Fix: F-103841r1_fix
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Set the passwords option for algorithm to KDFAES. Sample syntax to activate: SETRopts PASSWORD(ALGORITHM(KDFAES))
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000186
- Version
- RACF-ES-000830
- Vuln IDs
-
- V-98167
- Rule IDs
-
- SV-107271r2_rule
Checks: C-97003r2_chk
From the ISPF Command Shell enter: OMVS enter find / -name *.kdb If any files are found, this is a finding.
Fix: F-103843r2_fix
Define all Keys/Certificates to the security database. Remove the all .kdb files.
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- RACF-ES-000840
- Vuln IDs
-
- V-98169
- Rule IDs
-
- SV-107273r1_rule
Checks: C-97005r1_chk
From the ISPF Command Shell enter: SETRopts List For all systems, if the ERASE values are set as follows, this is not a finding. ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS: ERASE-ON-SCRATCH FOR ALL DATA SETS IS IN EFFECT
Fix: F-103845r1_fix
Configure the ERASE SETROPTS value to ERASE(ALL) this allows DASD datasets to be erased when deleted. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: -Issue the RACF Command SETR LIST to show the status of RACF Controls including the status of the ERASE options. -Take the appropriate actions to ensure that the SETR ERASE(ALL) has been issued to enable Erase On Scratch for all datasets.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-ES-000850
- Vuln IDs
-
- V-98171
- Rule IDs
-
- SV-107275r1_rule
Checks: C-97007r1_chk
This applies to non-SMS volumes. For SMS-Managed volumes this is Not Applicable. Ask the system administrator for all documents and procedures that apply to Storage Management, including identification of the DASD backup data sets and associated storage management userids. From the ISPF Command enter: RL User for each identified Userid. Review storage management userids, if the following guidance is true, this is not a finding. Storage management userids will not be given the "OPERATIONS" attribute. Storage management userids will be defined with the "PROTECTED" attribute. Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes. Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes. NOTE: "DASDVOL" profiles will not work with SMS-managed volume. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.
Fix: F-103847r1_fix
Note: This applies to non-SMS volumes. Refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System managed Storage. Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. Ensure that storage management userids do not possess the "OPERATIONS" attribute. A sample command to accomplish this is shown here: ALU <userid> NOOPERATIONS Ensure that storage management userids possess the "PROTECTED" attribute. A sample command to accomplish this is shown here: ALU <userid> NOPASS NOOIDCARD Ensure that storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes. Ensure that storage management userids are permitted to appropriate "DASDVOL" profiles for non-SMS-managed volumes.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RACF-FT-000010
- Vuln IDs
-
- V-98173
- Rule IDs
-
- SV-107277r1_rule
Checks: C-97009r1_chk
If FTPDATA is configured with the following SMF statements, this is not a finding. FTP.DATA Configuration Statements SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out]
Fix: F-103849r1_fix
Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below: SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out] The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes: 70 – Append 70 – Delete and Multiple Delete 72 – Invalid Logon Attempt 70 – Rename 70 – Get (Retrieve) and Multiple Get 70 – Put (Store and Store Unique) and Multiple Put SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-FT-000020
- Vuln IDs
-
- V-98175
- Rule IDs
-
- SV-107279r1_rule
Checks: C-97011r1_chk
From the ISPF Command Shell enter: omvs At the input line enter: cd /usr/sbin/ enter ls -alW If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf cd ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf NOTES: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding. The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The permission bits for /usr/sbin/tftpd should be set to 644. The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. Also, the permission bit setting for this file must be set as indicated in the table above. A more restrictive set of permissions is not permitted. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-103851r1_fix
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server to conform to the specifications in the table below: FTP Server HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing Some of the files listed above (e.g., /etc/ftp.data) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all files that do exist should have the specified permission and audit bit settings. The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/ftpd chaudit rwx=f /usr/lpp/tcpip/sbin/ftpd chmod 1755 /usr/lpp/tcpip/sbin/ftpdns chaudit rwx=f /usr/lpp/tcpip/sbin/ftpdns chmod 0744 /etc/ftp.data chaudit w=sf,rx+f /etc/ftp.data chmod 0744 /etc/ftp.banner chaudit w=sf,rx+f /etc/ftp.banner
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-FT-000030
- Vuln IDs
-
- V-98177
- Rule IDs
-
- SV-107281r1_rule
Checks: C-97013r1_chk
Refer to the FTP server Started task (usually FTPD). Refer to the dataset defined on the SYSFTPD DD statement. If WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel, this is not a finding. Note: READ access to all authenticated users is permitted. If WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged, this is not a finding. If WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel, this is not a finding. Note: READ access to the data set containing the FTP banner file is permitted to all authenticated users. Notes: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a finding. The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL. The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file.
Fix: F-103853r1_fix
Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Configure these data sets to be protected as follows: The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel. All Write and Allocate access to the data set containing the FTP.DATA configuration file is logged. The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- RACF-FT-000040
- Vuln IDs
-
- V-98179
- Rule IDs
-
- SV-107283r1_rule
Checks: C-97015r1_chk
Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA Examine the BANNER statement. Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If the BANNER statement in the FTP Data configuration file does not specify an HFS file or z/OS data set that contains a logon banner, this is a finding.
Fix: F-103855r1_fix
Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RACF-FT-000050
- Vuln IDs
-
- V-98181
- Rule IDs
-
- SV-107285r1_rule
Checks: C-97017r1_chk
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. If the BANNER statement is coded, this is not a finding.
Fix: F-103857r1_fix
Configure the FTP configuration to include the BANNER statement.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RACF-FT-000060
- Vuln IDs
-
- V-98183
- Rule IDs
-
- SV-107287r1_rule
Checks: C-97019r1_chk
Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA Examine the BANNER statement. If the BANNER statement in the FTP Data configuration file specifies an HFS file or data set contains a logon banner, this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix: F-103859r1_fix
Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-FT-000070
- Vuln IDs
-
- V-98185
- Rule IDs
-
- SV-107289r1_rule
Checks: C-97021r1_chk
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. If the UMASK statement is coded with a value of 077, this is not a finding.
Fix: F-103861r1_fix
Configure the FTP configuration to include the UMASK statement with a value of 077. If the FTP Server requires a UMASK value less restrictive than 077, requirements should be justified and documented with the ISSO.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- RACF-FT-000080
- Vuln IDs
-
- V-98187
- Rule IDs
-
- SV-107291r1_rule
Checks: C-97023r1_chk
From the ISPF Command Shell enter: RL Program * If Program resources TFTPD and EZATD are defined to the PROGRAM resource class with a UACC(NONE), this is not a finding. The library name where these programs are located is SYS1.TCPIP.SEZALOAD. If no access to the program resources TFTPD and EZATD is permitted, this is not a finding.
Fix: F-103863r1_fix
Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required. Define the EZATD program and its alias TFTPD to RACF with no access granted. The following commands provide a sample of how this can be accomplished. rdef program tftpd addmem('sys1.tcpip.sezaload'//nopadchk) - data('Reference SRR PDI # IFTP0090') - audit(all(read)) quack(none) owner(admin) rdef program ezatd - addmem('sys1.tcpip.sezaload'//nopadchk) - data('Reference SRR PDI # IFTP0090') - audit(all(read)) quack(none) owner(admin) A PROGRAM class refresh will be necessary and can be accomplished with the command: setr when(program) refresh
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RACF-FT-000090
- Vuln IDs
-
- V-98189
- Rule IDs
-
- SV-107293r1_rule
Checks: C-97025r1_chk
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. Refer to the file(s) allocated by the STEPLIB DD statement in the FTP started task JCL. Refer to the libraries specified in the system Linklist and LPA. If any FTP Server exits are in use, identify them and validate that they were reviewed for integrity and approved by the site AO. If the following items are in effect for FTP Server user exits, this is not a finding: The FTCHKCMD, FTCHKIP, FTCHKJES, FTCHKPWD, FTPSMFEX, and FTPOSTPR modules are not located in the FTP daemon’s STEPLIB, Linklist, or LPA. NOTE: The ISPF ISRFIND utility can be used to search the system Linklist and LPA for specific modules.
Fix: F-103865r1_fix
Review the configuration statements in the FTP.DATA file. Review the FTP daemon STEPLIB, system Linklist, and Link Pack Area libraries. If FTP Server exits are enabled or present, and have not been approved by the site ISSM and not securely written and implemented by the site systems programmer, they should not be installed. Verify that none of the following exits are installed unless they have met the requirements listed above: FTCHKCMD FTCHKIP FTCHKJES FTCHKPWD FTPOSTPR FTPSMFEX
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-FT-000100
- Vuln IDs
-
- V-98191
- Rule IDs
-
- SV-107295r1_rule
Checks: C-97027r1_chk
From z/OS command screen enter: ListUser FTPD OMVS (FTPD is usual name of the FTP daemon) If all of the following are true, this is not a finding. If either of the following is untrue, this is a finding. -The FTPD userid is defined as a PROTECTED userid. -The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. From z/OS command screen enter: RList STARTED FTPD If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.
Fix: F-103867r1_fix
Define the FTP daemon userid and a matching entry in the STARTED resource class enabling the use of the standard userid and an appropriate group. Define the FTPD userid as a PROTECTED userid. Define the FTPD userid with the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. Sample commands to accomplish these requirements are shown here: Add the FTPD userid: AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES)) Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- RACF-FT-000110
- Vuln IDs
-
- V-98193
- Rule IDs
-
- SV-107297r1_rule
Checks: C-97029r1_chk
Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. If the INACTIVE statement is coded with a value between 1 and 900 (seconds), this is not a finding.
Fix: F-103869r1_fix
Configure the FTP configuration to include an Inactive statement with a value between 1 and 900 (seconds).
- RMF Control
- IA-8
- Severity
- M
- CCI
- CCI-000804
- Version
- RACF-FT-000120
- Vuln IDs
-
- V-98195
- Rule IDs
-
- SV-107299r1_rule
Checks: C-97031r1_chk
Refer to the FTPD started task procedure. If the SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively, this is not a finding. If the ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding. If the ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement, this is not a finding. If the INACTIVE keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.
Fix: F-103871r1_fix
Review the FTP daemon’s started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements. The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters. The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon’s started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file. The systems programmer responsible for supporting ICS will ensure that the FTP daemon’s started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000010
- Vuln IDs
-
- V-98197
- Rule IDs
-
- SV-107301r1_rule
Checks: C-97033r1_chk
Refer to SYS1.PARMLIB (JES2PARM) For each node entry If all JES2 defined NJE nodes and RJE workstations have a profile defined in the FACILITY resource class, this is not a finding. Notes: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. Workstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. NJE.* and RJE.* profiles will force userid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles.
Fix: F-103873r1_fix
Configure associated PROFILEs TO exist for all RJE/NJE sources and review the authorizations for these remote facilities.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000020
- Vuln IDs
-
- V-98199
- Rule IDs
-
- SV-107303r1_rule
Checks: C-97035r1_chk
Refer the JES2PARM member of SYS1.PARMLIB. Review the following resources in the RACF JESINPUT resource class: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) Note: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. -Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the report. -OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the report. -Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the report. -RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the report. If the JESINPUT resource class is active, this is not a finding. If the resources detailed above are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class, this is not a finding.
Fix: F-103875r1_fix
Review the following resources in the JESINPUT resource class: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) Note: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. -Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. -OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report. -Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for RMT( in the report. -RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for RDR( in the report. Define the JESINPUT resource class to the ACTIVE CLASSES in RACF SETROPTS. Configure the resources detailed above to be protected by generic and/or fully qualified profiles defined to the JESINPUT resource class. Examples: setr classact(jesinput) setr generic(jesinput) rdef jesinput intrdr quack(none) owner(admin) audit(failures(read) success(update)) data('Per SRR PDI ZJES0021') pe intrdr cl(jesinput) id(<syspsmpl>) pe intrdr cl(jesinput) id(*) /* all users */
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000030
- Vuln IDs
-
- V-98201
- Rule IDs
-
- SV-107305r1_rule
Checks: C-97037r1_chk
From the ISPF Command Shell enter: RL JESINPUT * If the RACF resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel, this is not a finding. INTRDR nodename OFFn.* OFFn.JR OFFn.SR Rnnnn.RDm RDRnn STCINRDR TSUINRDR and/or TSOINRDR Note: Examples of appropriate might be access to the offload input sources is limited to systems personnel (e.g., operations staff) as directed by site operations and the site security plan.
Fix: F-103877r1_fix
Configure access for resources defined to the JESINPUT resource class to restrict to the appropriate personnel. Grant read access to authorized users for each of the following input sources: INTRDR nodename OFFn.* OFFn.JR OFFn.SR Rnnnn.RDm RDRnn STCINRDR TSUINRDR and/or TSOINRDR The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000040
- Vuln IDs
-
- V-98203
- Rule IDs
-
- SV-107307r1_rule
Checks: C-97039r1_chk
Refer the JES2PARM member of SYS1.PARMLIB. Review the following resources in the RACF WRITER resource class: JES2.** (backstop profile) JES2.LOCAL.OFFn.* (spool offload transmitter) JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter) JES2.LOCAL.OFFn.JT (spool offload job transmitter) JES2.LOCAL.PRTn (local printer) JES2.LOCAL.PUNn (local punch) JES2.NJE.nodename (NJE node) JES2.RJE.Rnnnn.PRm (remote printer) JES2.RJE.Rnnnn.PUm (remote punch) -JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. -OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters. -PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters. -PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters. -Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. -Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters. -Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters. If the WRITER resource class is active, this is not a finding. If the other resources detailed above are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE), this is not a finding.
Fix: F-103879r1_fix
Review the following resources in the WRITER resource class: JES2.** (backstop profile) JES2.LOCAL.OFFn.* (spool offload transmitter) JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter) JES2.LOCAL.OFFn.JT (spool offload job transmitter) JES2.LOCAL.PRTn (local printer) JES2.LOCAL.PUNn (local punch) JES2.NJE.nodename (NJE node) JES2.RJE.Rnnnn.PRm (remote printer) JES2.RJE.Rnnnn.PUm (remote punch) -JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. -OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters. -PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters. -PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters. -Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. -Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters. -Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters. Define the WRITER resource class to the ACTIVE CLASSES in RACF SETROPTS. Configure the profile JES2.** to have no access in the WRITER resource class. Configure the resources detailed above to be protected by generic and/or fully qualified profiles defined to the WRITER resource class. Examples: setr classact(writer) setr gencmd(writer) generic(writer) setr raclist(writer) RDEF WRITER JES2.** owner(admin) AUDIT(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.** owner(admin) AUDIT(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.OFF*.JT owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.OFF*.ST owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.PRT* owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.PUN* owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.NJE.** owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.RJE.** owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') pe JES2.** cl(writer) id(<syspsmpl>) pe JES2.LOCAL.** cl(writer) id(<syspsmpl>) pe JES2.LOCAL.OFF*.JT cl(writer) id(<syspsmpl>) pe JES2.LOCAL.OFF*.ST cl(writer) id(<syspsmpl>) pe JES2.LOCAL.PRT* cl(writer) id(<syspsmpl>) pe JES2.LOCAL.PUN* cl(writer) id(<syspsmpl>) pe JES2.NJE.** cl(writer) id(<syspsmpl>) pe JES2.RJE.** cl(writer) id(<syspsmpl>) setr racl(writer) Ref
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000050
- Vuln IDs
-
- V-98205
- Rule IDs
-
- SV-107309r1_rule
Checks: C-97041r1_chk
From the ISPF Command Shell enter: RL WRITER * If the RACF resources and/or generic equivalent identified below are defined with access restricted to the appropriate personnel, this is not a finding. JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename Note: Examples of appropriate might be access to the offload input sources is limited to systems personnel (e.g., operations staff) as directed by site operations and the site security plan.
Fix: F-103881r1_fix
Configure access authorization for resources defined to the WRITER resource class to be restricted to the operators and system programmers on a classified system only. Define resources in the ACP’s respective WRITER class for each of the following output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000060
- Vuln IDs
-
- V-98207
- Rule IDs
-
- SV-107311r1_rule
Checks: C-97043r1_chk
From the ISPF Command Shell enter: SETRopt list If the JESSPOOL resource class is active, this is not a finding.
Fix: F-103883r1_fix
Configure the JESSPOOL resource class to be active: Use the RACF Command: SETROPTS CLASSACT(JESSPOOL).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000070
- Vuln IDs
-
- V-98209
- Rule IDs
-
- SV-107313r1_rule
Checks: C-97045r1_chk
From the ISPF Command Shell enter: RL OPERCMS * JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. If the JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class, this is not a finding. If access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set), this is not a finding. If all access to the JES2.UPDATE.JESNEWS resource is logged, this is not a finding.
Fix: F-103885r1_fix
Refer to "Protecting JESNEWS" in Chapter 7 of the JES2 Init & Tuning Guide. a) Ensure the following items are in effect: 1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of NONE and all access is logged. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. 2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged. Examples of setting up proper protection are shown here: RDEF OPERCMDS JES2.UPDATE.JESNEWS UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('COMPLY WITH ZJES0042') PERMIT JES2.UPDATE.JESNEWS CLASS(OPERCMDS) ID(<syspsmpl>) ACCESS(CONTROL)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000080
- Vuln IDs
-
- V-98211
- Rule IDs
-
- SV-107315r1_rule
Checks: C-97047r1_chk
Refer to the JESPARM member of SYS1.PARMLIB. Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. From the ISPF Command Shell enter: RL JESSPOOL * Review the following resources defined to the JESSPOOL resource class: localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.-.SYSLOG NOTE: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.*.*.*.JESTRACE localnodeid.+MASTER+.*.*.*.SYSLOG or localnodeid.+BYPASS+.*.*.*.SYSLOG If Userid(s) associated with external writer(s) have complete access, this is not a finding. Note: An external writer is an STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. If Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems have complete access, this is not a finding. If Application Development and Application Support personnel responsible for diagnosing application problems have READ access to the SYSLOG resource, this is not a finding.
Fix: F-103887r1_fix
Configure RACF access authorization for resources defined to the JESTRACE and SYSLOG resources in the JESSPOOL resource class to be restricted to the appropriate personnel a detailed below. Review the following resources defined to the JESSPOOL resource class: localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.*.SYSLOG Note: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.$TRCLOG.*.** localnodeid.+MASTER+.SYSLOG.*.** or localnodeid.+BYPASS+.SYSLOG.*.** Note: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. Ensure that access authorization for the resources mentioned above is restricted to the following: Userid(s) associated with external writer(s) can have complete access. Note: An external writer is a STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access. Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource. Examples: RDEFINE JESSPOOL localnodeid.JES2.$TRCLOG.*.** audit(failures(read)) quack(NONE) - data('Reference srr finding ZJES0044 ') owner(admin) RDEFINE JESSPOOL localnodeid.+MASTER+.SYSLOG.*.** audit(failures(read)) quack(NONE) - data('Reference srr finding ZJES0044') owner(admin) or RDEFINE JESSPOOL localnodeid.+BYPASS+.SYSLOG.*.** audit(failures(read)) quack(NONE) - data('Reference srr finding ZJES0044') owner(admin) PE localnodeid.JES2.$TRCLOG.** cl(jesspool) id(<syspsmpl> <secasmpl>) acc(a) PE localnodeid.+MASTER+.SYSLOG.*.** cl(jesspool) id(<syspsmpl> <secasmpl>) acc(a) PE localnodeid.+MASTER+.SYSLOG.*.** cl(jesspool) id(<appdpsmpl> <appssmpl>) acc(r) or PE localnodeid.+BYPASS+.SYSLOG.*.** cl(jesspool) id(<syspsmpl> <secasmpl>) acc(a) PE localnodeid.+BYPASS+.SYSLOG.*.** cl(jesspool) id(<appdpsmpl> <appssmpl>) acc(r)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000090
- Vuln IDs
-
- V-98213
- Rule IDs
-
- SV-107317r1_rule
Checks: C-97049r1_chk
From the ISPF Command Shell enter: RL JESSPOOL * Review the accesses to the JESSPOOL resources. If the following guidance is true, this is not a finding. Review the JESSPOOL report for resource permissions with the following naming convention. These profiles may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.userid.jobname.jobid.dsnumber.name localnodeid The name of the node on which the SYSIN or SYSOUT data set currently resides. userid The userid associated with the job. This is the userid RACF uses for validation purposes when the job runs. jobname The name that appears in the name field of the JOB statement. jobid The job number JES2 assigned to the job. dsnumber The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). All users have access to their own JESSPOOL resources. The localnodeid. resources are restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc.) The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function. UPDATE, CONTROL, and ALTER access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. All access will be logged. Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required.
Fix: F-103889r1_fix
Configure accesses for JESSPOOL resources as detailed below. The JESSPOOL may have more restrictive security at the direction of the ISSO. The JESSPOOL resources may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.userid.jobname.jobid.dsnumber.name localnodeid The name of the node on which the SYSIN or SYSOUT data set currently resides. userid The userid associated with the job. This is the userid used for validation purposes when the job runs. jobname The name that appears in the name field of the JOB statement. jobid The job number JES2 assigned to the job. dsnumber The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). By default a user has access only to that user’s own JESSPOOL resources. However, situations exist where a user legitimately requires access to jobs that run under another user’s userid. In particular, if a user routes SYSOUT to an external writer, the external writer should have access to that user’s SYSOUT. The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc.) RDEF JESSPOOL localnodeid.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('PROTECT JESSPOOL AT HIGH LEVEL, REF ZJES0046') PE localnodeid.** CL(JESSPOOL) ID(syspsmpl) ACC(A) The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function, SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. If frequent situations occur where users working on a common project require selective access to each other's jobs, then the installation may delegate to the individual users the authority to grant access, but only with the approval of the ISSO. RDEF JESSPOOL localnode.userid.jobname.jobid.dsnumber.name – UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) – DATA('PROTECT JESSPOOL, REF ZJES0046') PE localnode.userid.jobname.jobid.dsnumber.name CL(JESSPOOL) ID(<users_or_groups>) ACC(R) If IBM’s SDSF product is installed on the system, resources defined to the JESSPOOL resource class control functions related to jobs, output groups, and SYSIN/SYSOUT data sets on various SDSF panels. CSSMTP will not be granted to the JESSPOOL resource of the high level “node.” or “localnodeid.”. CSSMTP can have access to the specific approved JESSPOOL resources, minimally qualified to the node.userid. and all access will be logged. This will ensure system records who (userid) sent traffic to CSSMTP, when and what job/process. Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required. Conduct a review of JESSPOOL resource rules. If a rule has been determined not to have been used within the last two years, the rule must be removed.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000100
- Vuln IDs
-
- V-98215
- Rule IDs
-
- SV-107319r1_rule
Checks: C-97051r1_chk
From the ISPF Command Shell enter: RList OPERCMDS * If the JES2.** resource is defined to the OPERCMDS class with an access of NONE and all access is logged, this is not a finding. If access to JES2 system commands defined in the IBM z/OS JES2 Commands is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), as determined in the documented site Security Plan, this is not a finding. If access to specific JES2 system commands is logged as indicated in the documented site Security Plan, this is not a finding. Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging.
Fix: F-103891r1_fix
Extended MCS support allows the installation to control the use of JES2 system commands through the ESM. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL. To control access to JES2 system commands, apply the following: implementing security: Define the JES2.** resource in the OPERCMDS class with an access of NONE and all access is logged. Define the JES2 system commands as specified in the IBM z/OS JES2 Commands to be restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), as determined in the documented site Security Plan. Define the JES2 system commands with proper logging as determined in the documented site Security Plan. Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here: RDEF OPERCMDS JES2.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') RDEF OPERCMDS JES2.<command>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') PE JES2.<command>.** CL(OPERCMDS) ID(<syspsmpl>) ACC(U) SETR RACL(OPERCMDS) REF
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-JS-000110
- Vuln IDs
-
- V-98217
- Rule IDs
-
- SV-107321r1_rule
Checks: C-97053r1_chk
From the ISPF Command Shell enter: RList SURROGAT * If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is Not Applicable. For each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are in true regarding surrogate controls, this is not a finding. -All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE. -All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted. Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
Fix: F-103893r1_fix
Configure the SURROGAT as follows: For executionuserid.SUBMIT resources defined to the SURROGAT resource class, ensure the following items are in effect regarding surrogate controls: All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE. All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted. Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Surrogate Users: Keep the use of Surrogate Users outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to only use Surrogate resource for the appropriate Scheduling task/software for production scheduling purposes as documented. Temporary use of surrogate resource of the production batch to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period are determined by site policy. Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Surrogate usage should not become the default for all jobs submitted by individual userids (i.e., system programmer must use their assigned individual userids for software installation, duties, whereas a Cross Authorized ACID would normally be utilized for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users. Command samples are provided to define/permit SURROGAT profiles: SETR CLASSACT(SURROGAT) SETR GENERIC(SURROGAT) GENCMD(SURROGAT) SETR RACL(SURROGAT) RDEF SURROGAT <batchid>.SUBMIT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('SUBMIT JOBS FOR <batchid>, REFERENCE ZJES0060') PE <batchid>.SUBMIT CL(SURROGAT) ID(<authorized user such as CONTROLM>)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-JS-000120
- Vuln IDs
-
- V-98219
- Rule IDs
-
- SV-107323r1_rule
Checks: C-97055r1_chk
Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. Refer to the JES2PARM member of PARMLIB. If all of the statements below are true, this is not a finding. If any of the statements below are untrue, this is a finding. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement. No userid segments (e.g., TSO, CICS, etc.) are defined. Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT class profile for that remote. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists. A FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number.
Fix: F-103895r1_fix
Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. Configure the RJE workstation userids to be defined as follows: A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement. No userid segments (e.g., TSO, CICS, etc.) are defined. Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT-class profile for that remote. Review Chapter 17 of the RACF Security Admin Guide. The following is an example that show proper implementation: AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN) AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED PE RMT777 CL(JESINPUT) ID(RMT777) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number. A command example is shown here: RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')
- RMF Control
- AC-12
- Severity
- M
- CCI
- CCI-002361
- Version
- RACF-OS-000010
- Vuln IDs
-
- V-98221
- Rule IDs
-
- SV-107325r1_rule
Checks: C-97057r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. Examine the JWT, SWT, and TWT values. If the JWT parameter is greater than "15" minutes, and the system is processing unclassified information, review the following items. If any of these items is true, this is not a finding. -If a session is not terminated, but instead is locked out after "15" minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. -A system’s default time for terminal lock-out or session termination may be lengthened to "30" minutes at the discretion of the ISSM or ISSO. The ISSA and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. -The ISSM and/or ISSO may set selected userids to have a time-out of up to "60" minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: -The time-out exception cannot exceed "60" minutes. -A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to "30" minutes or less, etc.). -The requirement must be revalidated on an annual basis. If the TWT and SWT values are equal or less than the JWT value, this is not a finding.
Fix: F-103897r1_fix
Configure the SMFPRMxx JWT to "15" minutes for classified systems. The JWT parameter can be greater than "15" minutes if the system is processing unclassified information and the following items are reviewed: -If a session is not terminated, but instead is locked out after "15" minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. -A system’s default time for terminal lock-out or session termination may be lengthened to "30" minutes at the discretion of the ISSM or ISSO. The ISSM and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. -The ISSM and/or ISSO may set selected userids to have a time-out of up to "60" minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: -The time-out exception cannot exceed 60 minutes. -A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). -The requirement must be revalidated on an annual basis. Configure any TWT and or SWT to be equal or less than the JWT.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RACF-OS-000020
- Vuln IDs
-
- V-98223
- Rule IDs
-
- SV-107327r1_rule
Checks: C-97059r1_chk
Review the FACILITY resource class for BPX.SMF. If the RACF rules are as follows this is not a finding. BPX.SMF.119.94 – READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 – READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 – READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF – READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.
Fix: F-103899r1_fix
Configure Facility resource class for BPX.SMF as follows: BPX.SMF.119.94 – READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 – READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 – READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF – READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RACF-OS-000030
- Vuln IDs
-
- V-98225
- Rule IDs
-
- SV-107329r1_rule
Checks: C-97061r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following configuration statement settings are in effect in the TCP/IP Profile configuration data set, this is not a finding. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration data set, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block. The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block. Note: The SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. If duplicate statements appear in the TELNETGLOBALS, TELNETPARMS, Telnet uses the last valid statement that was specified.
Fix: F-103901r1_fix
Configure the TELNETPARMS SMFINIT and SMFTERM statements in the PROFILE.TCPIP file to conform to the requirements specified below. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block. The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block. Note: The SMFINIT and SMFTERM statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. If duplicate statements appear in the TELNETGLOBALS, TELNETPARMS, Telnet uses the last valid statement that was specified.
- RMF Control
- AC-2
- Severity
- H
- CCI
- CCI-000015
- Version
- RACF-OS-000040
- Vuln IDs
-
- V-98227
- Rule IDs
-
- SV-107331r1_rule
Checks: C-97063r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper IEFSSnxx member. If RACF is defined in the SubSystem member, this is not a finding.
Fix: F-103903r1_fix
Refer to the IBM Security Server RACF System Programmer Guide and the IBM Security Server RACF Security Administrator guide to properly implement RACF on the system.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- RACF-OS-000050
- Vuln IDs
-
- V-98229
- Rule IDs
-
- SV-107333r1_rule
Checks: C-97065r1_chk
Ask the system administrator for the documented process to disable emergency accounts. If there is no documented process, this is a finding. Examine the process, if it does not include procedures to disable emergency accounts after the crisis is resolved or 72 hours, this is a finding.
Fix: F-103905r1_fix
Develop a process to disable emergency accounts after the crisis is resolved or 72 hours.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001683
- Version
- RACF-OS-000060
- Vuln IDs
-
- V-98231
- Rule IDs
-
- SV-107335r1_rule
Checks: C-97067r1_chk
Ask the system Administrator for the documented process to notify appropriate personnel when accounts are created. If there is no documented process, this is a finding.
Fix: F-103907r1_fix
Develop a documented develop a process to notify appropriate personnel when accounts are created.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001684
- Version
- RACF-OS-000070
- Vuln IDs
-
- V-98233
- Rule IDs
-
- SV-107337r1_rule
Checks: C-97069r1_chk
Ask the system Administrator for the documented process to notify appropriate personnel when accounts are modified. If there is no documented process, this is a finding.
Fix: F-103909r1_fix
Develop a documented develop a process to notify appropriate personnel when accounts are modified.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001685
- Version
- RACF-OS-000080
- Vuln IDs
-
- V-98235
- Rule IDs
-
- SV-107339r1_rule
Checks: C-97071r1_chk
Ask the system Administrator for the documented process to notify appropriate personnel when accounts are deleted. If there is no documented process, this is a finding.
Fix: F-103911r1_fix
Develop a documented develop a process to notify appropriate personnel when accounts are deleted.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001686
- Version
- RACF-OS-000090
- Vuln IDs
-
- V-98237
- Rule IDs
-
- SV-107341r1_rule
Checks: C-97073r1_chk
Ask the system Administrator for the documented process to notify appropriate personnel when accounts are removed. If there is no documented process, this is a finding.
Fix: F-103913r1_fix
Develop a documented develop a process to notify appropriate personnel when accounts are removed.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-002132
- Version
- RACF-OS-000100
- Vuln IDs
-
- V-98239
- Rule IDs
-
- SV-107343r1_rule
Checks: C-97075r1_chk
Ask the system Administrator for the documented processes to notify the Information System Security Officers (ISSOs) of account enabling actions. If there is no documented process, this is a finding.
Fix: F-103915r1_fix
Develop a documented process to notify the Information System Security Officers (ISSOs) of account enabling actions.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000018
- Version
- RACF-OS-000110
- Vuln IDs
-
- V-98241
- Rule IDs
-
- SV-107345r1_rule
Checks: C-97077r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If all of the required SMF record types identified below are collected, this is not a finding. IBM SMF Records to be collect at a minimum: 0 (00) – IPL 6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) – [SMF] Data Lost 14 (0E) – INPUT or RDBACK Data Set Activity 15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) – Scratch Data Set Status 18 (12) – Rename Non-VSAM Data Set Status 24 (18) – JES2 Spool Offload 25 (19) – JES3 Device Allocation 26 (1A) – JES Job Purge 30 (1E) – Common Address Space Work 32 (20) – TSO/E User Work Accounting 41 (29) – DIV Objects and VLF Statistics 42 (2A) – DFSMS statistics and configuration 43 (2B) – JES Start 45 (2D) – JES Withdrawal/Stop 47 (2F) – JES SIGNON/Start Line (BSC)/LOGON 48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) – JES Integrity 52 (34) – JES2 LOGON/Start Line (SNA) 53 (35) – JES2 LOGOFF/Stop Line (SNA) 54 (36) – JES2 Integrity (SNA) 55 (37) – JES2 Network SIGNON 56 (38) – JES2 Network Integrity 57 (39) – JES2 Network SYSOUT Transmission 58 (3A) – JES2 Network SIGNOFF 60 (3C) – VSAM Volume Data Set Updated 61 (3D) – Integrated Catalog Facility Define Activity 62 (3E) – VSAM Component or Cluster Opened 64 (40) – VSAM Component or Cluster Status 65 (41) – Integrated Catalog Facility Delete Activity 66 (42) – Integrated Catalog Facility Alter Activity 80 (50) – RACF/TOP SECRET Processing 81 (51) – RACF Initialization 83 (53) – RACF Audit Record For Data Sets 90 (5A) – System Status 92 (5C) except subtypes 10, 11 – OpenMVS File System Activity 102 (66) – DATABASE 2 Performance 103 (67) – IBM HTTP Server 110 (6E) – CICS/ESA Statistics 118 (76) – TCP/IP Statistics 119 (77) – TCP/IP Statistics 199 (C7) – TSOMON 230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) – TSS logs security events under this record type
Fix: F-103917r1_fix
Ensure that SMF recording options are consistent with those outlined below. IBM SMF Records to be collect at a minimum: 0 (00) – IPL 6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) – [SMF] Data Lost 14 (0E) – INPUT or RDBACK Data Set Activity 15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) – Scratch Data Set Status 18 (12) – Rename Non-VSAM Data Set Status 24 (18) – JES2 Spool Offload 25 (19) – JES3 Device Allocation 26 (1A) – JES Job Purge 30 (1E) – Common Address Space Work 32 (20) – TSO/E User Work Accounting 41 (29) – DIV Objects and VLF Statistics 42 (2A) – DFSMS statistics and configuration 43 (2B) – JES Start 45 (2D) – JES Withdrawal/Stop 47 (2F) – JES SIGNON/Start Line (BSC)/LOGON 48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) – JES Integrity 52 (34) – JES2 LOGON/Start Line (SNA) 53 (35) – JES2 LOGOFF/Stop Line (SNA) 54 (36) – JES2 Integrity (SNA) 55 (37) – JES2 Network SIGNON 56 (38) – JES2 Network Integrity 57 (39) – JES2 Network SYSOUT Transmission 58 (3A) – JES2 Network SIGNOFF 60 (3C) – VSAM Volume Data Set Updated 61 (3D) – Integrated Catalog Facility Define Activity 62 (3E) – VSAM Component or Cluster Opened 64 (40) – VSAM Component or Cluster Status 65 (41) – Integrated Catalog Facility Delete Activity 66 (42) – Integrated Catalog Facility Alter Activity 80 (50) – RACF/TOP SECRET Processing 81 (51) – RACF Initialization 83 (53) – RACF Audit Record For Data Sets 90 (5A) – System Status 92 (5C) except subtypes 10, 11 – OpenMVS File System Activity 102 (66) – DATABASE 2 Performance 103 (67) – IBM HTTP Server 110 (6E) – CICS/ESA Statistics 118 (76) – TCP/IP Statistics 119 (77) – TCP/IP Statistics 199 (C7) – TSOMON 230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) – TSS logs security events under this record type
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- RACF-OS-000120
- Vuln IDs
-
- V-98243
- Rule IDs
-
- SV-107347r1_rule
Checks: C-97079r1_chk
Verify that any session manger in use displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. If the session manager does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.
Fix: F-103919r1_fix
Configure any session manger in use to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
- RMF Control
- AU-3
- Severity
- M
- CCI
- CCI-000131
- Version
- RACF-OS-000130
- Vuln IDs
-
- V-98245
- Rule IDs
-
- SV-107349r1_rule
Checks: C-97081r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If the following SMF collection options are specified as stated below, this is not a finding. The settings for several parameters are critical to the collection process: ACTIVE - Activates the collection of SMF data. MAXDORM - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Value is site defined. SID - Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) - Controls the level of detail recorded. SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs. SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
Fix: F-103921r1_fix
Ensure that collection options for SMF Data are consistent with options specified below. Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below. The settings for several parameters are critical to the collection process: ACTIVE - Activates the collection of SMF data. MAXDORM(mmss) - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Use the MAXDORM parameter to minimize the amount of data lost because of system failure. This value is site determined and should be carefully configured. SID - Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) - Controls the level of detail recorded. SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs. SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types not listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001849
- Version
- RACF-OS-000140
- Vuln IDs
-
- V-98247
- Rule IDs
-
- SV-107351r1_rule
Checks: C-97083r1_chk
Review the SMF dump procedure in there system. If the output datasets in the procedure have storage capacity to store at least one week's worth of audit data, this is not a finding.
Fix: F-103923r1_fix
Make sure output file and dump procedures allow storage capacity to store one week's worth of audit data.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- RACF-OS-000150
- Vuln IDs
-
- V-98249
- Rule IDs
-
- SV-107353r1_rule
Checks: C-97085r1_chk
Ask the system administrator if there is an automated process is in place to collect and retain all SMF data produced on the system. If, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, this is not a finding. If it cannot be determined this process exists and is being adhered to, this is a finding.
Fix: F-103925r1_fix
The ISSO will ensure that an automated process is in place to collect SMF data. Review SMF data collection and retention processes. Develop processes are automatically started to dump SMF collection files immediately upon their becoming full. To ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, the site will ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines: -Dump each SMF file as it fills up during the normal course of daily processing -Dump all remaining SMF data at the end of each processing day or -Establish a process using Audit logging
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000139
- Version
- RACF-OS-000160
- Vuln IDs
-
- V-98251
- Rule IDs
-
- SV-107355r1_rule
Checks: C-97087r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB. If BUFUSEWARN is set for "75" (75%) or less, this is not a finding.
Fix: F-103927r1_fix
Configure the BUFUSEWARN statement in SMFPRMxx to "75" (75%) or less.
- RMF Control
- AU-5
- Severity
- M
- CCI
- CCI-000140
- Version
- RACF-OS-000170
- Vuln IDs
-
- V-98253
- Rule IDs
-
- SV-107357r1_rule
Checks: C-97089r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB. If NOBUFFS is set to "HALT", this is not a finding. Note: If availability is an overriding concern NOBUFFS can be set to MSG.
Fix: F-103929r1_fix
Configure NOBUFFS to "HALT" unless availability is an overriding concern then NOBUFFS can be set to MSG.
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- RACF-OS-000180
- Vuln IDs
-
- V-98255
- Rule IDs
-
- SV-107359r1_rule
Checks: C-97091r1_chk
From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SNTP Daemon (SNTPD) is not active, this is a finding.
Fix: F-103931r1_fix
Obtain a copy of this sample procedure from SEZAINST and store it in one of your PROCLIB concatenation data sets. Perform the following step to start SNTPD as a procedure: Invoke the procedure using the system operator start command. The following sample, SEZAINST(SNTPD), shows how to start SNTPD as a procedure: //* //* Sample procedure for the Simple Network Time Protocol (SNTP) //* //* z/OS Communications Server Version 1 Release 13 //* SMP/E Distribution Name: SEZAINST(EZASNPRO) //* //* Copyright: Licensed Materials - Property of IBM //* 5650-ZOS //* Copyright IBM Corp. 2002, 2015 //* //* Status: CSV2R2 //* //SNTPD EXEC PGM=SNTPD,REGION=4096K,TIME=NOLIMIT, //PARM=’/ -d’ //SYSPRINT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //SYSIN DD DUMMY //SYSERR DD SYSOUT=* //SYSOUT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //CEEDUMP DD SYSOUT=* //SYSABEND DD SYSOUT=*
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-001891
- Version
- RACF-OS-000190
- Vuln IDs
-
- V-98257
- Rule IDs
-
- SV-107361r1_rule
Checks: C-97093r1_chk
From the ISPF Command Shell enter: cd /usr/sbin ls -al If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/sntpd 1740 faf The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-103933r1_fix
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the SNTPD to conform to the specifications below: /usr/sbin/sntpd 1740 faf
- RMF Control
- AU-8
- Severity
- M
- CCI
- CCI-002046
- Version
- RACF-OS-000200
- Vuln IDs
-
- V-98259
- Rule IDs
-
- SV-107363r1_rule
Checks: C-97095r1_chk
Refer to the CLOCKxx member of PARMLIB. If the ACCURACY parm is not coded, this is a finding. If the ACCURACY parm is coded to "1000", this is not a finding.
Fix: F-103935r1_fix
Define the CLOCKxx statement to include the ACCURACY parm set to "1000".
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001774
- Version
- RACF-OS-000210
- Vuln IDs
-
- V-98261
- Rule IDs
-
- SV-107365r1_rule
Checks: C-97097r1_chk
Review all Dataset and resource profiles in the RACF database. If any are not defined with UACC NONE, this is a finding.
Fix: F-103937r1_fix
Define each dataset and resource profile with UACC(NONE)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-OS-000220
- Vuln IDs
-
- V-98263
- Rule IDs
-
- SV-107367r1_rule
Checks: C-97099r1_chk
Ask the system administrator to determine if the system PASSWORD data set and OS passwords are being used. If, based on the information provided, it can be determined that the system PASSWORD data set and OS passwords are not used, this is not a finding. If it is evident that OS passwords are utilized, this is a finding.
Fix: F-103939r1_fix
System programmers will ensure that the old OS Password Protection is not used and any data protected by the old OS Password technology is removed and protection is replaced by the ACP. Review the contents of the PASSWORD data set. Ensure that any protections it provides are provided by the ACP and delete the PASSWORD data set. Access to data sets on z/OS systems can be protected using the OS password capability of MVS. This capability has been available in MVS for many years, and its use is commonly found in data centers. Since the advent of ACPs, the use of OS passwords for file protection has diminished, and is commonly considered archaic and of little use. The use of z/OS passwords is not supported by all the ACPs.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-OS-000230
- Vuln IDs
-
- V-98265
- Rule IDs
-
- SV-107369r1_rule
Checks: C-97101r1_chk
Ask the system Administrator for the documented processes to notify the Information System Security Officers (ISSOs) of account enabling actions. If there is no documented process, this is a finding.
Fix: F-103941r1_fix
Develop a documented process to notify the Information System Security Officers (ISSOs) of account enabling actions.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-OS-000240
- Vuln IDs
-
- V-98267
- Rule IDs
-
- SV-107371r1_rule
Checks: C-97103r1_chk
Examine the policy agent policy statements. If it can be determined that the policy agent employs a deny-all, allow-by exception firewall policy for allowing connections to other systems this is not a finding.
Fix: F-103943r1_fix
Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-001764
- Version
- RACF-OS-000250
- Vuln IDs
-
- V-98269
- Rule IDs
-
- SV-107373r1_rule
Checks: C-97105r1_chk
This check applies to all products that meet the following criteria: - Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries. - Require access to system datasets or sensitive information or requires special or privileged authority to run. For the products in the above category refer to the Vendor’s support lifecycle information for current versions and releases. If the software products currently running on the reviewed system are at a version greater than or equal to the products listed in the vendor’s Support Lifecycle information, this is not a finding.
Fix: F-103945r1_fix
For all products that meet the following criteria: - Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries. - Require access to system datasets or sensitive information or requires special or privileged authority to run. The ISSO will ensure that unsupported system software for the products in the above category is removed or upgraded prior to a vendor dropping support. Authorized software which is NO longer supported is a CAT I – vulnerability. The customer and site will be given 6 months to mitigate the risk, come up with a supported solution, or obtain a formal letter approving such risk/software.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- RACF-OS-000260
- Vuln IDs
-
- V-98271
- Rule IDs
-
- SV-107375r1_rule
Checks: C-97107r1_chk
From and ISPF Command line enter: TSO ISRDDN LINKLIST Review the list, if there are any DUMMY entries i.e., inaccessible LINKLIST libraries, this is a finding.
Fix: F-103947r1_fix
Review all entries contained in the LINKLIST for the actual existence of each library. Develop a plan of action to correct deficiencies. The Linklist is a default set of libraries that MVS searches for a specified program. This facility is used so that a user does not have to know the library names in which utility types of programs are stored. Control over membership in the Linklist is specified within the operating system. The data set SYS1.PARMLIB(LNKLSTxx) is used to specify the library names. (The xx is the suffix designated by the LNK parameter in the IEASYSxx member of SYS1.PARMLIB, or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LINKLIST facility: -Avoid inclusion of sensitive libraries in the LNKLSTxx member unless absolutely required. -The LNKLSTxx and PROGxx (LNKLST entries) members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The ISSO should modify and/or delete the rules associated with these libraries.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-001764
- Version
- RACF-OS-000270
- Vuln IDs
-
- V-98273
- Rule IDs
-
- SV-107377r1_rule
Checks: C-97109r1_chk
From and ISPF Command line enter: TSO ISRDDN LPA Review the list, if there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.
Fix: F-103949r1_fix
Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies. The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization. Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB: -LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].) -IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) -IEALPAxx specifies the names of modules that will be loaded from the following: ? SYS1.SVCLIB ? The LPALSTxx concatenation ? The LNKLSTxx concatenation as a temporary extension to the existing Pageable LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LPA facility: -The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The ISSO should modify and/or delete the rules associated with these libraries.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RACF-OS-000280
- Vuln IDs
-
- V-98275
- Rule IDs
-
- SV-107379r1_rule
Checks: C-97111r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper APF and/or PROG member. Examine each entry and verify that it exists on the specified volume. If inaccessible APF libraries exist, this is a finding. ISRDDN APF
Fix: F-103951r1_fix
Review the entire list of APF authorized libraries and remove those which are no longer valid designations.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RACF-OS-000290
- Vuln IDs
-
- V-98277
- Rule IDs
-
- SV-107381r1_rule
Checks: C-97113r1_chk
Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries however, to determine program entries issue the following command from an ISPF command line enter: TSO ISRDDN LOAD IEFSDPPT Interpret the display as follows: Examine contents at offset 8 Hex ‘x2’ - Bypass Password Protection Hex ‘x3’ - Bypass Password Protection Hex ‘x4’ - No Dataset Integrity Hex ‘x5’ - No Dataset Integrity Hex ‘x6’ - Both Hex ‘x7’ - Both Determine Privilege Key at offset 9. A value of hex ’70’ or less indicates an elevated privilege. For each module identified in the "eyecatcher" that has BYPASS Password Protection, No Dataset Integrity, an elevated Privilege Key or any combination thereof, determine if there is a valid loaded module. Again, you may use a third-party product otherwise execute the following steps from an ISPF command line enter: TSO ISRDDN LOAD <privileged module> If the return message is "Load Failed" make sure there is an entry in PARMLIB member SCHEDxx that revokes the excessive privilege. If this is not true, this is a finding.
Fix: F-103953r1_fix
Review the PPT and define all entries associated with non-existent or inapplicable modules as invalidated. Nullify the invalid IEFSDPPT entry by ensuring that there is a corresponding SCHED entry, which confers no special attributes. Use the following recommendations and techniques to provide protection for the PPT: Review the IEFSDPPT module and all programs that IBM has, by default, placed in the PPT to validate their applicability to the execution system. Refer to the IBM z/OS MVS Initialization and Tuning Reference documentation for the version and release of z/OS installed at the individual site for the actual contents of the default IEFSDPPT. Modules for products not in use on the system will have their special privileges explicitly revoked. Do this by placing a PPT entry for each module in the SYS1.PARMLIB(SCHEDxx) member, specifying no special privileges. The PPT entry for each overridden program will be in the following format, accepting the default (unprivileged) values for the sub parameters: PPT PGMNAME(<program name>) Assemble documentation regarding these PPT entries, and the ISSO will keep it on file. Include the following in the documentation: - The product and release for which the PPT entry was made - The last date this entry was reviewed to authenticate status - The reason the module's privileges are being revoked
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000381
- Version
- RACF-OS-000300
- Vuln IDs
-
- V-98279
- Rule IDs
-
- SV-107383r1_rule
Checks: C-97115r1_chk
Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. If LNKAUTH=APFTAB is not specified, this is a finding.
Fix: F-103955r1_fix
Configure LNKAUTH=APFTAB in the IEASYS00 member of PARMLIB.
- RMF Control
- CM-7
- Severity
- L
- CCI
- CCI-000381
- Version
- RACF-OS-000310
- Vuln IDs
-
- V-98281
- Rule IDs
-
- SV-107385r1_rule
Checks: C-97117r1_chk
From an ISPF Command line enter: TSO ISRDDN APF An APF List results On the command line enter: DUPlicates (make sure there is appropriate access; if there is not you may receive insufficient access errors) If any of the list of Sensitive Utilities exist in the duplicate APF modules return, this is a finding. The following list contains Sensitive Utilities that will be checked. AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV TMSREMOV TMSTPNIT TMSUDSNB
Fix: F-103957r1_fix
Review and ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the ISSO. Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns so that the function can be restricted as required.
- RMF Control
- SC-13
- Severity
- M
- CCI
- CCI-002450
- Version
- RACF-OS-000320
- Vuln IDs
-
- V-98283
- Rule IDs
-
- SV-107387r1_rule
Checks: C-97119r1_chk
Determine if IBM's DS880 Disks are in use. If they are not in use for systems that require data at rest, this is a finding.
Fix: F-103959r1_fix
Employ IBM's DS8880 hardware to ensure full disk encryption.
- RMF Control
- SC-28
- Severity
- M
- CCI
- CCI-001199
- Version
- RACF-OS-000330
- Vuln IDs
-
- V-98285
- Rule IDs
-
- SV-107389r1_rule
Checks: C-97121r1_chk
Determine if IBM's DS880 Disks are in use. If they are not in use for systems that require data at rest, this is a finding.
Fix: F-103961r1_fix
Employ IBM's DS8880 hardware to ensure full disk encryption.
- RMF Control
- SC-28
- Severity
- M
- CCI
- CCI-002475
- Version
- RACF-OS-000340
- Vuln IDs
-
- V-98287
- Rule IDs
-
- SV-107391r1_rule
Checks: C-97123r1_chk
Determine if IBM's DS880 Disks are in use. If they are not in use for systems that require data at rest, this is a finding.
Fix: F-103963r1_fix
Employ IBM's DS8880 hardware to ensure full disk encryption.
- RMF Control
- SC-4
- Severity
- M
- CCI
- CCI-001090
- Version
- RACF-OS-000350
- Vuln IDs
-
- V-98289
- Rule IDs
-
- SV-107393r1_rule
Checks: C-97125r1_chk
Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared. Note: In VM issue the command "QUEUE DASD SYSTEM" this display will show shared volume(s) and indicates the number of systems sharing the volume. Validate all machines that require access to these shared volume(s) have the volume(s) mounted. Obtain a map or list VTOC of the shared volume(s). Check if shared volume(s) contain any critical or sensitive data sets. Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets. If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding. List critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).
Fix: F-103965r1_fix
Configure all identified volumes of shared DASD to be valid within the following. HMC VM z/OS If the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s). The ISSO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s), protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them.
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-002385
- Version
- RACF-OS-000360
- Vuln IDs
-
- V-98291
- Rule IDs
-
- SV-107395r1_rule
Checks: C-97127r1_chk
Examine the Policy Agent policy statements. If it can be determined that policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, this is not a finding.
Fix: F-103967r1_fix
Develop Policy application and policy agent to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
- RMF Control
- SC-5
- Severity
- M
- CCI
- CCI-001095
- Version
- RACF-OS-000370
- Vuln IDs
-
- V-98293
- Rule IDs
-
- SV-107397r1_rule
Checks: C-97129r1_chk
Examine the Policy Agent policy statements. If it can be determined that there are policy statements that manages excess capacity, this is not a finding.
Fix: F-103969r1_fix
Develop Policy application and Policy agent to manage excess capacity.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000060
- Version
- RACF-OS-000400
- Vuln IDs
-
- V-98295
- Rule IDs
-
- SV-107399r1_rule
Checks: C-97131r1_chk
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configure to conceal, via the session lock, information previously visible on the display with a publicly viewable image, this is a finding.
Fix: F-103971r1_fix
Configure the session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- RACF-OS-000410
- Vuln IDs
-
- V-98297
- Rule IDs
-
- SV-107401r1_rule
Checks: C-97133r1_chk
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to initiate session lock after a 15-minute period of inactivity, this is a finding.
Fix: F-103973r1_fix
Configure the session manager to initiate a session lock after a 15-minute period of inactivity.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000058
- Version
- RACF-OS-000420
- Vuln IDs
-
- V-98299
- Rule IDs
-
- SV-107403r1_rule
Checks: C-97135r1_chk
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager in use does not allow users to directly initiate a session lock for all connection types, this is a finding.
Fix: F-103975r1_fix
Develop a procedure to offload SMF files to a different system or media than the system being audited.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000056
- Version
- RACF-OS-000430
- Vuln IDs
-
- V-98301
- Rule IDs
-
- SV-107405r1_rule
Checks: C-97137r1_chk
Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use this is a finding. If the session manager is not configured to retain a user's session lock until that user reestablishes access using established identification and authentication procedures, this is a finding.
Fix: F-103977r1_fix
Configure the session manager to retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-000016
- Version
- RACF-OS-000440
- Vuln IDs
-
- V-98303
- Rule IDs
-
- SV-107407r1_rule
Checks: C-97139r1_chk
Ask the system administrator for the procedure to automatically remove or disable temporary user accounts after 72 hours. If there is no procedure, this is a finding.
Fix: F-103979r1_fix
Develop a procedure to automatically remove or disable temporary user accounts after 72 hours.
- RMF Control
- AC-2
- Severity
- M
- CCI
- CCI-001682
- Version
- RACF-OS-000450
- Vuln IDs
-
- V-98305
- Rule IDs
-
- SV-107409r1_rule
Checks: C-97141r1_chk
Ask the system administrator for the procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. If there is no procedure, this is a finding.
Fix: F-103981r1_fix
Develop a procedure to remove or disable emergency user accounts after the crisis is resolved or 72 hours.
- RMF Control
- CM-3
- Severity
- M
- CCI
- CCI-001744
- Version
- RACF-OS-000460
- Vuln IDs
-
- V-98307
- Rule IDs
-
- SV-107411r1_rule
Checks: C-97143r1_chk
Ask the system administrator for the procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. If there is no procedure, this is a finding.
Fix: F-103983r1_fix
Develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
- RMF Control
- AU-7
- Severity
- M
- CCI
- CCI-001876
- Version
- RACF-OS-000470
- Vuln IDs
-
- V-98309
- Rule IDs
-
- SV-107413r1_rule
Checks: C-97145r1_chk
Ask the system administrator for the procedure to provide an audit reduction capability that supports on-demand reporting requirements. If there is no procedure, this is a finding.
Fix: F-103985r1_fix
Develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements.
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-000879
- Version
- RACF-OS-000480
- Vuln IDs
-
- V-98311
- Rule IDs
-
- SV-107415r1_rule
Checks: C-97147r1_chk
Ask the system administrator for the procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. If there is no procedure, this is a finding.
Fix: F-103987r1_fix
Develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
- RMF Control
- SI-2
- Severity
- M
- CCI
- CCI-002617
- Version
- RACF-OS-000490
- Vuln IDs
-
- V-98313
- Rule IDs
-
- SV-107417r1_rule
Checks: C-97149r1_chk
Ask the system administrator for the procedure to remove all software components after updated versions have been installed. If there is no procedure, this is a finding.
Fix: F-103989r1_fix
Develop a procedure to remove all software components after updated versions have been installed.
- RMF Control
- SI-6
- Severity
- M
- CCI
- CCI-002702
- Version
- RACF-OS-000500
- Vuln IDs
-
- V-98315
- Rule IDs
-
- SV-107419r1_rule
Checks: C-97151r1_chk
Ask the system administrator for the procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur. If a procedure does not exist, this is a finding. If the procedure does not properly shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur, this is a finding.
Fix: F-103991r1_fix
Develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur.
- RMF Control
- AU-4
- Severity
- M
- CCI
- CCI-001851
- Version
- RACF-OS-000510
- Vuln IDs
-
- V-98317
- Rule IDs
-
- SV-107421r1_rule
Checks: C-97153r1_chk
Ask the system administrator for the procedure to offload SMF files to a different system or media than the system being audited. If the procedure does not exist, this is a finding.
Fix: F-103993r1_fix
Develop a procedure to offload SMF files to a different system or media than the system being audited.
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RACF-SH-000010
- Vuln IDs
-
- V-98319
- Rule IDs
-
- SV-107423r1_rule
Checks: C-97155r1_chk
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If ServerSMF is not coded with ServerSMF TYPE119_U83 or is commented out, this is a finding.
Fix: F-103995r1_fix
Configure the SERVERSMF statement in the SSH Daemon configuration file to TYPE119_U83.
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-000068
- Version
- RACF-SH-000020
- Vuln IDs
-
- V-98321
- Rule IDs
-
- SV-107425r2_rule
Checks: C-97157r1_chk
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. sshd_config If there are no "Ciphers" lines or the ciphers list contains any cipher not starting with "3des" or "aes", this is a finding. If the MACs line is not configured to "hmac-sha1" or greater this is a finding. Examine the z/OS-specific sshd server system-wide configuration: zos_sshd_config If any of the following is untrue, this is a finding. FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF
Fix: F-103997r1_fix
Edit the SSH daemon configuration and remove any ciphers not starting with "3des" or "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms. Configure for message authentication to MACs "hmac-sha1" or greater. Edit the z/OS-specific sshd server system-wide configuration file configuration as follows: FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF
- RMF Control
- AC-17
- Severity
- H
- CCI
- CCI-001453
- Version
- RACF-SH-000030
- Vuln IDs
-
- V-98323
- Rule IDs
-
- SV-107427r1_rule
Checks: C-97159r1_chk
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. sshd_config If there are no Ciphers lines or the ciphers list contains any cipher not starting with "3des" or "aes", this is a finding. If the MACs line is not configured to "hmac-sha1" or greater, this is a finding. Examine the z/OS-specific sshd server system-wide configuration: zos_sshd_config If any of the following is untrue, this is a finding. FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF
Fix: F-103999r1_fix
Edit the SSH daemon configuration and remove any ciphers not starting with "3des" or "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms. Configure for message authentication to MACs "hmac-sha1" or greater. Edit the z/OS-specific sshd server system-wide configuration file configuration as follows: FIPSMODE=YES CiphersSource=ICSF MACsSource=ICSF
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RACF-SH-000040
- Vuln IDs
-
- V-98325
- Rule IDs
-
- SV-107429r1_rule
Checks: C-97161r1_chk
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If Banner statement is missing or configured to none, this is a finding. Ensure that the contents of the file specified on the banner statement contain a logon banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. If there is any deviation this is a finding. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix: F-104001r1_fix
Configure the banner statement to a file that contains the Department of Defense (DoD) logon banner. Ensure that the contents of the file specified on the banner statement contain a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
- RMF Control
- CM-7
- Severity
- H
- CCI
- CCI-000382
- Version
- RACF-SH-000050
- Vuln IDs
-
- V-98327
- Rule IDs
-
- SV-107431r1_rule
Checks: C-97163r1_chk
Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If the variables "Protocol 2,1" or "Protocol 1" are defined on a line without a leading comment, this is a finding.
Fix: F-104003r1_fix
Edit the sshd_config file and set the "Protocol" setting to "2".
- RMF Control
- IA-5
- Severity
- M
- CCI
- CCI-000187
- Version
- RACF-SH-000060
- Vuln IDs
-
- V-98329
- Rule IDs
-
- SV-107433r1_rule
Checks: C-97165r1_chk
From the ISPF Command Shell enter: OMVS enter find / -name *.kdb If any files are found, this is a finding
Fix: F-104005r1_fix
Define all Keys/Certificates to the security database. Remove the all .kdb files.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-SL-000010
- Vuln IDs
-
- V-98331
- Rule IDs
-
- SV-107435r1_rule
Checks: C-97167r1_chk
From an ISPF Enter cd /usr/sbin Enter ls -alW If File Permission Bits and User Audit Bits for SYSLOG Daemon HFS directories and files is as below, this is not a finding. /usr/sbin/syslogd 1740 fff Enter cd /etc/ Enter ls -alW If the file Permission Bits and User Audit Bits for Output log file defined in the configuration file are as below, this is not a finding. /etc/syslog.conf 0744 faf 0744 fff Notes: The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings. The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file. For example, in /etc/rc: _BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf For example, in the SYSLOGD started task JCL: //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf' //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)''' The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-104007r1_fix
Configure the UNIX permission bits and user audit bits on the HFS directories and files for the Syslog daemon to conform to the specifications in the SYSLOG Daemon HFS Object Security Settings table below. Log files should have security that prevents anyone except the syslogd process and authorized maintenance jobs from writing to or deleting them. A maintenance process to periodically clear the log files is essential. Logging stops if the target file system becomes full. SYSLOG Daemon HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/syslogd 1740 fff [Configuration File] /etc/syslog.conf 0744 faf [Output log file defined in the configuration file] 0744 fff The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing NOTES: The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings. The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file. For example, in /etc/rc: _BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf For example, in the SYSLOGD started task JCL: //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf' //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)''' The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/syslogd chaudit rwx=f /usr/lpp/tcpip/sbin/syslogd chmod 0744 /etc/syslog.conf chaudit w=sf,rx+f /etc/syslog.conf chmod 0744 /log_dir/log_file chaudit rwx=f /log_dir/log_file
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-SL-000020
- Vuln IDs
-
- V-98333
- Rule IDs
-
- SV-107437r1_rule
Checks: C-97169r1_chk
SYSLOGD may be started from the shell, a cataloged procedure (STC), or the BPXBATCH program. Additionally, other mechanisms (e.g., a job scheduler) may be used to automatically start the Syslog daemon. To thoroughly analyze this requirement you may need to view the OS SYSLOG using SDSF, find the last IPL, and look for the initialization of SYSLOGD. If the Syslog daemon SYSLOGD is started automatically during the initialization of the z/S/ system, this is not a finding.
Fix: F-104009r1_fix
Review the files used to initialize tasks during system IPL (e.g., /etc/rc, SYS1.PARMLIB, any job scheduler definitions) configure the Syslog daemon to start automatically during z/OS system initialization. It is important that syslogd be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. As with other z/OS UNIX daemons, there is more than one way to start SYSLOGD. It can be started as a process in the /etc/rc file or as a z/OS started task.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-SL-000030
- Vuln IDs
-
- V-98335
- Rule IDs
-
- SV-107439r1_rule
Checks: C-97171r1_chk
From z/OS command screen enter: ListUser SYSLOGD OMVS (SYSLOGD is usual name of the SYSLOG daemon) If all of the following are true this is not a finding. If either of the following is untrue, this is a finding. -The SYSLOGD userid is defined as a PROTECTED userid. -The SYSLOGD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. From z/OS command screen enter: RList STARTED SYSLOGD If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.
Fix: F-104011r1_fix
The Syslog daemon userid is SYSLOGD. Define the SYSLOGD userid as a PROTECTED userid. Define the SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment. To set up and use as an MVS Started Proc, the following sample commands are provided: AU SYSLOGD NAME('stc, tcpip') NOPASSWORD NOOIDCARD DFLTGRP(STC) – OWNER(STC) DATA('Reference ISLG0020 for proper setup ') ALU SYSLOGD DFLTGRP(stctcpx) ALU SYSLOGD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) CO SYSLOGD GROUP(stctcpx) OWNER(stctcpx) A matching entry mapping the SYSLOGD started proc to the SYSLOGD userid is in the STARTED resource class. RDEF STARTED SYSLOGD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(SYSLOGD) GROUP(STC)) If /etc/rc is used to start the Syslog daemon ensure that the _BPX_JOBNAME and _BPX_ USERID environment variables are assigned a value of SYSLOGD.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-SM-000010
- Vuln IDs
-
- V-98337
- Rule IDs
-
- SV-107441r1_rule
Checks: C-97173r1_chk
Refer to the load modules residing in the following Load libraries to determine program resource definitions: SYS1.DGTLLIB for DFSMSdfp/ISMF SYS1.DGTLLIB for DFSMSdss/ISMF SYS1.DFQLLIB for DFSMShsm If the installation moves these modules to another load library the installation-defined load library must be used in the program protection. If the RACF resources are defined with a default access of NONE, this is not a finding. If the RACF resource access authorizations restrict access to the appropriate personnel, this is not a finding. (Refer to the chapter titled “Protecting the Storage Management Subsystem” in the IBM z/OS DFSMSdfp Storage Administration Guide to assist with guidance on appropriate access.)
Fix: F-104013r1_fix
(Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.) Refer to the chapter titled “Protecting the Storage Management Subsystem” in the IBM z/OS DFSMSdfp Storage Administration Guide. Use SMS Program Resources tables to determine the resources and access requirements for SMS Program Resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are specified. The RACF resources as designated in the table above are defined with a default access of NONE. The RACF resource access authorizations restrict access to the appropriate personnel as designated in the table above. The following commands are provided as a sample for implementing resource controls: RDEF PROGRAM ACBFUTO2 ADDMEM('SYS1.DSF.DGTLLIB'//NOPADCHK) - DATA('ADDED PER SRR PDI ZSMS0012 ') - AUDIT(FAILURE(READ)) UACC(NONE) OWNER(ADMIN) PERMIT ACBFUTO2 CLASS(PROGRAM) ID(********)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-SM-000020
- Vuln IDs
-
- V-98339
- Rule IDs
-
- SV-107443r1_rule
Checks: C-97175r1_chk
Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup If the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict WRITE or greater access to only systems programming personnel, this is not a finding. If the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets do not restrict WRITE or greater access to only systems programming personnel, this is a finding. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control datasets.
Fix: F-104015r1_fix
Review the SYS1.PARMLIB(IGDSMS00) data set to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup Configure the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets to restrict WRITE or greater access to only z/OS systems programming personnel. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control datasets. Some example commands to implement the proper controls are shown here: AD 'sys3.dfsms.mmd.commds.**' UACC(NONE) OWNER(SYS3) AUDIT(ALL(READ)) DATA('PROTECTED PER ZSMS0020') PE 'sys3.dfsms.mmd.commds.**' ID(<syspsmpl>) ACC(A)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-SM-000030
- Vuln IDs
-
- V-98341
- Rule IDs
-
- SV-107445r1_rule
Checks: C-97177r1_chk
From an ISPF Command Shell enter: SETRopts list If ACTIVE CLASSES lists the MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resources classes, this is not a finding.
Fix: F-104017r1_fix
Configure SETRopts to include MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resources classes as ACTIVE. The classes can be activated with the command: SETR CLASSACT(MGMTCLAS STORCLAS PROGRAM FACILITY) The classes can be RACLISTED with the command: SETR RACL(MGMTCLAS STORCLAS)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-SM-000040
- Vuln IDs
-
- V-98343
- Rule IDs
-
- SV-107447r2_rule
Checks: C-97179r2_chk
If all SMS resources and/or generic equivalent are properly protected according to the requirements specified and the following guidance is true, this is not a finding. The STGADMIN.** profile in the FACILITY resource class has a default access of NONE and no access is granted at this level. STGADMIN.DPDSRN.olddsname is restricted to System Programmers and all access is logged. The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers and all access is logged. The STGADMIN.IGG.DEFDEL.UALIAS is restricted to Centralized and Decentralized Security personnel and System Programmers and all access is logged. The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE is defined with access of NONE. Note: The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE can be defined with read access for migration purposes. If it is a detailed migration plan must be documented and filed by the ISSM that determines a definite migration period. All access must be logged. At the completion of migration this resource must be configured with access = NONE. The following resources and prefixes may be available to the end-user. STGADMIN.ADR.COPY.CNCURRNT STGADMIN.ADR.COPY.FLASHCPY STGADMIN.ADR.COPY.TOLERATE.ENQF STGADMIN.ADR.DUMP.CNCURRNT STGADMIN.ADR.DUMP.TOLERATE.ENQF STGADMIN.ADR.RESTORE.TOLERATE.ENQF STGADMIN.ARC.ENDUSER.* STGADMIN.IGG.ALTER.SMS The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and System programmers. STGADMIN.IDC.DCOLLECT The following resources are restricted to Application Production Support Team members, DASD managers, and System programmers. STGADMIN.ARC.CANCEL STGADMIN.ARC.LIST STGADMIN.ARC.QUERY STGADMIN.ARC.REPORT STGADMIN.DMO.CONFIG STGADMIN.IFG.READVTOC STGADMIN.IGG.DELGDG.FORCE The following resource prefixes, at a minimum, are restricted to DASD managers and System programmers. STGADMIN.ADR STGADMIN.ANT STGADMIN.ARC STGADMIN.DMO STGADMIN.ICK STGADMIN.IDC STGADMIN.IFG STGADMIN.IGG STGADMIN.IGWSHCDS The following Storage Administrator functions prefix is restricted to DASD managers and System programmers and all access is logged. STGADMIN.ADR.STGADMIN.*
Fix: F-104019r2_fix
(Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.) Below is listed the access requirements for SMS Resources. Configure the resources and/or generic equivalent are followed. The RACF resources are defined with a default access of NONE. The RACF resource rules for the resources specify UACC(NONE) and NOWARNING. Ensure that no access is given to the high-level STGADMIN resource. Example: RDEF FACILITY STGADMIN.** OWNER(ADMIN) - UACC(NONE) AUDIT(ALL(READ)) Ensure no access is given to resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE.* Example: RDEF FACILITY STGADMIN.IGG.CATALOG.SECURITY.CHANGE OWNER(ADMIN) – UACC(NONE) AUDIT(ALL(READ)) The STGADMIN.DPDSRN.olddsname is restricted to System Programmers and all access is logged. Example: RDEF FACILITY STGADMIN.DPDSRN.olddsname OWNER(ADMIN) - UACC(NONE) AUDIT(ALL(READ)) PE STGADMIN.DPDSRN.olddsname CL(FACILITY) ID(syspsmpl) The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers and all access is logged. Example: RDEF FACILITY STGADMIN.IGD.ACTIVATE.CONFIGURATION OWNER(ADMIN) - UACC(NONE) AUDIT(ALL(READ)) PE STGADMIN.IGD.ACTIVATE.CONFIGURATION CL(FACILITY) ID(syspsmpl) The STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel and all access is logged. Example: RDEF FACILITY STGADMIN.IGG.DEFDEL.UALIAS OWNER(ADMIN) - UACC(NONE) AUDIT(ALL(READ)) PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(secasmpl) PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(secdsmpl) PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(syspsmpl) The following resources and prefixes may be available to the end-user. STGADMIN.ADR.COPY.CNCURRNT STGADMIN.ADR.COPY.FLASHCPY STGADMIN.ADR.COPY.TOLERATE.ENQF STGADMIN.ADR.DUMP.CNCURRNT STGADMIN.ADR.DUMP.TOLERATE.ENQF STGADMIN.ADR.RESTORE.TOLERATE.ENQF STGADMIN.ARC.ENDUSER.* STGADMIN.IGG.ALTER.SMS Example: RDEF FACILITY STGADMIN.ADR.COPY.CNCURRNT.** OWNER(ADMIN) - UACC(NONE) AUDIT(FAILURE(READ)) PE STGADMIN.ADR.COPY.CNCURRNT.** CL(FACILITY) ID(endusers) The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and System programmers. STGADMIN.IDC.DCOLLECT Example: RDEF FACILITY STGADMIN.IDC.DCOLLECT.** OWNER(ADMIN) - UACC(NONE) AUDIT(FAILURE(READ)) PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(appssmpl) PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(autosmpl) PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(dasbsmpl) PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(dasdsmpl) PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(syspsmpl) The following resources are restricted to Application Production Support Team members, DASD managers, and System programmers. STGADMIN.ARC.CANCEL STGADMIN.ARC.LIST STGADMIN.ARC.QUERY STGADMIN.ARC.REPORT STGADMIN.DMO.CONFIG STGADMIN.IFG.READVTOC STGADMIN.IGG.DELGDG.FORCE Example: RDEF FACILITY STGADMIN.ARC.CANCEL.** OWNER(ADMIN) - UACC(NONE) AUDIT(FAILURE(READ)) PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(appssmpl) PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(dasbsmpl) PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(dasdsmpl) PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(syspsmpl) The following resource prefixes, at a minimum, are restricted to DASD managers and System programmers. STGADMIN.ADR STGADMIN.ANT STGADMIN.ARC STGADMIN.DMO STGADMIN.ICK STGADMIN.IDC STGADMIN.IFG STGADMIN.IGG STGADMIN.IGWSHCDS Example: RDEF FACILITY STGADMIN.ADR.** OWNER(ADMIN) - UACC(NONE) AUDIT(FAILURE(READ)) PE STGADMIN.ADR.** CL(FACILITY) ID(dasbsmpl) PE STGADMIN.ADR.** CL(FACILITY) ID(dasdsmpl) PE STGADMIN.ADR.** CL(FACILITY) ID(syspsmpl) The following Storage Administrator functions prefix is restricted to DASD managers and System programmers and all access is logged. STGADMIN.ADR.STGADMIN.* Example: RDEF FACILITY STGADMIN.ADR.STGADMIN.** OWNER(ADMIN) - UACC(NONE) AUDIT(ALL(READ)) PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(dasbsmpl) PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(dasdsmpl) PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(syspsmpl)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-SM-000050
- Vuln IDs
-
- V-98345
- Rule IDs
-
- SV-107449r1_rule
Checks: C-97181r1_chk
Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), for the following SMS parameter settings: Parameter Key SMS ACDS(ACDS data set name) COMMDS(COMMDS data set name) If the required parameters are defined, this is not a finding.
Fix: F-104021r1_fix
Configure the DFSMS-related PDS members and statements specified in the system parmlib concatenation as outlined below: Parameter Key SMS ACDS(ACDS data set name) COMMDS(COMMDS data set name)
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000067
- Version
- RACF-TC-000010
- Vuln IDs
-
- V-98347
- Rule IDs
-
- SV-107451r1_rule
Checks: C-97183r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file, this is not a finding. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The SMFPARMS statement is not coded or commented out. The DELETE statement is not coded or commented out for production systems. The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands. The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance.
Fix: F-104023r1_fix
Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The SMFPARMS statement is not coded or commented out. The DELETE statement is not coded or commented out for production systems. The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands. The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance in STIG ID ITCP0070. BASE TCP/IP PROFILE.TCPIP CONFIGURATION STATEMENTS FUNCTIONS INCLUDE- Specifies the name of an MVS data set that contains additional PROFILE.TCPIP statements to be used - Alters the configuration specified by previous statements SMFPARMS- Specifies SMF logging options for some TCP applications; replaced by SMFCONFIG - Controls collection of audit data DELETE- Specifies some previous statements, including PORT and PORTRANGE, that are to be deleted - Alters the configuration specified by previous statements SMFCONFIG- - Specifies SMF logging options for Telnet, FTP, TCP, API, and stack activity - Controls collection of audit data TCPCONFIG- Specifies various settings for the TCP protocol layer of TCP/IP - Controls port access
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-002314
- Version
- RACF-TC-000020
- Vuln IDs
-
- V-98349
- Rule IDs
-
- SV-107453r1_rule
Checks: C-97185r1_chk
Refer the TCP/IP PROFILE DD statement to determine the TCP/IP Ports. If the PROFILE DD statement is not supplied, use the default search order to find the PROFILE data set. See the IP Configuration Guide for a description of the search order for PROFILE.TCPIP. If the all the Ports included in the configuration are restricted to the ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments, this is not a finding.
Fix: F-104025r1_fix
Configure TCP/IP PROFILE port definitions to adhere to ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TC-000030
- Vuln IDs
-
- V-98351
- Rule IDs
-
- SV-107455r1_rule
Checks: C-97187r1_chk
From the ISPF Command Shell enter: omvs At the input line enter: cd /etc enter ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /etc/hosts 0744 faf /etc/protocol 0744 faf /etc/resolv.conf 0744 faf /etc/services 0740 faf cd /usr ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /usr/lpp/tcpip/sbin 0755 faf /usr/lpp/tcpip/bin 0755 faf Notes: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-104027r1_fix
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server to conform to the specifications in the table below: BASE TCP/IP HFS Object Security Settings File Permission Bits User Audit Bits /etc/hosts 0744 faf /etc/protocol 0744 faf /etc/resolv.conf 0744 faf /etc/services 0740 faf /usr/lpp/tcpip/sbin 0755 faf /usr/lpp/tcpip/bin 0755 faf Some of the files listed above (e.g., /etc/resolv.conf) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all directories and files that do exist will have the specified permission and audit bit settings. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 0744 /etc/hosts chaudit w=sf,rx+f /etc/hosts chmod 0744 /etc/protocol chaudit w=sf,rx+f /etc/protocol chmod 0744 /etc/resolv.conf chaudit w=sf,rx+f /etc/resolv.conf chmod 0740 /etc/services chaudit w=sf,rx+f /etc/services chmod 0755 /usr/lpp/tcpip/bin chaudit w=sf,rx+f /usr/lpp/tcpip/bin chmod 0755 /usr/lpp/tcpip/sbin chaudit w=sf,rx+f /usr/lpp/tcpip/sbin
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TC-000040
- Vuln IDs
-
- V-98353
- Rule IDs
-
- SV-107457r1_rule
Checks: C-97189r1_chk
From the ISPF Command Shell enter: RLIST SERVAUTH * ALL If the following guidance is true, this is not a finding. The EZA, EZB, and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE). No access is given to the EZA, EZB, and IST high level resources of the SERVAUTH resource class. If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. If the product CSSMTP is on the system, EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services. Authenticated users that require access will be permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class. The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements. The EZB.FTP.*.*.ACCESS.HFS) resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and Directories.
Fix: F-104029r1_fix
Develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources. (Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource class, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.) Ensure that the EZA, EZB and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE). No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class. If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services. Only authenticated users that require access are permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class. The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements. The EZB.FTP.*.*.ACCESS.HFS) resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and Directories. The following commands are provided as a sample for implementing resource controls: RDEF SERVAUTH EZB.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.CSSMTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.CSSMTP.sysname.writername.JESnode UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.FTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.NETACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.PORTACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) RDEF SERVAUTH EZB.STACKACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ)) PE EZB.CSSMTP.sysname.writername.JESnode CL(SERVAUTH) ID(authusers) ACC(READ) PE EZB.FTP.** CL(SERVAUTH) ID(authusers) ACC(READ) PE EZB.FTP.sysname.ftpstc.ACCESS.HFS CL(SERVAUTH) ID(ftpprofile) ACC(READ) PE EZB.NETACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ) PE EZB.PORTACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ) PE EZB.STACKACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ) PE EZB.STACKACCESS.sysname.TCPIP CL(SERVAUTH) ID(ftpprofile) ACC(READ) The following notes apply to these controls: - EZB.STACKACCESS.sysname.TCPIP access READ should be limited to only those started tasks that require access to the TCPIP Stack as well as any users approved for FTP Access (inbound and/or outbound). FTP users should not have access to the EZB.FTP.sysname.ftpstc.ACCESS.HFS resource unless specific written justification documenting valid requirement for those FTP users to access USS files and directories via FTP. - To be effective in restricting access, the network (EZB.NETACCESS) resource control requires configuration of the NETACCESS statement in the PROFILE.TCPIP file. - To be effective in restricting access, the port (EZB.PORTACCESS) resource control requires configuration of a PORT or PORTRANGE statement in the PROFILE.TCPIP file. These port definitions within PROFILE.TCPIP must be defined to include SAF keyword and a valid name. A list of possible SERVAUTH resources defined to the first two nodes is shown here: (Note that additional resources may be developed with each new release of TCPIP.) EZA.DCAS. EZB.BINDDVIPARANGE. EZB.CIMPROV. EZB.FRCAACCESS. EZB.FTP. EZB.INITSTACK. EZB.IOCTL. EZB.IPSECCMD. EZB.MODDVIPA. EZB.NETACCESS. EZB.NETMGMT. EZB.NETSTAT. EZB.NSS. EZB.NSSCERT. EZB.OSM. EZB.PAGENT. EZB.PORTACCESS. EZB.RPCBIND. EZB.SOCKOPT. EZB.SNMPAGENT. EZB.STACKACCESS. EZB.TN3270. IST.NETMGMT.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TC-000050
- Vuln IDs
-
- V-98355
- Rule IDs
-
- SV-107459r1_rule
Checks: C-97191r1_chk
From a command input screen enter: SETROPTS LIST If there are TCP/IP resources defined and the SERVAUTH resource class is not active, this is a finding.
Fix: F-104031r1_fix
Configure RACF SETROPTS to have the SERVAUTH resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The SERVAUTH Class is activated with the command SETR CLASSACT (SERVAUTH). Generic profiles and commands should also be enabled with the command SETR GENERIC(SERVAUTH) GENCMD(SERVAUTH).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TC-000060
- Vuln IDs
-
- V-98357
- Rule IDs
-
- SV-107461r1_rule
Checks: C-97193r1_chk
From a command input screen enter: SETROPTS LIST If there are TCP/IP resources defined and the SERVAUTH resource class is not active, this is a finding.
Fix: F-104033r1_fix
Ensure that the SERVAUTH resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The SERVAUTH Class is activated with the command SETR CLASSACT (SERVAUTH). Generic profiles and commands should also be enabled with the command SETR GENERIC(SERVAUTH) GENCMD(SERVAUTH).
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TC-000070
- Vuln IDs
-
- V-98359
- Rule IDs
-
- SV-107463r2_rule
Checks: C-97195r2_chk
Execute a dataset access list for Base TCP/IP component datasets. If the following items are true, this is not a finding. WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA). WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.
Fix: F-104035r2_fix
Review the data set access authorizations defined to the ACP for the Base TCP/IP component. Configure these data sets to be protected in accordance with the following rules: WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP. SEZA). WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-TC-000080
- Vuln IDs
-
- V-98361
- Rule IDs
-
- SV-107465r1_rule
Checks: C-97197r1_chk
Refer to the procedure libraries defined to JES2 and locate the TCPIP JCL member. If the PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively, this not a finding. If the RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement, this is not a finding.
Fix: F-104037r1_fix
Review the TCP/IP started task JCL to ensure the configuration file names are specified on the appropriate DD statements and parameter option. During initialization the TCP/IP stack uses fixed search sequences to locate the PROFILE.TCPIP and TCPIP.DATA files. However, uncertainty is reduced and security auditing is enhanced by explicitly specifying the locations of the files. In the TCP/IP started task’s JCL, Data Definition (DD) statements can be used to specify the locations of the files. The PROFILE DD statement identifies the PROFILE.TCPIP file and the SYSTCPD DD statement identifies the TCPIP.DATA file. The location of the TCPIP.DATA file can also be specified by coding the RESOLVER_CONFIG environment variable as a parameter of the ENVAR option in the TCP/IP started task’s JCL. In fact, the value of this variable is checked before the SYSTCPD DD statement by some processes. However, not all processes (e.g., TN3270 Telnet Server) will access the variable to get the file location. Therefore specifying the file location explicitly, both on a DD statement and through the RESOLVER_CONFIG environment variable, reduces ambiguity. The systems programmer responsible for supporting ICS will ensure that the TCP/IP started task’s JCL specifies the PROFILE and SYSTCPD DD statements for the PROFILE.TCPIP and TCPIP.DATA configuration files and TCP/IP started task’s JCL includes the RESOLVER_CONFIG variable, set to the name of the file specified on the SYSTCPD DD statement.
- RMF Control
- MA-4
- Severity
- M
- CCI
- CCI-002884
- Version
- RACF-TC-000090
- Vuln IDs
-
- V-98363
- Rule IDs
-
- SV-107467r1_rule
Checks: C-97199r2_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. If the SMFPARMS statement is not coded or commented out, this is not a finding. If the DELETE statement is not coded or commented out for production system, this is not a finding. If the SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands, this is not a finding. If the TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand, this is not a finding.
Fix: F-104039r1_fix
Configure the statements in the PROFILE.TCPIP file to conform to the specifications below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. -The SMFPARMS statement is not coded or commented out. -The DELETE statement is not coded or commented out for production systems. -The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands. -The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance in STIG ID ITCP0070.
- RMF Control
- SC-21
- Severity
- M
- CCI
- CCI-002468
- Version
- RACF-TC-000100
- Vuln IDs
-
- V-98365
- Rule IDs
-
- SV-107469r1_rule
Checks: C-97201r1_chk
Refer to the Data configuration file specified on the SYSTCPD DD statement in the TCPIP started task JCL. If the DOMAINORIGIN/DOMAIN (The DOMAIN statement is functionally equivalent to the DOMAINORIGIN Statement) is specified in the TCP/IP Data configuration file, this is not a finding.
Fix: F-104041r1_fix
Configure the TCPIP.DATA file to include the DOMAINORIGIN/DOMAIN (The DOMAIN statement is functionally equivalent to the DOMAINORIGIN Statement).
- RMF Control
- AC-12
- Severity
- M
- CCI
- CCI-002361
- Version
- RACF-TN-000010
- Vuln IDs
-
- V-98367
- Rule IDs
-
- SV-107471r1_rule
Checks: C-97203r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL. Note: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETGLOBAL Block (only one defined) TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) If the TELNETPARMS INACTIVE statement is coded either in the TELNETGLOBALS or within each TELNETPARMS statement block and specifies a value between "1" and "900", this is not a finding.
Fix: F-104043r1_fix
Configure the configuration statements in the PROFILE.Tn3270 to conform to the specifications below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS INACTIVE statement is coded either within the TELNETGLOBALS OR within each TELNETPARMS statement block and specifies a value between "1" and "900".
- RMF Control
- AC-17
- Severity
- M
- CCI
- CCI-000068
- Version
- RACF-TN-000020
- Vuln IDs
-
- V-98369
- Rule IDs
-
- SV-107473r1_rule
Checks: C-97205r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following items are in effect for the configuration specified in the TCP/IP Profile configuration file, this is not a finding. NOTE: If an INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. NOTE: FIPS 140-2 minimum encryption is the accepted level of encryption and will override this requirement if greater. The TELNETGLOBALS block that specifies an ENCRYPTION statement states one or more of the below cipher specifications. Each TELNETPARMS block that specifies the SECUREPORT statement, specifies an ENCRYPTION statement states one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA
Fix: F-104045r1_fix
Configure the SECUREPORT and TELNETPARMS ENCRYPTION statements and/or the TELNETGLOBALS statement in the PROFILE.TCPIP file to conform to the requirements specified below. The TELNETGLOBALS block may specify an ENCRYPTION statement that specifies one or more of the below cipher specifications. Each TELNETPARMS block that specifies the SECUREPORT statement, an ENCRYPTION statement is coded with one or more of the below cipher specifications. And the TELNETGLOBALS block does or does not specify an ENCRYPTION statement. To prevent the use of non FIPS 140-2 encryption, the TELNETGLOBALS block and/or each TELNETPARMS block that specifies an ENCRYPTION statement will specify one or more of the following cipher specifications: Cipher Specifications SSL_3DES_SHA SSL_AES_256_SHA SSL_AES_128_SHA Note: Always check for the minimum allowed in FIPS 140-2.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- RACF-TN-000030
- Vuln IDs
-
- V-98371
- Rule IDs
-
- SV-107475r1_rule
Checks: C-97207r1_chk
Review all USS tables referenced in BEGINVTAM USSTCP statements in the PROFILE.TCPIP file. Verify the MSG10 text specifies a logon banner in accordance with DISA requirements. See MGG10 below: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. DOD requires that a logon warning banner be displayed. Within the TN3270 Telnet Server, the banner can be implemented through the USS table that is specified on a BEGINVTAM USSTCP statement. The text associated with message ID 10 (i.e., MSG10) in the USS table is sent to clients that are subject to USSTCP processing. If a logon warning banner is not set up to be displayed, this is a finding.
Fix: F-104047r1_fix
Review all USS tables referenced in BEGINVTAM USSTCP statements in the PROFILE.TCPIP file. Ensure the MSG10 text specifies a logon banner in accordance with DISA requirements. See MGG10 below: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. DOD requires that a logon warning banner be displayed. Within the TN3270 Telnet Server, the banner can be implemented through the USS table that is specified on a BEGINVTAM USSTCP statement. The text associated with message ID 10 (i.e., MSG10) in the USS table is sent to clients that are subject to USSTCP processing.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RACF-TN-000040
- Vuln IDs
-
- V-98373
- Rule IDs
-
- SV-107477r1_rule
Checks: C-97209r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL. If all USS tables referenced in BEGINVTAM USSTCP statements include MSG10 text that specifies the Standard logon banner, this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. DOD requires that a logon warning banner be displayed. Within the TN3270 Telnet Server, the banner can be implemented through the USS table that is specified on a BEGINVTAM USSTCP statement. The text associated with message ID 10 (i.e., MSG10) in the USS table is sent to clients that are subject to USSTCP processing.
Fix: F-104049r1_fix
Review all USS tables referenced in BEGINVTAM USSTCP statements in the PROFILE.TCPIP file. Ensure the MSG10 text specifies a logon banner in accordance with DISA requirements. See MGG10 below: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. DOD requires that a logon warning banner be displayed. Within the TN3270 Telnet Server, the banner can be implemented through the USS table that is specified on a BEGINVTAM USSTCP statement. The text associated with message ID 10 (i.e., MSG10) in the USS table is sent to clients that are subject to USSTCP processing.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-TN-000050
- Vuln IDs
-
- V-98375
- Rule IDs
-
- SV-107479r1_rule
Checks: C-97211r1_chk
Refer to the TN3270 Profile configuration file identified by the PROFILE DD in the TN3270 procedure. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. If all of the following are true, this is not a finding. If any of the following is untrue, this is a finding. -Within each BEGINVTAM statement block, one BEGINVTAM USSTCP statement is coded that specifies only the table name operand. No client identifier, such as host name or IP address, is specified so the statement applies to all connections not otherwise controlled. -The USS table specified on each “back stop” USSTCP statement mentioned in Item (1) above is coded to allow access only to session manager applications and NC PASS applications. -Within each BEGINVTAM statement block, additional BEGINVTAM USSTCP statements that specify a USS table that allows access to other applications may be coded only if the statements include a client identifier operand that references only secure terminals. -Any BEGINVTAM DEFAULTAPPL statement that does not specify a client identifier, or specifies any type of client identifier that would apply to unsecured terminals, specifies a session manager application or an NC PASS application as the application name. -Any BEGINVTAM LUMAP statement, if used with the DEFAPPL operand and applied to unsecured terminals, specifies only a session manager application or an NC PASS application. NOTE: The BEGINVTAM LINEMODEAPPL requirements will not be reviewed at this time. Further testing must be performed to determine how the CL/Supersession and NC-PASS applications work with line mode.
Fix: F-104051r1_fix
Review the BEGINVTAM configuration statements in the PROFILE.TCPIP file. Ensure they conform to the specifications below. NOTE: If the INCLUDE statement is coded in the TN3270 Profile configuration file, the data set specified on this statement must be checked for the following items as well. Within each BEGINVTAM statement block, one BEGINVTAM USSTCP statement is coded that specifies only the table name operand. No client identifier, such as host name or IP address, is specified so the statement applies to all connections not otherwise controlled. The USS table specified on each “back stop” USSTCP statement mentioned above is coded to allow access only to session manager applications and NC PASS applications. Within each BEGINVTAM statement block, additional BEGINVTAM USSTCP statements that specify a USS table that allows access to other applications may be coded only if the statements include a client identifier operand that references only secure terminals. Any BEGINVTAM DEFAULTAPPL statement that does not specify a client identifier, or specifies any type of client identifier that would apply to unsecured terminals, specifies a session manager application or an NC PASS application as the application name.
- RMF Control
- SC-10
- Severity
- M
- CCI
- CCI-001133
- Version
- RACF-TN-000060
- Vuln IDs
-
- V-98377
- Rule IDs
-
- SV-107481r1_rule
Checks: C-97213r1_chk
Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL. Note: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETGLOBAL Block (only one defined) TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) If the TELNETPARMS INACTIVE statement is coded either in the TELNETGLOBALS or within each TELNETPARMS statement block and specifies a value between "1" and "900", this is not a finding.
Fix: F-104053r1_fix
Configure the configuration statements in the PROFILE.Tn3270 to conform to the specifications below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS INACTIVE statement is coded either within the TELNETGLOBALS OR within each TELNETPARMS statement block and specifies a value between "1" and "900".
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-TS-000010
- Vuln IDs
-
- V-98379
- Rule IDs
-
- SV-107483r1_rule
Checks: C-97215r1_chk
From the ISPF Command Shell enter: RLIST SURROGAT * Ensure that all TSOAUTH resources and/or generic equivalent are properly protected according to the requirements specified. If the following guidance is true, this is not a finding. The ACCT authorization is restricted to security personnel. The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the ISSOs discretion. The MOUNT authorization is restricted to DASD batch users only. The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to auditors. The TESTAUTH authorization is restricted to only z/OS systems programming personnel.
Fix: F-104055r1_fix
Configure the TSOAUTH resource class to control sensitive TSO/E commands. (Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.) Below is listed the access requirements for TSOAUTH resources. Ensure the guidelines for the resources and/or generic equivalent are followed. The ACCT authorization is restricted to security personnel. The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.) and READ access may be given to all user when SDSF in install at the ISSOs discretion. The MOUNT authorization is restricted to DASD batch users only. The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.). The PARMLIB authorization is restricted to only z/OS systems programming personnel and READ access may be given to audit users. The TESTAUTH authorization is restricted to only z/OS systems programming personnel.
- RMF Control
- AC-6
- Severity
- H
- CCI
- CCI-002235
- Version
- RACF-TS-000020
- Vuln IDs
-
- V-98381
- Rule IDs
-
- SV-107485r1_rule
Checks: C-97217r1_chk
Ask the system administrator to provide a list of all emergency userids available to the site along with the associated function of each. If SYS1.UADS userids are limited and reserved for emergency purposes only, this is not a finding.
Fix: F-104057r1_fix
Configure the SYS1.UADS entries to ensure LOGONIDs defined include only those users required to support specific functions related to system recovery. Evaluate the impact of accomplishing the change.
- RMF Control
- AC-3
- Severity
- H
- CCI
- CCI-000213
- Version
- RACF-US-000010
- Vuln IDs
-
- V-98383
- Rule IDs
-
- SV-107487r1_rule
Checks: C-97219r1_chk
From the ISPF Command Shell enter: RL UNIXPRIV * AUTHUSER If the RACF rules for the SUPERUSER resource specify a default access of NONE, this is not a finding. If there are no RACF rules that allow access to the SUPERUSER resource, this is not a finding. If there is no RACF rule for CHOWN.UNRESTRICTED defined, this is not a finding. If the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE, this is not a finding. If the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.
Fix: F-104059r1_fix
Configure all SUPERUSER resources for the UNIXPRIV resource class to be restricted to appropriate system tasks and/or system programming personnel. -The RACF rules for the SUPERUSER resource specify a default access of NONE. -There are no RACF rules that allow access to the SUPERUSER resource. -There is no RACF rule for CHOWN.UNRESTRICTED defined. -The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE. -The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel. Sample Commands: RDEF UNIXPRIV SUPERUSER.** UACC(NONE) OWNER(ADMIN) DATA('REFERENCE ZUSS0023') AUDIT(ALL(READ)) /* do not permit any users/groups to this resource */ SR CLASS(UNIXPRIV) MASK(CHOWN.UNRESTRICTED) /* delete if found */ PE SUPERUSER.FILESYS.** CL(UNIXPRIV) ID(<SYSPsmpl>)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000020
- Vuln IDs
-
- V-98385
- Rule IDs
-
- SV-107489r1_rule
Checks: C-97221r1_chk
From the ISPF Command Shell enter: RL FACILITY * AUTHUSER If the RACF rules for the BPX.** resource specify a default access of NONE, this is not a finding. If there are no RACF user access to the BPX.** resource, this is not a finding. If there is no RACF rule for BPX.SAFFASTPATH defined, this is not a finding. If the RACF rules for each of the BPX resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.
Fix: F-104061r1_fix
There are a number of resources available under z/OS UNIX that must be secured in order to preserve system integrity while allowing effective application and user access. All of these resources might not be used in every configuration, but several of them have critical impacts. The default access for each of these resources must be no access. A generic resource (e.g., BPX.**) must also be set to a default access of none to cover future additions. Because they convey especially powerful privileges, the settings for BPX.DAEMON, BPX.SAFFASTPATH, BPX.SERVER, and BPX.SUPERUSER require special attention. Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel userid, z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). As noted above, the BPX.SAFFASTPATH definition can cause successful security checks not to be audited. Because auditing of all accesses is required for some system files, BPX.SAFFASTPATH must not be used. Access to BPX.SERVER must be restricted to system software processes that act as servers under z/OS UNIX (e.g., web servers). Access to BPX.SUPERUSER must be restricted to Security Administrators and individual systems programming personnel. It is not appropriate for all systems programming personnel, only for those with responsibilities for components or products that use z/OS UNIX and that require superuser capability for maintenance. -The RACF rules for the BPX.** resource specify a default access of NONE. -There are no RACF user access to the BPX.** resource. -There is no RACF rule for BPX.SAFFASTPATH defined. -The RACF rules for each of the BPX resources specify a UACC value of NONE. -The RACF rules for each of the BPX resources restrict access to appropriate system tasks or systems programming personnel as specified. The following list of sample commands is provided to implement this requirement: rdef facility bpx.** quack(none) owner(admin) audit(all(read)) - data('see zuss0021') rdef facility bpx.daemon quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.daemon cl(facility id(<authorized_users>) rdef facility bpx.debug quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.debug cl(facility id(<authorized_users>) rdef facility bpx.fileattr.apf quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.fileattr.apf cl(facility id(<authorized_users>) rdef facility bpx.fileattr.progctl quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.fileattr.progctl cl(facility id(<authorized_users>) rdef facility bpx.jobname quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.jobname cl(facility id(<authorized_users>) rdef facility bpx.server quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.server cl(facility id(<authorized_users>) rdef facility bpx.smf quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.smf cl(facility id(<authorized_users>) rdef facility bpx.stor.swap quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.stor.swap cl(facility id(<authorized_users>) rdef facility bpx.superuser quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.superuser cl(facility id(<authorized_users>) rdef facility bpx.wlmserver quack(none) owner(admin) - audit(all(read)) data('see zuss0021') pe bpx.wlmserver cl(facility id(<authorized_users>)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000030
- Vuln IDs
-
- V-98387
- Rule IDs
-
- SV-107491r1_rule
Checks: C-97223r1_chk
On the OMVS Command line enter the following command string: find / -type d -perm -0002 ! -perm -1000 -exec ls -aldWE {} \; If there are no directories that have the other write permission bit set on without the sticky bit set on, this is not a finding. NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”. If all directories that have the other write permission bit set on do not contain any files with the setuid bit set on, this is not a finding. NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”. If all directories that have the other write permission bit set on do not contain any files with the setgid bit set on, this is not a finding. NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.
Fix: F-104063r1_fix
Configure directory permissions as follows: There are no directories that have the other write permission bit set on without the sticky bit set on. NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”. All directories that have the other write permission bit set on do not contain any files with the setuid bit set on. NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”. All directories that have the other write permission bit set on do not contain any files with the setgid bit set on. NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000040
- Vuln IDs
-
- V-98389
- Rule IDs
-
- SV-107493r1_rule
Checks: C-97225r1_chk
From the ISPF Command Shell enter: SETRopts list If the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, this is not a finding. If the FACILITY, SURROGAT, and UNIXPRIV resource classes are missing, this is a finding.
Fix: F-104065r1_fix
Define the ACTIVE CLASS Parameter in SETROPTS to include the FACILITY, SURROGAT and UNIXPRIV resource classes. EXAMPLES: SETR CLASSACT(FACILITY SURROGAT UNIXPRIV) SETR GENERIC(FACILITY SURROGAT UNIXPRIV) SETR GENCMD(FACILITY SURROGAT UNIXPRIV) SETR RACL(FACILITY SURROGAT UNIXPRIV)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000050
- Vuln IDs
-
- V-98391
- Rule IDs
-
- SV-107495r1_rule
Checks: C-97227r1_chk
From the ISPF Command Shell enter: ISHELL /etc/profile If the final or only instance of the UMASK command in /etc/profile is specified as “umask 077”, this is not a finding. If the LOGNAME variable is marked read-only (i.e., “readonly LOGNAME”) in /etc/profile, this is not a finding.
Fix: F-104067r1_fix
Configure the etc/profile to specify the UMASK command is executed with a value of 077 and the LOGNAME variable is marked read-only for the /etc/profile file, exceptions are documented with the ISSO.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000060
- Vuln IDs
-
- V-98393
- Rule IDs
-
- SV-107497r1_rule
Checks: C-97229r1_chk
From the ISPF Command Shell enter: ISHELL /etc/rc If all of the CHMOD commands in /etc/rc do not result in less restrictive access than what is specified in the tables below, this is not a finding. NOTE: The use of CHMOD commands in /etc/rc is required in most environments to comply with the required settings, especially for dynamic objects such as the /dev directory. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) If all of the CHAUDIT commands in /etc/rc do not result in less auditing than what is specified in the tables below this is not a finding. NOTE: The use of CHAUDIT commands in /etc/rc may not be necessary. If none are found, there is not a finding. The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing If the _BPX_JOBNAME variable is appropriately set (i.e., to match daemon name) as each daemon (e.g., syslogd, inetd) is started in /etc/rc, this is not a finding. NOTE: If _BPX_JOBNAME is not specified, the started address space will be named using an inherited value. This could result in reduced security in terms of operator command access. SYSTEM DIRECTORY SECURITY SETTINGS DIRECTORY PERMISSION BITS USER AUDIT BITS FUNCTION / [root] 755 faf Root level of all file systems. Holds critical mount points. /bin 1755 fff Shell scripts and executables for basic functions /dev 1755 fff Character-special files used when logging into the OMVS shell and during C language program compilation. Files are created during system IPL and on a per-demand basis. /etc 1755 faf Configuration programs and files (usually with locally customized data) used by z/OS UNIX and other product initialization processes /lib 1755 fff System libraries including dynamic link libraries and files for static linking /samples 1755 fff Sample configuration and other files /tmp 1777 fff Temporary data used by daemons, servers, and users. Note: /tmp must have the sticky bit on to restrict file renames and deletions. /u 1755 fff Mount point for user home directories and optionally for third-party software and other local site files /usr 1755 fff Shell scripts, executables, help (man) files and other data. Contains sub-directories (e.g., lpp) and mount points used by program products that may be in separate file systems. /var 1775 fff Dynamic data used internally by products and by elements and features of z/OS UNIX. SYSTEM FILE SECURITY SETTINGS FILE PERMISSION BITS USER AUDIT BITS FUNCTION /bin/sh 1755 faf z/OS UNIX shell Note: /bin/sh has the sticky bit on to improve performance. /dev/console 740 fff The system console file receives messages that may require System Administrator (SA) attention. /dev/null 666 fff A null file; data written to it is discarded. /etc/auto.master and any mapname files 740 faf Configuration files for automount facility /etc/inetd.conf 740 faf Configuration file for network services /etc/init.options 740 faf Kernel initialization options file for z/OS UNIX environment /etc/log 744 fff Kernel initialization output file /etc/profile 755 faf Environment setup script executed for each user /etc/rc 744 faf Kernel initialization script for z/OS UNIX environment /etc/steplib 740 faf List of MVS data sets valid for set user ID and set group ID executables /etc/tablename 740 faf List of z/OS userids and group names with corresponding alias names /usr/lib/cron/at.allow /usr/lib/cron/at.deny 700 faf Configuration files for the at and batch commands /usr/lib/cron/cron.allow /usr/lib/cron/cron.deny 700 faf Configuration files for the crontab command
Fix: F-104069r1_fix
Review the settings in the /etc/rc. The /etc/rcfile is the system initialization shell script. When z/OS UNIX kernel services start, /etc/rc is executed to set file permissions and ownership for dynamic system files and to perform other system startup functions such as starting daemons. There can be many commands in /etc/rc. There are two specific guidelines that must be followed: Verify that The CHMOD or CHAUDIT command does not result in less restrictive security than what is specified in the table below. Immediately prior to each command that starts a daemon, the _BPX_JOBNAME variable must be set to match the daemon’s name (e.g., inetd, syslogd). The use of _BPX_USERID is at the site’s discretion, but is recommended. Directory Permission Bits User Audit Bits Function / [root] 755 faf Root level of all file systems. Holds critical mount points. /bin 1755 fff Shell scripts and executables for basic functions /dev 1755 fff Character-special files used when logging into the OMVS shell and during C language program compilation. Files are created during system IPL and on a per-demand basis. /etc 1755 faf Configuration programs and files (usually with locally customized data) used by z/OS UNIX and other product initialization processes /lib 1755 fff System libraries including dynamic link libraries and files for static linking /samples 1755 fff Sample configuration and other files /tmp 1777 fff Temporary data used by daemons, servers, and users. Note: /tmp must have the sticky bit on to restrict file renames and deletions. /u 1755 fff Mount point for user home directories and optionally for third-party software and other local site files /usr 1755 fff Shell scripts, executables, help (man) files and other data. Contains sub-directories (e.g., lpp) and mount points used by program products that may be in separate file systems. /var 1775 fff Dynamic data used internally by products and by elements and features of z/OS UNIX.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000070
- Vuln IDs
-
- V-98395
- Rule IDs
-
- SV-107499r1_rule
Checks: C-97231r1_chk
From the ISPF Command Shell enter: RL SURROGAT BPX.SRV AUTHUSER If the RACF rules for all BPX.SRV.user SURROGAT resources specify a default access of NONE, this is not a finding. If the RACF rules for all BPX.SRV.user SURROGAT resources restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX, this is not a finding.
Fix: F-104071r1_fix
SURROGAT class BPX resources are used in conjunction with server applications that are performing tasks on behalf of client users that may not supply an authenticator to the server. This can be the case when clients are otherwise validated or when the requested service is performed from userids representing groups. Configure the default access for each BPX.SRV.userid resource must be no access. Access can be permitted only to system software processes that act as servers under z/OS UNIX (e.g., web servers). A sample is provided here: RDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) -RACF rules for all BPX.SRV.user SURROGAT resources must restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX. RDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) PE BPX.SRV.user CL(SURROGAT) ID(<server>)
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000080
- Vuln IDs
-
- V-98397
- Rule IDs
-
- SV-107501r1_rule
Checks: C-97233r1_chk
Refer to the proper BPXPRMxx member in SYS1.PARMLIB If the ESM data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN), this is not a finding. If the ESM data set rules for the data set referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update and/or allocate access to systems programming personnel, this is not a finding.
Fix: F-104073r1_fix
Review the access authorizations defined in the ACP for the MVS data sets that contain operating system components and for the MVS data sets that contain HFS file systems and ensure that they conform to the specifications below Review the UNIX permission bits on the HFS directories and files and ensure that they conform to the specifications below: Define ESM data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx to restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN). Define ESM data set rules for the data set referenced in the ROOT and the MOUNT statements in BPXPRMxx to restrict update and/or allocate access to systems programming personnel.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000090
- Vuln IDs
-
- V-98399
- Rule IDs
-
- SV-107503r1_rule
Checks: C-97235r1_chk
Execute an access list for MVS DATA SETS WITH z/OS UNIX COMPONENTS. If the ESM data set rules for each of the data sets listed in the table below restrict UPDATE and ALLOCATE access to systems programming personnel, this is not a finding. MVS DATA SETS WITH z/OS UNIX COMPONENTS DATA SET NAME/MASK MAINTENANCE TYPE FUNCTION SYS1.ABPX* Distribution IBM z/OS UNIX ISPF panels, messages, tables, clists SYS1.AFOM* Distribution IBM z/OS UNIX Application Services SYS1.BPA.ABPA* Distribution IBM z/OS UNIX Connection Scaling Process Mgr. SYS1.CMX.ACMX* Distribution IBM z/OS UNIX Connection Scaling Connection Mgr. SYS1.SBPX* Target IBM z/OS UNIX ISPF panels, messages, tables, clists SYS1.SFOM* Target IBM z/OS UNIX Application Services SYS1.CMX.SCMX* Target IBM z/OS UNIX Connection Scaling Connection Mgr.
Fix: F-104075r1_fix
Define ESM data set rules for each of the data sets listed in the table below restrict UPDATE and ALLOCATE access to systems programming personnel. The data sets designated as distribution data sets should have all access restricted to systems programming personnel. TSO/E users who also use z/OS UNIX should have read access to the SYS1.SBPX* data sets. Read access for all users to the remaining target data sets is at the site’s discretion. All other access must be restricted to systems programming personnel. MVS DATA SETS WITH z/OS UNIX COMPONENTS DATA SET NAME/MASK MAINTENANCE TYPE FUNCTION SYS1.ABPX* Distribution IBM z/OS UNIX ISPF panels, messages, tables, clists SYS1.AFOM* Distribution IBM z/OS UNIX Application Services SYS1.BPA.ABPA* Distribution IBM z/OS UNIX Connection Scaling Process Mgr. SYS1.CMX.ACMX* Distribution IBM z/OS UNIX Connection Scaling Connection Mgr. SYS1.SBPX* Target IBM z/OS UNIX ISPF panels, messages, tables, clists SYS1.SFOM* Target IBM z/OS UNIX Application Services SYS1.CMX.SCMX* Target IBM z/OS UNIX Connection Scaling Connection Mgr.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000100
- Vuln IDs
-
- V-98401
- Rule IDs
-
- SV-107505r1_rule
Checks: C-97237r1_chk
From the ISPF Command Shell enter: omvs enter CD / enter ls -alW If the HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM DIRECTORY SECURITY SETTINGS table below, this is not a finding. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing SYSTEM DIRECTORY SECURITY SETTINGS DIRECTORY PERMISSION BITS USER AUDIT BITS FUNCTION / [root] 755 faf Root level of all file systems. Holds critical mount points. /bin 1755 fff Shell scripts and executables for basic functions /dev 1755 fff Character-special files used when logging into the OMVS shell and during C language program compilation. Files are created during system IPL and on a per-demand basis. /etc 1755 faf Configuration programs and files (usually with locally customized data) used by z/OS UNIX and other product initialization processes /lib 1755 fff System libraries including dynamic link libraries and files for static linking /samples 1755 fff Sample configuration and other files /tmp 1777 fff Temporary data used by daemons, servers, and users. Note: /tmp must have the sticky bit on to restrict file renames and deletions. /u 1755 fff Mount point for user home directories and optionally for third-party software and other local site files /usr 1755 fff Shell scripts, executables, help (man) files and other data. Contains sub-directories (e.g., lpp) and mount points used by program products that may be in separate file systems. /var 1775 fff Dynamic data used internally by products and by elements and features of z/OS UNIX.
Fix: F-104077r1_fix
Configure the UNIX permission bits and user audit bits on each of the HFS directories in the table SYSTEM DIRECTORY SECURITY SETTINGS below to be equal or more restrictive. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing SYSTEM DIRECTORY SECURITY SETTINGS DIRECTORY PERMISSION BITS USER AUDIT BITS FUNCTION / [root] 755 faf Root level of all file systems. Holds critical mount points. /bin 1755 fff Shell scripts and executables for basic functions /dev 1755 fff Character-special files used when logging into the OMVS shell and during C language program compilation. Files are created during system IPL and on a per-demand basis. /etc 1755 faf Configuration programs and files (usually with locally customized data) used by z/OS UNIX and other product initialization processes /lib 1755 fff System libraries including dynamic link libraries and files for static linking /samples 1755 fff Sample configuration and other files /tmp 1777 fff Temporary data used by daemons, servers, and users. Note: /tmp must have the sticky bit on to restrict file renames and deletions. /u 1755 fff Mount point for user home directories and optionally for third-party software and other local site files /usr 1755 fff Shell scripts, executables, help (man) files and other data. Contains sub-directories (e.g., lpp) and mount points used by program products that may be in separate file systems. /var 1775 fff Dynamic data used internally by products and by elements and features of z/OS UNIX. The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 0755 / chaudit w=sf,rx+f / chmod 0755 /bin chaudit rwx=f /bin
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000110
- Vuln IDs
-
- V-98403
- Rule IDs
-
- SV-107507r1_rule
Checks: C-97239r1_chk
From the ISPF Command Shell enter: OMVS For each file listed in the table below enter: ls -alW /<directory name>/<file name> If the HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table, this is not a finding. NOTE: Some of the files listed are not used in every configuration. Absence of any of the files is not considered a finding. SYSTEM FILE SECURITY SETTINGS FILE PERMISSION BITS USER AUDIT BITS FUNCTION /bin/sh 1755 faf z/OS UNIX shell Note: /bin/sh has the sticky bit on to improve performance. /dev/console 740 fff The system console file receives messages that may require System Administrator (SA) attention. /dev/null 666 fff A null file; data written to it is discarded. /etc/auto.master any mapname files 740 faf Configuration files for automount facility /etc/inetd.conf 740 faf Configuration file for network services /etc/init.options 740 faf Kernel initialization options file for z/OS UNIX environment /etc/log 744 fff Kernel initialization output file /etc/profile 755 faf Environment setup script executed for each user /etc/rc 744 faf Kernel initialization script for z/OS UNIX environment /etc/steplib 740 faf List of MVS data sets valid for set user ID and set group ID executables /etc/tablename 740 faf List of z/OS userids and group names with corresponding alias names /usr/lib/cron/at.allow /usr/lib/cron/at.deny 700 faf Configuration files for the at and batch commands /usr/lib/cron/cron.allow /usr/lib/cron/cron.deny 700 faf Configuration files for the crontab command NOTE: Some of the files listed are not used in every configuration. Absence of any of the files is not considered a finding. NOTE: The names of the MapName files are site-defined. Refer to the listing in the EAUTOM report. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-104079r1_fix
Define the UNIX permission bits and user audit bits on the HFS files as listed in the table below. SYSTEM FILE SECURITY SETTINGS FILE PERMISSION BITS USER AUDIT BITS FUNCTION /bin/sh 1755 faf z/OS UNIX shell Note: /bin/sh has the sticky bit on to improve performance. /dev/console 740 fff The system console file receives messages that may require System Administrator (SA) attention. /dev/null 666 fff A null file; data written to it is discarded. /etc/auto.master any mapname files 740 faf Configuration files for automount facility /etc/inetd.conf 740 faf Configuration file for network services /etc/init.options 740 faf Kernel initialization options file for z/OS UNIX environment /etc/log 744 fff Kernel initialization output file /etc/profile 755 faf Environment setup script executed for each user /etc/rc 744 faf Kernel initialization script for z/OS UNIX environment /etc/steplib 740 faf List of MVS data sets valid for set user ID and set group ID executables /etc/tablename 740 faf List of z/OS userids and group names with corresponding alias names /usr/lib/cron/at.allow /usr/lib/cron/at.deny 700 faf Configuration files for the at and batch commands /usr/lib/cron/cron.allow /usr/lib/cron/cron.deny 700 faf Configuration files for the crontab command There are a number of files that must be secured to protect system functions in z/OS UNIX. Where not otherwise specified, these files must receive a permission setting of 744 or 774. The 774 setting may be used at the site’s discretion to help to reduce the need for assignment of superuser privileges. The table identifies permission bit and audit bit settings that are required for these specific files. More restrictive permission settings may be used at the site’s discretion or as specific environments dictate. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1755 /bin/sh chaudit w=sf,rx+f /bin/sh chmod 0740 /dev/console chaudit rwx=f /dev/console
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-US-000120
- Vuln IDs
-
- V-98405
- Rule IDs
-
- SV-107509r1_rule
Checks: C-97241r1_chk
Refer to the pathname from the STEPLIBLIST line in BPXPRMxx member of PARMLIB. From the ISPF Command Shell enter: ISHELL On the command line: on the path name line enter: /etc/ From the resulting display scroll down to the <stepliblist name> from BPXPRMxx parm. Enter B for browse on that line. If ESM data set rules for libraries specified restrict WRITE or greater access to only systems programming personnel, this is not a finding. If the ESM data set rules for libraries specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is not a finding.
Fix: F-104081r1_fix
Configure WRITE or greater access to libraries residing in the /etc/steplib to be limited to system programmers only.
- RMF Control
- AC-6
- Severity
- M
- CCI
- CCI-002233
- Version
- RACF-US-000130
- Vuln IDs
-
- V-98407
- Rule IDs
-
- SV-107511r1_rule
Checks: C-97243r1_chk
From the ISPF Command Shell enter: SETRopts list If the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, this is not a finding. If either of the above resource classes is missing, this is a finding.
Fix: F-104083r1_fix
Define the ACTIVE CLASS Parameter in SETROPTS to include the FACILITY, SURROGAT and UNIXPRIV resource classes. EXAMPLES: SETR CLASSACT(FACILITY SURROGAT UNIXPRIV) SETR GENERIC(FACILITY SURROGAT UNIXPRIV) SETR GENCMD(FACILITY SURROGAT UNIXPRIV) SETR RACL(FACILITY SURROGAT UNIXPRIV)
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-US-000140
- Vuln IDs
-
- V-98409
- Rule IDs
-
- SV-107513r1_rule
Checks: C-97245r1_chk
Refer to the IEASYS00 member of SYS1.PARMLIB. If the parameter is specified as OMVS=xx or OMVS=(xx,xx,…) in the IEASYSxx member, this is not a finding. If the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM’s Communication Server TCP/IP will not run.
Fix: F-104085r1_fix
Configure the settings in PARMLIB and /etc for z/OS UNIX security parameters with values that conform to the specifications below: The parameter is specified as OMVS=xx or OMVS=(xx,xx,…) in the IEASYSxx member. Note: If the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM’s Communication Server TCP/IP will not run.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-US-000150
- Vuln IDs
-
- V-98411
- Rule IDs
-
- SV-107515r1_rule
Checks: C-97247r1_chk
Refer to the BPXPRM00 member of SYS1.PARMLIB. If the required parameter keywords and values are defined as detailed below, this is not a finding. Parameter Keyword Value SUPERUSER BPXROOT TTYGROUP TTY STEPLIBLIST /etc/steplib USERIDALIASTABLE Will not be specified. ROOT SETUID will be specified MOUNT NOSETUID SETUID (for Vendor-provided files)SECURITY STARTUP_PROC OMVS
Fix: F-104087r1_fix
Define the settings in PARMLIB member BPXPRMxx for z/OS UNIX security parameters values to conform to the specifications below: Parameter Keyword Value SUPERUSER BPXROOT TTYGROUP TTY STEPLIBLIST /etc/steplib USERIDALIASTABLE Will not be specified. ROOT SETUID will be specified MOUNT NOSETUIDSETUID (for Vendor-provided files)SECURITY STARTUP_PROC OMVS
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-US-000160
- Vuln IDs
-
- V-98413
- Rule IDs
-
- SV-107517r1_rule
Checks: C-97249r1_chk
If the system is not classified, this is Not Applicable. From a command input screen enter: RLIST FACILITY (BPX.UNIQUE.USER) ALL Examine APPLICATION DATA for userid If system is classified and a userid is are not defined in the Application Data field in the BPX.UNIQUE.USER resource in the FACILITY report, this is not a finding.
Fix: F-104089r1_fix
If system is classified a userid should not be defined in the application data field of the FACILITY report. The sample commands below show the required security parameters required for the default user: AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS - OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) - DATA('DEFAULT OMVSUSERID ADDED WITH SOER5') RDEF FACILITY BPX. UNIQUE.USER APPLDATA() - DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN) SETR RACLIST(FACILITY) REFRESH
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-US-000170
- Vuln IDs
-
- V-98415
- Rule IDs
-
- SV-107519r1_rule
Checks: C-97251r1_chk
Refer to the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry: FILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD) If the above entry is not found or is commented out in the BPXPRMxx member(s), this is Not Applicable. From the ISPF Command Shell enter: OMVS cd /etc cat auto.master perform a contents list for the file identified Example: cat u.map Note: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is not applicable. Note: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default. If each MapName file specifies the “setuid No” and “security Yes” statements for each automounted directory, this is not a finding. If there is any deviation from the required values, this is a finding.
Fix: F-104091r1_fix
Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and configure the values to conform to the specifications below. The /etc/auto.master HFS file (and the use of Automount) is optional. The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default. Each MapName file will specify the “setuid NO” and “security YES statements for each automounted directory. If there is a deviation from the required values, documentation must exist for the deviation. Security NO disables security checking for file access. Security NO is only allowed on test and development domains. Setuid YES allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of setuid YES.
- RMF Control
- CM-7
- Severity
- M
- CCI
- CCI-000382
- Version
- RACF-US-000180
- Vuln IDs
-
- V-98417
- Rule IDs
-
- SV-107521r1_rule
Checks: C-97253r1_chk
From the UNIX System Services ISPF Shell enter: /etc/inetd.conf If any Restricted Network Services that are listed below are specified or specified but not commented out, this is a finding. RESTRICTED NETWORK SERVICES/PORTS Service Port Chargen 19 Daytime 13 Discard 9 Echo 7 Exec 512 finger 79 shell 514 time 37 login 513 smtp 25 timed 525 nameserver 42 systat 11 uucp 540 netstat 15 talk 517 qotd 17 tftp 69
Fix: F-104093r1_fix
Review the settings in the /etc/inetd.conf file determine if every entry in the file represents a service that is actually in use. Services that are not in use must be disabled to reduce potential security exposures. The following services must be disabled in /etc/inetd.conf unless justified and documented with the ISSO: RESTRICTED NETWORK SERVICES Service Port Chargen 19 Daytime 13 Discard 9 Echo 7 Exec 512 finger 79 shell 514 time 37 login 513 smtp 25 timed 525 nameserver 42 systat 11 uucp 540 netstat 15 talk 517 qotd 17 tftp 69 The /etc/inetd.conf file is used by the INETD daemon. It specifies how INETD is to handle service requests on network sockets. Specifically, there is one entry in inetd.conf for each service. Each service entry specifies several parameters. The login_name parameter is of special interest. It specifies the userid under which the forked daemon is to execute. This userid is defined to the ACP and it may require a UID(0) (i.e., superuser authority) value.
- RMF Control
- IA-2
- Severity
- H
- CCI
- CCI-000764
- Version
- RACF-US-000190
- Vuln IDs
-
- V-98419
- Rule IDs
-
- SV-107523r1_rule
Checks: C-97255r1_chk
From a z/OS command screen enter: LISTUSER * If UID(0) is assigned only to system tasks such as the z/OS/ UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, this is not a finding. If UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, this not a finding. NOTE: The assignment of UID(0) confers full time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges. If UID(0) is assigned to non-systems or non-maintenance accounts, this is a finding.
Fix: F-104095r1_fix
Assign UID(0) as specified below: UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons. UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components. NOTE: The assignment of UID(0) confers full time superuser privileges, this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000200
- Vuln IDs
-
- V-98421
- Rule IDs
-
- SV-107525r1_rule
Checks: C-97257r1_chk
From ISPF Command Shell enter: Listgrp * OMVS Note: A site can choose to have both an OMVSGRP group and an STCOMVS group or combine the groups under one of these names. If OMVSGRP and/or STCOMVS groups are defined and have a unique GID in the range of 1-99, this is not a finding.
Fix: F-104097r1_fix
Define the OMVSGRP group and/or the STCOMVS group to the security database with a unique GID in the range of 1-99. OMVSGRP is the name suggested by IBM for all the required userids. STCOMVS is the standard name used at some sites for the userids that are associated with z/OS UNIX started tasks and daemons. These groups can be combined at the site’s discretion.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000210
- Vuln IDs
-
- V-98423
- Rule IDs
-
- SV-107527r1_rule
Checks: C-97259r1_chk
From the ISPF Command Shell enter: Listgrp * OMVS If each group is defined with a unique GID, this is not a finding.
Fix: F-104099r1_fix
Define each UNIX group with a unique GID.
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000220
- Vuln IDs
-
- V-98425
- Rule IDs
-
- SV-107529r1_rule
Checks: C-97261r1_chk
If OMVS userid is defined to the ESM as follows, this is not a finding. No access to interactive on-line facilities (e.g., TSO, CICS, etc.) Default group specified as OMVSGRP or STCOMVS UID(0) HOME directory specified as “/” Shell program specified as “/bin/sh”
Fix: F-104101r1_fix
Define OMVS userid to the ESM as specified below: No access to interactive on-line facilities (e.g., TSO, CICS, etc.) Default group specified as OMVSGRP or STCOMVS UID(0) HOME directory specified as “/” Shell program specified as “/bin/sh”
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000230
- Vuln IDs
-
- V-98427
- Rule IDs
-
- SV-107531r1_rule
Checks: C-97263r1_chk
Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.) Determine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default). From a command input screen enter: LISTUSER (superuser userid) TSO CICS OMVS If the SUPERUSER userid is defined as follows, this is not a finding: -No access to interactive on-line facilities (e.g., TSO, CICS, etc.) -Default group specified as OMVSGRP or STCOMVS -UID(0) -HOME directory specified as “/” -Shell program specified as “/bin/sh”
Fix: F-104103r1_fix
Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below: -No access to interactive on-line facilities (e.g., TSO, CICS, etc.) -Default group specified as OMVSGRP or STCOMVS -UID(0) -HOME directory specified as “/” -Shell program specified as “/bin/sh”
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000240
- Vuln IDs
-
- V-98429
- Rule IDs
-
- SV-107533r1_rule
Checks: C-97265r1_chk
RMFGAT is the userid for the Resource Measurement Facility (RMF) Monitor III Gatherer. If RMFGAT is not defined, this is Not Applicable. From a command input screen enter: LISTUSER (RMFGAT) OMVS If RMFGAT is defined as follows, this is not a finding. Default group specified as OMVSGRP or STCOMVS A unique, non-zero UID HOME directory specified as “/” Shell program specified as “/bin/sh”
Fix: F-104105r1_fix
Define the RMFGAT user account as specified below: Default group specified as OMVSGRP or STCOMVS A unique, non-zero UID HOME directory specified as “/” Shell program specified as “/bin/sh”
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000250
- Vuln IDs
-
- V-98431
- Rule IDs
-
- SV-107535r1_rule
Checks: C-97267r1_chk
From a z/OS command screen enter: LISTUSER * OMVS NORACF NOTE: This check only applies to users of z/OS UNIX (i.e., users with an OMVS profile defined). If each user account with an OMVS segment is defined as follows, this is not a finding. -A unique UID number (except for UID(0) users) -A unique HOME directory (except for UID(0) and other system task accounts) -Shell program specified as “/bin/sh”, “/bin/tcsh”, “/bin/echo”, or “/bin/false” NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).
Fix: F-104107r1_fix
Define users of z/OS UNIX (i.e., users with an OMVS profile defined) as follows: -A unique UID number (except for UID(0) users) -A unique HOME directory (except for UID(0) and other system task accounts) -Shell program specified as “/bin/sh”, “/bin/tcsh”, “/bin/echo”, or “/bin/false” NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).
- RMF Control
- IA-2
- Severity
- M
- CCI
- CCI-000764
- Version
- RACF-US-000260
- Vuln IDs
-
- V-98433
- Rule IDs
-
- SV-107537r1_rule
Checks: C-97269r1_chk
If this is a Classified system, and there is an account used for modeling, this is a finding. From a command input screen enter: RLIST FACILITY (BPX.UNIQUE.USER) ALL Examine APPLICATION DATA for userid Enter: List User (<userid>) Note: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is Not Applicable. If user account used for OMVS account modeling is defined as follows, this is not a finding: A non-writable HOME directory: Shell program specified as “/bin/echo” or “/bin/false” Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).
Fix: F-104109r1_fix
Use of the OMVS default UID will not be allowed on any Classified system. This is not an issue when using BPX.UNIQUE.USER. Define user id used for OMVS account modeling with a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.” AG OEDFLTG SUPGROUP(ADMIN) OWNER(ADMIN) OMVS(GID(777777)) AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS - OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) - DATA('DEFAULT OMVSUSERID ADDED WITH SOER5') RDEF FACILITY BPX.DEFAULT.USER APPLDATA('OEDFLTU/OEDFLTG') - DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN) SETR RACLIST(FACILITY) REFRESH
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-UT-000010
- Vuln IDs
-
- V-98435
- Rule IDs
-
- SV-107539r1_rule
Checks: C-97271r1_chk
From the ISPF Command Shell enter: omvs cd /etc cat inetd.conf If the otelnetd command specifies any user other than OMVS or OMVSKERN, this is a finding.
Fix: F-104111r1_fix
The user account used at the startup of otelnetd is specified in the inetd configuration file. This account is used to perform the identification and authentication of the user requesting the session. Because the account is only used until user authentication is completed, there is no need for a unique account for this function. The z/OS UNIX kernel account can be used.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-UT-000020
- Vuln IDs
-
- V-98437
- Rule IDs
-
- SV-107541r1_rule
Checks: C-97273r1_chk
From the ISPF Command Shell enter: omvs At the input line enter cd /usr enter ls -alW If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/otelnetd 1740 fff cd /etc ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /etc/banner 0744 faf The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
Fix: F-104113r1_fix
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS directories and files for the z/OS UNIX Telnet Server. Ensure they conform to the specifications below: z/OS UNIX TELNET Server HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/otelnetd 1740 fff /etc/banner 0744 faf NOTE: The /usr/sbin/otelnetd object is a symbolic link to /usr/lpp/tcpip/sbin/otelnetd. The permission and user audit bits on the target of the symbolic link must have the required settings. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/otelnetd chaudit rwx=f /usr/lpp/tcpip/sbin/otelnetd chmod 0744 /etc/banner chaudit w=sf,rx+f /etc/banner
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-000048
- Version
- RACF-UT-000030
- Vuln IDs
-
- V-98439
- Rule IDs
-
- SV-107543r1_rule
Checks: C-97275r1_chk
From UNIX System Services ISPF Shell enter path "/etc/banner/" If the /etc/banner file contains banner below, this is not a finding. This banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Fix: F-104115r1_fix
Configure the /etc/banner file and ensure the text specifies a logon banner in accordance with DISA requirements. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
- RMF Control
- CM-6
- Severity
- M
- CCI
- CCI-000366
- Version
- RACF-UT-000040
- Vuln IDs
-
- V-98441
- Rule IDs
-
- SV-107545r1_rule
Checks: C-97277r1_chk
From the ISPF Command Shell enter: ISHELL Enter /etc/ for a pathname - you may need to issue a CD /etc/ select FILE NAME inetd.conf If Option -D login is included on the otelnetd command, this is not a finding. If Option -c 900 is included on the otelnetd command, this is not a finding. NOTE: "900" indicates a session timeout value of "15" minutes and is currently the maximum value allowed.
Fix: F-104117r1_fix
Configure the startup parameters in the inetd.conf file for otelnetd to conform to the specifications below. The otelnetd startup command includes the options -D login and -c 900, where: -D login indicates that messages should be written to the syslogd facility for login and logout activity. -c 900 indicates that the Telnet session should be terminated after "15" minutes of inactivity. NOTE: "900" is the maximum value; any value between "1" and "900" is acceptable.
- RMF Control
- AC-8
- Severity
- M
- CCI
- CCI-001384
- Version
- RACF-UT-000050
- Vuln IDs
-
- V-98443
- Rule IDs
-
- SV-107547r1_rule
Checks: C-97279r1_chk
From the ISPF Command Shell enter: ISHELL Enter /etc/ for a pathname - you may need to issue a CD /etc/ select FILE NAME inetd.conf If Option -h is included on the otelnetd command, this is a finding.
Fix: F-104119r1_fix
Configure the startup parameters in the inetd.conf file for otelnetd to exclude option -h. Note: -h indicates that the logon banner should not be displayed.
- RMF Control
- AC-3
- Severity
- M
- CCI
- CCI-000213
- Version
- RACF-VT-000010
- Vuln IDs
-
- V-98445
- Rule IDs
-
- SV-107549r1_rule
Checks: C-97281r1_chk
Determine data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments. If RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff, this is not a finding. If RACF data set rules for all VTAM system data sets all READ access to auditors only, this is not a finding.
Fix: F-104121r1_fix
Configure RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. Auditors may have READ access as documented by and approved by the ISSM. The following sample RACF commands show proper definitions/permissions for VTAM datasets: AD 'SYS1.VTAM*.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.**' ID(<syspsmpl>) ACC(A) AD 'SYS1.VTAMLIB.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAMLIB.**' ID(<syspsmpl>) ACC(A) AD 'SYS1.VTAM.SISTCLIB.**' UACC(NONE) OWNER(SYS1) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS1.VTAM.SISTCLIB.**' ID(<syspsmpl>) ACC(A) AD 'SYS3.VTAM.**' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018') PE 'SYS3.VTAM.**' ID(<syspsmpl>) ACC(A) AD 'SYS3.VTAMLIB.**' UACC(NONE) OWNER(SYS3) - AUDIT(SUCCESS(UPDATE) FAILURES(READ)) - DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018') PE 'SYS3.VTAMLIB.**' ID(<syspsmpl>) ACC(A) SETR GENERIC(DATASET) REFRESH
- RMF Control
- CM-5
- Severity
- M
- CCI
- CCI-001499
- Version
- RACF-VT-000020
- Vuln IDs
-
- V-98447
- Rule IDs
-
- SV-107551r1_rule
Checks: C-97283r1_chk
Ask the system administrator to supply the following information: - Documentation regarding terminal naming standards. - Documentation of all procedures controlling terminal logons to the system. - A complete list of all USS commands used by terminal users to log on to the system. - Members and data set names containing USSTAB and LOGAPPL definitions of all terminals that can log on to the system (e.g., SYS1.VTAMLST). - Members and data set names containing logon mode parameters. If USSTAB definitions are only used for secure terminals (e.g., terminals that are locally attached to the host or connected to the host via secure leased lines), this is not a finding. If USSTAB definitions are used for any unsecured terminals (e.g., dial up terminals or terminals attached to the Internet such as TN3270 or KNET 3270 emulation), this is a finding.
Fix: F-104123r1_fix
Configure USSTAB definitions to be only used for secure terminals. Only terminals that are locally attached to the host or connected to the host via secure leased lines located in a secured area. Only authorized personnel may enter the area where secure terminals are located. USSTAB or LOGAPPL definitions are used to control logon from secure terminals. These terminals can log on directly to any VTAM application (e.g., TSO, CICS, etc.) of their choice and bypass Session Manager services. Secure terminals are usually locally attached to the host or connected to the host via a private LAN without access to an external network. Only authorized personnel may enter the area where secure terminals are located.