IBM z/OS RACF Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V7R3

Published: 2020-06-29

Updated At: 2020-08-15 20:22:40

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-107101r1_rule RACF-CE-000010 CCI-000764 MEDIUM Certificate Name Filtering must be implemented with appropriate authorization and documentation. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107103r1_rule RACF-CE-000020 CCI-000185 MEDIUM Expired digital certificates must not be used. The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certi
    SV-107105r1_rule RACF-CE-000030 CCI-000185 MEDIUM All digital certificates in use must have a valid path to a trusted Certification authority. The origin of a certificate, the Certificate Authority (i.e., CA), is crucial in determining if the certificate should be trusted. An approved CA establishes grounds for confidence at both ends of communications sessions in ongoing identities of other par
    SV-107107r1_rule RACF-ES-000010 CCI-000213 HIGH IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only. This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. Sa
    SV-107109r1_rule RACF-ES-000020 CCI-000213 LOW IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only. Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-G
    SV-107111r1_rule RACF-ES-000030 CCI-000213 MEDIUM IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only. The primary function of the LINKLIST is to serve as a single repository for commonly used system modules. Failure to ensure that the proper set of libraries is designated for LINKLIST can impact system integrity, performance, and functionality. For this r
    SV-107113r1_rule RACF-ES-000040 CCI-001682 MEDIUM IBM RACF emergency USERIDs must be properly defined. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these a
    SV-107115r1_rule RACF-ES-000050 CCI-000018 MEDIUM IBM RACF SETROPTS LOGOPTIONS must be properly configured. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging th
    SV-107117r1_rule RACF-ES-000060 CCI-000213 MEDIUM IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107119r1_rule RACF-ES-000070 CCI-000213 MEDIUM IBM z/OS system commands must be properly protected. z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands. This exposure may threaten the integrity a
    SV-107121r1_rule RACF-ES-000080 CCI-000213 MEDIUM IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating
    SV-107123r1_rule RACF-ES-000090 CCI-000213 MEDIUM The IBM RACF FACILITY resource class must be active. IBM provides the FACILITY Class for use in protecting a variety of features/functions/products, both IBM and third-party. The FACILITY Class is not dedicated to any one specific use and is intended as a multi-purpose RACF Class. Failure to activate this cl
    SV-107125r1_rule RACF-ES-000100 CCI-000213 MEDIUM The IBM RACF OPERCMDS resource class must be active. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107127r1_rule RACF-ES-000110 CCI-000213 MEDIUM The IBM RACF MCS consoles resource class must be active. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107129r1_rule RACF-ES-000120 CCI-000213 MEDIUM IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107131r1_rule RACF-ES-000130 CCI-000213 MEDIUM IBM RACF started tasks defined with the trusted attribute must be justified. Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks which could then obtain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and
    SV-107133r1_rule RACF-ES-000140 CCI-000213 MEDIUM IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107135r1_rule RACF-ES-000150 CCI-000213 MEDIUM IBM RACF DASD volume-level protection must be properly defined. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107137r1_rule RACF-ES-000160 CCI-000213 MEDIUM IBM Sensitive Utility Controls must be properly defined and protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107139r1_rule RACF-ES-000170 CCI-000213 MEDIUM IBM RACF Global Access Checking must be restricted to appropriate classes and resources. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107141r1_rule RACF-ES-000180 CCI-000213 HIGH IBM RACF access to the System Master Catalog must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107143r1_rule RACF-ES-000190 CCI-000213 HIGH IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107145r1_rule RACF-ES-000200 CCI-000213 HIGH IBM z/OS must protect dynamic lists in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107147r2_rule RACF-ES-000210 CCI-000213 MEDIUM IBM RACF allocate access to system user catalogs must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107149r2_rule RACF-ES-000220 CCI-000213 MEDIUM IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107151r1_rule RACF-ES-000230 CCI-000213 MEDIUM IBM RACF must limit access to SYS(x).TRACE to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107153r1_rule RACF-ES-000240 CCI-000213 MEDIUM IBM RACF batch jobs must be properly secured. Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs
    SV-107155r1_rule RACF-ES-000250 CCI-000213 MEDIUM IBM RACF batch jobs must be protected with propagation control. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107157r1_rule RACF-ES-000260 CCI-000213 HIGH IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107159r1_rule RACF-ES-000270 CCI-000213 HIGH IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107161r1_rule RACF-ES-000280 CCI-000213 HIGH IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107163r1_rule RACF-ES-000290 CCI-000213 HIGH IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-107165r1_rule RACF-ES-000300 CCI-000213 HIGH IBM RACF must limit write or greater access to all LPA libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107167r1_rule RACF-ES-000310 CCI-000213 HIGH IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107169r1_rule RACF-ES-000320 CCI-000213 MEDIUM IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107171r1_rule RACF-ES-000330 CCI-000213 MEDIUM IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107173r1_rule RACF-ES-000340 CCI-000213 HIGH IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107175r1_rule RACF-ES-000350 CCI-000213 MEDIUM IBM RACF access to SYS1.LINKLIB must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107177r1_rule RACF-ES-000360 CCI-000213 HIGH The IBM RACF System REXX IRRPWREX security data set must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107179r1_rule RACF-ES-000370 CCI-000213 HIGH IBM RACF security data sets and/or databases must be properly protected. The External Security Manager (ESM) database files contain all access control information for the operating system environment and system resources. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer
    SV-107181r1_rule RACF-ES-000380 CCI-000213 MEDIUM IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107183r1_rule RACF-ES-000390 CCI-000213 HIGH IBM RACF must limit all system PROCLIB data sets to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107185r1_rule RACF-ES-000400 CCI-000213 MEDIUM IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107187r1_rule RACF-ES-000410 CCI-000213 MEDIUM IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating
    SV-107189r1_rule RACF-ES-000420 CCI-000213 MEDIUM IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107191r1_rule RACF-ES-000430 CCI-002235 MEDIUM The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
    SV-107193r1_rule RACF-ES-000440 CCI-002233 MEDIUM The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF). In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-107197r1_rule RACF-ES-000460 CCI-002233 MEDIUM The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF). In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-107199r1_rule RACF-ES-000470 CCI-002234 MEDIUM IBM RACF OPERAUDIT SETROPTS value must be set to OPERAUDIT. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-107201r1_rule RACF-ES-000480 CCI-000044 MEDIUM The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
    SV-107203r1_rule RACF-ES-000490 CCI-002238 MEDIUM The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
    SV-107205r1_rule RACF-ES-000500 CCI-000171 HIGH IBM z/OS SYS1.PARMLIB must be properly protected. Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
    SV-107207r1_rule RACF-ES-000510 CCI-000172 MEDIUM IBM z/OS SETROPTS Parm must be set to SAUDIT. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. SAUDIT speci
    SV-107209r1_rule RACF-ES-000520 CCI-000172 MEDIUM The IBM RACF SETROPTS SAUDIT value must be specified. Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit recor
    SV-107211r1_rule RACF-ES-000530 CCI-001487 MEDIUM The IBM RACF REALDSN SETROPTS value must be specified. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
    SV-107213r1_rule RACF-ES-000540 CCI-000162 MEDIUM IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ESM, and customer data. Unauthorized disclosure of audit r
    SV-107215r1_rule RACF-ES-000550 CCI-001813 MEDIUM IBM RACF SETROPTS RVARYPW values must be properly set. Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that
    SV-107217r1_rule RACF-ES-000560 CCI-000366 HIGH IBM RACF must define WARN = NO on all profiles. Failure to restrict system access to authenticated users negatively impacts operating system security.
    SV-107219r1_rule RACF-ES-000570 CCI-000366 HIGH The IBM RACF PROTECTALL SETROPTS value specified must be properly set. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107221r1_rule RACF-ES-000580 CCI-000366 MEDIUM The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107223r1_rule RACF-ES-000590 CCI-000366 MEDIUM The IBM RACF RETPD SETROPTS value specified must be properly set. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107225r1_rule RACF-ES-000600 CCI-000366 MEDIUM The IBM RACF TAPEDSN SETROPTS value specified must be properly set. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107227r1_rule RACF-ES-000610 CCI-000366 MEDIUM The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107229r1_rule RACF-ES-000620 CCI-000366 MEDIUM IBM RACF use of the AUDITOR privilege must be justified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107231r1_rule RACF-ES-000630 CCI-000366 MEDIUM The IBM RACF database must be on a separate physical volume from its backup and recovery datasets. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107233r1_rule RACF-ES-000640 CCI-000366 MEDIUM The IBM RACF database must be backed up on a scheduled basis. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107235r1_rule RACF-ES-000650 CCI-000366 MEDIUM IBM z/OS Batch job user IDs must be properly defined. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107237r1_rule RACF-ES-000660 CCI-000366 MEDIUM IBM RACF use of the RACF SPECIAL Attribute must be justified. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.
    SV-107239r1_rule RACF-ES-000670 CCI-000366 MEDIUM IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).
    SV-107241r1_rule RACF-ES-000680 CCI-000382 MEDIUM IBM z/OS must properly configure CONSOLxx members. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107243r2_rule RACF-ES-000690 CCI-000382 MEDIUM IBM z/OS must properly protect MCS console userid(s). In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107245r2_rule RACF-ES-000700 CCI-000764 MEDIUM IBM RACF users must have the required default fields. Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate or phrasedate fields are completed. This will uniquely identify each user. If these fields are not
    SV-107247r1_rule RACF-ES-000710 CCI-000764 MEDIUM IBM interactive USERIDs defined to RACF must have the required fields completed. Interactive users are considered to be users of CICS, IMS, TSO/E, NetView, or other products that support logging on at a terminal. Improper assignments of attributes in the LOGONID record for interactive users may allow users excessive privileges resulti
    SV-107249r1_rule RACF-ES-000720 CCI-000764 MEDIUM IBM z/OS Started Tasks must be properly identified to RACF. Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an assoc
    SV-107251r1_rule RACF-ES-000730 CCI-000764 MEDIUM IBM z/OS Started Tasks must be properly defined to RACF. Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an assoc
    SV-107253r1_rule RACF-ES-000740 CCI-000764 MEDIUM The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107255r1_rule RACF-ES-000750 CCI-000764 MEDIUM IBM RACF user accounts must uniquely identify system users. To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does
    SV-107257r1_rule RACF-ES-000760 CCI-000795 MEDIUM The IBM RACF INACTIVE SETROPTS value must be set to 35 days. Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
    SV-107259r1_rule RACF-ES-000770 CCI-000192 MEDIUM IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
    SV-107261r1_rule RACF-ES-000780 CCI-000193 MEDIUM IBM RACF exit ICHPWX01 must be installed and properly configured. Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Satisfies
    SV-107263r1_rule RACF-ES-000790 CCI-000198 MEDIUM The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1. Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeate
    SV-107265r1_rule RACF-ES-000800 CCI-000199 MEDIUM IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days. Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the op
    SV-107267r1_rule RACF-ES-000810 CCI-000200 MEDIUM The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. HISTORY specifies the number of previous passwords that RACF saves for each USERID and compares with an intended n
    SV-107269r1_rule RACF-ES-000820 CCI-000196 HIGH NIST FIPS-validated cryptography must be used to protect passwords in the security database. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Operating system
    SV-107271r2_rule RACF-ES-000830 CCI-000186 MEDIUM IBM z/OS, for PKI-based authentication, must use the ESM to store keys. If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
    SV-107273r1_rule RACF-ES-000840 CCI-001090 MEDIUM The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-107275r1_rule RACF-ES-000850 CCI-000213 MEDIUM IBM RACF DASD Management USERIDs must be properly controlled. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107277r1_rule RACF-FT-000010 CCI-000067 MEDIUM IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. Failure to collect and retain audit data may contribute to the lo
    SV-107279r1_rule RACF-FT-000020 CCI-000213 MEDIUM IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer
    SV-107281r1_rule RACF-FT-000030 CCI-000213 MEDIUM IBM z/OS data sets for the FTP server must be properly protected. MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer
    SV-107283r1_rule RACF-FT-000040 CCI-000048 MEDIUM IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-107285r1_rule RACF-FT-000050 CCI-001384 MEDIUM IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107287r1_rule RACF-FT-000060 CCI-001384 MEDIUM The IBM z/OS warning banner for the FTP server must be properly specified. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-107289r1_rule RACF-FT-000070 CCI-000366 MEDIUM IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).
    SV-107291r1_rule RACF-FT-000080 CCI-001764 MEDIUM The IBM z/OS TFTP server program must be properly protected. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-107293r1_rule RACF-FT-000090 CCI-000382 MEDIUM IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107295r1_rule RACF-FT-000100 CCI-000764 MEDIUM The IBM z/OS FTP server daemon must be defined with proper security parameters. The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise
    SV-107297r1_rule RACF-FT-000110 CCI-001133 MEDIUM IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-107299r1_rule RACF-FT-000120 CCI-000804 MEDIUM IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
    SV-107301r1_rule RACF-JS-000010 CCI-000213 MEDIUM IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-107303r1_rule RACF-JS-000020 CCI-000213 MEDIUM IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107305r1_rule RACF-JS-000030 CCI-000213 MEDIUM IBM z/OS JES2 input sources must be properly controlled. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107307r1_rule RACF-JS-000040 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107309r1_rule RACF-JS-000050 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be properly controlled for classified systems. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107311r1_rule RACF-JS-000060 CCI-000213 MEDIUM IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107313r1_rule RACF-JS-000070 CCI-000213 MEDIUM IBM z/OS JESNEWS resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107315r1_rule RACF-JS-000080 CCI-000213 MEDIUM IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107317r1_rule RACF-JS-000090 CCI-000213 MEDIUM IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107319r1_rule RACF-JS-000100 CCI-000213 MEDIUM IBM z/OS JES2 system commands must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107321r1_rule RACF-JS-000110 CCI-000213 MEDIUM IBM z/OS surrogate users must be controlled in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107323r1_rule RACF-JS-000120 CCI-000366 MEDIUM IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107325r1_rule RACF-OS-000010 CCI-002361 MEDIUM IBM z/OS must configure system wait times to protect resource availability based on site priorities. Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net
    SV-107327r1_rule RACF-OS-000020 CCI-000067 MEDIUM The IBM z/OS BPX.SMF resource must be properly configured. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-107329r1_rule RACF-OS-000030 CCI-000067 MEDIUM IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. The TN3270 Telnet Server can provide audit data in the form of SMF records. The SMF data produced provides information about individual sessions. This data includes the VTAM application, the remote and local IP addresses, and the remote and local IP port
    SV-107331r1_rule RACF-OS-000040 CCI-000015 HIGH IBM RACF must be installed and active on the system. Enterprise environments make account management for operating systems challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. IBM z/OS requires an external security manager to assu
    SV-107333r1_rule RACF-OS-000050 CCI-001682 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these a
    SV-107335r1_rule RACF-OS-000060 CCI-001683 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are created. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for
    SV-107337r1_rule RACF-OS-000070 CCI-001684 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are modified. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
    SV-107339r1_rule RACF-OS-000080 CCI-001685 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
    SV-107341r1_rule RACF-OS-000090 CCI-001686 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are removed. When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account removal event
    SV-107343r1_rule RACF-OS-000100 CCI-002132 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-107345r1_rule RACF-OS-000110 CCI-000018 MEDIUM IBM z/OS required SMF data record types must be collected. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging th
    SV-107347r1_rule RACF-OS-000120 CCI-000048 MEDIUM IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-107349r1_rule RACF-OS-000130 CCI-000131 MEDIUM IBM z/OS must specify SMF data options to assure appropriate activation. SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then a
    SV-107351r1_rule RACF-OS-000140 CCI-001849 MEDIUM IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data. In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually perform
    SV-107353r1_rule RACF-OS-000150 CCI-001851 MEDIUM IBM z/OS system administrators must develop an automated process to collect and retain SMF data. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-107355r1_rule RACF-OS-000160 CCI-000139 MEDIUM IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system oper
    SV-107357r1_rule RACF-OS-000170 CCI-000140 MEDIUM IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and au
    SV-107359r1_rule RACF-OS-000180 CCI-001891 MEDIUM The IBM z/OS SNTP daemon (SNTPD) must be active. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
    SV-107361r1_rule RACF-OS-000190 CCI-001891 MEDIUM IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-107363r1_rule RACF-OS-000200 CCI-002046 MEDIUM IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-107365r1_rule RACF-OS-000210 CCI-001774 HIGH IBM RACF must define UACC of NONE on all profiles. The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
    SV-107367r1_rule RACF-OS-000220 CCI-000366 MEDIUM IBM z/OS PASSWORD data set and OS passwords must not be used. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107369r1_rule RACF-OS-000230 CCI-000366 MEDIUM The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-107371r1_rule RACF-OS-000240 CCI-000366 MEDIUM The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
    SV-107373r1_rule RACF-OS-000250 CCI-001764 HIGH Unsupported system software must not be installed and/or active on the system. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-107375r1_rule RACF-OS-000260 CCI-001764 MEDIUM IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-107377r1_rule RACF-OS-000270 CCI-001764 MEDIUM IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-107379r1_rule RACF-OS-000280 CCI-000381 MEDIUM IBM z/OS must not have inaccessible APF libraries defined. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-107381r1_rule RACF-OS-000290 CCI-000381 MEDIUM IBM z/OS inapplicable PPT entries must be invalidated. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-107383r1_rule RACF-OS-000300 CCI-000381 MEDIUM IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and violate the integrity of the operating system environment. This expanded authorization list inhibits the a
    SV-107385r1_rule RACF-OS-000310 CCI-000381 LOW IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.
    SV-107387r1_rule RACF-OS-000320 CCI-002450 MEDIUM The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption for classified systems. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provide
    SV-107389r1_rule RACF-OS-000330 CCI-001199 MEDIUM The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 for full disk encryption. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.
    SV-107391r1_rule RACF-OS-000340 CCI-002475 MEDIUM IBM z/OS must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components. Operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Satisfies: SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
    SV-107393r1_rule RACF-OS-000350 CCI-001090 MEDIUM IBM z/OS sensitive and critical system data sets must not exist on shared DASDs. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-107395r1_rule RACF-OS-000360 CCI-002385 MEDIUM The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
    SV-107397r1_rule RACF-OS-000370 CCI-001095 MEDIUM The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
    SV-107399r1_rule RACF-OS-000400 CCI-000060 MEDIUM The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the po
    SV-107401r1_rule RACF-OS-000410 CCI-000057 MEDIUM IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-107403r1_rule RACF-OS-000420 CCI-000058 MEDIUM IBM z/OS must employ a session for users to directly initiate a session lock for all connection types. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-107405r1_rule RACF-OS-000430 CCI-000056 MEDIUM IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-107407r1_rule RACF-OS-000440 CCI-000016 MEDIUM IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these a
    SV-107409r1_rule RACF-OS-000450 CCI-001682 MEDIUM IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours.
    SV-107411r1_rule RACF-OS-000460 CCI-001744 MEDIUM IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be
    SV-107413r1_rule RACF-OS-000470 CCI-001876 MEDIUM IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements. The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security i
    SV-107415r1_rule RACF-OS-000480 CCI-000879 MEDIUM IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating syst
    SV-107417r1_rule RACF-OS-000490 CCI-002617 MEDIUM IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the
    SV-107419r1_rule RACF-OS-000500 CCI-002702 MEDIUM IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the
    SV-107421r1_rule RACF-OS-000510 CCI-001851 MEDIUM IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-107423r1_rule RACF-SH-000010 CCI-000067 MEDIUM IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then a
    SV-107425r2_rule RACF-SH-000020 CCI-000068 HIGH The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested
    SV-107427r1_rule RACF-SH-000030 CCI-001453 HIGH The IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating throu
    SV-107429r1_rule RACF-SH-000040 CCI-001384 MEDIUM The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107431r1_rule RACF-SH-000050 CCI-000382 HIGH IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107433r1_rule RACF-SH-000060 CCI-000187 MEDIUM IBM z/OS, for PKI-based authentication, must use the ESM for key management. Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
    SV-107435r1_rule RACF-SL-000010 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured. HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these objects could lead to unauthorized access. This exposure may result in the compromise of the integrity and
    SV-107437r1_rule RACF-SL-000020 CCI-000764 MEDIUM The IBM z/OS Syslog daemon must be started at z/OS initialization. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107439r1_rule RACF-SL-000030 CCI-000764 MEDIUM The IBM z/OS Syslog daemon must be properly defined and secured. The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communi
    SV-107441r1_rule RACF-SM-000010 CCI-000213 MEDIUM IBM z/OS DFSMS Program Resources must be properly defined and protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107443r1_rule RACF-SM-000020 CCI-000213 MEDIUM IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107445r1_rule RACF-SM-000030 CCI-000213 MEDIUM IBM z/OS DFSMS-related RACF classes must be active. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107447r2_rule RACF-SM-000040 CCI-000213 MEDIUM IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107449r1_rule RACF-SM-000050 CCI-000366 MEDIUM IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107451r1_rule RACF-TC-000010 CCI-000067 MEDIUM IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-107453r1_rule RACF-TC-000020 CCI-002314 MEDIUM IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD no
    SV-107455r1_rule RACF-TC-000030 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured. HFS directories and files of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of
    SV-107457r1_rule RACF-TC-000040 CCI-000213 MEDIUM IBM z/OS TCP/IP resources must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107459r1_rule RACF-TC-000050 CCI-000213 MEDIUM The IBM RACF SERVAUTH resource class must be active for TCP/IP resources. IBM provides the SERVAUTH class for use in protecting a variety of TCP/IP features/functions/products, both IBM and third-party. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating
    SV-107461r1_rule RACF-TC-000060 CCI-000213 MEDIUM The IBM RACF SERVAUTH resource class must be active for TCP/IP resources. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
    SV-107463r2_rule RACF-TC-000070 CCI-000213 MEDIUM IBM z/OS data sets for the Base TCP/IP component must be properly protected. MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integ
    SV-107465r1_rule RACF-TC-000080 CCI-000366 MEDIUM IBM z/OS Configuration files for the TCP/IP stack must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107467r1_rule RACF-TC-000090 CCI-002884 MEDIUM The IBM z/OS PROFILE.TCPIP configuration statement must include a SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack. If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance to
    SV-107469r1_rule RACF-TC-000100 CCI-002468 MEDIUM The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-107471r1_rule RACF-TN-000010 CCI-002361 MEDIUM The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
    SV-107473r1_rule RACF-TN-000020 CCI-000068 MEDIUM IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client. This algorithm is used to encrypt the data that subsequently flows between the two. However, the level or strength of encryption can vary gr
    SV-107475r1_rule RACF-TN-000030 CCI-000048 MEDIUM IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-107477r1_rule RACF-TN-000040 CCI-001384 MEDIUM The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
    SV-107479r1_rule RACF-TN-000050 CCI-000366 MEDIUM IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107481r1_rule RACF-TN-000060 CCI-001133 MEDIUM The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-107483r1_rule RACF-TS-000010 CCI-000213 MEDIUM IBM z/OS TSOAUTH resources must be restricted to authorized users. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107485r1_rule RACF-TS-000020 CCI-002235 HIGH IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumvent
    SV-107487r1_rule RACF-US-000010 CCI-000213 HIGH The IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107489r1_rule RACF-US-000020 CCI-000213 MEDIUM IBM z/OS BPX resource(s) must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107491r1_rule RACF-US-000030 CCI-000213 MEDIUM IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107493r1_rule RACF-US-000040 CCI-000213 MEDIUM IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107495r1_rule RACF-US-000050 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in etc/profile must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107497r1_rule RACF-US-000060 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in /etc/rc must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107499r1_rule RACF-US-000070 CCI-000213 MEDIUM IBM z/OS UNIX resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107501r1_rule RACF-US-000080 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107503r1_rule RACF-US-000090 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107505r1_rule RACF-US-000100 CCI-000213 MEDIUM IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107507r1_rule RACF-US-000110 CCI-000213 MEDIUM IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Satisfies: SRG-OS-
    SV-107509r1_rule RACF-US-000120 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107511r1_rule RACF-US-000130 CCI-002233 MEDIUM The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE. In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-107513r1_rule RACF-US-000140 CCI-000366 MEDIUM IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107515r1_rule RACF-US-000150 CCI-000366 MEDIUM IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107517r1_rule RACF-US-000160 CCI-000366 MEDIUM IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-107519r1_rule RACF-US-000170 CCI-000366 MEDIUM IBM z/OS UNIX HFS MapName files security parameters must be properly specified. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic
    SV-107521r1_rule RACF-US-000180 CCI-000382 MEDIUM IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-107523r1_rule RACF-US-000190 CCI-000764 HIGH IBM z/OS UID(0) must be properly assigned. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107525r1_rule RACF-US-000200 CCI-000764 MEDIUM IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. RACF userids, groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
    SV-107527r1_rule RACF-US-000210 CCI-000764 MEDIUM IBM z/OS UNIX groups must be defined with a unique GID. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107529r1_rule RACF-US-000220 CCI-000764 MEDIUM The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
    SV-107531r1_rule RACF-US-000230 CCI-000764 MEDIUM The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107533r1_rule RACF-US-000240 CCI-000764 MEDIUM The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107535r1_rule RACF-US-000250 CCI-000764 MEDIUM IBM z/OS UNIX user accounts must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107537r1_rule RACF-US-000260 CCI-000764 MEDIUM IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-107539r1_rule RACF-UT-000010 CCI-000213 MEDIUM The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined. The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server. Several of these parameters have potential impact to system security. Failure to code the appropriate values could result in unexpect
    SV-107541r1_rule RACF-UT-000020 CCI-000213 MEDIUM IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. HFS directories and files of the z/OS UNIX Telnet Server provide the configuration and executable properties of this product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availab
    SV-107543r1_rule RACF-UT-000030 CCI-000048 MEDIUM The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. A logon banner can be used to inform users about the environment during the initial logon. Logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use con
    SV-107545r1_rule RACF-UT-000040 CCI-000366 MEDIUM IBM z/OS UNIX Telnet server Startup parameters must be properly specified. The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell. During the initialization process, startup parameters are read to define the characteristics of each otelnetd instance. Some of these parameters have an impac
    SV-107547r1_rule RACF-UT-000050 CCI-001384 MEDIUM The IBM z/OS UNIX Telnet server warning banner must be properly specified. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-107549r1_rule RACF-VT-000010 CCI-000213 MEDIUM IBM z/OS System datasets used to support the VTAM network must be properly secured. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-107551r1_rule RACF-VT-000020 CCI-001499 MEDIUM IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.