IBM z/OS TSS Security Technical Implementation Guide

Checks: C-25544r998384_chk

Execute the CA-TSS SAFCRRPT using the following as SYSIN input: RECORDID(-) DETAIL TRUST FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST) If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following check. If the digital certificate information indicates that the issuer's distinguished name leads to one of the following this is not a finding: a) A DOD PKI Root Certification Authority b) An External Root Certification Authority (ECA) c) An approved External Partner PKI's Root Certification Authority The DOD Cyber Exchange website contains information as to which certificates may be acceptable (https://public.cyber.mil/pki-pke/interoperability/ or https://cyber.mil/pki-pke/interoperability/). Examples of an acceptable DOD CA are: DOD PKI Class 3 Root CA DOD PKI Med Root CA

Fix: F-25532r998385_fix

Remove or replace certificates where the issuer's distinguished name does not lead to a DOD PKI Root Certification Authority; External Root Certification Authority (ECA); or an approved External Partner PKI's Root Certification Authority. The DOD Cyber Exchange website contains information as to which certificates may be acceptable (https://public.cyber.mil/pki-pke/interoperability/ or https://cyber.mil/pki-pke/interoperability/).

Generate Mitigation Statement:

Checks: C-25545r516015_chk

Execute the CA-TSS SAFCRRPT using the following as SYSIN input: RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST) If no certificate information is found, this is not a finding. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. Check the expiration for each certificate with a status of TRUST. If the expiration date has passed, this is a finding.

Fix: F-25533r516016_fix

If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key certificate. If it is an expired CA certificate remove it.

Generate Mitigation Statement:

Checks: C-25546r516018_chk

If certificate name filtering is in use, the ISSM should document each active filter rule and have written approval to use the rule. Issue the following TSS command to list any certificate name filters defined to TSS: TSS LIST(SDT) CERTMAP(ALL) If there is nothing to list, this is not a finding. NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status. If certificate name filters are defined and they have a Status of TRUST, certificate name filtering is in use. If certificate name filtering is in use and filtering rules have been documented and approved by the ISSM, this is not a finding. If certificate name filtering is in use and filtering rules have not been documented and approved by the ISSM, this is a finding.

Fix: F-25534r516019_fix

Ensure any certificate name filtering rules in use are documented and approved by the ISSM.

Generate Mitigation Statement:

Checks: C-25548r516024_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) DATA(BASIC) If only authorized personnel have BLP access and documentation for access is on file with the ISSO, this is not a finding.

Fix: F-25536r516025_fix

Review all ACIDs with the BLP attribute. Evaluate the impact of removing BLP access from unauthorized personnel. Develop a plan of action and remove BLP access from unauthorized ACIDs.

Generate Mitigation Statement:

Checks: C-25550r516030_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NPWRTHRESH Control Option value is not set to NPWRTHRESH(02), this is a finding.

Fix: F-25538r516031_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. NPWRTHRESH(02)

Generate Mitigation Statement:

Checks: C-25551r516033_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NPPTHRESH Control Option value is not set to NPWRTHRESH(02), this is a finding.

Fix: F-25539r516034_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. NPPTHRESH(02)

Generate Mitigation Statement:

Checks: C-25552r516036_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PTHRESH Control Option value is not set to PTHRESH(02), this is a finding.

Fix: F-25540r516037_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. PTHRESH(02)

Generate Mitigation Statement:

Checks: C-25553r516039_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PTHRESH Control Option value is not set to NPPTHRESH(02), this is a finding.

Fix: F-25541r516040_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. NPPTHRESH(02)

Generate Mitigation Statement:

Checks: C-25554r516755_chk

Refer to the SMFPRMxx member in SYS1.PARMLIB. Determine the SMF and/or Logstream data set name. If the following statements are true, this is not a finding. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict ALTER access to only z/OS systems programming personnel. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing and others as approved by ISSM. -The ESM data set rules for the SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) restrict READ access to auditors and others approved by the ISSM. -The ESM data set rules for SMF data collection files (e.g., SYS1.MAN* or IFASMF.SYS1.*) specify that all (i.e., failures and successes) UPDATE and/or ALTER access are logged.

Fix: F-25542r516756_fix

Ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and and/or batch jobs that perform SMF dump processing; access can be granted to others as determined by ISSM. Ensure that read access is limited to auditors. Access may be granted to others as determined by the ISSM. Ensure the accesses are being logged. Ensure that all (i.e., failures and successes) WRITE or greater access are logged. Ensure read access failures are logged.

Generate Mitigation Statement:

Checks: C-25556r877724_chk

Any keys or Certificates must be managed in ICSF or the external security manager and not in UNIX files. From the ISPF Command Shell enter: OMVS enter find / -name *.kdb and Find / -name *.jks If any files are present, this is a finding. OMVS enter find / -name *.kdb and Find / -name *.jks If any files are present, this is a finding.

Fix: F-25544r811041_fix

Define all Keys/Certificates to ICSF or the security database. Remove all .kdb and .jks key files.

Generate Mitigation Statement:

Checks: C-25558r516054_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NEWPHRASE Control Option conforms to the following requirements, this is not a finding. MA=1-32 MN=1-32 ID MAX=100 MIN=15-100 MINDAYS=1 NR=0-1 SC=1-32 WARN=1-10 If the PPSCHAR Control Option conform to the allowable list defined in CA Top Secret for z/OS Control Options Guide, this is not a finding. Note: These characters will be specified at a minimum. "40" represents the blank character. Characters can be identified by their character or hex equivalent.

Fix: F-25546r868928_fix

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK. Configure the NEWPHRASE Control Option values to the following requirements: MA=1-32 MN=1-32 ID MAX=100 MIN=15-100 MINDAYS=1 NR=0-1 SC=1-32 WARN=1-10 Configure the PPSCHAR Control Option to the allowable list defined in CA Top Secret for z/OS User Guide. Note: These characters will be specified at a minimum. "40" represents the blank character. Characters can be identified by their character or hex equivalent. Example: TSS MODIFY NEWPHRASE(MA=1,MN=1,ID,MAX=100,MIN=15,MINDAYS=1,NR=1,SC=1,WARN=10) TSS MODIFY PPSCHAR(c,c,c,c,...) (Use the allowable list defined in CA Top Secret for z/OS Control Options Guide.)

Generate Mitigation Statement:

Checks: C-25559r516057_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NEWPW Control Option values conform to the following requirements, this is not a finding. NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Fix: F-25547r516058_fix

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK. Configure the NEWPW Control Option values conform to the following requirements: NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Generate Mitigation Statement:

Checks: C-25561r516063_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PWEXP Control Option value is not set to PWEXP(60), this is a finding.

Fix: F-25549r516064_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the following control option setting as specified and proceed with the change. PWEXP(60)

Generate Mitigation Statement:

Checks: C-25562r516066_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PPEXP Control Option will conform to the following requirements, this is not a finding. PPEXP(60)

Fix: F-25550r516067_fix

Configure the PPEXP Control Option value to conform to the following requirements. PPEXP(60) Example: TSS MODIFY PPEXP(60)

Generate Mitigation Statement:

Checks: C-25563r516069_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PWHIST Control Option value is not set to PWHIST(10) or greater, this is a finding.

Fix: F-25551r516070_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the following control option setting as specified and proceed with the change. PWHIST(10) or greater

Generate Mitigation Statement:

Checks: C-25564r516072_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PPHIST Control Option conforms to the following requirements, this is not a finding. PPHIST(10-64)

Fix: F-25552r516073_fix

Configure the PPHIST Control Option value to conforms to the following requirements: PPHIST(10-64) Example: TSS MODIFY PPHIST(10)

Generate Mitigation Statement:

Checks: C-25565r516075_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NEWPW Control Option values conform to the following requirements, this is not a finding. NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Fix: F-25553r516076_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified and proceed with the change. (Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK.) Configure the NEWPW Control Option values to conform to the following requirements: NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Generate Mitigation Statement:

Checks: C-25566r516078_chk

Execute a data set list of access to SYS1.LINKLIB. If the ESM data set rules for SYS1.LINKLIB allow inappropriate (e.g., global READ) access, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ, WRITE or greater access to only systems programming personnel, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ and UPDATE access to only domain level security administrators, this is a finding. If data set rules for SYS1.LINKLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors, this is a finding. If data set rules for SYS1.LINKLIB do not specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is a finding.

Fix: F-25554r516079_fix

Configure the ESM rules for SYS1.LINKLIB limit access to system programmers only and all WRITE or greater access is logged.

Generate Mitigation Statement:

Checks: C-25575r516105_chk

From any ISPF input line, enter TSO ISRDDN LINKLIST. If all of the following are untrue, this is not a finding. If any of the following is true, this is a finding. The ACP data set rules for LINKLIST libraries do not restrict WRITE or greater access to only z/OS systems programming personnel. The ACP data set rules for LINKLIST libraries do not specify that all (i.e., failures and successes) WRITE or greater access will be logged.

Fix: F-25563r516106_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the LINKLIST libraries. Configure the WRITE or greater access to LINKLIST libraries to be limited to system programmers only and all WRITE or greater access is logged.

Generate Mitigation Statement:

Checks: C-25578r868933_chk

From the ISPF Command Shell enter: LISTCat USERCATALOG ALL NOPREFIX Review the ESM data set rules for each usercatalog defined. If the data set rules for User Catalogs do not restrict ALTER access to only z/OS systems programming personnel, this is a finding. If products or procedures requiring system programmer access for system-level maintenance meet the following specific case, this is not a finding: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. If the data set rules for User Catalogs do not specify that all (i.e., failures and successes) ALTER access will be logged, this a finding. Note: If the USER CATALOGS contain SMS managed data sets, READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed data sets, UPDATE access is required for user operation.

Fix: F-25566r868934_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect USER CATALOGS. Configure ESM rules for allocate access to USER CATALOGS, limited to system programmers only, and all allocate access is logged. Configure ESM rules for the USER CATALOGS to allow any products or procedures system programmer access for system-level maintenance that meet the following specific case: - The batch job or procedure must be documented in the SITE Security Plan. - Reside in a data set that is restricted to systems programmers' access only. Note: If the USER CATALOGS contain SMS managed data sets, READ access is sufficient to allow user operations. If the USER CATALOGS do not contain SMS managed data sets, UPDATE access is required for user operation.

Generate Mitigation Statement:

Checks: C-25579r516117_chk

Have the systems programmer for z/OS supply the following information: The data set name and associated SREL for each SMP/E CSI utilized to maintain this system. The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid. The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) allow inappropriate access. The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict WRITE or greater access to only z/OS systems programming personnel. If all of the above are untrue, this is not a finding. If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a finding.

Fix: F-25567r516118_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries. Configure allocate access to all system-level product execution libraries to be limited to system programmers only.

Generate Mitigation Statement:

Checks: C-25580r516120_chk

The ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict WRITE or greater access to only z/OS systems programming personnel. The ESM data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access not documented and approved by ISSO. If both of the above are untrue, this is not a finding. If either of the above is true, this is a finding.

Fix: F-25568r516121_fix

Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System data sets (spool, checkpoint, and parmlib data sets). Configure WRITE or greater access to JES2 System data sets (spool, checkpoint, and parmlib data sets) to be limited to system programmers only. Access other than this should be documented and approved by the ISSO. (Example: All SYS1.HASP* data sets.)

Generate Mitigation Statement:

Checks: C-25582r868936_chk

Obtain the procedures and collection specifics for SMF data sets and backup. If the ESM data set rules for the SMF dump/backup files do not restrict WRITE or greater access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing), this is a finding. If the ESM data set rules for the SMF dump/backup files do restrict update access as documented in the site security plan, this is a finding. If the ESM data set rules for the SMF dump/backup files do not restrict READ access to auditors and others approved by the ISSM, this is a finding. If the ESM data set rules for SMF dump/backup files do not specify that all (i.e., failures and successes) WRITE or greater access will be logged, this is a finding.

Fix: F-25570r868937_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect data sets used to backup and/or dump SMF Collection Files. Configure data set rules for the SMF dump/backup files to restrict WRITE or greater access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing). Configure data set rules for the SMF dump/backup files to restrict UPDATE access to others approved the ISSM. Configure data set rules for the SMF dump/backup files to restrict READ access to authorized auditors and others approved by the ISSM. Ensure that all update and alter access authority to SMF history files will be logged using the ESM's facilities.

Generate Mitigation Statement:

Checks: C-25583r516129_chk

Refer to data sets SYS1.DUMPxx, additionally, Dump data sets can be identified by reviewing the logical parmlib concatenation data sets for the current COMMNDxx member. Find the COM= which specifies the DUMPDS NAME (DD NAME=name-pattern) entry. The name-pattern is used to identify additional Dump data sets. If the ESM data set rules for System Dump data sets do not restrict READ, UPDATE, and/or ALTER access to only systems programming personnel, this is a finding. If the ESM data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these dump data sets, this is a finding.

Fix: F-25571r516130_fix

Configure data set rules for access to SYSTEM DUMP data set(s) to be limited to system programmers only, unless a letter justifying access is filed with the ISSO in the site security plan. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets.

Generate Mitigation Statement:

Checks: C-25584r516132_chk

Collect from the storage management group the identification of the DASD backup files and all associated storage management ACIDs. If ESM data set rules for system DASD backup files do not restrict WRITE or greater access to z/OS systems programming and/or batch jobs that perform DASD backups this is a finding. If READ Access to system backup data sets is not limited to auditors and others approved by the ISSM this is a finding.

Fix: F-25572r516133_fix

Obtain the high level indexes to backup data sets names define their access to be restricted by the System's ESM to System Programmers and batch jobs that perform the backups. Define READ Access to system backup data sets to be limited to auditors and others approved by the ISSM.

Generate Mitigation Statement:

Checks: C-25585r516135_chk

Execute a dataset list of access for SYS(x).TRACE files. If the ESM data set rule for SYS1.TRACE restricts access to systems programming personnel and started tasks that perform GTF processing, this is not a finding. If the ESM data set rule for SYS1.TRACE restricts access to others as documented and approved by ISSM, this is not a finding.

Fix: F-25573r516136_fix

Configure the ESM access to SYS1.TRACE to be limited to system programmers or started tasks that perform GTF processing. Other user access can be granted as documented and approved by the ISSM.

Generate Mitigation Statement:

Checks: C-25586r516138_chk

Execute a dataset list of access for System page data sets (i.e., PLPA, COMMON, and LOCALx). If ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict access to only systems programming personnel, this is not a finding. If ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict auditors to READ only, this is not a finding.

Fix: F-25574r516139_fix

Configure the ESM data set rules for system page data sets (PLPA, COMMON, and LOCAL) to restrict access to only systems programming personnel. Auditors may be allowed READ Access as approved by the ISSM.

Generate Mitigation Statement:

Checks: C-25589r516147_chk

If the IEAABD. resource and/or generic equivalent is defined with no access and all access logged, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent is defined with READ access limited to authorized users, this is not a finding. If the IEAABD.DMPAUTH. resource and/or generic equivalent UPDATE or greater access is restricted to only systems personnel and all access is logged, this is not a finding. If the IEAABD.DMPAKEY resource and/or generic equivalent is defined and all access is restricted to systems personnel and that all access is logged, this is not a finding.

Fix: F-25577r868945_fix

Memory and privileged program dump resources are provided via resources in the FACILITY resource class. Ensure that the following are properly specified in the ESM. (Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resources and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Below is listed the access requirements for memory and privileged program dump resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are followed. When protecting the facilities for dumps lists via the FACILITY resource class, ensure that the following items are in effect: IEAABD. IEAABD.DMPAUTH. IEAABD.DMPAKEY. The RACF resource rules for the resources specify UACC(NONE) and NOWARNING. Ensure that no access is given to IEAABD. resource. Example RDEF FACILITY IEAABD.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ)) IEAABD.DMPAUTH. READ access is limited to authorized users that have a valid job duties requirement for access. UPDATE access will be restricted to system programming personnel and access will be logged. Example: RDEF FACILITY IEAABD.DMPAUTH.** UACC(NONE) OWNER(owner group) AUDIT(ALL(UPDATE)) PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(authusers) ACCESS(READ) PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(syspsmpl) ACCESS(UPDATE) IEAABD.DMPAKEY. access will be restricted to system programming personnel and access will be logged. Example: RDEF FACILITY IEAABD.DMPAKEY.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ)) PERMIT IEAABD.DMPAKEY.** CLASS(FACILITY) ID(syspsmpl) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25591r516153_chk

From a command screen enter: TSS WHOHAS OPERCMDS(MVS) If any of below is untrue for any z/OS system command resource, this is a finding. Access to MVS resource of the OPERCMDS class is restricted to a limited number of authorized users, and all access logged. Access to "MVS.**" is not allowed. Access to z/OS system commands as defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. NOTE: The (MVS.SEND) Command will not be a finding if used by all. Access to specific z/OS system commands is logged as indicated in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual.

Fix: F-25579r516154_fix

Ensure access to the MVS resource of the OPERCMDS class is restricted to a limited number of authorized users, and all access is logged. Ensure access to z/OS system commands as defined in the table entitled MVS commands, RACF access authorities, and resource names, in the IBM z/OS MVS System Commands manual is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). Ensure no access is granted at level MVS.**. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. NOTE: The (MVS.SEND) Command will not be a finding if used by all. Example: TSS ADDTO(deptacid) OPERCMDS(MVS.) TSS PERMIT(usracid) OPERCMDS(MVS.ACTIVATE) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.CANCEL.JOB.) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.CONTROL.) ACCESS(UPDATE) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.DISPLAY.) ACCESS(READ) TSS PERMIT(usracid) OPERCMDS(MVS.MONITOR) ACCESS(READ) TSS PERMIT(usracid) OPERCMDS(MVS.STOPMN) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25592r811046_chk

From the ISPF Command Shell enter: TSS WHOOWNS SYSCONS(*) For each Console defined enter: TSS WHOHAS SYSCONS(<console>) If the ACID associated with each console has READ access to the corresponding resource defined in the SYSCONS resource class, this is not a finding. If access authorization for SYSCONS resources restricts access to operations, the Master SCA, system programming personnel, or authorized personnel, this is not a finding. If the console defined is not defined to the TSS SYSCONS resource class enter: TSS LIST (RDT) RESCLASS(SYSCONS) If the SYSCONS resource class does not have the DEPROT attribute, this is a finding. For each Console defined enter: TSS WHOHAS(<CONSOLE>) If the console defined is not defined to the TSS SYSCONS resource class enter: TSS LIST (RDT) RESCLASS(SYSCONS) If the SYSCONS resource class does not have the DEPROT attribute, this is a finding.

Fix: F-25580r811047_fix

Ensure that all MCS consoles are defined to the SYSCONS resource class and READ access is limited to operators, and system programmers, or authorized personnel. Review the MCS console resources defined to z/OS and the ACP and ensure they conform to those outlined below. Each console defined in the CONSOLxx parmlib members is defined to TSS SYSCONS resource class and/or the SYSCONS resource class has the DEFPROT attribute. Example: TSS REPLACE(RDT) RESCLASS(SYSCONS) ATTR(DEFPROT) The ACID associated with each console has access to the corresponding resource defined in the SYSCONS resource class. Example: TSS PERMIT(MMGMST) SYSCONS(MMGMST) ACCESS(READ) Access authorization for SYSCONS resources restricts access to operations, the Master SCA, and system programming personnel. TSS PERMIT(opersmpl) SYSCONS(MMGMST) ACCESS(READ) TSS PERMIT(Master SCA) SYSCONS(MMGMST) ACCESS(READ) TSS PERMIT(syspsmpl) SYSCONS(MMGMST) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25593r516159_chk

TSS WHOOWNS TSOAUTH(*) If the Console is not defined to TSOAuth RESOURCE CLASS this is Not Applicable. Refer to the CONSOLxx member of SYS1.PARMLIB. For each Console defined if the following is true, this is not a finding. -User ACIDs are restricted to the INFO level in the MCSAUTH attribute. -User ACIDs are restricted to READ access to the MVS.MCSOPER.acid resource defined in the OPERCMDS resource class. -User ACIDs and/or profile ACIDs are restricted to the CONSOLE resource defined in the TSOAUTH resource class. If any of the above are untrue, this is a finding.

Fix: F-25581r516160_fix

Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. At the discretion of the ISSO, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, ensure the following items are in effect for users granted the TSO CONSOLE privilege: -User ACIDs are restricted to the INFO level in the MCSAUTH attribute. -User ACIDs are restricted to READ access to the MVS.MCSOPER.acid resource defined in the OPERCMDS resource class. -User ACIDs and/or profile ACIDs are restricted to the CONSOLE resource defined in the TSOAUTH resource class. For Example: TSS ADDTO (userid) MCSAUTH(INFO) TSS PERMIT(userid) OPERCMDS(MVS.MCSOPER.userid) ACCESS(READ) ACTION(AUDIT) TSS PERMIT(oprprofileacid) TSOAUTH(CONSOLE) ACCESS(READ) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25594r516162_chk

From the ISPF Command Shell enter: TSS WHOOWNS OPERCMDS(MVS) If the (MVS) resource is owned, this is not a finding. If the (MVS) resource is not owned, this is a finding. TSS LIST RDT RESCLASS(OPERCMDS) If the (MVS) resource is not OWNED and the OPERCMDS class does not have DEFPROT as an attribute, this is a finding.

Fix: F-25582r516163_fix

z/OS system command controls are provided via resources in the OPERCMDS resource class. Configure (MVS) of the OPERCMDS resource class to be properly owned or at a minimum the OPERCMDS resource in the RDT specifies the DEFPROT attribute. Name the actual owning ACID specified for deptacid in accordance with installation recommendations. When protecting the facilities for z/OS system commands via the OPERCMDS class, use the following controls: (1) Prevent access to the z/OS resources by default, and log all access. Create generic and specific permissions with logging as required using the required controls for z/OS System Commands listed in ACP00282. For example: TSS ADDTO(deptacid) OPERCMDS(MVS.) TSS PERMIT(usracid) OPERCMDS(MVS.ACTIVATE) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.CANCEL.JOB.) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.CONTROL.) ACCESS(UPDATE) ACTION(AUDIT) TSS PERMIT(usracid) OPERCMDS(MVS.DISPLAY.) ACCESS(READ) TSS PERMIT(usracid) OPERCMDS(MVS.MONITOR) ACCESS(READ) TSS PERMIT(usracid) OPERCMDS(MVS.STOPMN) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25595r516165_chk

TSS MODIFY STATUS If the AUTH Control Option values are not set to AUTH(OVERRIDE, ALLOVER) or AUTH(MERGE, ALLOVER), this is a finding.

Fix: F-25583r516166_fix

Configure the AUTH control option is set to (OVERRIDE, ALLOVER) or (MERGE, ALLOVER). With (OVERRIDE, ALLOVER), TSS separately searches first the user, then profiles, and then the ALL record for its access authorization. With (MERGE, ALLOVER), TSS merges and searches the user and all profiles, and then the ALL record for its access authorization. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting to AUTH(OVERRIDE, ALLOVER) or AUTH(MERGE, ALLOVER) and proceed with the change.

Generate Mitigation Statement:

Checks: C-25597r516171_chk

From the ISPF Command Shell enter: TSS WHOOWNS data set(*) If data set masking characters. (*, %, and +, **) are owned by the MSCA, this is not a finding.

Fix: F-25585r516172_fix

Configure all data set masking characters to be owned the MSCA. Example TSS commands to protect masking characters: TSS ADD(msca) DSN(*) TSS ADD(msca) DSN(%) TSS ADD(msca) DSN(+)

Generate Mitigation Statement:

Checks: C-25599r516177_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) DATA(BASIC) If any ACID(s) is (are) assigned FACILITY(*ALL*), this is a finding.

Fix: F-25587r516178_fix

The ISSO will ensure that blanket access to all facilities; FACILITY(ALL), is never granted. Review all access to FACILITY(*ALL*). Evaluate the impact of correcting the deficiency. Develop a plan of action and remove access to FAC(*ALL*). Example: TSS REM(acid) FAC(ALL)

Generate Mitigation Statement:

Checks: C-25600r516180_chk

Review the ALL record for the assignment of FACILITY. If CA-Top Secret facilities are granted via the ALL record, with the exception of DFHSM/HSM, this is a finding. The DFHSM/HSM FACILITY can be determined by reviewing FACLIST for the FACILITY that contains INITPGM=ARC.

Fix: F-25588r516181_fix

Review ALL record for FACILITY access. Evaluate the impact of correcting the deficiency. Develop a plan of action and remove access.

Generate Mitigation Statement:

Checks: C-25601r868950_chk

Refer the accesses to the TSS masking character (*, *., and/or **) for data sets. If the following guidance is true, this is not a finding. If the TSS data set access authorizations restrict READ access to auditors, this is not a finding. If the TSS data set access authorizations restrict READ and/or greater access to DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users, this is not a finding. If CA VTAPE is installed on the systems and the TSS data set access authorizations restrict READ access to CA VTAPE STCs and/or batch users, this is not a finding. If the TSS data set access authorizations specify that all (i.e., failures and successes) EXECUTE and/or greater accesses are logged, this is not a finding.

Fix: F-25589r868951_fix

Review access authorization to the TSS mask character (*, *., and/or **) for data sets. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to the data set mask permissions. The installing Systems Programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and, if required, that all WRITE and/or greater accesses are logged. The programmer will identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented, will work with the ISSO to confirm that they are properly restricted to the ACP (Access Control Program) active on the system. (Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Auditors may require READ access to all data sets. DASD administrators, Trusted Started Tasks, emergency users, and DASD batch users that require READ and/or greater access to perform maintenance to all data sets. If CA VTAPE is installed on the system, READ access can be given to the CA VTAPE STCs and/or batch users. All accesses authorizations will be logged. The exception is the logging requirement is not required for Trusted Started Tasks. The following commands are provided as a sample for implementing data set controls: TSS ADDTO(msca) DATASET(*.) TSS PERMIT(smplsmpl) DATASET(*.) ACCESS(READ) ACTION(AUDIT) TSS PERMIT(CA VTape STC) DATASET(*.) ACCESS(READ) ACTION(AUDIT) TSS PERMIT(dasbsmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT) TSS PERMIT(dasdsmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT) TSS PERMIT(emersmpl) DATASET(*.) ACCESS(ALL) ACTION(AUDIT) TSS PERMIT(tstcsmpl) DATASET(*.) ACCESS(ALL)

Generate Mitigation Statement:

Checks: C-25603r868953_chk

Refer to the table of Sensitive Utilities resources and/or generic equivalent as detail in the table below. If the TSS resource access authorizations for the following sensitive utilities restrict access to the appropriate personnel, this is not a finding. Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only. If the TSS resources are owned or DEFPROT is specified for the resource class, this is not a finding. If the TSS resource logging is correctly specified, this is not a finding.

Fix: F-25591r868954_fix

Ensure that the following are properly specified in the ACP. Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. Ensure that all Sensitive Utility Controls resources and/or generic equivalent are properly protected according to the requirements specified in Sensitive Utility Controls table below. This table lists the resources, access requirements, and logging requirements for Sensitive Utilities, ensures the following guidelines are followed: Sensitive Utility Controls Program Product Function AHLGTF z/OS System Activity Tracing HHLGTF IHLGTF ICPIOCP z/OS System Configuration IOPIOCP IXPIOCP IYPIOCP IZPIOCP BLSROPTR z/OS Data Management DEBE OS/DEBE Data Management DITTO OS/DITTO Data Management FDRZAPOP FDR Product Internal Modification GIMSMP SMP/E Change Management Product ICKDSF z/OS DASD Management IDCSC01 z/OS IDCAMS Set Cache Module IEHINITT z/OS Tape Management IFASMFDP z/OS SMF Data Dump Utility IND$FILE z/OS PC to Mainframe File Transfer (Applicable only for classified systems) CSQJU003 IBM WebSphereMQ CSQJU004 CSQUCVX CSQ1LOGP CSQUTIL WHOIS z/OS Share MOD to identify user name from USERID. Restricted to data center personnel only. The TSS resources as designated in the above table are owned and/or DEFPROT is specified for the resource class. The TSS resource access authorizations restrict access to the appropriate personnel as designated in the above table. The following commands are provided as a sample for implementing resource controls: TSS ADD(dept-acid) PROGRAM(AHLGTF) TSS PERMIT(stcgsmpl) PROGRAM(AHLGTF) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25604r881330_chk

Refer to the site security plan, the system administrator, and system libraries to determine list of stated tasks available on the system. If the following guidance is true, this is not a finding. -All started tasks are assigned a unique user ACID or STC ACIDs that will be unique per product and function if supported by vendor documentation. -Every ACID with the STC Facility has a corresponding entry defined in the STC record. -Every ACID defined in the STC record has a corresponding user ACID defined to TSS with the STC Facility. -All STC ACIDs will have a password generated in accordance with STIG requirements. -All STC ACIDs will be sourced to the internal reader (e.g., ADD(stc-acid) SOURCE(INTRDR). -The STC ACIDs may have the NOSUSPEND attribute.

Fix: F-25592r516193_fix

Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified: All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job. TSS ADD(stc-acid) FACILITY(STC BATCH) Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID. TSS REP(stc-acid) PASSWORD(xxxxxxxx,0) Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started. All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs. TSS ADD(stc-acid) SOURCE(INTRDR) Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access. TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid) Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations. Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified: All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job. TSS ADD(stc-acid) FACILITY(STC BATCH) Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID. TSS REP(stc-acid) PASSWORD(xxxxxxxx,0) Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started. All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs. TSS ADD(stc-acid) SOURCE(INTRDR) Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access. TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid) Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations.

Generate Mitigation Statement:

Checks: C-25605r516195_chk

From the ISPF Command enter: TSS MODIFY STATUS If the CANCEL Control Option is not specified, this is not a finding.

Fix: F-25593r516196_fix

Remove the CANCEL sub-option from the Control Options list. TSS MODIFY(control_option [(suboption_list)])

Generate Mitigation Statement:

Checks: C-25606r516198_chk

From the ISPF Command enter: TSS MODIFY STATUS If the HPBPW Control Option value is set to (3) days maximum, this is not a finding. If the HPBPW Control Option value is set to greater than (3) days, this is a finding.

Fix: F-25594r516199_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the HPBPW control option setting to a maximum of 3 days.

Generate Mitigation Statement:

Checks: C-25607r516201_chk

From the ISPF Command enter: TSS MODIFY STATUS If the INSTDATA Control Option is set to NONE this is not a finding.

Fix: F-25595r516202_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the INSTDATA control option value to (0) and proceed with the change.

Generate Mitigation Statement:

Checks: C-25608r516204_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the OPTIONS Control Option contains at a minimum option number (4), this is not a finding.

Fix: F-25596r516205_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. The OPTIONS Control Option must contain at a minimum option number (4). Example TSS PARMFILE Control Option entry: OPTIONS(4,5,6,12,14)

Generate Mitigation Statement:

Checks: C-25609r516207_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the TEMPDS Control Option value is set to TEMPDS(YES), this not a finding.

Fix: F-25597r516208_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting to TEMPDS(YES), and proceed with the change.

Generate Mitigation Statement:

Checks: C-25610r868956_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) TYPE(SCA) DATA(BASIC) If the persons listed agree with the site security plan, this is not a finding.

Fix: F-25598r868957_fix

Review all security administrator ACIDs. Evaluate the impact of correcting the deficiency. Develop a plan of action and reduce the number of control ACIDs if not justified. Use information below as guidance. TYPE=CENTRAL, TYPE=MASTER or also known as "SCA" and "MSCA" level of ACIDS will adhere to the following restrictions based upon documented role/function an individual performs: -Domain level Information System Security Officer (ISSO) - full administrative authorities and access rights needed to perform required and documented role/responsibilities/function. -Assistance Domain Level Information System Security Officer or "backup" or ISSO (up to same access as 1). -DISA SRR Auditor, DoD IG Auditor, SAS70 Auditor - only "view" administrative authorities must be granted and only for those roles/functions that have been formally documented as DISA, DoD IG or SAS70 Auditors and approved by the DISA AO for those position/functions/roles. Exception: Until scoping is worked out and resolved, DISA OST team members may be defined as TYPE=CENTRAL with limited authority such as ACID(INFO,MAINTAIN). All OST Team member ACIDs will be changed to TYPE=LIMITED and scoped accordingly to allow password resets upon verification of users, yet to limit and eliminate any potential risk associated with resetting of MSCA or other SCA level accounts. NO other exceptions will exist.

Generate Mitigation Statement:

Checks: C-25611r516213_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) DATA(ADMIN) If the ACIDs having MISC9(ALL) or MISC9(CONSOLE) authority are designated SCAs who are responsible for the security for the domain this is not a finding.

Fix: F-25599r516214_fix

Review all ACIDs with the MISC9 attribute. Evaluate the impact of removing MISC9(ALL) or MISC9(CONSOLE) access from ACIDs not required to assign the CONSOLE attribute. It is suggested that MISC9(CONSOLE) assignment privileges be limited to the MSCA. Develop a plan of action and implement the changes.

Generate Mitigation Statement:

Checks: C-25612r516216_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the LUUPDONCE Control Option value is set to "YES", this is a finding.

Fix: F-25600r516217_fix

Configure LUUPDONCE control option is set to (NO). Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the control option setting to NO and proceed with the change.

Generate Mitigation Statement:

Checks: C-25613r516219_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the ADSP Control Option value is not set to "ADSP(NO)", this is a finding.

Fix: F-25601r516220_fix

Configure the ADSP control option is set to (NO) indicating that the RACF bit in the DSCB will not be set. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting to ADSP(NO) and proceed with the change.

Generate Mitigation Statement:

Checks: C-25614r516222_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the RECOVER Control Option value is not set to "RECOVER(ON)", this is a finding.

Fix: F-25602r516223_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the following control option setting as specified and proceed with the change. RECOVER(ON)

Generate Mitigation Statement:

Checks: C-25615r516225_chk

Review each CONSOLxx parmlib member. If the following guidance is true, this is not a finding. The "DEFAULT" statement for each CONSOLxx member specifies "LOGON(REQUIRED)" or "LOGON(AUTO)". The "CONSOLE" statement for each console assigns a unique name using the "NAME" parameter. The "CONSOLE" statement for each console specifies "AUTH(INFO)". Exceptions are the "AUTH" parameter is not valid for consoles defined with "UNIT(PRT)" and specifying "AUTH(MASTER)" is permissible for the system console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.

Fix: F-25603r516226_fix

Configure the "DEFAULT" statement to specify "LOGON(REQUIRED)" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, "LOGON(AUTO)" may be used. If "LOGON(AUTO)" is used assure that the console userids are defined with minimal access. See ACP00292. Configure each "CONSOLE" statement to specify an explicit console NAME. And that "AUTH(INFO)" is specified, this also including extended MCS consoles. "AUTH(MASTER)" may be specified for systems console. Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.

Generate Mitigation Statement:

Checks: C-25616r516228_chk

Refer to IEASYS00 to determine correct CONSOLxx member. Examine the CONSOLxx member. If the following guidance is true, this is not a finding. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid TSS ACID. Each console ACID has no special privileges and/or attributes (e.g., BYPASSING, CONSOLE, etc.; excluding VTAM SMCS consoles). Each console ACID has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles). Each console can have the Facility of CONSOLE. Each console ACID will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console ACIDs and/or console profile may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.

Fix: F-25604r516229_fix

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below. Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid TSS ACID. Each console ACID has no special privileges and/or attributes (e.g., BYPASSING, CONSOLE, etc.). Each console ACID has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.; excluding VTAM SMCS consoles). Each console can have the Facility of CONSOLE. Each console ACID will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class. NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console ACIDs and/or console profile may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource. Example: (These are only examples, not requirements.) TSS CREATE(consnoautolog) TYPE(PROFILE) NAME('MCS consoles with no autolog') DEPT('SYS1') TSS CREATE(consautolog) TYPE(PROFILE) - NAME('MCS consoles with autolog') - DEPT('SYS1') TSS CREATE(consname) NAME('MCS console name') - FACILITY(CONSOLE) PASSWORD(password,0) - PROFILE(consgroup) TSS PER(consautolog) OPERCMDS(MVS.CONTROL) ACCESS(READ) TSS PER(consautolog) OPERCMDS(MVS.DISPLAY) ACCESS(READ) TSS PER(consautolog) OPERCMDS(MVS.MONITOR) ACCESS(READ) TSS PER(consautolog) OPERCMDS(MVS.STOPMN) ACCESS(READ) TSS PER(consname) SYSCONS(consname) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25617r516231_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the "CPFRCVUND" Control Option value is set to "YES", this is a finding.

Fix: F-25605r516232_fix

Configure the CPFRCVUND control option value to (NO). Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the control option setting to "NO" and proceed with the change.

Generate Mitigation Statement:

Checks: C-25618r516234_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the CPFTARGET Control Option value specified is not set to "LOCAL", this is a finding.

Fix: F-25606r516235_fix

Configure the CPFTARGET Control Option value specified set to LOCAL.

Generate Mitigation Statement:

Checks: C-25623r516249_chk

Refer to data obtained from the site installation identifying batch type ACIDs. If all static batch ACIDs (ACIDs whose passwords never change) originating from a physical reader, RJE, or NJE are sourced to those readers such as (INTRDR, N12.IR, etc.) with the appropriate source Syntax, this is not a finding.

Fix: F-25611r516250_fix

Ensure that all static batch ACIDs (ACIDs whose passwords never change) originating from a physical reader, RJE, or NJE are sourced to those readers such as (INTRDR, N12.IR, etc.) with the appropriate source Syntax. Example: TSS ADD(batch-acid) SOURCE(device) Develop a plan of action and implement the changes as specified.

Generate Mitigation Statement:

Checks: C-25624r516252_chk

Refer to data obtained from the site installation identifying DASD maintenance ACIDs. If each DASD Maintenance ACID has batch Facility, this is not a finding.

Fix: F-25612r516253_fix

Define all batch ACIDs to the BATCH facility.

Generate Mitigation Statement:

Checks: C-25625r516255_chk

Obtain a list of all userids that are shared among multiple users (i.e., not uniquely identified system users). If there are no shared userids on this domain, this is not a finding. If there are shared userids on this domain, this is a finding. NOTE: Userid

Fix: F-25613r516256_fix

Identify user accounts defined to the ESM that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ESM.

Generate Mitigation Statement:

Checks: C-25626r516258_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) If every user shows a LAST-USED=yy.ddd within the past "35" days, this is not a finding. NOTE: VALID FOR INTERACTIVE USERIDS, NOT VALID FOR STARTED TASK USERIDS AND BATCH USERIDS.

Fix: F-25614r998398_fix

Develop a procedure to check all userids for inactivity of more than "35" days. If found, the information system security officer (ISSO) must suspend an account, but not delete it until it is verified by the local ISSO that the user no longer requires access. If verification is not received within "60" days, the account may be deleted.

Generate Mitigation Statement:

Checks: C-25627r516261_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the INACTIVE Control Option is set to a value of "0", this is not a finding.

Fix: F-25615r516262_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the INACTIVE Control Option to a value of "0" days and proceed with the change. The INACTIVE Control Option value is set properly with the command: TSS MODIFY INACTIVE(0)

Generate Mitigation Statement:

Checks: C-25628r516264_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the AUTOERASE Control Option value is set to (ALL), this is not a finding.

Fix: F-25616r516265_fix

Configure the AUTOERASE control option is set to (ALL) for all systems to erase all residual information on DASD. Evaluate the impact associated with implementation of the control option. Develop a plan of action to set the AUTOERASE control option to (ALL) for all systems and implement.

Generate Mitigation Statement:

Checks: C-25629r516267_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If only systems personnel are defined in SYS1.UADS and the DOWN Control Option values are set to DOWN(BW,SB,TN,OW), this is not a finding. If non-systems personnel are defined in SYS1.UADS and the DOWN Control Option values are set to DOWN(BW,SB,TW,OW), this is not a finding.

Fix: F-25617r516268_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified below and proceed with the change. Setting if ONLY systems personnel are defined in SYS1.UADS: DOWN(BW,SB,TN,OW) Setting if any non-systems personnel are defined in SYS1.UADS: DOWN(BW,SB,TW,OW)

Generate Mitigation Statement:

Checks: C-25631r998401_chk

Ask the system administrator (SA) for the procedures for creating new ACIDs. If the procedure contains the "EXP" option, this is not a finding.

Fix: F-25619r998402_fix

Ensure procedures to create New Acids include the "EXP" option. Example: TSS CREATE(USER02) NAME('ANDY POE') TYPE(USER) DEPARTMENT(PAYDEPT) PASSWORD(INITIAL,60,EXP) FACILITY(TSO)

Generate Mitigation Statement:

Checks: C-25632r516276_chk

From this ISPF Command Shell enter: TSS MODIFY STATUS If the SUBACID Control Option values are NOT set to "SUBACID(U,8)", this is a finding.

Fix: F-25620r516277_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting to "SUBACID(U,8)", and proceed with the change.

Generate Mitigation Statement:

Checks: C-25633r516279_chk

From the ISPF Command Shell enter: TSS MODIFY FACILITY(ALL) enter TSS MODIFY FACILITY(<FACILITY>) If no Facility is defined with both the "MULTIUSER" and "ASUBM" attributes further analysis is not needed. For each Facility with "MULTIUSER" and "ASUBM" attribute, review the @ACIDS report to determine which ACID(s) has (have) the following: -A Master Facility of the Facility with "MULTIUSER" and "ASUBM" attribute, and, -The Facility of "BATCH" If each ACID that has the Master Facility of the Facility with "MULTIUSER" and "ASUBM" attribute and the Facility of "BATCH" is defined to the "PROPCNTL" resource class, this is not a finding.

Fix: F-25621r516280_fix

Ensure an associated ACID exists for all batch jobs and propagation control is being used. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required. The following Example shows the CONTROL-M STC ACID being owned to the PROPCNTL resource class: TSS ADD(deptacid) PROPCNTL(control-m-acid)

Generate Mitigation Statement:

Checks: C-25634r516282_chk

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. Ensure that each identified batch ACID is sourced to a specific submission process used only for batch processing. If the following guidance is true, this is not a finding. -The job scheduler is cross-authorized to the batch ACIDs. -The Facility of BATCH is specified for each batch ACID. -Batch ACIDs with facilities other than BATCH should be questioned to ensure they are truly used for batch processing only, especially if a non-expiring password is used. -The batch ACIDS may have the NOSUSPEND attribute.

Fix: F-25622r516283_fix

Ensure associated ACIDs exist for all batch jobs and documentation justifying access to system resources is maintained and filed with the ISSO. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the required changes.

Generate Mitigation Statement:

Checks: C-25635r516285_chk

From ISPF Command Shell enter: TSS MODIFY STATUS If the ADMINBY Control Option value is not set or set to "NOADMBY", this is a finding.

Fix: F-25623r516286_fix

Ensure ADMINBY control option is set to "ADMINBY" to record who when and where information in the ACID security record for administrative changes. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting "ADMINBY" and proceed with the change.

Generate Mitigation Statement:

Checks: C-25636r516288_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the LOG Control Option is NOT set to (SMF,INIT, SEC9, MSG), this is a finding.

Fix: F-25624r516289_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified below and proceed with the change. LOG(SMF,INIT, SEC9, MSG)

Generate Mitigation Statement:

Checks: C-25637r516291_chk

From ISPF Command Shell enter: Exec the CA-TSS TSSAUDIT Utility using CHANGES Control Statement. Note: If running Quest NC-Pass, validate that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class. If the MSCA password changes are documented in the change log, this is not a finding.

Fix: F-25625r516292_fix

Ensure that the MSCA password changes are documented with comments in the TSS Recovery file. The TSS Recovery file will be of sufficient size to ensure that the change is documented.

Generate Mitigation Statement:

Checks: C-25638r516294_chk

From the ISPF Command Shell enter: TSS WHOOWNS IBMFAC(IEASYMUP) If the TSS resources are owned or DEFPROT is specified for the resource class, this is not a finding. Enter TSS WHOHAS IBMFAC(IEASYMUP) If TSS resource access authorizations restrict UPDATE and/or greater access to DASD administrators, Tape Library personnel, and system programming personnel, this is not a finding.

Fix: F-25626r516295_fix

Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access. The following commands are provided as a sample for implementing resource controls: TSS ADD(ADMIN) IBMFAC(IEASYMUP) TSS PERMIT(<dasdsmpl>) IBMFAC(IEASYMUP) ACC(U) ACTION(AUDIT) TSS PERMIT(<syspsmpl>) IBMFAC(IEASYMUP) ACC(U) ACTION(AUDIT) TSS PERMIT(<tapesmpl>) IBMFAC(IEASYMUP) ACC(U) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25639r516297_chk

From the ISPF Command Shell enter: TSS LIST STC If *DEF* has action of *FAIL* this is not a finding. If the default ACID is defined enter: TSS List(&lt;defined ACID&gt;) If the ACID has no access to resources and no facility access and sourced to the internal reader, this is not a finding. If any of the above is untrue, this is a finding.

Fix: F-25627r516298_fix

Ensure the default STC ACID is defined in accordance with the following restrictions. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as specified. All STCs not defined to TSS will fail upon initiation. The following command may be used to associate all undefined STCs with a default action of FAIL: TSS ADD(STC) PROCNAME(DEFAULT) ACID(FAIL) If a valid requirement exists to establish a default STC, the following restrictions also apply: a. The ISSO will maintain the written request, justification, and authorization. b. The STC's ACID will have no other facilities permitted to it. c. The STC's ACID will have a permission of DSN(*****) ACCESS(NONE). TSS PERMIT(stc-acid) DSN(*****) ACCESS(NONE) d. The STC's ACID will not have any permission to the resources available to TSS. e. The STC's ACID will be sourced to the internal reader: ADD(stc-acid) SOURCE(INTRDR) f. An entry will be made in the STC table identifying the default ACID name as follows ("stc-acid" site defined): TSS ADD(STC) PROCNAME(DEFAULT) ACID(stc-acid)

Generate Mitigation Statement:

Checks: C-25641r868959_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) DATA(ALL,PA) TYPE(SCA) If the MSCA ACID has access limited to performing security administration functions only, this is not a finding. Below is an example of allowed setup for MSCA account and authorities. "MSCA" as the Accessorid is merely an example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the "NAME" field since they are responsible for the MSCA ACID. ACCESSORID = MSCA NAME = "primary SCA" TYPE = MASTER FACILITY = BATCH PROFILES = SECURID ATTRIBUTES = AUDIT,CONSOLE,NOATS data set = %. *. data set = ***** +. VOLUMES = *(G) XA data set = SYS3.TSS.BACKUP ACCESS = UPDATE ACTION = AUDIT ----------- ADMINISTRATION AUTHORITIES RESOURCE = *ALL* ACCESS = ALL ACID = *ALL* FACILITIES = *ALL* LIST DATA = *ALL*,PROFILES,PASSWORD,SESSKEY MISC1 = *ALL* MISC2 = *ALL* MISC4 = *ALL* MISC8 = *ALL* MISC9 = *ALL* NOTE 1: Update access to the backup security database is required by the MSCA account anytime the ISSO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database. NOTE 2: MSCA account must be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc.). Most often the ISSO staff will utilize their normal SCA account. The MSCA account will not be anyone's primary security administrative account.

Fix: F-25629r868960_fix

The ISSO will review the MSCA and ensure access granted is limited to those resources necessary to support the security administration function. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the changes. Below is an example of allowed setup for MSCA account and authorities. "MSCA" as the Accessorid is merely an example here, which is site determined. List is not all inclusive. The primary SCA for the domain will be listed within the "NAME" field since they are responsible for the MSCA ACID. ACCESSORID = MSCA NAME = "primary SCA" TYPE = MASTER FACILITY = BATCH PROFILES = SECURID ATTRIBUTES = AUDIT,CONSOLE,NOATS data set = %. *. data set = ***** +. VOLUMES = *(G) XA data set = SYS3.TSS.BACKUP ACCESS = UPDATE ACTION = AUDIT ----------- ADMINISTRATION AUTHORITIES RESOURCE = *ALL* ACCESS = ALL ACID = *ALL* FACILITIES = *ALL* LIST DATA = *ALL*,PROFILES,PASSWORD,SESSKEY MISC1 = *ALL* MISC2 = *ALL* MISC4 = *ALL* MISC8 = *ALL* MISC9 = *ALL* NOTE 1: Update access to the backup security database is required by the MSCA account anytime the ISSO needs to run/submit the TSS Utility called TSSFAR. MSCA account may from time to time be required to have additional access for the period of project such as Extending the Security Database. NOTE 2: MSCA account must be used for such items as: TSSFAR, EXTENDING Security Database, creating SCA/LSCA accounts, working with LSCA accounts (scoping, admin rights, etc). Most often the ISSO staff will utilize their normal SCA account. The MSCA account will not be anyone's primary security administrative account. NOTE 3: MSCA account must be limited in access, to least privileged access of resources required to function. NOTE 4: If running Quest NC-Pass, validate in ZNCP0020 that the MSCA ACID has the FACILITY of NCPASS and SECURID resource in the ABSTRACT resource class.

Generate Mitigation Statement:

Checks: C-25643r516309_chk

Execute TSS Report TSS AUDIT with PRIVILEGES control statement PRIVILEGES [SHORT]. For more information TSSAUDIT reports refer to the CA-TSS Report and Tracking Guide. Refer to the resulting report. If all security administrators have the "NOATS" attribute, this is not a finding.

Fix: F-25631r516310_fix

Review all security administrator ACIDs. Ensure the "NOATS" attribute has been assigned. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes. NOTE: The NOATS attribute may be added to an ACID or an ACID's PROFILE. The following command may be issued to determine if the NOATS attribute is defined to an ACID or an ACID's PROFILE: tss list(<acid>) data(basic,profile)

Generate Mitigation Statement:

Checks: C-25644r516312_chk

From the ISPF Command Shell enter: TSS MODIFY STATUS If the PTHRESH Control Option value is not set to "PTHRESH(2)", this is a finding.

Fix: F-25632r516313_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting as specified following and proceed with the change. PTHRESH(2)

Generate Mitigation Statement:

Checks: C-25645r516315_chk

From the ISPF Control Shell enter: TSS MODIFY STATUS If the VTHRESH Control Option values are not set to "VTHRRESH(10,NOT,CAN)", this is a finding.

Fix: F-25633r516316_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option setting to "VTHRESH(10,NOT,CAN)", and proceed with the change.

Generate Mitigation Statement:

Checks: C-25646r516318_chk

Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA Examine the BANNER statement. If the BANNER statement in the FTP Data configuration file specifies an HFS file or data set that contains a logon banner, this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Fix: F-25634r516319_fix

Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

Generate Mitigation Statement:

Checks: C-25647r516321_chk

If FTPDATA is configured with the following SMF statements, this is not a finding. FTP.DATA Configuration Statements SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out]

Fix: F-25635r868962_fix

Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below or that they are commented out. SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out] The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes: 70 - Append 70 - Delete and Multiple Delete 72 - Invalid Logon Attempt 70 - Rename 70 - Get (Retrieve) and Multiple Get 70 - Put (Store and Store Unique) and Multiple Put SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.

Generate Mitigation Statement:

Checks: C-25648r516324_chk

From the ISPF Command Shell enter: omvs At the input line enter: cd /usr/sbin/ enter ls -alW If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf cd ls -alW If the following file permission and user Audit Bits are true, this is not a finding. /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf NOTES: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding. The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The permission bits for /usr/sbin/tftpd should be set to 644. The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. Also, the permission bit setting for this file must be set as indicated in the table above. A more restrictive set of permissions is not permitted. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix: F-25636r516325_fix

With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server to conform to the specifications in the table below: FTP Server HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/ftpd 1740 fff /usr/sbin/ftpdns 1755 fff /usr/sbin/tftpd 0644 faf /etc/ftp.data 0744 faf /etc/ftp.banner 0744 faf The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file. The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing Some of the files listed above (e.g., /etc/ftp.data) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all files that do exist should have the specified permission and audit bit settings. The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/ftpd chaudit rwx=f /usr/lpp/tcpip/sbin/ftpd chmod 1755 /usr/lpp/tcpip/sbin/ftpdns chaudit rwx=f /usr/lpp/tcpip/sbin/ftpdns chmod 0744 /etc/ftp.data chaudit w=sf,rx+f /etc/ftp.data chmod 0744 /etc/ftp.banner chaudit w=sf,rx+f /etc/ftp.banner

Generate Mitigation Statement:

Checks: C-25649r516327_chk

If WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel this is not a finding. Note: READ access to all authenticated users is permitted. If WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged this is not a finding. If WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel this is not a finding. Note: READ access to the data set containing the FTP banner file is permitted to all authenticated users. Notes: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a finding. The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL. The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file.

Fix: F-25637r516328_fix

Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Configure these data sets to be protected as follows:

Generate Mitigation Statement:

Checks: C-25650r516330_chk

Ask the System administrator fora list(s) of the locations for all FTP Control cards within a given application/AIS, ensuring no FTP control cards are within in-stream JCL, JCL libraries or any open access data sets. If access to PDS files where FTP Control cards are stored are not restricted to appropriate personnel this is a finding.

Fix: F-25638r516331_fix

Make sure that the FTP control Cards for each FTP are stored in a secure PDS and that they are not placed in the JCL libraries or in the in-stream JCL for each FTP.

Generate Mitigation Statement:

Checks: C-25651r868964_chk

Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. Refer to the file(s) allocated by the STEPLIB DD statement in the FTP started task JCL. Refer to the libraries specified in the system Linklist and LPA. If any FTP Server exits are in use, identify them and validate that they were reviewed for integrity and approved by the site AO. Refer to the following items are in effect for FTP Server user exits: The FTCHKCMD, FTCHKIP, FTCHKJES, FTCHKPWD, FTPSMFEX and FTPOSTPR modules are not located in the FTP daemon's STEPLIB, Linklist, or LPA. NOTE: The ISPF ISRFIND utility can be used to search the system Linklist and LPA for specific modules. If both of the above are true, this is not a finding. If any FTP Server user exits are implemented and the site has not had the site systems programmer verify the exit was securely written and installed, this is a finding.

Fix: F-25639r516334_fix

Review the configuration statements in the FTP.DATA file. Review the FTP daemon STEPLIB, system Linklist, and Link Pack Area libraries. If FTP Server exits are enabled or present, and have not been approved by the site ISSM and not securely written and implemented by the site systems programmer, they should not be installed. Verify that none of the following exits are installed unless they have met the requirements listed above: FTCHKCMD FTCHKIP FTCHKJES FTCHKPWD FTPOSTPR FTPSMFEX

Generate Mitigation Statement:

Checks: C-25652r868966_chk

From the ISPD Command Shell enter: TSS LIST(FTPD) SEGMENT(OMVS) NOTE: The JCL member is typically named FTPD If the FTPD ACID has the STC facility, this is not a finding. If the FTPD ACID has the following z/OS UNIX attributes, this is not a finding. UID(0), HOME directory '/', shell program /bin/sh.

Fix: F-25640r868967_fix

Configure FTP daemon with the following items: -The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD. -The FTP daemon ACID is FTPD. -The FTPD ACID has the STC facility. -The FTPD ACID has the following z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh. For example: TSS CREATE(FTPD) TYPE(USER) NAME(FTPD) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(FTPD) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(FTPD) SOURCE(INTRDR) TSS ADD(FTPD) UID(0) HOME(/) OMVSPGM(/bin/sh) TSS ADD(FTPD) MASTFAC(TCP) TSS ADD(STC) PROCNAME(FTPD) ACID(FTPD) TSS PERMIT(FTPD) IBMFAC(BPX.DAEMON) ACCESS(READ) TSS PERMIT(FTPD) IBMFAC(BPX.POE) ACCESS(READ) TSS PERMIT(FTPD) SERVAUTH(EZB.STACKACCESS.)ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25653r516339_chk

Refer to the file specified on the SYSFTPD DD statement in the FTP started task JCL. If the INACTIVE statement is coded with a value greater than "600", this is a finding. If the INACTIVE statement is coded with a value of "0", this is a finding. If there is no INACTIVE statement coded or the INACTIVE statement is commented out, this is a finding.

Fix: F-25641r516340_fix

Code the FTPD configuration file to include the INACTIVE statement with a value between "1" and "600".

Generate Mitigation Statement:

Checks: C-25654r868969_chk

Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If all the items below are true, this is not a finding. If any of the items below are untrue, this is a finding. The following items are in effect for the FTP daemon's started task JCL: -The SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively. -The ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement. -The ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement. -The INACTIVE keyword is not coded on the PARM parameter on the EXEC statement. The AUTOLOG statement block can be configured to have TCP/IP start the FTP Server. The FTP entry (e.g., FTPD) can include the PARMSTRING parameter to pass parameters to the FTP procedure when started. NOTE: Parameters passed on the PARMSTRING parameter override parameters specified in the FTP procedure. If an FTP entry is configured in the AUTOLOG statement block in the TCP/IP Profile configuration file, ensure the following items are in effect: -The ANONYMOUS keyword is not coded on the PARMSTRING parameter. -The ANONYMOUS=logonid combination is not coded on the PARMSTRING parameter. -The INACTIVE keyword is not coded on PARMSTRING parameter.

Fix: F-25642r868970_fix

Review the FTP daemon's started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements. The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters. The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon's started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file. The systems programmer responsible for supporting ICS will ensure that the FTP daemon's started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.

Generate Mitigation Statement:

Checks: C-25655r516345_chk

Refer to the file specified on the SYSFTPD DD statement in the FTP started task JCL. If the BANNER statement is not coded or is commented out, this is a finding.

Fix: F-25643r516346_fix

Code the FTPD configuration file to include the BANNER statement that points to the Standard Mandatory DoD Notice and Consent Banner statement.

Generate Mitigation Statement:

Checks: C-25656r516348_chk

Refer to the FTP.DATA file specified on the SYSFTPD DD statement in the FTP started task JCL. The SYSFTPD DD statement is optional. The search order for FTP.DATA is: /etc/ftp.data SYSFTPD DD statement jobname.FTP.DATA SYS1.TCPPARMS(FTPDATA) tcpip.FTP.DATA Examine the BANNER statement. If the BANNER statement in the FTP Data configuration file specifies an HFS file or data set that contains a logon banner, this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Fix: F-25644r516349_fix

Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

Generate Mitigation Statement:

Checks: C-25657r516351_chk

From the ISPF Command Shell enter: TSS WHOOWNS PROGRAM(*) If the Program resources TFTPD and EZATD are owned appropriately in the PROGRAM resource class, this is not a finding. Enter TSS WHOHAS(TFTPD) TSS WHOHAS(EZATD) If no access to the program resources TFTPD and EZATD is permitted, this is not a finding.

Fix: F-25645r516352_fix

Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required. Ensure that the EZATD program and its alias TFTPD are defined to CA-TSS and no access to the program resources TFTPD and EZATD is permitted. The following commands provide a sample of how to protect the TFTP server program by assigning ownership and no permissions: TSS ADD(ADMIN) PROGRAM(TFTPD,EZATD)

Generate Mitigation Statement:

Checks: C-25658r516354_chk

From the ISPF Command Shell enter: WHOOWNS OPERCMDS(JES2) NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. If the JES2. resource is not owned, or is owned inappropriately, in the OPERCMDS class, this is a finding.

Fix: F-25646r516355_fix

The JES2. resource must be owned in the OPERCMDS class. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security: For Example: The following command may be used to establish default protection for JES2 system commands defined to the OPERCMDS resource class: TSS ADDTO(deptacid) OPERCMDS(JES2.)

Generate Mitigation Statement:

Checks: C-25659r516357_chk

Refer to SYS1.PARMLIB (JES2PARM) For each node entry If all JES2 defined NJE nodes and RJE workstations have a profile defined in the IBMFAC resource class, this is not a finding. Notes: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for "NODE(" in the report. Workstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for "RMT(" in the report. NJE. and RJE. definitions will force logonid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles. If any JES2 defined NJE node or RJE workstation is not owned in the IBMFAC class, this is a finding.

Fix: F-25647r516358_fix

Ensure associated USERIDs exist for all RJE/NJE sources and review the authorizations for these remote facilities. Develop a plan of action and implement the changes as required by the OS/390 STIG.

Generate Mitigation Statement:

Checks: C-25660r516360_chk

Refer the JES2PARM member of SYS1.PARMLIB Review the following resources in the JESINPUT resource class: NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned. INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) Note 1: Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for "NODE(" in the report. Note 2: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for "OFF(" in the report. Note 3: Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for "RMT(" in the report. Note 4: RDRnn, where nn is the number of the reader. Review the reader definitions by searching for "RDR(" in the report. From the ISPF Command Shell enter: TSS WHOOWNS JESINPUT(*) If all of the resources above are owned by generic and/or fully qualified entries in the JESINPUT resource class, this is not a finding. If any of the above resources are not owned, or are owned inappropriately, in the JESINPUT resource class, this is a finding.

Fix: F-25648r516361_fix

Review the following resources in the JESINPUT resource class: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) Note: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. Note 1: Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for "NODE(" in the report. Note 2: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for "OFF(" in the report. Note 3: Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for "RMT(" in the report. Note 4: RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for "RDR(" in the report. Ensure all of the defined resources above are owned by generic and/or fully qualified entries in the JESINPUT resource class. For Example: The following commands may be used to establish default protection for resources defined to the JESINPUT resource class: TSS ADDTO(deptacid) JESINPUT(OFFn.) Grant read access to authorized users for each of the resources defined to the JESINPUT resource class. The following is an example of granting operators with a profile ACID of jesopracid permission to restore jobs into any SPOOL off load processor after obtaining permission from the ISSO: TSS PERMIT(jesopracid) JESINPUT(OFF*.) ACCESS(READ) ACTION(AUDIT) The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent).

Generate Mitigation Statement:

Checks: C-25661r516363_chk

From the ISPF Command Shell enter: TSS WHOOWNS JESINPUT(*) For each resource owned If all of the TSS resources and/or generic equivalent identified above are defined with access restricted to the appropriate personnel, this is not a finding. If any of the TSS resources and/or generic equivalent identified above are not defined with access restricted to the appropriate personnel, this is a finding. From the ISPF Command Shell enter: TSS LIST RDT(*) If the JESINPT RESOURCE does not have DEFPROT as an attribute, this is a finding.

Fix: F-25649r516364_fix

Configure access authorization for resources defined to the JESINPUT resource class to be restricted to the appropriate personnel. Grant read access to authorized users for each of the following input sources: INTRDR nodename OFFn.* OFFn.JR OFFn.SR Rnnnn.RDm RDRnn STCINRDR TSUINRDR and/or TSOINRDR The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent). The default access will be NONE except for sources that are permitted to submit jobs for all users. Those resources may be defined as either NONE or READ.

Generate Mitigation Statement:

Checks: C-25662r516366_chk

Refer the JES2PARM member of SYS1.PARMLIB Review the WRITER resource in the JESINPUT resource class: NOTE: If the WRITER resource is not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned. From the ISPF Command Shell enter: TSS WHOOWNS JESINPUT(WRITER) If the WRITER resource is owned by generic and/or fully qualified entries in the JESINPUT resource class, this is not a finding.

Fix: F-25650r516367_fix

Ensure the following items are in effect: -The JES2. resource is owned in the WRITER resource class. For Example: The following command may be used to establish default protection for resources defined to the WRITER resource class: TSS ADDTO(deptacid) WRITER(JES2.) -The ownership of all WRITER resources is appropriate. Grant read access to authorized users for each of the following WRITER resource class output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFF*.JT JES2.LOCAL.OFF*.ST JES2.LOCAL.PRT* JES2.LOCAL.PUN* JES2.NJE.nodename JES2.RJE.devicename The following is an example of granting operators with a profile ACID of jesopracid permission to off load SYSOUT data sets into any SPOOL off load processor after obtaining permission from the ISSO: TSS PERMIT(jesopracid) WRITER(JES2.LOCAL.OFF*.ST) - ACCESS(READ) ACTION(AUDIT) The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent).

Generate Mitigation Statement:

Checks: C-25663r516369_chk

If the Classification of the system is unclassified, this is not applicable. From the ISPF Command Shell enter: TSS WHOHAS WRITER(JES2.) If the TSS WRITER resource or generic equivalent identified above is defined with access restricted to the appropriate personnel, this is not a finding. If the TSS WRITER resource or generic equivalent identified above is not defined with access restricted to the appropriate personnel, this is a finding. From the ISPF Command Shell enter: TSS LIST RDT(*) If the JESINPUT RESOURCE does not have DEFPROT as an attribute, this is a finding.

Fix: F-25651r868975_fix

Configure access authorization for resources defined to the WRITER resource class to be restricted to the operators and system programmers on a classified system only. Define resources in the ACP's respective WRITER class for each of the following output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.

Generate Mitigation Statement:

Checks: C-25664r516372_chk

Refer the JES2PARM member of SYS1.PARMLIB. Review the JESSPOOL resource in the JESINPUT resource class: NOTE: If the JESSPOOL resource is not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned. From the ISPF Command Shell enter: TSS WHOOWNS JESINPUT(JESSPOOL) If the JESSPOOL resource is owned by generic and/or fully qualified entries in the JESINPUT resource class, this is not a finding.

Fix: F-25652r516373_fix

Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. The following command may be used to establish default protection for resources defined to the JESSPOOL resource class: TSS ADDTO(deptacid) JESSPOOL(localnodeid.) Due to the protection established with the previous command, the following command should be issued to ensure users are able to access their own spool data: TSS PERMIT(ALL) JESSPOOL(localnodeid.%) ACCESS(ALL)

Generate Mitigation Statement:

Checks: C-25665r516375_chk

From the ISPF Command Shell enter: TSS WHOHAS OPERCMDS(JES2.) NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. If access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged, this is not a finding.

Fix: F-25653r868977_fix

Configure access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class to restrict CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and ensure all access is logged. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. For example: The following command example may be used to allow all valid TOP SECRET users read access to the JES News data set: TSS PERMIT(ALL) JESSPOOL(localnodeid.jesid.$JESNEWS.*.*.JESNEWS) - ACCESS(READ) The following is a sample command to allow production control personnel with a profile ACID of prodacid to update the JES News data set: TSS PERMIT(prodacid) OPERCMDS(JES2.UPDATE.JESNEWS) - ACCESS(CONTROL) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25666r516378_chk

From the ISPF Command Shell enter: TSS WHOOWNS JESSPOOL(*) If JESSPOOL localnodeid resource is not defined, this is a finding. Enter TSS WHOHAS JESSPOOL(localnodeid.) Review the following resources defined to the JESSPOOL resource class: localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.-.SYSLOG NOTE: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.*.*.*.JESTRACE localnodeid.+MASTER+.*.*.*.SYSLOG or localnodeid.+BYPASS+.*.*.*.SYSLOG NOTE: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. If the access authorization for the resources mentioned above is restricted to the following, this is not a finding. -ACID(s) associated with external writer(s) can have complete access. NOTE: An external writer is an STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. -Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access. -Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource.

Fix: F-25654r516379_fix

Configure the access authorization for resources defined to the JESTRACE and SYSLOG resources in the JESSPOOL resource class to be restricted to the appropriate personnel. Review the following resources defined to the JESSPOOL resource class: localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.*.SYSLOG NOTE: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.$TRCLOG. localnodeid.+MASTER+.SYSLOG. or localnodeid.+BYPASS+.SYSLOG. NOTE: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE. Ensure that access authorization for the resources mentioned above is restricted to the following: -ACID(s) associated with external writer(s) can have complete access. NOTE: An external writer is a STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00. -Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access. -Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource. For Example: TSS ADD(dept-acid) JESSPOOL(localnodeid) TSS PERMIT(<syspsmpl>) JESSPOOL(localnodeid.JES2.$TRCLOG.) ACCESS(ALL) TSS PERMIT(<secasmpl>) JESSPOOL(localnodeid.JES2.$TRCLOG.) ACCESS(ALL) TSS PERMIT(<syspsmpl>) JESSPOOL(localnodeid.+MASTER+.SYSLOG.) ACCESS(ALL) TSS PERMIT(<secasmpl>) JESSPOOL(localnodeid.+MASTER+.SYSLOG.) ACCESS(ALL) TSS PERMIT(<appdsmpl>) JESSPOOL(localnodeid.+MASTER+.SYSLOG.) ACCESS(READ) TSS PERMIT(<appssmpl>) JESSPOOL(localnodeid.+MASTER+.SYSLOG.) ACCESS(READ) or TSS PERMIT(<syspsmpl>) JESSPOOL(localnodeid.+BYPASS+.SYSLOG.) ACCESS(ALL) TSS PERMIT(<secasmpl>) JESSPOOL(localnodeid.+BYPASS+.SYSLOG.) ACCESS(ALL) TSS PERMIT(<appdsmpl>) JESSPOOL(localnodeid.+BYPASS+.SYSLOG.) ACCESS(READ) TSS PERMIT(<appssmpl>) JESSPOOL(localnodeid.+BYPASS+.SYSLOG.) ACCESS(READ)

Generate Mitigation Statement:

Checks: C-25667r516381_chk

From the ISPF Command Shell enter: TSS WHOHAS JESSPOOL(localnodeid.) If the following guidance is true, this is not a finding. Review the JESSPOOL report for resource permissions with the following naming convention. These permissions may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.useracid.jobname.jobid.dsnumber.name localnodeid - The name of the node on which the SYSIN or SYSOUT data set currently resides. useracid - The user ACID associated with the job. This is the user ACID TSS uses for validation purposes when the job runs. jobname - The name that appears in the name field of the JOB statement. jobid - The job number JES2 assigned to the job. dsnumber - The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name - The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). All users must have access to their own JESSPOOL resources. Permission can be granted by resource permission JESSPOOL(localnodeid.%.) ACCESS(ALL). This permission can be given to profiles, individual user, and/or the ALL record. Access to this resource does not require logging. Ensure the following items are in effect: The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel, with access of ALL. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc.) The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function. All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. All access will be logged. Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required.

Fix: F-25655r868979_fix

Configure the following items to be in effect for JESSPOOL resources. The JESSPOOL may have more restrictive security at the direction of the ISSO. The JESSPOOL resources may be fully qualified, be specified as generic, or be specified with masking as indicated below: localnodeid.userid.jobname.jobid.dsnumber.name localnodeid - The name of the node on which the SYSIN or SYSOUT data set currently resides. userid - The userid associated with the job. This is the userid used for validation purposes when the job runs. jobname - The name that appears in the name field of the JOB statement. jobid - The job number JES2 assigned to the job. dsnumber - The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier. name - The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?). All users must have access to their own JESSPOOL resources. Permission can be granted by resource permission JESSPOOL(localnodeid.%.) ACCESS(ALL). This permission can be given to profiles, individual user, and/or the ALL record. Access to this resource does not require logging. Example: TSS ADDTO(deptacid) JESSPOOL(localnode.) TSS PERMIT(ALL) JESSPOOL(localnode.%.) ACCESS(ALL) The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel, with access of ALL. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc.) Example: TSS PERMIT(syspsmpl) JESSPOOL(localnodeid.) ACCESS(ALL) ACTION(AUDIT) The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the ISSO. Access will be identified at the minimum access for the user to accomplish the users function. All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. If frequent situations occur where users working on a common project require selective access to each other's jobs, then the installation may delegate to the individual users the authority to grant access, but only with the approval of the ISSO. Example: TSS PERMIT(Project1-profile) JESSPOOL(localnodeid.UMO) ACCESS(ALL) If IBM's SDSF product is installed on the system, resources defined to the JESSPOOL resource class control functions related to jobs, output groups, and SYSIN/SYSOUT data sets on various SDSF panels. CSSMTP will not be granted to the JESSPOOL resource of the high level "node." or "localnodeid.". CSSMTP can have access to the specific approved JESSPOOL resources, minimally qualified to the "node.userid." and all access will be logged. This will ensure system records who (userid) sent traffic to CSSMTP, when and what job/process. Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the ISSO. Logging of access is not required. The ISSO will review JESSPOOL resource rules. If a rule has been determined not to have been used within the last two years, the rule will be removed.

Generate Mitigation Statement:

Checks: C-25668r516384_chk

From the ISPF Command Shell enter: TSS WHOHAS OPERCMDS(JES2.) If the JES2.** resource is defined to the OPERCMDS class with an access of NONE and all access is logged, this is not a finding. If access to JES2 system commands defined in the IBM z/OS JES2 commands is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), this is not a finding. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

Fix: F-25656r516385_fix

Extended MCS support allows the installation to control the use of JES2 system commands through the ESM. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL. To control access to JES2 system commands, apply the following: implementing security: Define the JES2.** resource in the OPERCMDS class with an access of NONE and all access is logged. Define the JES2 system commands as specified in the IBM z/OS JES2 Commands to be restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), as determined in the documented site Security Plan. Define the JES2 system commands with proper logging as determined in the documented site Security Plan. Note: Display commands and others as deemed by the site IAW site security plan may be allowed for all users with no logging. Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here: RDEF OPERCMDS JES2.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') RDEF OPERCMDS JES2.<command>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') PE JES2.<command>.** CL(OPERCMDS) ID(<syspsmpl>) ACC(U) SETR RACL(OPERCMDS) REF

Generate Mitigation Statement:

Checks: C-25669r516387_chk

From the ISPF Command Shell enter: TSS LIST(ACIDS) DATA(XA) If no XA ACID entries exist in the above reports, this is not applicable. For each ACID identified in the XA ACID entries, if the following items are true regarding ACID permissions, this is not a finding. -ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH; at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging. -Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. -Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Fix: F-25657r516388_fix

For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions: -ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging. -ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA). -Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Cross-Authorized ACIDs: Keep ACID cross authorization of ACIDs outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to have no ACID Cross Authorization except for the appropriate Scheduling task/software for production scheduling purposes as documented. Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period is determined by site policy. Access authorization is restricted to the minimum number of personnel required for running production jobs. However, ACID Cross Authorization usage must not become the default for all jobs submitted by individual userids (i.e., system programmer will use their assigned individual userids for software installation, duties, whereas a Cross-Authorized ACID would normally be utilized for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users. Grant access to the user ACID for each cross-authorized ACID required: For Example: TSS PERMIT(ACID) ACID(Cross-Authorized ACID) ACTION(AUDIT) For production ACIDs being used by CONTROLM: TSS PER(CONTROLM)ACID(production user ACID)

Generate Mitigation Statement:

Checks: C-25670r516390_chk

From an ISPF Command line enter: TSO ISRDDN APF An APF List results. On the Command line enter: DUPlicates (Make sure there is appropriate access. If there is not, you may receive insufficient access errors.) If any of the list of Sensitive Utilities exist in the duplicate APF modules returned, this is a finding. The following list contains Sensitive Utilities that will be checked. AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV TMSREMOV TMSTPNIT TMSUDSNB

Fix: F-25658r516391_fix

Review and ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the ISSO. Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns so that the function can be restricted as required.

Generate Mitigation Statement:

Checks: C-25671r868981_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. If all of the required SMF record types identified below are collected, this is not a finding. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type

Fix: F-25659r868982_fix

Ensure that SMF recording options are consistent with those outlined below. IBM SMF Records to be collected at a minimum: 0 (00) - IPL 6 (06) - External Writer/ JES Output Writer/ Print Services Facility (PSF) 7 (07) - [SMF] Data Lost 14 (0E) - INPUT or RDBACK Data Set Activity 15 (0F) - OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity 17 (11) - Scratch Data Set Status 18 (12) - Rename Non-VSAM Data Set Status 24 (18) - JES2 Spool Offload 25 (19) - JES3 Device Allocation 26 (1A) - JES Job Purge 30 (1E) - Common Address Space Work 32 (20) - TSO/E User Work Accounting 41 (29) - DIV Objects and VLF Statistics 42 (2A) - DFSMS statistics and configuration 43 (2B) - JES Start 45 (2D) - JES Withdrawal/Stop 47 (2F) - JES SIGNON/Start Line (BSC)/LOGON 48 (30) - JES SIGNOFF/Stop Line (BSC)/LOGOFF 49 (31) - JES Integrity 52 (34) - JES2 LOGON/Start Line (SNA) 53 (35) - JES2 LOGOFF/Stop Line (SNA) 54 (36) - JES2 Integrity (SNA) 55 (37) - JES2 Network SIGNON 56 (38) - JES2 Network Integrity 57 (39) - JES2 Network SYSOUT Transmission 58 (3A) - JES2 Network SIGNOFF 60 (3C) - VSAM Volume Data Set Updated 61 (3D) - Integrated Catalog Facility Define Activity 62 (3E) - VSAM Component or Cluster Opened 64 (40) - VSAM Component or Cluster Status 65 (41) - Integrated Catalog Facility Delete Activity 66 (42) - Integrated Catalog Facility Alter Activity 80 (50) - RACF/TOP SECRET Processing 81 (51) - RACF Initialization 82 (52) - ICSF Statistics 83 (53) - RACF Audit Record For Data Sets 90 (5A) - System Status 92 (5C) except subtypes 10, 11 - OpenMVS File System Activity 102 (66) - DATABASE 2 Performance 103 (67) - IBM HTTP Server 110 (6E) - CICS/ESA Statistics 118 (76) - TCP/IP Statistics 119 (77) - TCP/IP Statistics 199 (C7) - TSOMON 230 (E6) - ACF2 or as specified in ACFFDR (vendor-supplied default is 230) 231 (E7) - TSS logs security events under this record type

Generate Mitigation Statement:

Checks: C-25672r516396_chk

If the session manager in use initiates a session lock after a 15-minute period of inactivity for all connection types, this is not a finding.

Fix: F-25660r516397_fix

Configure the session manager in use to initiate a session lock after a 15-minute period of inactivity for all connection types.

Generate Mitigation Statement:

Checks: C-25673r868984_chk

Review the FACILITY resource class for BPX.SMF. If the RACF rules are as follows, this is not a finding. BPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.

Fix: F-25661r868985_fix

Configure Facility resource class for BPX.SMF as follows: BPX.SMF.119.94 - READ allowed for users running the ssh, sftp, or scp client commands. BPX.SMF.119.96 - READ allowed for users running the scp or sftp-server server commands. BPX.SMF.119.97 - READ allowed for users running the scp or sftp client commands. The following profile grants the permitted users the authority to write or test for any SMF record being recorded. Access should be permitted as follows: BPX.SMF - READ access only when documented and justified in Site Security Plan. Documentation should include a reason why a more specific profile is not acceptable.

Generate Mitigation Statement:

Checks: C-25674r516402_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84,IEFUJP,IEFUSO), INTERVAL(SMF,SYNC),NODETAIL) If the SMF collection options are specified as stated below with exception of those specified in the above NOTEs, this is not a finding. The settings for several parameters are critical to the collection process: ACTIVE Activates the collection of SMF data. MAXDORM(0500) Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Value is site defined. SID Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) Controls the level of detail recorded. SYS(INTERVAL) Ensures the periodic recording of data for long running jobs. SYS Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum, all record types are listed.

Fix: F-25662r516403_fix

Ensure that collection options for SMF Data are consistent with options specified below. Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below. The settings for several parameters are critical to the collection process: ACTIVE Activates the collection of SMF data. MAXDORM(mmss) Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set. Use the MAXDORM parameter to minimize the amount of data lost because of system failure. This value is site determined and should be carefully configured. SID Specifies the system ID to be recorded in all SMF records. SYS(DETAIL) Controls the level of detail recorded. SYS(INTERVAL) Ensures the periodic recording of data for long running jobs. SYS Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types not listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types are listed.

Generate Mitigation Statement:

Checks: C-25675r516405_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member in SYS1.PARMLIB. If BUFUSEWARN is set for "75" (75%) or less, this is not a finding.

Fix: F-25663r516406_fix

Configure the BUFUSEWARN statement in SMFPRMxx to "75" (75%) or less.

Generate Mitigation Statement:

Checks: C-25676r516408_chk

Ask the system administrator to determine if the system PASSWORD data set and OS passwords are being used. If, based on the information provided, it can be determined that the system PASSWORD data set and OS passwords are not used, this is not a finding. If it is evident that OS passwords are utilized, this is a finding.

Fix: F-25664r516409_fix

System programmers will ensure that the old OS Password Protection is not used and any data protected by the old OS Password technology is removed and protection is replaced by the ACP. Review the contents of the PASSWORD data set. Ensure that any protections it provides are provided by the ACP and delete the PASSWORD data set. Access to data sets on z/OS systems can be protected using the OS password capability of MVS. This capability has been available in MVS for many years, and its use is commonly found in data centers. Since the advent of ACPs, the use of OS passwords for file protection has diminished, and is commonly considered archaic and of little use. The use of z/OS passwords is not supported by all the ACPs.

Generate Mitigation Statement:

Checks: C-25677r516411_chk

Refer to the System proclibs for the TSS STC. If the Security database is located on the same volume as either the backup, Alternate or Recovery file, this is a finding.

Fix: F-25665r516412_fix

Configure the placement of ESM files are on a separate volume from its backup and recovery data sets to provide backup and recovery in the event of physical damage to a volume. Identify the ESM database(s), backup database(s), and recovery data set(s). Develop a plan to keep these data sets on different physical volumes. Implement the movement of these critical ESM files. File location is an often overlooked factor in system integrity. It is important to ensure that the effects of hardware failures on system integrity and availability are minimized. Avoid collocation of files such as primary and alternate databases. For example, the loss of the physical volume containing the ESM database should not also cause the loss of the ESM backup database as a result of their collocation. Files that will be segregated from each other on separate physical volumes include, but are not limited to, the ESM database and its alternate or backup file.

Generate Mitigation Statement:

Checks: C-25678r516414_chk

Refer to the TSS Proclib PARMFILE DD to determine the PARM member. If the BACKUP is missing or coded with blank or OFF this is a finding. Note: If the security data base is shared only one of the systems is required to configure the BACKUP option in the PARMFILE. Determine that the option is properly coded on one of the systems that share the security database. From the ISPF Command Shell enter: TSS MODIFY(Status) If the backup parameter is active with a valid time this is not a finding.

Fix: F-25666r516415_fix

Configure the TSS PARMLIB BACKUP parameter to include BACKUP statement with a valid time. Additionally, configure the BACKUP parameter in the TSS Parmfile to include BACKUP statement with a valid time for nightly backups.

Generate Mitigation Statement:

Checks: C-25679r516417_chk

Examine the policy agent policy statements. If it can be determined that the policy agent employs a deny-all, allow-by exception firewall policy for allowing connections to other systems this is not a finding.

Fix: F-25667r516418_fix

Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

Generate Mitigation Statement:

Checks: C-25680r516420_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper APF and/or PROG member. Examine each entry and verify that it exists on the specified volume. If inaccessible APF libraries exist, this is a finding. ISRDDN APF

Fix: F-25668r516421_fix

Review the entire list of APF authorized libraries and remove those that are no longer valid designations.

Generate Mitigation Statement:

Checks: C-25681r868987_chk

Review program entries in the IBM Program Properties Table (PPT). You may use a third-party product to examine these entries; however, to determine program entries, issue the following command from an ISPF command line: TSO ISRDDN LOAD IEFSDPPT Press Enter. Interpret the display as follows: Examine contents at offset 8 Hex 'x2' - Bypass Password Protection Hex 'x3' - Bypass Password Protection Hex 'x4' - No data set Integrity Hex 'x5' - No data set Integrity Hex 'x6' - Both Hex 'x7' - Both Determine Privilege Key at offset 9. A value of hex '70' or less indicates an elevated privilege. For each module identified in the "eyecatcher" that has BYPASS Password Protection, No data set Integrity, an elevated Privilege Key, or any combination thereof, determine if there is a valid loaded module. Again, you may use a third-party product; otherwise, execute the following steps: From an ISPF command line TSO ISRDDN LOAD &lt;privileged module&gt; Press Enter. If the return message is "Load Failed", make sure there is an entry in PARMLIB member SCHEDxx that revokes the excessive privilege. If this is not true, this is a finding.

Fix: F-25669r868988_fix

Review the PPT and define all entries associated with nonexistent or inapplicable modules as invalidated. Nullify the invalid IEFSDPPT entry by ensuring that there is a corresponding SCHED entry, which confers no special attributes. Use the following recommendations and techniques to provide protection for the PPT: Review the IEFSDPPT module and all programs that IBM has, by default, placed in the PPT to validate their applicability to the execution system. Refer to the IBM z/OS MVS Initialization and Tuning Reference documentation for the version and release of z/OS installed at the individual site for the actual contents of the default IEFSDPPT. Modules for products not in use on the system will have their special privileges explicitly revoked. Do this by placing a PPT entry for each module in the SYS1.PARMLIB(SCHEDxx) member, specifying no special privileges. The PPT entry for each overridden program will be in the following format, accepting the default (unprivileged) values for the sub parameters: PPT PGMNAME(<program name>) Assemble documentation regarding these PPT entries, and the ISSO will keep it on file. Include the following in the documentation: -The product and release for which the PPT entry was made -The last date this entry was reviewed to authenticate status -The reason the module's privileges are being revoked

Generate Mitigation Statement:

Checks: C-25682r516426_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. If "LNKAUTH=APFTAB" is not specified, this is a finding.

Fix: F-25670r516427_fix

Configure LNKAUTH=APFTAB in the IEASYS00 member of PARMLIB.

Generate Mitigation Statement:

Checks: C-25683r516429_chk

Check HMC, VM, and z/OS on how to validate and determine a DASD volume(s) is shared. Note: In VM issue the command "QUEUE DASD SYSTEM" this display will show shared volume(s) and indicates the number of systems sharing the volume. Validate all machines that require access to these shared volume(s) have the volume(s) mounted. Obtain a map or list VTOC of the shared volume(s). Check if shared volume(s) contain any critical or sensitive data sets. Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, Catalogs, etc, as well as product data sets. If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding. List critical or sensitive data sets are possible security breaches, if not justified and not protected on systems having access to the data set(s) and on shared volume(s).

Fix: F-25671r516430_fix

Configure all identified volumes of shared DASD to be valid within the following. HMC VM z/OS If the shared volume(s) are valid and systems having access to these shared volume(s) are valid, map disk/VTOC list to obtain data sets on the shared volume(s). From this list obtain a list of sensitive and critical system data sets that are found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s). The ISSO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s). Protecting the data set(s) whether the data set(s) are used or not used on the systems that have the shared volume(s) available to them.

Generate Mitigation Statement:

Checks: C-25684r516432_chk

Examine the Policy Agent policy statements. If it can be determined that there are policy statements that manages excess capacity, this is not a finding.

Fix: F-25672r516433_fix

Develop Policy application and Policy agent to manage excess capacity.

Generate Mitigation Statement:

Checks: C-25686r998405_chk

Ask the SA for the documented process to notify appropriate personnel when accounts are created. If there is no documented process, this is a finding.

Fix: F-25674r516439_fix

Develop a documented process to notify appropriate personnel when accounts are created.

Generate Mitigation Statement:

Checks: C-25687r998407_chk

Ask the SA for the documented process to notify appropriate personnel when accounts are modified. If there is no documented process, this is a finding.

Fix: F-25675r516442_fix

Develop a documented process to notify appropriate personnel when accounts are modified.

Generate Mitigation Statement:

Checks: C-25688r998409_chk

Ask the SA for the documented process to notify appropriate personnel when accounts are deleted. If there is no documented process, this is a finding.

Fix: F-25676r516445_fix

Develop a documented process to notify appropriate personnel when accounts are deleted.

Generate Mitigation Statement:

Checks: C-25689r998411_chk

Ask the SA for the documented process to notify appropriate personnel when accounts are removed. If there is no documented process, this is a finding.

Fix: F-25677r516448_fix

Develop a documented process to notify appropriate personnel when accounts are removed.

Generate Mitigation Statement:

Checks: C-25691r516453_chk

From an ISPF Command line enter: TSO ISRDDN LPA Review the list. If there are any DUMMY entries, i.e., inaccessible LPA libraries, this is a finding.

Fix: F-25679r516454_fix

Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies. The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization. Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB: - LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].) - IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) - IEALPAxx specifies the names of modules that will be loaded from the following: ? SYS1.SVCLIB ? The LPALSTxx concatenation ? The LNKLSTxx concatenation as a temporary extension to the existing Pageable LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LPA facility: -The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers and verify them in accordance with the system catalog. Software Support will remove all non-existent libraries. The ISSO should modify and/or delete the rules associated with these libraries.

Generate Mitigation Statement:

Checks: C-25692r516456_chk

From and ISPF Command line enter: TSO ISRDDN LINKLIST Review the list, if there are any DUMMY entries i.e., inaccessible LINKLIST libraries, this is a finding.

Fix: F-25680r516457_fix

Review all entries contained in the LINKLIST for the actual existence of each library. Develop a plan of action to correct deficiencies. The Linklist is a default set of libraries that MVS searches for a specified program. This facility is used so that a user does not have to know the library names in which utility types of programs are stored. Control over membership in the Linklist is specified within the operating system. The data set SYS1.PARMLIB(LNKLSTxx) is used to specify the library names. (The xx is the suffix designated by the LNK parameter in the IEASYSxx member of SYS1.PARMLIB, or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LINKLIST facility: 441-1Avoid inclusion of sensitive libraries in the LNKLSTxx member unless absolutely required. -The LNKLSTxx and PROGxx (LNKLST entries) members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The ISSO should modify and/or delete the rules associated with these libraries.

Generate Mitigation Statement:

Checks: C-25694r516462_chk

Review the SMF dump procedure in there system. If the output data sets in the procedure have storage capacity to store at least one weeks' worth of audit data, this is not a finding.

Fix: F-25682r516463_fix

The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization.

Generate Mitigation Statement:

Checks: C-25695r516465_chk

Ask the system administrator if there is an automated process is in place to collect and retain all SMF data produced on the system. If, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, this is not a finding. If it cannot be determined this process exists and is being adhered to, this is a finding.

Fix: F-25683r516466_fix

Ensure that an automated process is in place to collect SMF data. Review SMF data collection and retention processes. Develop processes that are automatically started to dump SMF collection files immediately upon their becoming full. To ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines: -Dump each SMF file as it fills up during the normal course of daily processing. -Dump all remaining SMF data at the end of each processing day. Establish a process using Audit logging.

Generate Mitigation Statement:

Checks: C-25696r868993_chk

From UNIX System Services ISPF Shell, navigate to ribbon select tools. Select option 1 - Work with Processes. If SNTP Daemon (SNTPD) is not active, this is a finding.

Fix: F-25684r868994_fix

Obtain a copy of this sample procedure from SEZAINST and store it in one of your PROCLIB concatenation data sets. Perform the following step to start SNTPD as a procedure: Invoke the procedure using the system operator start command. The following sample, SEZAINST(SNTPD), shows how to start SNTPD as a procedure: //* //* Sample procedure for the Simple Network Time Protocol (SNTP) //* //* z/OS Communications Server Version 1 Release 13 //* SMP/E Distribution Name: SEZAINST(EZASNPRO) //* //* Copyright: Licensed Materials - Property of IBM //* 5650-ZOS //* Copyright IBM Corp. 2002, 2015 //* //* Status: CSV2R2 //* //SNTPD EXEC PGM=SNTPD,REGION=4096K,TIME=NOLIMIT, // PARM='/ -d' //SYSPRINT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //SYSIN DD DUMMY //SYSERR DD SYSOUT=* //SYSOUT DD SYSOUT=*,DCB=(RECFM=F,LRECL=132,BLKSIZE=132) //CEEDUMP DD SYSOUT=* //SYSABEND DD SYSOUT=*

Generate Mitigation Statement:

Checks: C-25697r516471_chk

From the ISPF Command Shell enter: cd /usr/sbin ls -al If the following File permission and user Audit Bits are true, this is not a finding. /usr/sbin/sntpd 1740 faf The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix: F-25685r516472_fix

With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the SNTPD to conform to the specifications below: /usr/sbin/sntpd 1740 faf

Generate Mitigation Statement:

Checks: C-25698r516474_chk

Refer to the CLOCKxx member of PARMLIB. If the ACCURACY parm is not coded, this is a finding. If the ACCURACY parm is coded to "1000", this is not a finding.

Fix: F-25686r516475_fix

Define the CLOCKxx statement to include the ACCURACY parm set to "1000".

Generate Mitigation Statement:

Checks: C-25699r516477_chk

Examine the "Policy Agent" policy statements. If it can be determined that the policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, this is not a finding.

Fix: F-25687r516478_fix

Develop "Policy Agent" statements to protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.

Generate Mitigation Statement:

Checks: C-25704r868996_chk

Refer to IEASYS00 member in SYS1.PARMLIB Concatenation. Determine proper SMFPRMxx member. Examine the JWT, SWT, and TWT values. If the JWT parameter is greater than "15" minutes, and the system is processing unclassified information, review the following items. If any of these items is true, this is not a finding. -If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. -A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM or ISSO. The ISSM and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. -The ISSM and/or ISSO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: -The time-out exception cannot exceed 60 minutes. -A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). -The requirement must be revalidated on an annual basis. If the TWT and SWT values are equal or less than the JWT value, this is not a finding.

Fix: F-25692r868997_fix

Configure the SMFPRMxx JWT to "15" minutes for classified systems. The JWT parameter can be greater than "15" minutes if the system is processing unclassified information and the following items are reviewed. -If a session is not terminated, but instead is locked out after "15" minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections. -A system's default time for terminal lock-out or session termination may be lengthened to "30" minutes at the discretion of the ISSM or ISSO. The ISSM and/or ISSO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision. -The ISSM and/or ISSO may set selected userids to have a time-out of up to "60" minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria: -The time-out exception cannot exceed "60" minutes. -A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM or ISSO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). -The requirement must be revalidated on an annual basis. Configure any TWT and or SWT to be equal or less than the JWT.

Generate Mitigation Statement:

Checks: C-25705r516495_chk

Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to conceal, via the session lock, information previously visible on the display with a publicly viewable image, this is a finding.

Fix: F-25693r516496_fix

Configure the session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.

Generate Mitigation Statement:

Checks: C-25706r516498_chk

Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to initiate a session lock after a 15-minute period of inactivity, this is a finding.

Fix: F-25694r516499_fix

Configure the session manager to initiate a session lock after a 15-minute period of inactivity.

Generate Mitigation Statement:

Checks: C-25707r516501_chk

Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use, this is a finding. If the session manager is not configured to retain a user's session lock until that user reestablishes access using established identification and authentication procedures, this is a finding.

Fix: F-25695r516502_fix

LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)

Generate Mitigation Statement:

Checks: C-25708r998416_chk

Ask the SA for the procedure to automatically remove or disable temporary user accounts after 72 hours. If there is no procedure, this is a finding.

Fix: F-25696r516505_fix

Develop a procedure to remove or disable emergency user accounts after the crisis is resolved or 72 hours.

Generate Mitigation Statement:

Checks: C-25709r998418_chk

Ask the SA for the procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. If there is no procedure, this is a finding.

Fix: F-25697r998419_fix

Develop a procedure to remove or disable emergency user accounts after the crisis is resolved or 72 hours.

Generate Mitigation Statement:

Checks: C-25710r998421_chk

Ask the SA for the procedure to notify system administrators and ISSOs of account enabling actions. If there is no procedure, this is a finding.

Fix: F-25698r998422_fix

Develop a documented procedure to notify SAs and ISSOs of account enabling actions.

Generate Mitigation Statement:

Checks: C-25711r516513_chk

Ask the system administrator for the procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. If there is no procedure, this is a finding.

Fix: F-25699r516514_fix

Develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.

Generate Mitigation Statement:

Checks: C-25713r516519_chk

Ask the system administrator for the procedure to remove all software components after updated versions have been installed. If there is no procedure, this is a finding.

Fix: F-25701r516520_fix

Develop a procedure to remove all software components after updated versions have been installed.

Generate Mitigation Statement:

Checks: C-25714r516522_chk

Ask the system administrator for the procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur. If a procedure does not exist, this is a finding. If the procedure does not properly shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur, this is a finding.

Fix: F-25702r516523_fix

Develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies occur.

Generate Mitigation Statement:

Checks: C-25715r516525_chk

Ask the system administrator for the procedure to offload SMF files to a different system or media than the system being audited. If the procedure does not exist, this is a finding.

Fix: F-25703r516526_fix

Develop a procedure to offload SMF files to a different system or media than the system being audited.

Generate Mitigation Statement:

Checks: C-25716r516528_chk

Ask the system administrator for the configuration parameters for the session manager in use. If there is no session manager in use this is a finding. If the session manager in use does not allow users to directly initiate a session lock for all connection types, this is a finding.

Fix: F-25704r516529_fix

Configure the session manager to allow users to directly initiate a session lock for all connection types.

Generate Mitigation Statement:

Checks: C-25719r516537_chk

From an ISPF Enter cd /usr/sbin Enter ls -alW If File Permission Bits and User Audit Bits for SYSLOG Daemon HFS directories and files are as below this is not a finding. /usr/sbin/syslogd 1740 fff Enter cd /etc/ Enter ls -alW If File Permission Bits and User Audit Bits for Output log file defined in the configuration file are as below this is not a finding. /etc/syslog.conf 0744 faf 0744 fff Notes: The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings. The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file. For example, in /etc/rc: _BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf For example, in the SYSLOGD started task JCL: //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf' //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)''' The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix: F-25707r516538_fix

Configure the UNIX permission bits and user audit bits on the HFS directories and files for the Syslog daemon to conform to the specifications in the SYSLOG Daemon HFS Object Security Settings table below. Log files should have security that prevents anyone except the syslogd process and authorized maintenance jobs from writing to or deleting them. A maintenance process to periodically clear the log files is essential. Logging stops if the target file system becomes full. SYSLOG Daemon HFS Object Security Settings File Permission Bits User Audit Bits /usr/sbin/syslogd 1740 fff [Configuration File] /etc/syslog.conf 0744 faf [Output log file defined in the configuration file] 0744 fff The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing NOTES: The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings. The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file. For example, in /etc/rc: _BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf For example, in the SYSLOGD started task JCL: //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf' //SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT // PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)''' The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 1740 /usr/lpp/tcpip/sbin/syslogd chaudit rwx=f /usr/lpp/tcpip/sbin/syslogd chmod 0744 /etc/syslog.conf chaudit w=sf,rx+f /etc/syslog.conf chmod 0744 /log_dir/log_file chaudit rwx=f /log_dir/log_file

Generate Mitigation Statement:

Checks: C-25720r516540_chk

SYSLOGD may be started from the shell, a cataloged procedure (STC), or the BPXBATCH program. Additionally, other mechanisms (e.g., a job scheduler) may be used to automatically start the Syslog daemon. To thoroughly analyze this requirement you may need to view the OS SYSLOG using SDSF, find the last IPL, and look for the initialization of SYSLOGD. If the Syslog daemon SYSLOGD is started automatically during the initialization of the z/S/ system, this is not a finding.

Fix: F-25708r516541_fix

Review the files used to initialize tasks during system IPL (e.g., /etc/rc, SYS1.PARMLIB, any job scheduler definitions) configure the Syslog daemon to start automatically during z/OS system initialization. It is important that syslogd be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. As with other z/OS UNIX daemons, there is more than one way to start SYSLOGD. It can be started as a process in the /etc/rc file or as a z/OS started task.

Generate Mitigation Statement:

Checks: C-25721r868999_chk

From the ISPF Command Shell enter: TSS LIST(SYSLOGD) SEGMENT(OMVS) If the following guidance is true, this is not a finding. -The Syslog daemon userid is SYSLOGD. -The SYSLOGD userid has the STC facility. -The SYSLOGD userid has UID(0), HOME('/'), and PROGRAM('/bin/sh') specified in the OMVS segment. -The SYSLOGD started proc is assigned the SYSLOGD userid is in the Started Task Table. If Syslog daemon is started from /etc/rc then from the ISPF Command Shell enter: OMVS cd /etc cat rc If Syslog daemon is started from /etc/rc then ensure that the "_BPX_JOBNAME" and "_BPX_USERID" environment variables are assigned a value of SYSLOGD. If the Syslog daemon is started from /etc/rc and the "_BPX_JOBNAME" and "_BPX_USERID" environment variables are not assigned a value of SYSLOGD, this is a finding.

Fix: F-25709r869000_fix

Configure so that the Syslog daemon runs under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel. The Syslog daemon userid is SYSLOGD. The SYSLOGD userid has the STC facility. The SYSLOGD userid has UID(0), HOME('/'), and PROGRAM('/bin/sh') specified in the OMVS segment. To set up and use as an MVS Started Proc, the following sample commands are provided: TSS CREATE(SYSLOGD) TYPE(USER) NAME(SYSLOGD) - DEPT(existing-dept) FACILITY(STC) - PASSWORD(password,0) TSS ADD(SYSLOGD) DFLTGRP(stctcpx) GROUP(stctcpx) TSS ADD(SYSLOGD) SOURCE(INTRDR) TSS ADD(SYSLOGD) UID(0) HOME(/) OMVSPGM(/bin/sh) The SYSLOGD started proc is assigned the SYSLOGD userid is in the Started Task Table. TSS ADD(STC) PROCNAME(SYSLOGD) ACID(SYSLOGD) If /etc/rc is used to start the Syslog daemon, ensure that the _BPX_JOBNAME and _BPX_ USERID environment variables are assigned a value of SYSLOGD.

Generate Mitigation Statement:

Checks: C-25722r869002_chk

If all SMS resources and/or generic equivalent are properly protected according to the requirements specified and the following guidance is true, this is not a finding. The TSS resources are owned or DEFPROT is specified for the resource class. To avoid authorization failures once a base cluster is accessed via a PATH or AIX by a user or application that has authority to the PATH and AIX, but not the base cluster, APAR OA50118 must be applied. The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE is defined with access of NONE. The resource STGADMIN.IGG.CATALOG.SECURITY.BOTH is defined with access of READ. Note: The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE can be defined with read access for migration purposes. If it is, a detailed migration plan must be documented and filed by the ISSM that determines a definite migration period. All access must be logged. At the completion of migration, this resource must be configured with access of NONE. If the resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE and STGADMIN.IGG.CATALOG.SECURITY.BOTH are both defined, ADMIN.IGG.CATALOG.SECURITY.BOTH takes precedence. STGADMIN.DPDSRN.olddsname is restricted to system programmers and all access is logged. The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to system programmers and all access is logged. The STGADMIN.IGG.DEFDEL.UALIAS is restricted to centralized and decentralized security personnel and system programmers and all access is logged. The following resources and prefixes may be available to the end user. STGADMIN.ADR.COPY.CNCURRNT STGADMIN.ADR.COPY.FLASHCPY STGADMIN.ADR.COPY.TOLERATE.ENQF STGADMIN.ADR.DUMP.CNCURRNT STGADMIN.ADR.DUMP.TOLERATE.ENQF STGADMIN.ADR.RESTORE.TOLERATE.ENQF STGADMIN.ARC.ENDUSER. STGADMIN.IGG.ALTER.SMS The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and system programmers. STGADMIN.IDC.DCOLLECT The following resources are restricted to Application Production Support Team members, DASD managers, and system programmers. STGADMIN.ARC.CANCEL STGADMIN.ARC.LIST STGADMIN.ARC.QUERY STGADMIN.ARC.REPORT STGADMIN.DMO.CONFIG STGADMIN.IFG.READVTOC STGADMIN.IGG.DELGDG.FORCE The following resource prefixes, at a minimum, are restricted to DASD managers and system programmers. STGADMIN.ADR STGADMIN.ANT STGADMIN.ARC STGADMIN.DMO STGADMIN.ICK STGADMIN.IDC STGADMIN.IFG STGADMIN.IGG STGADMIN.IGWSHCDS The following Storage Administrator functions prefix is restricted to DASD managers and system programmers and all access is logged. STGADMIN.ADR.STGADMIN.

Fix: F-25710r869003_fix

Ensure that the following are properly specified in the ESM. Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. Below is listed the access requirements for SMS Resources. Ensure the guidelines for the resources and/or generic equivalent are followed. The TSS resources are owned and/or DEFPROT is specified for the resource class. Configure resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE with no access. Note: The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE can be defined with read access for migration purposes. If it is, a detailed migration plan must be documented and filed with the ISSM that determines a definite migration period. All access must be logged. At the completion of migration this resource must be configured with access = NONE. Configure STGADMIN.IGG.CATALOG.SECURITY.BOTH to have READ access for all. TSS ADD(ADMIN) IBMFAC(STGADMIN) or TSS REPLACE(RDT) RESCLASS(IBMFAC) ATTR(DEFPROT) The STGADMIN.DPDSRN.olddsname is restricted to System Programmers and all access is logged. Example: TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.DPDSRN.olddsname) - ACCESS(READ) ACTION(AUDIT) The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to system programmers and all access is logged. Example: TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.IGD.ACTIVATE.CONFIGURATION) - ACCESS(READ) ACTION(AUDIT) The STGADMIN.IGG.DEFDEL.UALIAS is restricted to system programmers and security personnel and all access is logged. Example: TSS PERMIT(secasmpl) IBMFAC(STGADMIN.IGG.DEFDEL.UALIAS) - ACCESS(READ) ACTION(AUDIT) TSS PERMIT(secdsmpl) IBMFAC(STGADMIN.IGG.DEFDEL.UALIAS) - ACCESS(READ) ACTION(AUDIT) TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.IGG.DEFDEL.UALIAS) - ACCESS(READ) ACTION(AUDIT) The following resources and prefixes may be available to the end user. Example: STGADMIN.ADR.COPY.CNCURRNT STGADMIN.ADR.COPY.FLASHCPY STGADMIN.ADR.COPY.TOLERATE.ENQF STGADMIN.ADR.DUMP.CNCURRNT STGADMIN.ADR.DUMP.TOLERATE.ENQF STGADMIN.ADR.RESTORE.TOLERATE.ENQF STGADMIN.ARC.ENDUSER. STGADMIN.IGG.ALTER.SMS Example: TSS PERMIT(endusers) IBMFAC(STGADMIN.ADR.COPY.CNCURRNT.) - ACCESS(READ) The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and system programmers. STGADMIN.IDC.DCOLLECT Example: TSS PERMIT(appssmpl) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ) TSS PERMIT(autosmpl) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ) TSS PERMIT(dasbsmpl) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ) TSS PERMIT(dasdsmpl) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ) TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.IDC.DCOLLECT) ACCESS(READ) The following resources are restricted to Application Production Support Team members, DASD managers, and system programmers. Example: STGADMIN.ARC.CANCEL STGADMIN.ARC.LIST STGADMIN.ARC.QUERY STGADMIN.ARC.REPORT STGADMIN.DMO.CONFIG STGADMIN.IFG.READVTOC STGADMIN.IGG.DELGDG.FORCE Example: TSS PERMIT(appssmpl) IBMFAC(STGADMIN.ARC.CANCEL) ACCESS(READ) TSS PERMIT(dasbsmpl) IBMFAC(STGADMIN.ARC.CANCEL) ACCESS(READ) TSS PERMIT(dasdsmpl) IBMFAC(STGADMIN.ARC.CANCEL) ACCESS(READ) TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.ARC.CANCEL) ACCESS(READ) The following resource prefixes, at a minimum, are restricted to DASD managers and system programmers. STGADMIN.ADR STGADMIN.ANT STGADMIN.ARC STGADMIN.DMO STGADMIN.ICK STGADMIN.IDC STGADMIN.IFG STGADMIN.IGG STGADMIN.IGWSHCDS Example: TSS PERMIT(dasbsmpl) IBMFAC(STGADMIN.ADR) ACCESS(READ) TSS PERMIT(dasdsmpl) IBMFAC(STGADMIN.ADR) ACCESS(READ) TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.ADR) ACCESS(READ) The following Storage Administrator functions prefix is restricted to DASD managers and system programmers and all access is logged. STGADMIN.ADR.STGADMIN. Example: TSS PERMIT(dasbsmpl) IBMFAC(STGADMIN.ADR.STGADMIN.) ACCESS(READ) - ACTION(AUDIT) TSS PERMIT(dasdsmpl) IBMFAC(STGADMIN.ADR.STGADMIN.) ACCESS(READ) - ACTION(AUDIT) TSS PERMIT(syspsmpl) IBMFAC(STGADMIN.ADR.STGADMIN.) ACCESS(READ) - ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25723r869005_chk

Refer to the load modules residing in the following Load libraries to determine program resource definitions: v SYS1.DGTLLIB for DFSMSdfp/ISMF v SYS1.DGTLLIB for DFSMSdss/ISMF v SYS1.DFQLLIB for DFSMShsm If the installation moves these modules to another load library the installation-defined load library must be used in the program protection. If the TSS resources are owned or DEFPROT is specified for the resource class, this is not a finding. If the TSS resource access authorizations restrict access to the appropriate personnel, this is not a finding.

Fix: F-25711r869006_fix

Configure the following to be properly specified in the ACP. Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. Reference the SMS Program Resources as provided by the following libraries: v SYS1.DGTLLIB for DFSMSdfp/ISMF v SYS1.DGTLLIB for DFSMSdss/ISMF v SYS1.DFQLLIB for DFSMShsm If the installation moves these modules to another load library the installation-defined load library must be used in the program protection. The TSS resources as designated in the above are owned and/or DEFPROT is specified for the resource class. The TSS resource access authorizations restrict access to the appropriate personnel as designated in the above. The following commands are provided as a sample for implementing resource controls: Example: TSS ADD(dept-acid) PROGRAM(ACBFUTO2) TSS PERMIT(smplsmpl) PROGRAM(ACBFUTO2) TSS PERMIT(dasdsmpl) PROGRAM(ACBFUTO2) TSS PERMIT(secasmpl) PROGRAM(ACBFUTO2) TSS PERMIT(syspsmpl) PROGRAM(ACBFUTO2) TSS PERMIT(tstcsmpl) PROGRAM(ACBFUTO2)

Generate Mitigation Statement:

Checks: C-25724r516552_chk

Refer to the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup If the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict UPDATE and ALL access to only systems programming personnel, this is not a finding. If the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets do not restrict UPDATE and ALL access to only systems programming personnel, this is a finding. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets.

Fix: F-25712r516553_fix

Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup Assign ownership of the data sets, replacing user-id with a user, department, or division that administer access to the SMS control data sets, and data name with the prefix of the SMS control data sets: TSS ADD(user-id) DSN(data name) Ensure the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict UPDATE and ALL access to only z/OS systems programming personnel. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets. Permit access to those personnel who manage the SMS environment, replacing user-id with the userid of the user or a Group profile: TSS PERMIT(user-id) DSN(data name) ACC(UPDATE) ACTION(AUDIT) Permit access to those personnel that perform maintenance on these data sets: TSS PERMIT(user-id) DSN(data name) ACC(ALL) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25725r516555_chk

Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), for the following SMS parameter settings: Parameter Key SMS ACDS(ACDS data set name) COMMDS(COMMDS data set name) If the required parameters are defined, this is not a finding.

Fix: F-25713r516556_fix

Configure the DFSMS-related PDS members and statements specified in the system parmlib concatenation as outlined below: Parameter Key SMS ACDS(ACDS data set name) COMMDS(COMMDS data set name)

Generate Mitigation Statement:

Checks: C-25726r516558_chk

Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup If the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict UPDATE and ALL access to only systems programming personnel, this is not a finding. If the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets do not restrict UPDATE and ALL access to only systems programming personnel, this is a finding. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets.

Fix: F-25714r516559_fix

Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets: Source Control Data Set (SCDS) Active Control Data Set (ACDS) Communications Data Set (COMMDS) Automatic Class Selection Routine Source Data Sets (ACS) ACDS Backup COMMDS Backup Assign ownership of the data sets, replacing user-id with a user, department, or division that administer access to the SMS control data sets, and data name with the prefix of the SMS control data sets: TSS ADD(user-id) DSN(data name) Ensure the TSS data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict UPDATE and ALL access to only z/OS systems programming personnel. Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets. Permit access to those personnel who manage the SMS environment, replacing user-id with the userid of the user or a Group profile: TSS PERMIT(user-id) DSN(data name) ACC(UPDATE) ACTION(AUDIT) Permit access to those personnel that perform maintenance on these data sets: TSS PERMIT(user-id) DSN(data name) ACC(ALL) ACTION(AUDIT)

Generate Mitigation Statement:

Checks: C-25727r904398_chk

Locate the SSH daemon configuration file, which may be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell, navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If ServerSMF is not coded with ServerSMF TYPE119_U83 or is commented out, this is a finding.

Fix: F-25715r904399_fix

Configure the SERVERSMF statement in the SSH Daemon configuration file to TYPE119_U83.

Generate Mitigation Statement:

Checks: C-25728r516564_chk

Locate the SSH daemon configuration file. May be found in /etc/ssh/ directory. Alternately: From UNIX System Services ISPF Shell navigate to ribbon select tools. Select option 1 - Work with Processes. If SSH Daemon is not active, this is not a finding. Examine SSH daemon configuration file. If Banner statement is missing or configured to none, this is a finding. Ensure that the contents of the file specified on the banner statement contain a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. If there is any deviation this is a finding. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Fix: F-25716r516565_fix

Configure the banner statement to a file that contains the Department of Defense (DoD) logon banner. Ensure that the contents of the file specified on the banner statement contain a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Generate Mitigation Statement:

Checks: C-25729r877894_chk

Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. If the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file, this is not a finding. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. -The SMFPARMS statement is not coded or commented out. -The DELETE statement is not coded or commented out for production systems. -The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands. -The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand. If the TCPCONFIG does not have the TTLS statement coded, this is a finding. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance.

Fix: F-25717r877895_fix

Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. -The SMFPARMS statement is not coded or commented out. -The DELETE statement is not coded or commented out for production systems. -The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands. -The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance in STIG ID ITCP0070. BASE TCP/IP PROFILE.TCPIP CONFIGURATION STATEMENTS FUNCTIONS INCLUDE- Specifies the name of an MVS data set that contains additional PROFILE.TCPIP statements to be used - Alters the configuration specified by previous statements SMFPARMS- Specifies SMF logging options for some TCP applications; replaced by SMFCONFIG - Controls collection of audit data DELETE- Specifies some previous statements, including PORT and PORTRANGE, that are to be deleted - Alters the configuration specified by previous statements SMFCONFIG- Specifies SMF logging options for Telnet, FTP, TCP, API, and stack activity - Controls collection of audit data TCPCONFIG- Specifies various settings for the TCP protocol layer of TCP/IP - Controls port access TCPCONFIG coded with TTLS - Specifies that the AT-TLS function is activated for the TCP/IP stack. The AT-TLS function provides invocation of System SSL in the TCP transport layer of the stack. Note: If AT-TLS is enabled, you must activate the SERVAUTH class, define the INITSTACK resource profile, and permit users to it. NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance.

Generate Mitigation Statement:

Checks: C-25730r516570_chk

From the ISPF Command Shell enter: omvs At the input line enter: cd /etc enter ls -alW If the following File permission and user Audit Bits are true this is not a finding. /etc/hosts 0744 faf /etc/protocol 0744 faf /etc/resolv.conf 0744 faf /etc/services 0740 faf cd /usr ls -alW If the following file permission and user Audit Bits are true this is not a finding. /usr/lpp/tcpip/sbin 0755 faf /usr/lpp/tcpip/bin 0755 faf Notes: Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix: F-25718r516571_fix

With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, configure the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server to conform to the specifications in the table below: BASE TCP/IP HFS Object Security Settings File Permission Bits User Audit Bits /etc/hosts 0744 faf /etc/protocol 0744 faf /etc/resolv.conf 0744 faf /etc/services 0740 faf /usr/lpp/tcpip/sbin 0755 faf /usr/lpp/tcpip/bin 0755 faf Some of the files listed above (e.g., /etc/resolv.conf) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all directories and files that do exist will have the specified permission and audit bit settings. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 0744 /etc/hosts chaudit w=sf,rx+f /etc/hosts chmod 0744 /etc/protocol chaudit w=sf,rx+f /etc/protocol chmod 0744 /etc/resolv.conf chaudit w=sf,rx+f /etc/resolv.conf chmod 0740 /etc/services chaudit w=sf,rx+f /etc/services chmod 0755 /usr/lpp/tcpip/bin chaudit w=sf,rx+f /usr/lpp/tcpip/bin chmod 0755 /usr/lpp/tcpip/sbin chaudit w=sf,rx+f /usr/lpp/tcpip/sbin

Generate Mitigation Statement:

Checks: C-25731r869008_chk

If the following guidance is true, this is not a finding. -The EZA, EZB, and IST resources of the SERVAUTH resource class are properly owned and/or DEFPROT is specified in the SERVAUTH resource class. -No access is given to the EZA, EZB, and IST high level resources of the SERVAUTH resource class. -If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. -If the product CSSMTP is on the system, EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services. -Authenticated users that require access will be permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class. -The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements. -The EZB.FTP.*.*.ACCESS.HFS) resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and directories. -The EZB.INITSTACK.sysname.tcpname resource access authorizations restrict access before policies have been installed, to users authorized by the system security plan requiring access to the TCP/IP stack.

Fix: F-25719r869009_fix

Develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources. Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource class, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. -Ensure that the EZA, EZB, and IST resources of the SERVAUTH resource class are properly owned and/or DEFPROT is specified in the SERVAUTH resource class. -No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class. -If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services. -Only authenticated users that require access are permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class. -The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements. -The EZB.FTP.*.*.ACCESS.HFS) resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and Directories. The EZB.INITSTACK.sysname.tcpname resource access authorizations restrict access to TCP/IP stack before policies have been installed to users authorized by the system security plan. The following commands are provided as a sample for implementing resource controls: TSS ADD(ADMIN) SERVAUTH(EZB) or TSS REPLACE(RDT) RESCLASS(SERVAUTH) ATTR(DEFPROT) TSS PER(authusers) SERVAUTH(EZB.CSSMTP.sysname.writername.JESnode) ACCESS(READ) TSS PER(authusers) SERVAUTH(EZB.FTP.) ACCESS(READ) TSS PER(ftpprofile)SERVAUTH(EZB.FTP.sysname.ftpstc.ACCESS.HFS)ACC(READ) TSS PER(authusers) SERVAUTH(EZB.NETACCESS.) ACCESS(READ) TSS PER(authusers) SERVAUTH(EZB.PORTACCESS.) ACCESS(READ) TSS PER(authusers) SERVAUTH(EZB.STACKACCESS.) ACCESS(READ) TSS PER(authusers) SERVAUTH(EZB.INITSTACK.) ACCESS(READ) TSS PER(ftpprofile)SERVAUTH(EZB.STACKACCESS.sysname.TCPIP)ACC(READ)

Generate Mitigation Statement:

Checks: C-25732r516576_chk

Execute a data set access list for all TCP/IP base components. If all of the following items are true, this is not a finding. WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA). WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel. Note: For systems running the TSS ACP replace the WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.

Fix: F-25720r516577_fix

Review the data set access authorizations defined to the ACP for the Base TCP/IP component. Configure these data sets to be protected in accordance with the following rules: WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP. SEZA). WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements. WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged. Note: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements. WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel. Note: For systems running the TSS ACP replace the WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.

Generate Mitigation Statement:

Checks: C-25733r869011_chk

Refer to the procedure libraries defined to JES2 and locate the TCPIP JCL member. Note: If GLOBALTCPIPDATA is specified, any TCPIP.DATA statements contained in the specified file or data set take precedence over any TCPIP.DATA statements found using the appropriate environment's (native MVS or z/OS UNIX) search order. If GLOBALTCPIPDATA is not specified, the appropriate environment's (Native MVS or z/OS UNIX) search order is used to locate TCPIP.DATA. If the PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively, this not a finding. If the RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement, this is not a finding.

Fix: F-25721r869012_fix

Review the TCP/IP started task JCL to ensure the configuration file names are specified on the appropriate DD statements and parameter option. During initialization, the TCP/IP stack uses fixed search sequences to locate the PROFILE.TCPIP and TCPIP.DATA files. However, uncertainty is reduced and security auditing is enhanced by explicitly specifying the locations of the files. In the TCP/IP started task's JCL, Data Definition (DD) statements can be used to specify the locations of the files. The PROFILE DD statement identifies the PROFILE.TCPIP file and the SYSTCPD DD statement identifies the TCPIP.DATA file. The location of the TCPIP.DATA file can also be specified by coding the RESOLVER_CONFIG environment variable as a parameter of the ENVAR option in the TCP/IP started task's JCL. In fact, the value of this variable is checked before the SYSTCPD DD statement by some processes. However, not all processes (e.g., TN3270 Telnet Server) will access the variable to get the file location. Therefore, specifying the file location explicitly, both on a DD statement and through the RESOLVER_CONFIG environment variable, reduces ambiguity. Note: If GLOBALTCPIPDATA is specified, any TCPIP.DATA statements contained in the specified file or data set take precedence over any TCPIP.DATA statements found using the appropriate environment's (native MVS or z/OS UNIX) search order. If GLOBALTCPIPDATA is not specified, the appropriate environment's (Native MVS or z/OS UNIX) search order is used to locate TCPIP.DATA. The systems programmer responsible for supporting ICS will ensure that the TCP/IP started task's JCL specifies the PROFILE and SYSTCPD DD statements for the PROFILE.TCPIP and TCPIP.DATA configuration files and TCP/IP started task's JCL includes the RESOLVER_CONFIG variable, set to the name of the file specified on the SYSTCPD DD statement.

Generate Mitigation Statement:

Checks: C-25734r869014_chk