IBM z/OS TSS Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V8R9

Published: 2022-12-14

Updated At: 2023-01-25 00:41:24


Vuln ID | Rule Version | CCI | Severity | Title | Description (truncated on the source page)
--- | --- | --- | --- | --- | ---
SV-223871r877712_rule | TSS0-CE-000010 | CCI-000185 | MEDIUM | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is
SV-223872r877713_rule | TSS0-CE-000020 | CCI-000185 | MEDIUM | Expired IBM z/OS digital certificates must not be used. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is
SV-223873r877714_rule | TSS0-CE-000030 | CCI-000764 | MEDIUM | IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223874r877715_rule | TSS0-ES-000010 | CCI-000213 | HIGH | CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
SV-223875r877716_rule | TSS0-ES-000020 | CCI-000213 | MEDIUM | The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure policy filters. This allows the operating system to enforce mul
SV-223876r877717_rule | TSS0-ES-000030 | CCI-000015 | HIGH | CA-TSS MODE Control Option must be set to FAIL. | Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps t
SV-223877r877718_rule | TSS0-ES-000040 | CCI-000044 | MEDIUM | The CA-TSS NPWRTHRESH Control Option must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
SV-223878r877719_rule | TSS0-ES-000050 | CCI-000044 | MEDIUM | The CA-TSS NPPTHRESH Control Option must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
SV-223879r877720_rule | TSS0-ES-000060 | CCI-000044 | MEDIUM | The CA-TSS PTHRESH Control Option must be set to 2. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
SV-223880r877721_rule | TSS0-ES-000070 | CCI-000044 | MEDIUM | The CA-TSS NPPTHRESH Control Option must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
SV-223881r877722_rule | TSS0-ES-000080 | CCI-000162 | MEDIUM | IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. | SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ESM, and customer data. Unauthorized disclosure of audit r
SV-223882r877723_rule | TSS0-ES-000090 | CCI-000171 | HIGH | IBM z/OS SYS1.PARMLIB must be properly protected. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming th
SV-223883r877725_rule | TSS0-ES-000100 | CCI-000186 | MEDIUM | IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the privat
SV-223885r877726_rule | TSS0-ES-000120 | CCI-000192 | MEDIUM | The CA-TSS NEWPHRASE and PPSCHAR Control Options must be properly set. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password
SV-223886r877727_rule | TSS0-ES-000130 | CCI-000194 | MEDIUM | The CA-TSS NEWPW control options must be properly set. | If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Satisfies: SRG-OS-
SV-223887r877728_rule | TSS0-ES-000140 | CCI-000196 | HIGH | IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-0
SV-223888r877729_rule | TSS0-ES-000150 | CCI-000199 | MEDIUM | The CA-TSS PWEXP Control Option must be set to 60. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the op
SV-223889r877730_rule | TSS0-ES-000160 | CCI-000199 | MEDIUM | The CA-TSS PPEXP Control Option must be properly set. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the op
SV-223890r877731_rule | TSS0-ES-000170 | CCI-000200 | MEDIUM | The CA-TSS PWHIST Control Option must be set to 10 or greater. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password
SV-223891r877732_rule | TSS0-ES-000180 | CCI-000200 | MEDIUM | The CA-TSS PPHIST Control Option must be properly set. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password
SV-223892r877733_rule | TSS0-ES-000190 | CCI-000205 | MEDIUM | The IBM z/OS operating system must enforce a minimum eight-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and bru
SV-223893r877734_rule | TSS0-ES-000200 | CCI-000213 | MEDIUM | CA-TSS access to SYS1.LINKLIB must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223894r877735_rule | TSS0-ES-000210 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223895r877736_rule | TSS0-ES-000220 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223896r877737_rule | TSS0-ES-000230 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223897r877738_rule | TSS0-ES-000240 | CCI-000213 | HIGH | CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223898r877739_rule | TSS0-ES-000250 | CCI-000213 | HIGH | IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223899r877740_rule | TSS0-ES-000260 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to all LPA libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223900r877741_rule | TSS0-ES-000270 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223901r877742_rule | TSS0-ES-000280 | CCI-000213 | LOW | CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223902r877743_rule | TSS0-ES-000290 | CCI-000213 | MEDIUM | CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
SV-223903r877744_rule | TSS0-ES-000300 | CCI-000213 | HIGH | CA-TSS security data sets and/or databases must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223904r877745_rule | TSS0-ES-000310 | CCI-000213 | HIGH | CA-TSS must limit access to the System Master Catalog to appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223905r877746_rule | TSS0-ES-000320 | CCI-000213 | MEDIUM | CA-TSS allocate access to system user catalogs must be limited to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223906r877747_rule | TSS0-ES-000330 | CCI-000213 | MEDIUM | CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223907r877748_rule | TSS0-ES-000340 | CCI-000213 | MEDIUM | CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223908r877749_rule | TSS0-ES-000350 | CCI-000213 | HIGH | CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223909r877750_rule | TSS0-ES-000360 | CCI-000213 | MEDIUM | CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223910r877751_rule | TSS0-ES-000370 | CCI-000213 | MEDIUM | CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only. | System DUMP data sets are used to record system data areas and virtual storage associated with system task failures. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. Satisfies: SRG-OS-000080-
SV-223911r877752_rule | TSS0-ES-000380 | CCI-000213 | MEDIUM | CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223912r877753_rule | TSS0-ES-000390 | CCI-000213 | MEDIUM | CA-TSS must limit access to SYS(x).TRACE to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223913r877754_rule | TSS0-ES-000400 | CCI-000213 | MEDIUM | CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223914r877755_rule | TSS0-ES-000410 | CCI-000213 | HIGH | CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223915r877756_rule | TSS0-ES-000420 | CCI-000213 | HIGH | CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223916r877757_rule | TSS0-ES-000430 | CCI-000213 | MEDIUM | CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be empl
SV-223917r877758_rule | TSS0-ES-000440 | CCI-000213 | HIGH | IBM z/OS must protect dynamic lists in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223918r877759_rule | TSS0-ES-000450 | CCI-000213 | MEDIUM | IBM z/OS system commands must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223919r877760_rule | TSS0-ES-000460 | CCI-000213 | MEDIUM | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223920r877761_rule | TSS0-ES-000470 | CCI-000213 | MEDIUM | CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223921r877762_rule | TSS0-ES-000480 | CCI-000213 | MEDIUM | IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223922r877763_rule | TSS0-ES-000490 | CCI-000213 | MEDIUM | CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER). | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223923r877764_rule | TSS0-ES-000500 | CCI-000213 | HIGH | Access to the CA-TSS MODE resource class must be appropriate. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223924r877765_rule | TSS0-ES-000505 | CCI-000213 | MEDIUM | Data set masking characters must be properly defined to the CA-TSS security database. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223925r877766_rule | TSS0-ES-000510 | CCI-000213 | HIGH | CA-TSS Emergency ACIDs must be properly limited and must audit all resource access. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223926r877767_rule | TSS0-ES-000520 | CCI-000213 | MEDIUM | CA-TSS ACIDs must not have access to FAC(*ALL*). | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223927r877768_rule | TSS0-ES-000530 | CCI-000213 | MEDIUM | The CA-TSS ALL record must have appropriate access to Facility Matrix Tables. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223928r877769_rule | TSS0-ES-000550 | CCI-000213 | MEDIUM | Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223929r877770_rule | TSS0-ES-000560 | CCI-000213 | HIGH | IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223930r877771_rule | TSS0-ES-000570 | CCI-000213 | MEDIUM | IBM z/OS Sensitive Utility Controls must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
SV-223931r881331_rule | TSS0-ES-000580 | CCI-000366 | MEDIUM | IBM z/OS Started tasks must be properly defined to CA-TSS. | Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an assoc
SV-223932r877773_rule | TSS0-ES-000590 | CCI-000366 | MEDIUM | The CA-TSS CANCEL Control Option must not be specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223933r877774_rule | TSS0-ES-000600 | CCI-000366 | MEDIUM | The CA-TSS HPBPW Control Option must be set to three days maximum. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223934r877775_rule | TSS0-ES-000610 | CCI-000366 | MEDIUM | The CA-TSS INSTDATA Control Option must be set to 0. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223935r877776_rule | TSS0-ES-000620 | CCI-000366 | MEDIUM | The CA-TSS OPTIONS Control Option must include option 4 at a minimum. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223936r877777_rule | TSS0-ES-000630 | CCI-000366 | MEDIUM | CA-TSS TEMPDS Control Option must be set to YES. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223937r877778_rule | TSS0-ES-000640 | CCI-000366 | MEDIUM | The number of CA-TSS control ACIDs must be justified and properly assigned. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223938r877779_rule | TSS0-ES-000650 | CCI-000366 | MEDIUM | The number of CA-TSS ACIDs with MISC9 authority must be justified. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
SV-223939r877780_rule | TSS0-ES-000660 | CCI-000366 | MEDIUM | The CA-TSS LUUPDONCE Control Option value specified must be set to NO. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223940r877781_rule | TSS0-ES-000670 | CCI-000366 | MEDIUM | The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223941r877782_rule | TSS0-ES-000680 | CCI-000366 | MEDIUM | CA-TSS RECOVER Control Option must be set to ON. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
SV-223942r877783_rule | TSS0-ES-000690 | CCI-000382 | MEDIUM | IBM z/OS must properly configure CONSOLxx members. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
SV-223943r877784_rule | TSS0-ES-000700 | CCI-000382 | MEDIUM | IBM z/OS must properly protect MCS console userid(s). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
SV-223944r877785_rule | TSS0-ES-000710 | CCI-000764 | MEDIUM | The CA-TSS CPFRCVUND Control Option value specified must be set to NO. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223945r877786_rule | TSS0-ES-000720 | CCI-000764 | MEDIUM | The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223946r877787_rule | TSS0-ES-000730 | CCI-000764 | LOW | CA-TSS User ACIDs and Control ACIDs must have the NAME field completed. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223947r877788_rule | TSS0-ES-000740 | CCI-000764 | HIGH | The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223948r877789_rule | TSS0-ES-000750 | CCI-000764 | LOW | Interactive ACIDs defined to CA-TSS must have the required fields completed. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223950r877791_rule | TSS0-ES-000770 | CCI-000764 | MEDIUM | CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223951r877792_rule | TSS0-ES-000780 | CCI-000764 | MEDIUM | IBM z/OS DASD management ACIDs must be properly defined to CA-TSS. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
SV-223952r877793_rule | TSS0-ES-000790 | CCI-000770 | MEDIUM | CA-TSS user accounts must uniquely identify system users. | To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does
SV-223953r877794_rule | TSS0-ES-000800 | CCI-000795 | MEDIUM | CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
SV-223954r877795_rule | TSS0-ES-000810 | CCI-000795 | MEDIUM | The CA-TSS INACTIVE Control Option must be properly set. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user acco
SV-223955r877796_rule | TSS0-ES-000820 | CCI-001090 | MEDIUM | The CA-TSS AUTOERASE Control Option must be set to ALL for all systems. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
SV-223956r877797_rule | TSS0-ES-000830 | CCI-001190 | MEDIUM | CA-TSS DOWN Control Option values must be properly specified. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Operating systems that fail suddenly and with no incorporated failure state planning may leave the system a
SV-223957r877798_rule | TSS0-ES-000840 | CCI-001774 | HIGH | The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL. | Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify aut
    SV-223958r877799_rule TSS0-ES-000850 CCI-002041 MEDIUM CA-TSS ACID creation must use the EXP option. Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon. Temporary passwords are typicall
    SV-223959r877800_rule TSS0-ES-000860 CCI-002233 MEDIUM The CA-TSS SUBACID Control Option must be set to U,8. In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-223960r877801_rule TSS0-ES-000870 CCI-002233 MEDIUM CA-TSS must use propagation control to eliminate ACID inheritance. In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-223961r877802_rule TSS0-ES-000880 CCI-002233 MEDIUM IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID. In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invo
    SV-223962r877803_rule TSS0-ES-000890 CCI-002234 MEDIUM CA-TSS ADMINBY Control Option must be set to ADMINBY. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-223963r877804_rule TSS0-ES-000900 CCI-002234 MEDIUM CA-TSS LOG Control Option must be set to (SMF,INIT,SEC9,MSG). Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-223964r877805_rule TSS0-ES-000910 CCI-002234 MEDIUM CA-TSS MSCA ACID password changes must be documented in the change log. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts
    SV-223965r877806_rule TSS0-ES-000920 CCI-002235 MEDIUM The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumvent
    SV-223966r877807_rule TSS0-ES-000930 CCI-002235 MEDIUM CA-TSS Default ACID must be properly defined. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
    SV-223967r877808_rule TSS0-ES-000940 CCI-002235 HIGH The CA-TSS BYPASS attribute must be limited to trusted STCs only. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-223968r877809_rule TSS0-ES-000950 CCI-002235 MEDIUM CA-TSS MSCA ACID must perform security administration only. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-223969r877810_rule TSS0-ES-000960 CCI-002235 HIGH CA-TSS ACIDs granted the CONSOLE attribute must be justified. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-223970r877811_rule TSS0-ES-000970 CCI-002235 MEDIUM CA-TSS ACIDs defined as security administrators must have the NOATS attribute. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-223971r877812_rule TSS0-ES-000980 CCI-002238 MEDIUM The CA-TSS PTHRESH Control Option must be properly set. By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
    SV-223972r877813_rule TSS0-ES-000990 CCI-002361 MEDIUM CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN). Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, net
    SV-223973r877814_rule TSS0-FT-000010 CCI-000048 MEDIUM IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-223974r877815_rule TSS0-FT-000020 CCI-000067 MEDIUM IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-223975r877816_rule TSS0-FT-000030 CCI-000213 MEDIUM CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223976r877817_rule TSS0-FT-000040 CCI-000213 MEDIUM IBM z/OS data sets for the FTP server must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223977r877818_rule TSS0-FT-000050 CCI-000202 MEDIUM IBM z/OS FTP Control cards must be properly stored in a secure PDS file. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-223978r877819_rule TSS0-FT-000060 CCI-000382 MEDIUM IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-223979r877820_rule TSS0-FT-000070 CCI-000764 MEDIUM The IBM z/OS FTP server daemon must be defined with proper security parameters. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-223980r877821_rule TSS0-FT-000080 CCI-001133 MEDIUM IBM z/OS FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-223981r877822_rule TSS0-FT-000090 CCI-001133 MEDIUM IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminat
    SV-223982r877823_rule TSS0-FT-000100 CCI-001384 MEDIUM IBM z/OS FTP.DATA configuration statements for the FTP server must specify the Standard Mandatory DoD Notice and Consent Banner statement. Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, po
    SV-223983r877824_rule TSS0-FT-000110 CCI-001384 MEDIUM The IBM z/OS warning banner for the FTP server must be properly specified. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-223984r877825_rule TSS0-FT-000120 CCI-001764 MEDIUM The IBM z/OS TFTP server program must be properly protected. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-223985r877826_rule TSS0-JS-000010 CCI-000213 MEDIUM IBM z/OS JES2.** resource must be properly protected in the CA-TSS database. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223986r877827_rule TSS0-JS-000020 CCI-000213 MEDIUM IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223987r877828_rule TSS0-JS-000030 CCI-000213 MEDIUM IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223988r877829_rule TSS0-JS-000040 CCI-000213 MEDIUM IBM z/OS JES2 input sources must be properly controlled. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223989r877830_rule TSS0-JS-000050 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223990r877831_rule TSS0-JS-000060 CCI-000213 MEDIUM IBM z/OS JES2 output devices must be properly controlled for classified systems. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223991r877832_rule TSS0-JS-000070 CCI-000213 MEDIUM IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223992r877833_rule TSS0-JS-000080 CCI-000213 MEDIUM IBM z/OS JESNEWS resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223993r877834_rule TSS0-JS-000090 CCI-000213 MEDIUM IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223994r877835_rule TSS0-JS-000100 CCI-000213 MEDIUM IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223995r877836_rule TSS0-JS-000110 CCI-000213 MEDIUM IBM z/OS JES2 system commands must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223996r877837_rule TSS0-JS-000120 CCI-000213 MEDIUM IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-223997r877838_rule TSS0-OS-000010 CCI-000381 MEDIUM Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.
    SV-223998r877839_rule TSS0-OS-000020 CCI-000018 MEDIUM IBM z/OS required SMF data record types must be collected. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging th
    SV-223999r877840_rule TSS0-OS-000030 CCI-000057 MEDIUM IBM z/OS Session manager must properly configure wait time limits. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-224000r877841_rule TSS0-OS-000040 CCI-000067 MEDIUM The IBM z/OS BPX.SMF resource must be properly configured. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-224001r877842_rule TSS0-OS-000050 CCI-000131 MEDIUM IBM z/OS must specify SMF data options to ensure appropriate activation. Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security
    SV-224002r877843_rule TSS0-OS-000060 CCI-000139 MEDIUM IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system oper
    SV-224003r877844_rule TSS0-OS-000070 CCI-000366 MEDIUM IBM z/OS PASSWORD data set and OS passwords must not be used. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224004r877845_rule TSS0-OS-000080 CCI-000366 MEDIUM The CA-TSS database must be on a separate physical volume from its backup and recovery data sets. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224005r877846_rule TSS0-OS-000090 CCI-000366 MEDIUM The CA-TSS database must be backed up on a scheduled basis. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224006r877847_rule TSS0-OS-000100 CCI-000366 MEDIUM The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-224007r877848_rule TSS0-OS-000110 CCI-000381 MEDIUM IBM z/OS must not have Inaccessible APF libraries defined. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-224008r877849_rule TSS0-OS-000120 CCI-000381 MEDIUM IBM z/OS inapplicable PPT entries must be invalidated. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-224009r877850_rule TSS0-OS-000130 CCI-000381 MEDIUM IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the ri
    SV-224010r877851_rule TSS0-OS-000140 CCI-001090 MEDIUM IBM z/OS sensitive and critical system data sets must not exist on shared DASD. Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from bein
    SV-224011r877852_rule TSS0-OS-000150 CCI-001095 MEDIUM The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
    SV-224013r877853_rule TSS0-OS-000170 CCI-001683 MEDIUM The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are created. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for
    SV-224014r877854_rule TSS0-OS-000180 CCI-001684 MEDIUM The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are modified. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new account. Notification of account creation is one method for
    SV-224015r877855_rule TSS0-OS-000190 CCI-001685 MEDIUM The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are deleted. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account disabling ev
    SV-224016r877856_rule TSS0-OS-000200 CCI-001686 MEDIUM The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are removed. When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes themselves. Sending notification of account disabling ev
    SV-224017r877857_rule TSS0-OS-000210 CCI-001764 HIGH Unsupported IBM z/OS system software must not be installed and/or active on the system. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-224018r877858_rule TSS0-OS-000220 CCI-001764 MEDIUM IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-224019r877859_rule TSS0-OS-000225 CCI-001764 MEDIUM IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This i
    SV-224020r877860_rule TSS0-OS-000230 CCI-001813 HIGH CA-TSS must be installed and properly configured. Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that
    SV-224021r877861_rule TSS0-OS-000240 CCI-001849 MEDIUM IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data. In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually perform
    SV-224022r877862_rule TSS0-OS-000250 CCI-001851 MEDIUM IBM z/OS System Administrators must develop an automated process to collect and retain SMF data. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
    SV-224023r877863_rule TSS0-OS-000270 CCI-001891 MEDIUM The IBM z/OS SNTP daemon (SNTPD) must be active. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
    SV-224024r877864_rule TSS0-OS-000280 CCI-001891 MEDIUM IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. S
    SV-224025r877865_rule TSS0-OS-000290 CCI-002046 MEDIUM IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.
    SV-224026r877866_rule TSS0-OS-000300 CCI-002385 MEDIUM The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces. DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of the operating system t
    SV-224029r877867_rule TSS0-OS-000330 CCI-000366 MEDIUM IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-224030r877868_rule TSS0-OS-000340 CCI-000366 MEDIUM The IBM z/OS System Administrator must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-224031r877869_rule TSS0-OS-000350 CCI-000366 MEDIUM IBM z/OS must configure system wait times to protect resource availability based on site priorities. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224032r877870_rule TSS0-OS-000360 CCI-000060 MEDIUM IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the po
    SV-224033r877871_rule TSS0-OS-000370 CCI-000057 MEDIUM IBM z/OS must employ a session manager to initiate a session lock after a 15-minute period of inactivity for all connection types. A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user t
    SV-224034r877872_rule TSS0-OS-000380 CCI-000056 MEDIUM IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-224035r877873_rule TSS0-OS-000390 CCI-000016 MEDIUM IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. T
    SV-224036r877874_rule TSS0-OS-000400 CCI-001682 MEDIUM IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these a
    SV-224037r877875_rule TSS0-OS-000410 CCI-002132 MEDIUM IBM z/OS system administrator must develop a procedure to notify System Administrators and ISSOs of account enabling actions. Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an existing disabled account. Sending notification of account ena
    SV-224038r877876_rule TSS0-OS-000420 CCI-001744 MEDIUM IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be
    SV-224039r877877_rule TSS0-OS-000440 CCI-000879 MEDIUM IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating sys
    SV-224040r877878_rule TSS0-OS-000450 CCI-002617 MEDIUM IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the
    SV-224041r877879_rule TSS0-OS-000460 CCI-002702 MEDIUM IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the
    SV-224042r877880_rule TSS0-OS-000470 CCI-001851 MEDIUM IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. The task of allocating audit record storage capacity is usually performed during initial installation of the operating system.
    SV-224043r877881_rule TSS0-OS-000480 CCI-000058 MEDIUM IBM z/OS must employ a session manager for users to directly initiate a session lock for all connection types. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented a
    SV-224044r877882_rule TSS0-SH-000020 CCI-000068 HIGH The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or
    SV-224045r877883_rule TSS0-SH-000030 CCI-000382 HIGH IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-224046r877884_rule TSS0-SL-000010 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224047r877885_rule TSS0-SL-000020 CCI-000764 MEDIUM The IBM z/OS Syslog daemon must not be started at z/OS initialization. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224048r877886_rule TSS0-SL-000030 CCI-000764 MEDIUM The IBM z/OS Syslog daemon must be properly defined and secured. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224049r877887_rule TSS0-SM-000010 CCI-000213 MEDIUM IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224050r877888_rule TSS0-SM-000020 CCI-000213 MEDIUM IBM z/OS DFSMS Program Resources must be properly defined and protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224051r877889_rule TSS0-SM-000030 CCI-000213 MEDIUM IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224052r877890_rule TSS0-SM-000040 CCI-000366 MEDIUM IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224053r877891_rule TSS0-SM-000050 CCI-000366 MEDIUM IBM z/OS DFSMS control data sets must be properly protected. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224054r877892_rule TSS0-SS-000010 CCI-000067 MEDIUM IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then a
    SV-224055r877893_rule TSS0-SS-000040 CCI-001384 MEDIUM The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224056r877896_rule TSS0-TC-000010 CCI-000067 MEDIUM IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-224057r877897_rule TSS0-TC-000020 CCI-000213 MEDIUM IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224058r877898_rule TSS0-TC-000030 CCI-000213 MEDIUM IBM z/OS TCP/IP resources must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224059r877899_rule TSS0-TC-000040 CCI-000213 MEDIUM IBM z/OS data sets for the Base TCP/IP component must be properly protected. MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integ
    SV-224060r877900_rule TSS0-TC-000050 CCI-000366 MEDIUM IBM z/OS Configuration files for the TCP/IP stack must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224061r877901_rule TSS0-TC-000060 CCI-000764 MEDIUM IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224062r877902_rule TSS0-TC-000070 CCI-002314 MEDIUM IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD no
    SV-224065r877903_rule TSS0-TN-000010 CCI-000048 MEDIUM IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224066r877904_rule TSS0-TN-000020 CCI-000067 MEDIUM IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified. Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD
    SV-224067r877905_rule TSS0-TN-000030 CCI-000068 MEDIUM IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) co
    SV-224068r877906_rule TSS0-TN-000040 CCI-000366 MEDIUM IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224069r877907_rule TSS0-TN-000050 CCI-001133 MEDIUM IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple
    SV-224070r877908_rule TSS0-TN-000060 CCI-001384 MEDIUM The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224071r877909_rule TSS0-TN-000070 CCI-002420 MEDIUM IBM z/OS TELNETPARMS or TELNETGLOBALS must specify a SECUREPORT statement for systems requiring confidentiality and integrity. Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modific
    SV-224072r877910_rule TSS0-TS-000010 CCI-000213 MEDIUM IBM z/OS TSOAUTH resources must be restricted to authorized users. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224073r877911_rule TSS0-TS-000020 CCI-002235 HIGH CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts,
    SV-224074r877912_rule TSS0-US-000010 CCI-000366 MEDIUM IBM z/OS UNIX HFS MapName file security parameters must be properly specified. Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.
    SV-224075r877913_rule TSS0-US-000020 CCI-000140 MEDIUM IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system oper
    SV-224076r877914_rule TSS0-US-000030 CCI-000213 MEDIUM IBM z/OS BPX resource(s) must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224077r877915_rule TSS0-US-000040 CCI-000213 MEDIUM IBM z/OS UNIX resources must be protected in accordance with security requirements. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224078r877916_rule TSS0-US-000050 CCI-000213 HIGH IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224079r877917_rule TSS0-US-000060 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224080r877918_rule TSS0-US-000070 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224081r877919_rule TSS0-US-000080 CCI-000213 MEDIUM IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224082r877920_rule TSS0-US-000090 CCI-000213 MEDIUM IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224083r877921_rule TSS0-US-000100 CCI-000213 MEDIUM IBM z/OS UNIX system file security settings must be properly protected or specified. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224084r877922_rule TSS0-US-000110 CCI-000213 MEDIUM IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224085r877923_rule TSS0-US-000120 CCI-000213 HIGH The CA-TSS HFSSEC resource class must be defined with DEFPROT. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224086r877924_rule TSS0-US-000130 CCI-000366 MEDIUM IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224087r877925_rule TSS0-US-000140 CCI-000366 MEDIUM IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224088r877926_rule TSS0-US-000150 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in etc/profile must be properly specified. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224089r877927_rule TSS0-US-000160 CCI-000213 MEDIUM IBM z/OS UNIX security parameters in /etc/rc must be properly specified. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impactin
    SV-224090r877928_rule TSS0-US-000170 CCI-000366 MEDIUM IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems. Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive secur
    SV-224091r877929_rule TSS0-US-000180 CCI-000382 MEDIUM IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical po
    SV-224092r877930_rule TSS0-US-000190 CCI-000764 MEDIUM IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224093r877931_rule TSS0-US-000200 CCI-000764 MEDIUM The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224094r877932_rule TSS0-US-000210 CCI-000764 MEDIUM The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224095r877933_rule TSS0-US-000220 CCI-000764 MEDIUM The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224096r877934_rule TSS0-US-000230 CCI-000764 HIGH IBM z/OS UID(0) must be properly assigned. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224097r877935_rule TSS0-US-000240 CCI-000764 MEDIUM IBM z/OS UNIX user accounts must be properly defined. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224098r877936_rule TSS0-US-000250 CCI-000764 MEDIUM IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the orga
    SV-224099r877939_rule TSS0-UT-000010 CCI-000048 MEDIUM The IBM z/OS UNIX Telnet server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224100r877940_rule TSS0-UT-000020 CCI-000213 MEDIUM The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224101r877941_rule TSS0-UT-000030 CCI-000213 MEDIUM IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224102r877942_rule TSS0-UT-000040 CCI-000366 MEDIUM The IBM z/OS UNIX Telnet server Startup parameters must be properly specified. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224103r877943_rule TSS0-UT-000050 CCI-001384 MEDIUM The IBM z/OS UNIX Telnet server warning banner must be properly specified. Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations,
    SV-224104r877944_rule TSS0-VT-000010 CCI-000213 MEDIUM IBM z/OS System data sets used to support the VTAM network must be properly secured. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods
    SV-224105r877945_rule TSS0-VT-000020 CCI-001499 MEDIUM IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement a
    SV-245537r877948_rule TSS0-TC-000080 CCI-000366 MEDIUM The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercepted without the resolver's knowledge, or resource records
    SV-251108r877949_rule TSS0-OS-000320 CCI-002476 MEDIUM The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption. This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of info
    SV-252554r816962_rule TSS0-TC-000100 CCI-000067 MEDIUM IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent. If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance to
    SV-255896r877951_rule TSS0-FT-000130 CCI-000366 MEDIUM IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures).
    SV-255940r881312_rule TSS0-IC-000010 CCI-000366 MEDIUM IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified. The IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly configure parameter values could potentially compromise the integrity of the base product which could result i
    SV-255941r881315_rule TSS0-IC-000020 CCI-000213 MEDIUM IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected. The IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product whic
    SV-255942r881318_rule TSS0-IC-000040 CCI-000764 MEDIUM IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP. IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, data sets and other system functions. By defining the started task as a userid to the system ACP, it allows the ACP to control the access an
    SV-255943r881321_rule TSS0-IC-000050 CCI-000764 MEDIUM IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret. Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources. Improper control of product resources could potentially compromise the operating
    SV-255944r881324_rule TSS0-IC-000030 CCI-001499 MEDIUM IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected. IBM Integrated Crypto Service Facility (ICSF) STC data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base prod