IBM zSecure Suite Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-01-18
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
c
The IBM Security zSecure Suite products must use an external security manager (RACF, ACF2, or TSS) for all account management functions.
AC-2 - High - CCI-000015 - V-259727 - SV-259727r943215_rule
RMF Control
AC-2
Severity
High
CCI
CCI-000015
Version
ZSEC-00-000020
Vuln IDs
  • V-259727
Rule IDs
  • SV-259727r943215_rule
Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include but are not limited to using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts in noncentralized account stores, such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application or be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example, using email or text messaging to automatically notify account managers when users are terminated or transferred, using the information system to monitor account usage, and using automated telephonic notification to report atypical system account usage.
Checks: C-63466r943213_chk

None of the zSecure functional profiles must allow general access by means of UACC(NONE), WARNING, or global access. Review profile(s) protecting CKF.** resources in XFACILIT class. If only profile CKF.** exists, this is a finding. If READ access to any other CKF.<focus> profiles is not restricted to security administrators, decentralized security administrators, batch jobs that perform External Security Manager (ESM) maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKN*.** resources in XFACILIT class. If only profile CKN*.** exists, this is a finding. If READ access to any other CKNADMIN.**, CKNDSN.** or CKNUMAP profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKG.** resources in XFACILIT class. If only profile CKG.** exists, this is a finding. If READ access to any other CKG.CMD.**, CKG.RAC.**, CKG.SCHEDULE.**, CKG.SCP.**, CKG.UCAT.**, or CKG.USRDATA.** profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKR.** resources in XFACILIT class. If only profile CKR.** exists, this is a finding. If READ access to any other CKR.ACTION.**, CKR.CKRCARLA.APF, CKR.CKXLOG.**, CKR.OPTION.**, or CKR.READALL profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2R.** resources in XFACILIT class. If only profile C2R.** exists, this is a finding. If READ access to any other C2R.CLIENT.** or C2R.SERVER.ADMIN profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2X.** resources in XFACILIT class. If only profile C2X.** exists, this is a finding. If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding.

Fix: F-63373r943214_fix

Ensure READ access to zSecure functional resources is restricted to the appropriate staff members. READ access can be given to security administrators (domain level and decentralized), security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef xfacilit resource_profile_protecting_zSecure_CKF_ resource uacc(none) owner(zSecure owner) pe resource_profile_protecting_zSecure_CKF_ resource class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.TONODE.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.TONODE.<node-name> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.FROMNODE.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.FROMNODE.<node-name> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY class(xfacilit) id(AUDTAUDT) access(UPDATE) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.CKRCMD uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.CKRCMD class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKR.ACTION.** uacc(none) owner(zSecure owner) pe CKR.ACTION.** class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKR.CKRCARLA.APF uacc(none) owner(zSecure owner) pe CKR.CKRCARLA.APF class(xfacilit) id(SECAUDT, SECBAUDT) access(READ) rdef xfacilit CKR.READALL uacc(none) owner(zSecure owner) pe CKR.READALL class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUDT) access(READ)

b
Access to zSecure installation data must be properly restricted and logged.
CM-5 - Medium - CCI-001499 - V-259728 - SV-259728r943218_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZSEC-00-000040
Vuln IDs
  • V-259728
Rule IDs
  • SV-259728r943218_rule
If the zSecure application were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to applications with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components to initiate changes, including upgrades and modifications.
Checks: C-63467r943216_chk

Verify the accesses to zSecure installation data sets are properly restricted. - The RACF profile(s) protecting zSecure installation data sets must not allow general access by means of UACC, ID(*), WARNING, or global access. - The RACF profile(s) protecting zSecure installation data sets must restrict READ access to auditors, security administrators , decentralized security administrators, batch jobs that perform External Security Manager (ESM) maintenance, and trusted STC users. - The RACF profile(s) protecting zSecure installation data sets must restrict UPDATE and higher access to systems programmers. - All failures and successful UPDATE and higher access must be logged. If all of the above restrictions are true, this is not a finding.

Fix: F-63374r943217_fix

Ensure ALTER access to zSecure installation data sets is restricted to systems programmers, and all failures and successful UPDATE and higher access is logged. READ access can be permitted to auditors, security administrators (domain level and decentralized), batch jobs that perform ESM maintenance, and trusted STC users. The installing systems programmer will identify and document the product data sets and categorize them according to who will require UPDATE and higher access and if required that all successful UPDATE and higher access is logged. The installing systems programmer will identify if any additional groups need READ access for specific zSecure installation data sets, and once documented will work with the information system security officer (ISSO) to ensure they are properly restricted to the ESM active on the system. The following commands are provided as a sample for implementing zSecure installation data set controls: ad 'hlq.zsec.inst.dsn' uacc(none) owner(zSecure owner) - audit(success(update) failures(read)) pe 'hlq.zsec.inst.dsn' id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe 'hlq.zsec.inst.dsn' id(SYSPAUDT) access(ALTER)

b
Access to IBM Security zSecure STC data sets must be properly restricted and logged.
CM-5 - Medium - CCI-001499 - V-259729 - SV-259729r943250_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZSEC-00-000060
Vuln IDs
  • V-259729
Rule IDs
  • SV-259729r943250_rule
IBM Security zSecure STC have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these zSecure STC data sets could result in violating the integrity of the base product, which could compromise the operating system or sensitive data.
Checks: C-63468r943250_chk

Verify that access to the zSecure STC data sets is properly restricted. If the following guidance is true, this is not a finding. - The RACF profiles protecting zSecure STC data sets do not allow general access by means of UACC, ID(*), WARNING, or global access. - READ and higher access to zAlert CKFREEZE data sets is restricted to trusted STC users and systems programmers. - READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers. - UPDATE access to Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers. - CONTROL and higher access to Access Monitor output data sets is restricted to trusted STC users and systems programmers. - All failures and successful UPDATE and higher access to zSecure STC data sets is logged. DASD-only CKXLOG log stream resources in the LOGSTRM class: - READ is restricted to security administrators, auditors, batch jobs performing ESM maintenance - ALTER restricted to CKXLOG task, system programmers, and batch jobs performing ESM maintenance * For Coupling-Facility CKXLOG log streams, the above applies in addition to checking the IXLSTR.model_structure_name profiles in the FACILITY class: - UPDATE and higher trusted STC users, and systems programmers.

Fix: F-63375r943220_fix

Ensure that READ and higher access to zSecure STC data sets is restricted to authorized users, and all failures and successful UPDATE and higher access is logged. Appropriate access can be permitted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users and systems programmers. The following commands are provided as a sample for implementing zSecure STC data set controls: ad 'hlq.zsec.alert.ckfreeze' uacc(none) owner(zSecure owner) - audit(success(update) failures(read)) pe 'hlq.zsec.alert.ckfreeze' id(SYSPAUDT, TSTCAUDT) access(READ) ad 'hlq.zsec.access.monitor.dsn' uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(READ)) pe 'hlq.zsec.access.monitor.dsn' id(AUDTAUDT, SECAAUDT, SECDAUDT, SECBAUDT) access(READ) pe 'hlq.zsec.access.monitor.dsn' id(SECBAUDT, access(UPDATE) pe 'hlq.zsec.access.monitor.dsn' id(SYSPAUDT, TSTCAUDT) access(ALTER) rdef logstrm LSName uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(read)) pe LSName class(logstrm) id(AUDTAUDT, SECAAUDT, SECDAUDT) access(READ) pe LSName class(logstrm) id(CKXLOG, SECBAUDT, AUTOAUDT, SYSPAUDT) access(ALTER) rdef facility IXLSTR. <modelstrname> uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(READ)) pe IXLSTR.<modelstrname> class(facility) id(SYSPAUDT, TSTCAUDT) access(ALTER)

b
IBM Security zSecure access to user data sets must be properly restricted and logged.
CM-5 - Medium - CCI-001499 - V-259730 - SV-259730r943224_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZSEC-00-000080
Vuln IDs
  • V-259730
Rule IDs
  • SV-259730r943224_rule
If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes might result in incorrect results reported by the product. Only qualified and authorized individuals must be allowed to create, read, update, and delete zSecure user data sets.
Checks: C-63469r943222_chk

Verify the accesses to the zSecure user data sets are properly restricted. If the following guidance is true, this is not a finding. - The RACF profiles protecting zSecure user data sets do not allow general access by means of UACC, ID(*), WARNING, or global access. - READ access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to auditors, automated operation STCs/batch jobs, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, system programmers and trusted STC users. - UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is restricted to decentralized security administrators, security administrators, batch jobs performing ESM maintenance, and system programmers. - All failures and successful UPDATE and higher access to ASSERTION, CKFREEZE, and UNLOAD data sets is logged. - READ access to Access Monitor output data sets is restricted to auditors, decentralized security administrators, security administrators, batch jobs performing ESM maintenance, automated operation STCs/batch jobs, and trusted STC users, and system programmers. - UPDATE and higher access to the Access Monitor output data sets is restricted to automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and system programmers. - All failed and all successful UPDATE and higher access to Access Monitor output data sets is logged. - READ access to CKACUST and CKACUSV data sets is restricted to auditors, batch jobs that perform ESM maintenance, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and systems programmers. - UPDATE access to CKACUST and CKACUSV data sets is restricted to decentralized security administrators, security administrators, automated operation STCs/batch jobs, batch jobs performing ESM maintenance, trusted STC users, and systems programmers. - CONTROL and higher access to CKACUST and CKACUSV data sets is restricted to systems programmers. - All failed and all successful UPDATE and higher access to CKACUST and CKACUSV data sets is logged. - READ access to CKXLOG log stream is restricted to auditors, decentralized security administrators, security administrators, automated operation STCs/batch jobs, trusted STC users, and system programmers. - UPDATE and higher access to CKXLOG log stream is restricted to automated operation STCs/batch jobs, trusted STC users, and system programmers. - All failed access to CKXLOG log stream is logged.

Fix: F-63376r943223_fix

The following commands are provided as a sample for implementing zSecure user data set controls: ad 'hlq.zsec.user.assert/ckfreeze/unload.dsn' uacc(none) owner(zSecure owner) - audit(success(update) failures(read)) pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ) pe 'hlq.zsec.user.assert/ckfreeze/unload.dsn' id(SECAAUDT, SECDAUDT, SECBAUDT, SYSPAUDT) access(ALTER) ad 'hlq.zsec.accmon.user.dsn' uacc(none) owner(zSecure owner) - audit(success(update) failures(read)) pe 'hlq.zsec.accmon.user.dsn' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(READ) pe 'hlq.zsec.accmon.user.dsn' id(AUTOAUDT, SECBAUDT, TSTCAUDT, SYSPAUDT) access(ALTER) ad ' hlq.zsec.user.ckcus* audit(success(UPDATE) failures(READ)) pe 'hlq.zsec.user.ckcus*' id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, SECBAUDT, TSTCAUDT) access(UPDATE) pe 'hlq.zsec.user.ckcus*' id(SYSPAUDT) access(ALTER) rdef logstrm LSName uacc(none) owner(zSecure owner) - audit(success(UPDATE) failures(read)) pe LSName class(logstrm) id(AUDTAUDT, AUTOAUDT, SECAAUDT, SECDAUDT, TSTCAUDT, SYSPAUDT) access(READ) pe LSName class(logstrm) id(AUTOAUDT, TSTCAUDT, SYSPAUDT) access(ALTER)

b
Started tasks for zSecure products must be properly defined.
IA-2 - Medium - CCI-000764 - V-259731 - SV-259731r943252_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZSEC-00-000100
Vuln IDs
  • V-259731
Rule IDs
  • SV-259731r943252_rule
Started tasks and batch job IDs can be automatically revoked accidentally if not properly protected. When properly protected STCs prevent any attempts to log on with a password, it eliminates the possibility of revocation due to excessive invalid password attempts (denial of service).
Checks: C-63470r943251_chk

If user IDs assigned to zSecure started tasks and scheduled batch jobs are not assigned the PROTECTED attribute and/or defined as an STC, this is a finding. The default zSecure STC names (that may be changed by installation) are as follows: - STC C2PACMON runs program C2PACMON. - STC C2POLICE runs program C2POLICE. - STC C2PCOLL runs program CKFCOLL. (CKFCOLL is also run as a step in batch jobs.) - STC C2RSERVE runs program BPXBATCH. - STC CKCS1154 runs program CKCS1154. - STC CKNSERVE runs program CKNSERVE. - STC CKCCEF runs program CKRCARLX. - STC CKQCLEEF runs program CKRCARLX. - STC CKQEXSMF runs program CKQEXSMF. - STC CKQRADAR runs program CKRCARLA. - STC CKXLOG runs program CKXLOG. Verify the naming conventions for the zSecure STCs and batch jobs with the responsible systems programmers. Check which user IDs are assigned in the STDATA segment of the zSecure STCs. For these user IDs, verify they are assigned the PROTECTED attribute.

Fix: F-63377r943226_fix

Ensure user IDs assigned to zSecure started tasks and scheduled batch jobs are assigned the PROTECTED attribute and/or defined as a STC. The following command is provided as a sample for adding the PROTECTED attribute. - ALTUSER <stuser> NOPASSWORD NOPHRASE - ALTUSER <batch user ID> NOPASSWORD NOPHRASE

b
Access to IBM Security zSecure program resources must be limited to authorized users.
SC-2 - Medium - CCI-001082 - V-259732 - SV-259732r943254_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
ZSEC-00-000120
Vuln IDs
  • V-259732
Rule IDs
  • SV-259732r943254_rule
Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile.
Checks: C-63471r943253_chk

If the profiles protecting zSecure program resources do not allow general access by means of UACC, ID(*),WARNING, or global access, this is not a finding. Review profile(s) protecting CKF.** resources in XFACILIT class. If READ and higher access to any other CKF.&lt;focus&gt; profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing External Security Manager (ESM) maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKN*.** resources in XFACILIT class. If READ and higher access to any other CKNADMIN.**, and CKNDSN.**, profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKG.** resources in XFACILIT class. If READ and higher access to any other CKG.CMD.**, CKG.RAC.**, CKG.SCHEDULE.**, CKG.SCP.**, CKG.SCPASK.**,CKG.UCAT.**, or CKG.USRDATA.** profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKR.** resources in XFACILIT class. If READ and higher access to any other CKR.ACTION.**, CKR.CKRCARLA.APF, CKR.CKXLOG.**, CKR.OPTION.**, or CKR.READALL profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. If zSecure is used, review profile(s) protecting C2R.** resources in XFACILIT class. If READ and higher access to any other C2R.CLIENT.** or C2R.SERVER.ADMIN profiles is not restricted to security administrators, decentralized security administrators, security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2X.** resources in XFACILIT class. If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding. If all failures and successful UPDATE and higher access attempts are logged, this is not a finding.

Fix: F-63378r943254_fix

Ensure READ and higher access to zSecure program resources is restricted to the appropriate staff members. READ and higher access can be given to security administrators, decentralized security administrators, security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef CKF.<focus> uacc(none) owner(zSecure owner) pe CKF.<focus> class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.<type>.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.<type>.<node-name> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.<type> uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.<type> class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKG.<type>.** uacc(none) owner(zSecure owner) pe CKG.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit CKR.<type> uacc(none) owner(zSecure owner) pe CKR.<type>.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner) pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2R.CLIENT.** uacc(none) owner(zSecure owner) pe C2R.CLIENT.** class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUD) access(READ) rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner) pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)

b
zSecure must prevent nonprivileged users from executing privileged zSecure functions.
AC-6 - Medium - CCI-002235 - V-259733 - SV-259733r943233_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
ZSEC-00-000140
Vuln IDs
  • V-259733
Rule IDs
  • SV-259733r943233_rule
Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
Checks: C-63472r943231_chk

If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** If a minimum of all failed access is logged, this is not a finding.

Fix: F-63379r943232_fix

Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** A minimum of all failed access must be logged. rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN*.** uacc(none) owner(zSecure owner) rdef xfacilit CKG.** uacc(none) owner(zSecure owner)

b
The zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and audited.
AC-6 - Medium - CCI-002233 - V-259734 - SV-259734r943255_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
ZSEC-00-000160
Vuln IDs
  • V-259734
Rule IDs
  • SV-259734r943255_rule
Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes. Satisfies: SRG-APP-000342-MFP-000090,SRG-APP-000343-MFP-000091
Checks: C-63473r943255_chk

If this is not a RACF system, the presence of CKGRACF is not applicable. Verify the access and log settings of the profiles that protect the use of the CKFCOLL and CKGRACF programs and the APF-authorized version of the CKRCARLA program. If the CKF.** and CKG.** profiles that protect the use of the CKFCOLL, CKGRACF, and CKRCARLA programs allow general access (UACC, ID(*), WARNING, or global access) or do not log successful READ access, this is a finding. If READ or higher access to profile(s) protecting CKF.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized), batch jobs performing ESM maintenance, auditors, or systems programmers, this is a finding. If READ or higher access to profile(s) protecting CKG.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized) or batch jobs performing ESM maintenance, this is a finding. Review auditing of the profile protecting the CKR.CKRCARLA.APF resource in XFACILIT class. If successful READs are not audited, this is a finding.

Fix: F-63380r943235_fix

If this is not a RACF system, the presence of CKGRACF is not applicable. Ensure READ access to zSecure functional resources is restricted to the appropriate staff members. READ access can be given to auditors, security administrators (domain level and decentralized), security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef xfacilit resource_profile_protecting_zSecure_CKF_ resource uacc(none) owner(zSecure owner) pe resource_profile_protecting_zSecure_CKF_ resource class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKG.CMD.** uacc(none) owner(zSecure owner) pe CKG.CMD.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKG.RAC.** uacc(none) owner(zSecure owner) pe CKG.RAC.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKG.SCHEDULE.** uacc(none) owner(zSecure owner) pe CKG.SCHEDULE.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKG.SCP.** uacc(none) owner(zSecure owner) pe CKG.SCP.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKG.UCAT.** uacc(none) owner(zSecure owner) pe CKG.UCAT.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKG.USRDATA.** uacc(none) owner(zSecure owner) pe CKG.USRDATA.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKNADMIN.TONODE.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.TONODE.<node-name> class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.FROMNODE.<node-name> uacc(none) owner(zSecure owner) pe CKNADMIN.FROMNODE.<node-name> class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED uacc(none) owner(zSecure owner) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) pe CKNDSN.<dstype>.<node-name>.<systemname>.ACTIVE class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.BACKUP class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.MANAGED class(xfacilit) id(AUDTAUDT) access(UPDATE) pe CKNDSN.<dstype>.<node-name>.<systemname>.PRIMARY class(xfacilit) id(AUDTAUDT) access(UPDATE) rdef xfacilit CKNDSN.<dstype>.<node-name>.<systemname>.CKRCMD uacc(none) owner(zSecure owner) pe CKNDSN.<dstype>.<node-name>.<systemname>.CKRCMD class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKR.READALL uacc(none) owner(zSecure owner) pe CKR.READALL class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, TSTCAUDT) access(READ) rdef xfacilit CKR.CKRCARLA.APF uacc(none) owner(zSecure owner) pe CKR.CKRCARLA.APF class(xfacilit) id(SYSPAUDT, SECBAUDT) access(READ) rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner) pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE) rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner) pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT) access(READ) rdef xfacilit C2R.CLIENT.SETROPTS uacc(none) owner(zSecure owner) pe C2R.CLIENT.SETROPTS class(xfacilit) id(AUDTAUDT, SYSPAUDT, SECAAUDT) access(READ)

b
IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner.
CM-3 - Medium - CCI-001744 - V-259735 - SV-259735r943239_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
ZSEC-00-000200
Vuln IDs
  • V-259735
Rule IDs
  • SV-259735r943239_rule
Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include but are not limited to the following: halting application processing, halting selected application functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.
Checks: C-63474r943237_chk

Verify that a (daily) scheduled batch job is defined and used or a custom alert is configured and activated to inform appropriate personnel, such as auditors and compliance officers, about successful changes to the zSecure configuration data sets on their z/OS systems. If SMF records regarding successful UPDATE(s) to zSecure configuration data sets are not reported to the information system security manager (ISSM), this is a finding.

Fix: F-63381r943238_fix

The recipients of the SMF reports or alert messages must investigate whether the UPDATE is legitimate (e.g., is documented and approved in a change management request). If it is not, they must restore the original configuration setting.

b
IBM Security zSecure must remove all upgraded/replaced zSecure software components that are no longer required for operation after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-259736 - SV-259736r943242_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002617
Version
ZSEC-00-000220
Vuln IDs
  • V-259736
Rule IDs
  • SV-259736r943242_rule
Previous versions of zSecure products and components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Checks: C-63475r943240_chk

Examine the inventory of installed software components for zSecure. If software components that are no longer required for operation exist, this is a finding.

Fix: F-63382r943241_fix

Remove all upgraded/replaced software components that are no longer required for operation.

b
IBM Security zSecure system administrators must install security-relevant zSecure software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).
SI-2 - Medium - CCI-002605 - V-259737 - SV-259737r943249_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
ZSEC-00-000240
Vuln IDs
  • V-259737
Rule IDs
  • SV-259737r943249_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
Checks: C-63476r943249_chk

Ask the system administrator for the procedure to install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs. If there is no procedure, this a finding.

Fix: F-63383r943244_fix

Develop a procedure to install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).

b
XFACILIT class, or alternate class if specified in module CKRSITE, must be active.
CM-6 - Medium - CCI-000366 - V-259738 - SV-259738r943248_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZSEC-00-000260
Vuln IDs
  • V-259738
Rule IDs
  • SV-259738r943248_rule
The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM.
Checks: C-63477r943246_chk

Run the CARLa command SHOW CKRSITE. The output of this command reveals which resource class is configured for handling the zSecure security checks. The default resource class is XFACILIT. Verify in the class descriptor table that the configured zSecure resource class is active. If the configured zSecure resource class is not active, this is a finding.

Fix: F-63384r943247_fix

Ensure the resource class that is configured in CKRSITE for zSecure security checks is active in the RACF class descriptor table. The default class is XFACILIT. IBM Security zSecure recommends the generic be activated. Following is a sample command: SETROPTS CLASSACT(XFACILIT) or SETROPTS CLASSACT(<configured resource class for access checks>)