Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

z/OS CL/SuperSession for ACF2 Security Technical Implementation Guide - V7R2

  • Version/Release: V7R2
  • Published: 2025-09-27
  • Released: 2025-10-01
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
CL/SuperSession profile options are set improperly.
AC-11 - Medium - CCI-000057 - V-224282 - SV-224282r1141407_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
ZCLS0040
Vuln IDs
  • V-224282
  • V-18014
Rule IDs
  • SV-224282r1141407_rule
  • SV-27197
Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Checks: C-25955r1141406_chk

The following steps are necessary for reviewing the CL/SuperSession options: Request online access from the site administrator to view CL/SuperSession parameter settings. Once access to the CL/SuperSession Main Menu has been obtained, select the option for the ADMINISTRATOR menu. From the ADMINISTRATOR menu, select the option for the PROFILE SELECTION menu. From the PROFILE SELECTION menu, select the View GLOBAL Profile option. After selection of the View GLOBAL Profile option, the Update GLOBAL Profile menu appears. From this menu, select the profile to be reviewed: - To view the Common profile, select: _Common - To view the SUPERSESSION profile, select: _SupSess Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0040). Compare the security parameters as specified in the Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables in the z/OS STIG Addendum against the settings in CL/SuperSession. If all options as specified in the Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables in the z/OS STIG Addendum are in effect, this is not a finding.

Fix: F-25943r1041214_fix

The systems programmer and ISSO will review all session manager security parameters and control options for compliance with the requirements of the z/OS STIG Addendum Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables. Verify that the options are set properly.

b
CL/SuperSession must be properly configured to generate SMF records for audit trail and accounting reports.
AU-12 - Medium - CCI-000172 - V-224283 - SV-224283r1141410_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ZCLS0041
Vuln IDs
  • V-224283
  • V-22689
Rule IDs
  • SV-224283r1141410_rule
  • SV-27198
Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications and compromise the confidentiality of customer data.
Checks: C-25956r1141408_chk

Version 3 of CL/SuperSession Review the member KLKINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Version 2 of CL/SuperSession Review the member KLVINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(SMFOPTS). Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0041). If the following guidance is true, this is not a finding. If the SMF= field specifies an SMF record number, review the SMFOPTS report to verify SMF is writing that record type. If SMF is writing the record number specified by SMF=, this is not a finding.

Fix: F-25944r1141409_fix

Ensure the Session Manager generates SMF records for audit trail and accounting reports. To provide an audit trail of user activity in CL/SuperSession, configure the Network Accounting Facility (NAF) to require SMF recording of accounting and audit data. Accounting to the journal dataset is optional at the discretion of the site. Ensure that the NAF parameter options for member KLKINNAF for Version 3 of CL/SuperSession or KLVINNAF for Version 2 of CL/SuperSession RLSPARM initialization parameter library are coded to the below specifications. DSNAME= dsname - Name of the NAF journal dataset. Required only if the site is collecting accounting and audit data in the journal dataset in addition to the SMF data. MOD - If the journal dataset is used, this parameter should be set to ensure that logging data in the dataset is not overwritten. SMF=nnn - SMF record number. This field is mandatory to ensure that CL/SuperSession data is always written to the SMF files.

b
CL/SuperSession Install datasets must be properly protected.
CM-5 - Medium - CCI-001499 - V-224284 - SV-224284r1141413_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCLSA000
Vuln IDs
  • V-224284
  • V-16932
Rule IDs
  • SV-224284r1141413_rule
  • SV-27073
CL/SuperSession Install datasets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their datasets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.
Checks: C-25957r1141411_chk

Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(KLSRPT). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZCLS0000). Verify that access to the CL/SuperSession Install datasets are properly restricted. If the following guidance is true, this is not a finding. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to systems programming personnel. The ACF2 dataset rules for the datasets do not specify that all (i.e., failures and successes) WRITE and/or greater access will be logged.

Fix: F-25945r1141412_fix

Ensure that WRITE and/or greater access to CL/SuperSession install datasets is limited to systems programmers only, and all WRITE and/or greater access is logged. Auditors should have READ access. The installing systems programmer will identify and document the product datasets, categorize them according to who will have WRITE and/or greater access, and if required, ensure that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have UPDATE access for specific datasets, and once documented will work with the ISSO to ensure that they are properly restricted to the ACP (Access Control Program ) active on the system. The following datasets are an example of datasets to be protected: SYS2.OMEGAMON SYS2.OMEGAMON.V-.TLSLOAD SYS2.OMEGAMON.V-.TLVLOAD SYS3.OMEGAMON SYS3.OMEGAMON.RLSLOAD The following commands are provided as an example for implementing dataset controls: $KEY(SYS2) OMEGAMON.- UID(syspaudt) R(A) W(L) A(L) E(A) OMEGAMON.V-.TLSLOAD UID(syspaudt) R(A) W(L) A(L) E(A) OMEGAMON.V-.TLVLOAD UID(syspaudt) R(A) W(L) A(L) E(A) OMEGAMON.- UID(audtaudt) R(A) E(A) $KEY(SYS3) OMEGAMON.- UID(syspaudt) R(A) W(L) A(L) E(A) OMEGAMON.RLSLOAD UID(syspaudt) R(A) W(L) A(L) E(A) OMEGAMON.- UID(audtaudt) R(A) E(A)

b
CL/SuperSession STC datasets must be properly protected.
CM-5 - Medium - CCI-001499 - V-224285 - SV-224285r1141416_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCLSA001
Vuln IDs
  • V-224285
  • V-17067
Rule IDs
  • SV-224285r1141416_rule
  • SV-27093
CL/SuperSession STC datasets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their datasets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.
Checks: C-25958r1141414_chk

Refer to the following report produced by the dataset and Resource Data Collection: - SENSITVE.RPT(KLSSTC). Automated Analysis Refer to the following report produced by the dataset and Resource Data Collection: - PDI(ZCLS0001). Verify that the accesses to the CL/SuperSession STC datasets are properly restricted. If the following guidance is true, this is not a finding. The ACF2 dataset access authorizations restrict READ access to auditors and authorized users. The ACF2 dataset access authorizations restrict WRITE and/or greater access to systems programming personnel. The ACF2 dataset rules for the datasets restrict WRITE and/or greater access to the product STC(s) and/or batch job(s).

Fix: F-25946r1141415_fix

Ensure that WRITE and/or greater access to CL/SuperSession STC datasets are limited to systems programmers and CL/SuperSession STC only. READ access can be given to auditors and authorized users. The installing systems programmer will identify and document the product datasets, categorize them according to who will have WRITE and/or greater access, and if required, ensure that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have WRITE and/or greater access for specific datasets, and once documented will work with the ISSO to ensure they are properly restricted to the ACP (Access Control Program) active on the system. Note: The datasets and/or dataset prefixes identified below are examples of a possible installation. The actual datasets and/or prefixes are determined when the product is installed on a system through the product's installation guide and can be site specific. The following datasets are an example of datasets to be protected: SYS3.OMEGAMON.RLSNAF SYS3.OMEGAMON.RLSNAM SYS3.OMEGAMON.RLSTDB SYS3.OMEGAMON.RLSVLOG The following commands are provided as an example for implementing dataset controls: $KEY(SYS3) OMEGAMON.RLSNAF UID(*) R(A) E(A) OMEGAMON.RLSNAF UID(audtaudt) R(A) E(A) OMEGAMON.RLSNAF UID(syspaudt) R(A) W(A) A(A) E(A) OMEGAMON.RLSNAF UID(stc KLS) R(A) W(A) A(A) E(A) OMEGAMON.RLSNAM UID(*) R(A) E(A) OMEGAMON.RLSNAM UID(audtaudt) R(A) E(A) OMEGAMON.RLSNAM UID(syspaudt) R(A) W(A) A(A) E(A) OMEGAMON.RLSNAM UID(stc KLS) R(A) W(A) A(A) E(A) OMEGAMON.RLSTDB UID(*) R(A) E(A) OMEGAMON.RLSTDB UID(audtaudt) R(A) E(A) OMEGAMON.RLSTDB UID(syspaudt) R(A) W(A) A(A) E(A) OMEGAMON.RLSTDB UID(stc KLS) R(A) W(A) A(A) E(A) OMEGAMON.RLSVLOG UID(*) R(A) E(A) OMEGAMON.RLSVLOG UID(audtaudt) R(A) E(A) OMEGAMON.RLSVLOG UID(syspaudt) R(A) W(A) A(A) E(A) OMEGAMON.RLSVLOG UID(stc KLS) R(A) W(A) A(A) E(A)

b
CL/SuperSession Started Task name is not properly identified / defined to the system ACP.
IA-2 - Medium - CCI-000764 - V-224286 - SV-224286r1144190_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCLSA030
Vuln IDs
  • V-224286
  • V-17452
Rule IDs
  • SV-224286r1144190_rule
  • SV-28590
CL/SuperSession requires a started task that will be restricted to certain resources, datasets, and other system functions. Defining the started task as a userid to the system ACP allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities could compromise the operating system environment, ACP, and customer data.
Checks: C-25959r1141417_chk

Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTSTC). Verify that the logonid(s) for the CL/SUPERSESSION started task(s) is (are) properly defined. If the following attributes are defined, this is not a finding. STC MUSASS NO-SMC

Fix: F-25947r1141418_fix

The systems programmer and ISSO will ensure that the started task for CL/SuperSession is properly defined. Review all session manager security parameters and control options for compliance. Develop a plan of action and implement the changes as specified. Define the started task userid KLS for CL/SuperSession. Example: INSERT KLS NAME(STC, CL/SuperSession) MUSASS NO-SMC STC

b
CL/SuperSession KLVINNAM member must be configured in accordance with security requirements.
CM-7 - Medium - CCI-000381 - V-224287 - SV-224287r1141422_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ZCLSA042
Vuln IDs
  • V-224287
  • V-22690
Rule IDs
  • SV-224287r1141422_rule
  • SV-27256
CL/SuperSession configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Checks: C-25960r1141420_chk

Version 3 of CL/SuperSession Review the member KLKINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Version 2 of CL/SuperSession Review the member KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0042). If one of the following configuration settings is specified for each control point defined in the KLKINNAM member for version 3 of CL/SuperSession or KLVINNAM member for version 2 of CL/SuperSession, this is not a finding. DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - NORACF - CLASSES=APPCLASS - NODB - EXIT=KLSA2NEV (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - CLASSES=APPCLASS - NODB - EXIT=KLSSFPTX

Fix: F-25948r1141421_fix

Ensure that the parameter options for member KLKINNAM for Version 3 of CL/SuperSession or KLVINNAM for Version 2 of CL/SuperSession are coded to the below specifications. (Note: The dataset identified below is an example of a possible installation. The actual dataset is determined when the product is installed on a system through the product's installation guide and can be site specific.) Review the member KLKINNAM or KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - NORACF - CLASSES=APPCLASS - NODB - EXIT=KLSA2NEV (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - CLASSES=APPCLASS - NODB - EXIT=KLSSFPTX

b
CL/SuperSession APPCLASS member is not configured in accordance with the proper security requirements.
CM-7 - Medium - CCI-000381 - V-224288 - SV-224288r1141424_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ZCLSA043
Vuln IDs
  • V-224288
  • V-22691
Rule IDs
  • SV-224288r1141424_rule
  • SV-27259
CL/SuperSession configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Checks: C-25961r1141423_chk

Review the member APPCLASS in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0043). If the parameters for the member APPCLASS are configured as follows, this is not a finding. VGWAPLST EXTERNAL=APL

Fix: F-25949r1041224_fix

The systems programmer and ISSO will ensure that the parameter options for member APPCLASS are coded to the below specifications. Review the member APPCLASS in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: VGWAPLST EXTERNAL=APL