z/OS CL/SuperSession for RACF Security Technical Implementation Guide

  • Version/Release: V6R14
  • Published: 2024-09-13
  • Released: 2024-10-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
CL/SuperSession profile options are set improperly.
AC-4 - Medium - CCI-000035 - V-224461 - SV-224461r987813_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZCLS0040
Vuln IDs
  • V-224461
  • V-18014
Rule IDs
  • SV-224461r987813_rule
  • SV-27197
Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Checks: C-26138r519737_chk

a) The following steps are necessary for reviewing the CL/SuperSession options: 1) Request on-line access from the site administrator to view CL/SuperSession parameter settings. 2) Once access to the CL/SuperSession Main Menu has been obtained, select the option for the ADMINISTRATOR menu. 3) From the ADMINISTRATOR menu, select the option for the PROFILE SELECTION menu. 4) From the PROFILE SELECTION menu, select the View GLOBAL Profile option. 5) After selection of the View GLOBAL Profile option, the Update GLOBAL Profile menu appears. From this menu select the profile to be reviewed: - To view the Common profile select: _Common - To view the SUPERSESSION profile select: _SupSess Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0040) b) Compare the security parameters as specified in the Required CL/SuperSession Common Profile Options and Required CL/Superssion Profile Options Tables in the z/OS STIG Addendum against the CL/SuperSession Profile options. c) If all options as specified in the Required CL/SuperSession Common Profile Options and Required CL/Superssion Profile Options Tables in the z/OS STIG Addendum are in effect, there is NO FINDING. d) If any of the options as specified in the Required CL/SuperSession Common Profile Options and Required CL/Superssion Profile Options Tables in the z/OS STIG Addendum is not in effect, this is a FINDING.

Fix: F-26126r519738_fix

The Systems Programmer and IAO will review all session manager security parameters and control options for compliance with the requirements of the z/OS STIG Addendum Required CL/SuperSession Common Profile Options and Required CL/SuperSession Profile Options Tables. Verify that the options are set properly.

b
CL/SuperSession must be properly configured to generate SMF records for audit trail and accounting reports.
AC-4 - Medium - CCI-000035 - V-224462 - SV-224462r987813_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZCLS0041
Vuln IDs
  • V-224462
  • V-22689
Rule IDs
  • SV-224462r987813_rule
  • SV-27198
Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications and compromise the confidentiality of customer data.
Checks: C-26139r952250_chk

a) Version 3 of CL/SuperSession Review the member KLKINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Version 2 of CL/SuperSession Review the member KLVINNAF in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure to determine SMF number. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(SMFOPTS) Automated Analysis (Currently there is no automation for version 3 of CL/SuperSession) Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0041) b) If the SMF= field specifies an SMF record number, review the SMFOPTS report to verify SMF is writing that record type. c) If SMF is writing the record number specified by SMF=, there is no finding. d) If the SMF= field does not specify an SMF record number, or SMF is not writing the record number specified by SMF=, this is a finding.

Fix: F-26127r952251_fix

Ensure that the Session Manager generates SMF records for audit trail and accounting reports. To provide an audit trail of user activity in CL/SuperSession, configure the Network Accounting Facility (NAF) to require SMF recording of accounting and audit data. Accounting to the journal data set is optional at the discretion of the site. To accomplish this for version 3 of CL/Supersession, configure the following NAF startup parameters in the KLKINNAF member of the RLSPARM initialization parameter library as follows: DSNAME= dsname - Name of the NAF journal data set. Required only if the site is collecting accounting and audit data in the journal data set in addition to the SMF data. MOD - If the journal data set is used, this parameter should be set to ensure that logging data in the data set is not overwritten. SMF=nnn - SMF record number. This field is mandatory to ensure that CL/SuperSession data is always written to the SMF files.

b
CL/SuperSession Install data sets must be properly protected.
AC-3 - Medium - CCI-000213 - V-224463 - SV-224463r958472_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCLSR000
Vuln IDs
  • V-224463
  • V-16932
Rule IDs
  • SV-224463r958472_rule
  • SV-27091
CL/SuperSession Install data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.
Checks: C-26140r519743_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(KLSRPT) Automated Analysis: Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZCLS0000) b) Verify that access to the CL/SuperSession Install data sets are properly restricted. ___ The RACF data set rules for the data sets does not restrict UPDATE and/or ALTER access to systems programming personnel. ___ The RACF data set rules for the data sets does not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged. c) If all of the above are untrue, there is NO FINDING. d) If any of the above is true, this is a FINDING.

Fix: F-26128r519744_fix

Ensure that update and allocate access to CL/SuperSession install data sets are limited to system programmers only and all update and allocate access is logged. Auditors should be granted READ access. The installing systems programmer will identify and document the product data sets and categorize them according to who will have update and alter access and if required that all update and allocate access is logged. He will identify if any additional groups have update access for specific data sets, and once documented he will work with the ISSO to see that they are properly restricted to the ACP (Access Control Program ) active on the system. The following dataset are an example of data sets to be protected: sys2.omegamon.** /* product datasets */ sys2.omegamon.*.tlsload.** sys2.omegamon.*.tlvload.** sys3.omegamon.** sys3.omegamon.rlsload.** The following commands are provided as an example for implementing dataset controls: ad 'sys2.omegamon.**' uacc(none) owner(sys2) - audit(success(update) failures(read) - data('vendor DS Profile CL/Supersession') pe 'sys2.omegamon.**' id(syspaudt) acc(a) pe 'sys2.omegamon.**' id(audtaudt) ad 'sys2.omegamon.*.tlsload.**' uacc(none) owner(sys2) - audit(success(update) failures(read) - data('vendor DS fully qualified apf Profile CL/Supersession') pe 'sys2.omegamon.*.tlsload.**' id(syspaudt) acc(a) pe 'sys2.omegamon.*.tlsload.**' id(audtaudt) ad 'sys2.omegamon.*.tlvload.**' uacc(none) owner(sys2) - audit(success(update) failures(read) - data('vendor DS fully qualified apf Profile CL/Supersession') pe 'sys2.omegamon.*.tlvload.**' id(syspaudt) acc(a) pe 'sys2.omegamon.*.tlvload.**' id(audtaudt) ad 'sys3.omegamon.**' uacc(none) owner(sys3) - audit(success(update) failures(read) - data('vendor DS Profile CL/Supersession') pe 'sys3.omegamon.**' id(syspaudt) acc(a) pe 'sys3.omegamon.**' id(audtaudt) ad 'sys3.omegamon.rlsload.**' uacc(none) owner(sys3) - audit(success(update) failures(read) - data('site DS fully qualified apf Profile CL/Supersession') pe 'sys3.omegamon.rlsload.**' id(syspaudt) acc(a) pe 'sys3.omegamon.rlsload.**' id(audtaudt)

b
CL/SuperSession STC data sets must be properly protected.
CM-5 - Medium - CCI-001499 - V-224464 - SV-224464r958616_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCLSR001
Vuln IDs
  • V-224464
  • V-17067
Rule IDs
  • SV-224464r958616_rule
  • SV-27097
CL/SuperSession STC data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.
Checks: C-26141r868331_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(KLSSTC) Automated Analysis: Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZCLS0001) Verify that the accesses to the CL/SuperSession STC data sets are properly restricted. If the following guidance is true, this is not a finding. ___ The RACF data set access authorizations restrict READ access to auditors and authorized users. ___ The RACF data set access authorizations restrict WRITE and/or greater access to systems programming personnel. ___ The RACF data set rules for the data sets does not restrict WRITE and/or greater access to the product STC(s) and/or batch job(s). ___ The RACF data set access authorizations for the data sets specify UACC(NONE) and NOWARNING.

Fix: F-26129r868332_fix

Ensure that WRITE and/or greater access to CL/SuperSession STC data sets are limited to systems programmers and CL/SuperSession STC only. Read access can be given to auditors and authorized users. The installing systems programmer will identify and document the product data sets and categorize them according to who will have WRITE and/or greater access and if required that all WRITE and/or greater access is logged. The installing systems programmer will identify if any additional groups have WRITE and/or greater access for specific data sets, and once documented will work with the ISSO to ensure they are properly restricted to the ACP (Access Control Program) active on the system. Note: The data sets and/or data set prefixes identified below are examples of a possible installation. The actual data sets and/or prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific. The following are an example of data sets to be protected: SYS3.OMEGAMON.RLSNAF SYS3.OMEGAMON.RLSNAM SYS3.OMEGAMON.RLSTDB SYS3.OMEGAMON.RLSVLOG The following commands are provided as an example for implementing dataset controls: ad 'sys3.omegamon.rlsnaf.** uacc(none) owner(sys3) - audit(failures(read)) - data('Site Customized CL/Supersession VSAM') pe 'sys3.omegamon.rlsnaf.**' id(syspaudt) acc(a) pe 'sys3.omegamon.rlsnaf.**' id(kls) acc(a) pe 'sys3.omegamon.rlsnaf.**' id(audtaudt) acc(r) pe 'sys3.omegamon.rlsnaf.**' id(*) acc(r) ad 'sys3.omegamon.rlsnam.** uacc(none) owner(sys3) - audit(failures(read)) - data('Site Customized CL/Supersession VSAM') pe 'sys3.omegamon.rlsnam.**' id(syspaudt) acc(a) pe 'sys3.omegamon.rlsnam.**' id(kls) acc(a) pe 'sys3.omegamon.rlsnam.**' id(audtaudt) acc(r) pe 'sys3.omegamon.rlsnam.**' id(*) acc(r) ad 'sys3.omegamon.rlstdb.** uacc(none) owner(sys3) - audit(failures(read)) - data('Site Customized CL/Supersession VSAM') pe 'sys3.omegamon.rlstdb.**' id(syspaudt) acc(a) pe 'sys3.omegamon.rlstdb.**' id(kls) acc(a) pe 'sys3.omegamon.rlstdb.**' id(audtaudt) acc(r) pe 'sys3.omegamon.rlstdb.**' id(*) acc(r) ad 'sys3.omegamon.rlsvlog.** uacc(none) owner(sys3) - audit(failures(read)) - data('Site Customized CL/Supersession VSAM') pe 'sys3.omegamon.rlsvlog.**' id(syspaudt) acc(a) pe 'sys3.omegamon.rlsvlog.**' id(kls) acc(a) pe 'sys3.omegamon.rlsvlog.**' id(audtaudt) acc(r) pe 'sys3.omegamon.rlsvlog.**' id(*) acc(r)

b
CL/SuperSession Started Task name is not properly identified / defined to the system ACP.
IA-2 - Medium - CCI-000764 - V-224465 - SV-224465r958482_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCLSR030
Vuln IDs
  • V-224465
  • V-17452
Rule IDs
  • SV-224465r958482_rule
  • SV-28591
CL/SuperSession requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.
Checks: C-26142r519749_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) b) If the userid for the CL/SUPERSESSION started task is defined to the security database, there is NO FINDING. c) If the userid for the CL/SUPERSESSION started task is not defined to the security database, this is a FINDING.

Fix: F-26130r519750_fix

The Systems Programmer and IAO will ensure that the started task for CL/SuperSession is properly defined. Review all session manager security parameters and control options for compliance. Develop a plan of action and implement the changes as specified. Define the started task userid KLS for CL/SuperSession. Example: AU KLS NAME('STC, SUPERSESSION') NOPASS - OWNER(STC) DFLTGRP(STC) - DATA('START CL SUPERSESSION')

b
CL/SuperSession Started task(s) must be properly defined to the STARTED resource class for RACF.
IA-2 - Medium - CCI-000764 - V-224466 - SV-224466r958482_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCLSR032
Vuln IDs
  • V-224466
  • V-17454
Rule IDs
  • SV-224466r958482_rule
  • SV-27191
Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources. Improper control of product resources could potentially compromise the operating system, ACP, and customer data.
Checks: C-26143r519752_chk

Refer to the following report produced by the RACF Data Collection: - DSMON.RPT(RACSPT) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZCLS0032) Verify that the CL/SUPERSESSION started task(s) is (are) defined to the STARTED resource class profile and/or ICHRIN03 table entry.

Fix: F-26131r519753_fix

The CL/SUPERSESSION system programmer and the IAO will ensure that a product's started sask(s) is (are) properly identified and/or defined to the System ACP. A unique userid must be assigned for the CL/SUPERSESSION started task(s) thru a corresponding STARTED class entry. The following sample set of commands is shown here as a guideline: rdef started KLS.** uacc(none) owner(admin) audit(all(read)) stdata(user(KLS) group(stc)) setr racl(started) ref

b
CL/SuperSessions Resouce Class must be defined or active in the ACP.
CM-4 - Medium - CCI-000336 - V-224467 - SV-224467r987853_rule
RMF Control
CM-4
Severity
Medium
CCI
CCI-000336
Version
ZCLSR038
Vuln IDs
  • V-224467
  • V-18011
Rule IDs
  • SV-224467r987853_rule
  • SV-27189
Failure to use a robust ACP to control a product could compromise the integrity and availability of the MVS operating system and user data.
Checks: C-26144r952253_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis (Currently there is no automation for version 3 of CL/SuperSession) Refer to the following report produced by the RACF Data Collection: - PDI(ZCLSR038) If the CL/SuperSession resource class(es) is (are) active, this is not a finding.

Fix: F-26132r952254_fix

Ensure that the CL/SuperSession Resource Class(es) is (are) active. The SYS3.OMEGAMON.qualifier.RLSPARM(KLKINNAM) member for Version 3 of CL/Supersession or the SYS3.OMEGAMON.qualifier.RLSPARM(KLVINNAM) member for version 2 of CL/Superssion contains a "CLASSES=" entry, this entry identifies the member that contains the "VGWAPLST EXTERNAL=" entry. The "VGWAPLST EXTERNAL=" entry identifies the resource class that is used by CL/SuperSession and this resource class will be active. Current guidance identifies that APPL is the resource class identified in the above location. Use the following commands as an example: SETROPTS CLASSACT(APPL)

b
CL/SuperSession KLVINNAM member must be configured in accordance with security requirements.
AC-4 - Medium - CCI-000035 - V-224468 - SV-224468r1028302_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZCLSR042
Vuln IDs
  • V-224468
  • V-22690
Rule IDs
  • SV-224468r1028302_rule
  • SV-27257
CL/SuperSession configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications and compromise the confidentiality of customer data.
Checks: C-26145r1028301_chk

Version 3 of CL/SuperSession Review the member KLKINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Version 2 of CL/SuperSession Review the member KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Automated Analysis (Currently there is no automation for version 3 of CL/SuperSession) Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0042) If one of the following configuration settings is specified for each control point defined in the KLVINNAM or KLKINNAM member, this is not a finding. DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - RACF - CLASSES=APPCLASS - NODB EXIT=KLVRACVR (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - (RACF is also acceptable) CLASSES=APPCLASS - NODB - EXIT=KLSNFPTX

Fix: F-26133r952257_fix

Ensure that the parameter options for member KLKINNAM for version 3 of CL/Supersession or KLVINNAM for version 2 of CL/Superssion are coded to the below specifications. (Note: The data set identified below is an example of a possible installation. The actual data set is determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Review the member KLKINNAM or KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - RACF - CLASSES=APPCLASS - NODB EXIT=KLVRACVR (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - (RACF is also acceptable) CLASSES=APPCLASS - NODB - EXIT=KLSNFPTX

b
CL/SuperSession APPCLASS member is not configured in accordance with the proper security requirements.
AC-4 - Medium - CCI-000035 - V-224469 - SV-224469r987813_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
ZCLSR043
Vuln IDs
  • V-224469
  • V-22691
Rule IDs
  • SV-224469r987813_rule
  • SV-27260
Product configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Checks: C-26146r519761_chk

a) Review the member APPCLASS in the TLVPARM DD statement concatenation of the CL/Supersession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0043) b) If the parameters for the member APPCLASS are configured as follows, there is NO FINDING: VGWAPLST EXTERNAL=APPL c) If the parameters for the member APPCLASS are not configured as specified in (b) above, this is a FINDING.

Fix: F-26134r519762_fix

The Systems Programmer and IAO will ensure that the parameter options for member APPCLASS are coded to the below specifications. Review the member APPCLASS in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: VGWAPLST EXTERNAL=APPL