z/OS IBM CICS Transaction Server for ACF2 Security Technical Implementation Guide
Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
Details
Version / Release: V6R8
Published: 2023-03-17
Updated At: 2023-05-04 00:38:55
Compare/View Releases
Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Actions
Download
Filter
Findings
| Severity | Open | Not Reviewed | Not Applicable | Not a Finding |
|---|---|---|---|---|
| Overall | 0 | 0 | 0 | 0 |
| Low | 0 | 0 | 0 | 0 |
| Medium | 0 | 0 | 0 | 0 |
| High | 0 | 0 | 0 | 0 |
Drop CKL or SCAP (XCCDF) results here.
| Vuln | Rule | Version | CCI | Severity | Title | Description | Status | Finding Details | Comments |
|---|---|---|---|---|---|---|---|---|---|
| SV-224302r520228_rule | ZCIC0010 | CCI-001499 | MEDIUM | CICS system data sets are not properly protected. | CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security, and application libraries) could result in the compromise of | ||||
| SV-224303r868095_rule | ZCIC0020 | CCI-000213 | MEDIUM | Sensitive CICS transactions are not protected in accordance with security requirements. | Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of | ||||
| SV-224304r868098_rule | ZCIC0030 | CCI-000366 | MEDIUM | CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements. | The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded | ||||
| SV-224305r520237_rule | ZCIC0040 | CCI-000764 | MEDIUM | CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements. | CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability | ||||
| SV-224306r904341_rule | ZCIC0041 | CCI-000764 | MEDIUM | CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements. | CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability | ||||
| SV-224307r520243_rule | ZCIC0042 | CCI-000057 | MEDIUM | CICS logonid(s) must be configured with proper timeout and signon limits. | CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability | ||||
| SV-224308r520246_rule | ZCICA011 | CCI-001499 | MEDIUM | ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements. | CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter data sets (i.e., product, security) could result in the compromise of the confidentialit | ||||
| SV-224309r868103_rule | ZCICA021 | CCI-000035 | MEDIUM | IBM CICS Transaction Server SPI command resources must be properly defined and protected. | IBM CICS Transaction Server can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromis | ||||
| SV-224310r520252_rule | ZCICA022 | CCI-000366 | MEDIUM | CICS startup JCL statement is not specified in accordance with the proper security requirements. | The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degrad | ||||
| SV-224311r868106_rule | ZCICA023 | CCI-000366 | MEDIUM | Key ACF2/CICS parameters must be properly coded. | The ACF2/CICS parameters define the security controls in effect for CICS regions. Failure to code the appropriate values could result in degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and avail | ||||
| SV-224312r520258_rule | ZCICA024 | CCI-000366 | MEDIUM | Sensitive CICS transactions are not protected in accordance with the proper security requirements. | Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise | ||||
| SV-224313r855160_rule | ZCICA025 | CCI-002235 | MEDIUM | Sensitive CICS transactions are not protected in accordance with the proper security requirements. | Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise | ||||