z/OS IBM CICS Transaction Server for ACF2 Security Technical Implementation Guide - V7R2

  • Version/Release: V7R2
  • Published: 2025-09-23
  • Released: 2025-10-01

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
CICS system datasets are not properly protected.
CM-5 - Medium - CCI-001499 - V-224302 - SV-224302r1141375_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCIC0010
Vuln IDs
  • V-224302
  • V-7516
Rule IDs
  • SV-224302r1141375_rule
  • SV-7978
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system datasets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25979r1141373_chk

Refer to the following report produced by the Dataset and Resource Data Collection:
- SENSITVE.RPT(CICSRPT)

Since it is possible to have multiple CICS regions running on an LPAR, it is recommended to go into the z/OS STIG Addendum and fill out all the information in the "CICS Systems Programmer Worksheet" for each CICS region running on the LPAR. It is recommended to save this information for any other CICS vulnerabilities that will require it.

If the following guidance is true, this is not a finding.

WRITE and/or greater access to CICS system datasets is restricted to systems programming personnel.

Fix: F-25967r1141374_fix

Review the access authorizations for CICS system datasets for each region. Ensure they conform to the specifications below.

A CICS environment may include several dataset types required for operation. Typically they are CICS product libraries, which are usually included in the STEPLIB concatenation but may be found in DD DFHRPL. CICS system datasets can be identified with DFH DD statements, other product system datasets, and application program libraries.

- Restrict WRITE and/or greater access to CICS program libraries and all system datasets to systems programmers only. Other access must be documented and approved by the ISSO.
- The site may determine access to application datasets included in the DD DFHRPL and CICS region startup JCL according to need.
- Ensure that procedures are established, documented, and followed that prevent the introduction of unauthorized or untested application programs into production application systems.

Sensitive CICS transactions are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224303 - SV-224303r1141378_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCIC0020
Vuln IDs
  • V-224303
  • V-251
Rule IDs
  • SV-224303r1141378_rule
  • SV-251
Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.
Checks: C-25980r1141376_chk

Refer to the following reports produced by the ACF2 Data Collection and the Dataset and Resource Data Collection:
- SENSITVE.RPT(TRANS)
- ACF2CMDS.RPT(RESOURCE) - Alternate report

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Browse the dataset allocated by the ACF2PARM DD statement in each CICS startup procedure. Determine the resource type for transactions. Example:

CICSKEY OPTION=VALIDATE,TYPE=resource type,RESOURCE=TRANS

Verify the following items are in effect for all CICS transactions for each resource type. If the following guidance is true, this is not a finding.

Note: Authorized personnel include systems programming and security staffs. Additional guidance regarding authorized personnel for specific transactions is included in this z/OS STIG Addendum. For example, CEMT SPI provides a broader use of this sensitive transaction by restricting execution to inquiries.

Transactions listed in the tables CICS CATEGORY 2 CICS AND OTHER PRODUCT TRANSACTIONS and CICS CATEGORY 4 COTS-SUPPLIED SENSITIVE TRANSACTIONS in the z/OS STIG Addendum are restricted to authorized personnel.

Note: The exception to this is the CEOT and CSGM transactions, which can be made available to all users.
Note: The exception to this is the CWBA transaction, which can be made available to the CICS Default user.
Note: The transactions beginning with "CK" apply to regions running WebSphere MQ.
Note: Category 1 transactions are internally restricted to CICS region userids.

Fix: F-25968r1141377_fix

The ISSO will ensure that each CICS region is associated with a unique userid and that userid is properly defined. Develop a plan to implement the required changes.

Most transactions are protected in groups. An example would be "KT2", which would contain all Category 2 transactions. KT2 is defined to ACF2 as a resource and contains all the Category 2 transactions. An example of how to implement this within ACF2 is shown here:

$KEY(CEMT) TYPE(KT2)
UID(syspaudt) ALLOW
UID(*) PREVENT

Transaction groups should be defined and permitted in accordance with the CICS Transaction tables listed in the z/OS STIG Addendum.

CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
AC-2 - Medium - CCI-000015 - V-224304 - SV-224304r1141381_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
ZCIC0030
Vuln IDs
  • V-224304
  • V-302
Rule IDs
  • SV-224304r1141381_rule
  • SV-302
The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25981r1141379_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the following report produced by the CICS Data Collection:
- CICS.RPT(DFHSITxx)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Refer to the CICS region SYSLOG (alternate source of SIT parameters).

Be sure to process DFHSIT based on the order specified. The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
- In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
- In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
- In the SYSIN dataset defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
- In the ACF2PARM dataset defined in the startup procedure.

Verify the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region. If the following guidance is true, this is not a finding.

SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.

X'80' EQU B'10000000' External Security Requested

DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x'118' from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid. ACF2PARM overrides the CICS SIT DFLTUSER parameter value with the logonid supplied in the ACF2PARM DEFAULT TERMINAL= parameter.

XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.

X'04' EQU B'00000100' Surrogate User Checking required

The CICS interface now controls this DFHSIT keyword via the INITIAL XUSER= initialization parameter. The CICS interface dynamically sets this DFHSIT setting during initialization processing using the value specified via the ACF2PARM parameter file. This overrides any value specified by the CICS systems programmer via the CICS SYSIN file, execution parameter overrides, or the DFHSIT table, so the security administrator and not the CICS systems programmer controls surrogate userid checking.

SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x'124' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Verify that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are listed the hex and bit settings for this flag:

X'01' EQU 1 SIGNON SCOPE = NONE
X'02' EQU 2 SIGNON SCOPE = CICS
X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
X'04' EQU 4 SIGNON SCOPE = SYSPLEX

Note: SNSCOPE=NONE is only allowed with test/development regions.

Fix: F-25969r1141380_fix

Ensure that CICS System Initialization Table (SIT) parameter values are specified using the following guidance.

The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
- In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
- In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
- In the SYSIN dataset defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
- In the ACF2PARM dataset defined in the startup procedure.

Ensure the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region:

SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are listed the hex and bit settings for this flag.

X'80' EQU B'10000000' External Security Requested <<===
X'40' EQU B'01000000' Resource Prefix Required
X'10' EQU B'00010000' RACLIST class APPCLU required
X'08' EQU B'00001000' ESM INSTLN data is required
X'04' EQU B'00000100' Surrogate User Checking required
X'02' EQU B'00000010' Always enact resource check
X'01' EQU B'00000001' Always enact command check

DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x'118' from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.

XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are listed the hex and bit settings for this flag.

X'80' EQU B'10000000' External Security Requested
X'40' EQU B'01000000' Resource Prefix Required
X'10' EQU B'00010000' RACLIST class APPCLU required
X'08' EQU B'00001000' ESM INSTLN data is required
X'04' EQU B'00000100' Surrogate User Checking required <<===
X'02' EQU B'00000010' Always enact resource check
X'01' EQU B'00000001' Always enact command check

SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x'124' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Ensure that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are listed the hex and bit settings for this flag:

X'01' EQU 1 SIGNON SCOPE = NONE
X'02' EQU 2 SIGNON SCOPE = CICS
X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
X'04' EQU 4 SIGNON SCOPE = SYSPLEX

Note: SNSCOPE=NONE is only allowed with test/development regions.
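The precedence rule and the flag-byte decoding described in the ZCIC0030 check and fix, as an added example that is not part of the STIG text: it merges SIT values in the documented order (the SIT table as read from the dump, then PARM, then SYSIN only when SYSIN is coded in PARM, then ACF2PARM, whose DEFAULT TERMINAL= logonid replaces DFLTUSER), decodes the x'117' security byte and x'124' signon scope byte, and lists the findings. The SIT dump record, the parameter strings and the logonid names are constructed sample data; treating the 8-byte DFLTUSER field as EBCDIC code page cp037 is an assumption.

```python
"""Resolve effective CICS SIT security values and decode SIT dump flag bytes (ZCIC0030).

Added example, not part of the STIG text. Offsets and bit tables come from the
STIG; the dump record and parameter strings below are constructed sample data.
"""
import re

# Security byte at offset x'117' of the SIT dump (record sequence number - 6).
SECURITY_FLAG_BITS = {
    0x80: "External Security Requested",
    0x40: "Resource Prefix Required",
    0x10: "RACLIST class APPCLU required",
    0x08: "ESM INSTLN data is required",
    0x04: "Surrogate User Checking required",
    0x02: "Always enact resource check",
    0x01: "Always enact command check",
}
# Signon scope byte at offset x'124'.
SNSCOPE_VALUES = {0x01: "NONE", 0x02: "CICS", 0x03: "MVSIMAGE", 0x04: "SYSPLEX"}

SECURITY_OFFSET, DFLTUSER_OFFSET, SNSCOPE_OFFSET = 0x117, 0x118, 0x124


def parse_params(text):
    """Parse KEY=VALUE tokens separated by commas or blanks; keys and values are upper-cased."""
    params = {}
    for token in re.split(r"[,\s]+", text.strip()):
        if "=" in token:
            key, value = token.split("=", 1)
            params[key.upper()] = value.upper()
    return params


def decode_security_byte(dump):
    """Names of the flags set in the x'117' security byte."""
    return {name for bit, name in SECURITY_FLAG_BITS.items() if dump[SECURITY_OFFSET] & bit}


def decode_dump(dump):
    """SEC, XUSER, DFLTUSER and SNSCOPE as loaded from the SIT table (used when not coded in JCL)."""
    flags = decode_security_byte(dump)
    # DFLTUSER is an 8-byte character field; cp037 (EBCDIC) is assumed here.
    dfltuser = dump[DFLTUSER_OFFSET:DFLTUSER_OFFSET + 8].decode("cp037").strip()
    return {
        "SEC": "YES" if "External Security Requested" in flags else "NO",
        "XUSER": "YES" if "Surrogate User Checking required" in flags else "NO",
        "DFLTUSER": dfltuser,
        "SNSCOPE": SNSCOPE_VALUES.get(dump[SNSCOPE_OFFSET], "UNKNOWN"),
    }


def effective_values(dump, parm_text="", sysin_text="", acf2parm_text=""):
    """Documented precedence: SIT table (the dump), then PARM, then SYSIN (only when SYSIN
    is coded in PARM), then ACF2PARM; later sources override earlier ones."""
    effective = decode_dump(dump)
    effective.update(parse_params(parm_text))
    if re.search(r"\bSYSIN\b", parm_text, re.IGNORECASE):
        effective.update(parse_params(sysin_text))
    acf2 = parse_params(acf2parm_text)
    # ACF2PARM's DEFAULT TERMINAL= logonid replaces the SIT DFLTUSER value.
    if "TERMINAL" in acf2:
        acf2["DFLTUSER"] = acf2.pop("TERMINAL")
    effective.update(acf2)
    return effective


def evaluate(values, production=True):
    """ZCIC0030 findings for the effective values; an empty list means 'not a finding'."""
    findings = []
    if values.get("SEC") != "YES":
        findings.append("SEC is not YES")
    if values.get("XUSER") != "YES":
        findings.append("XUSER is not YES")
    if not values.get("DFLTUSER"):
        findings.append("DFLTUSER is not specified")
    if production and values.get("SNSCOPE") == "NONE":
        findings.append("SNSCOPE=NONE is only allowed for test/development regions")
    return findings


def sample_dump():
    """Constructed SIT dump: SEC=YES only, DFLTUSER=CICSUSER, SNSCOPE=MVSIMAGE."""
    dump = bytearray(0x130)
    dump[SECURITY_OFFSET] = 0x80
    dump[DFLTUSER_OFFSET:DFLTUSER_OFFSET + 8] = "CICSUSER".ljust(8).encode("cp037")
    dump[SNSCOPE_OFFSET] = 0x03
    return bytes(dump)


if __name__ == "__main__":
    # Constructed overrides: SYSIN is coded in PARM, so SYSIN's SEC=NO beats PARM's SEC=YES.
    values = effective_values(sample_dump(), parm_text="SEC=YES,SNSCOPE=NONE,SYSIN",
                              sysin_text="SEC=NO", acf2parm_text="INITIAL XUSER=YES\nDEFAULT TERMINAL=CICSDFLT")
    print(values)
    for finding in evaluate(values):
        print("FINDING:", finding)
```

The sample run shows the trap the check text warns about: a reviewer who stops at the PARM string sees SEC=YES, but the SYSIN override turns it off, and the production region also ends up with SNSCOPE=NONE.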

CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-224305 - SV-224305r1141384_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCIC0040
Vuln IDs
  • V-224305
  • V-44
Rule IDs
  • SV-224305r1141384_rule
  • SV-44
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25982r1141382_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(LOGONIDS)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Verify the following items are in effect for each CICS region logonid. If the following guidance is true, this is not a finding.
- A unique logonid is associated with the CICS region.
- The CICS region logonid has the STC, ACF2CICS, MUSASS, and NO-SMC attributes specified.
  Note: The ACF2CICS privilege will be restricted to CICS region logonids only.
- If the CICS region submits jobs on behalf of its users, the JOBFROM attribute is specified.
- If the CICS region has a requirement to update information in the ACF2 database, the MUSUPDT attribute is specified.
- Not granted the ACF2 NON-CNCL privilege.
- No access to interactive online facilities (e.g., TSO) other than CICS.

Fix: F-25970r1141383_fix

The ISSO will ensure that each CICS region is associated with a unique userid and that userid is properly defined. Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.

Ensure that the following is defined for each CICS region: A unique userid is defined. Use the ACF2 INSERT command to accomplish this. A sample command is provided here:

INSERT <cicsregionid> NAME('STC, CICS Region') JOBFROM MUSASS NO-SMC STC ACF2CICS

CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-224306 - SV-224306r1141387_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCIC0041
Vuln IDs
  • V-224306
  • V-7119
Rule IDs
  • SV-224306r1141387_rule
  • SV-7523
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25983r1141385_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the following reports produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(LOGONIDS)
- ACF2CMDS.RPT(RESOURCE)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Verify the following items are in effect for the CICS default logonid(s) (i.e., browse the ACF2PARM DD statement for DEFAULT TERMINAL=<parameter> and DEFAULT NONTERMINAL=nnnnnnnn). If the following guidance is true, this is not a finding.
- Not granted the ACF2 NON-CNCL privilege.
- No access to interactive online facilities (e.g., TSO) other than CICS.
- IDLE(15) field is set to 15 minutes. A system's default time for terminal lockout or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a timeout adjusted beyond the 15-minute recommendation to explain the basis for this decision.
- Restricted from accessing all datasets and resources with the following exceptions:
  - Non-restricted CICS transactions (e.g., CESF, CESN, "good morning" transaction, etc.)
  - If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO)

Note: Refer to the IBM CICS Transaction Server Resource Definition Guide for the latest and most accurate definition for the Default CICS User.
Note: Any exceptions to these guidelines must be approved by the site ISSO and documented in the site security plan.

Fix: F-25971r1141386_fix

Ensure that the default CICS user is restricted and properly defined. Ensure the following items are in effect for the CICS default logonid(s) (i.e., browse the ACF2PARM DD statement for DEFAULT TERMINAL=<parameter> and DEFAULT NONTERMINAL=nnnnnnnn):

Not granted the ACF2 NON-CNCL privilege. Use the ACF2 LIST command to display the default CICS userid. Example:

SET LID
LIST CICS
CHANGE CICS NONON-CNCL

No access to interactive online facilities (e.g., TSO) other than CICS. Use the ACF2 LIST command to display the default CICS userid. Example:

SET LID
LIST CICS
CHANGE CICS NOTSO

IDLE(15) field is set to 15 minutes, up to 30 with justification. Use the ACF2 LIST command to display the default CICS userid. Example:

SET LID
LIST CICS
CHANGE CICS IDLE(15)

(IDLE may be raised up to 30 with justification.)

Restricted from accessing all datasets and resources with the following exceptions:
- Non-restricted CICS transactions (e.g., CESF, CESN, 'good morning' transaction, etc.)
- If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO)

Use the ACF2 ACFRPTRX or ACFRPTXR reports to verify whether the CICS default userid has access to any resources or datasets.

CICS logonid(s) must be configured with proper timeout and signon limits.
AC-11 - Medium - CCI-000057 - V-224307 - SV-224307r1141390_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
ZCIC0042
Vuln IDs
  • V-224307
  • V-7120
Rule IDs
  • SV-224307r1141390_rule
  • SV-7524
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25984r1141388_chk

Refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(LOGONIDS)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Note: Any logonid that does not have an IDLE value specified will obtain its IDLE value from the default value set in ZCIC0041. Any logonid that specifies an IDLE value must meet the requirements specified below.

For all logonids with the CICS attribute that have IDLE(15) specified, this is not a finding.

Note: If the timeout limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, this is not a finding.
- If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lockout will be implemented through system controls or terminal screen protection.
- A system's default time for terminal lockout or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a timeout adjusted beyond the 15-minute recommendation to explain the basis for this decision.
- The ISSM may set selected userids to have a timeout of up to 60 minutes to complete critical reports or transactions without timing out. If each exception meets the following criteria, this is not a finding.
  - The time-out exception cannot exceed 60 minutes.
  - A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site ISSM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
  - The requirement must be revalidated on an annual basis.

If the MULTSIGN option in the logonid record field is restricted to test or development use, this is not a finding.

Fix: F-25972r1141389_fix

Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes. Ensure that all LIDs authorized to access a CICS facility restrict MULTSIGN to test and development use. Example:

SET LID
LIST CICS
CHANGE CICS IDLE(15)
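The logonid requirements of ZCIC0040 (region logonid attributes), ZCIC0041 (default logonid restrictions) and ZCIC0042 (the 15/30/60-minute IDLE tiers and MULTSIGN) as one evaluator, added here as an example and not part of the STIG text or of ACF2. Logonid attributes are modelled as a set of upper-case names as a reviewer would read them from ACF2CMDS.RPT(LOGONIDS); the logonid names and records are constructed, and the documentation and justification flags stand for evidence the reviewer holds outside ACF2 (the ISSM documentation, the approved letter, the alternate access control, the annual revalidation).

```python
"""Evaluate CICS region, default and user logonids against ZCIC0040, ZCIC0041 and ZCIC0042.

Added example, not part of the STIG text or of ACF2. Records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

REGION_REQUIRED = {"STC", "ACF2CICS", "MUSASS", "NO-SMC"}
OTHER_INTERACTIVE = {"TSO"}        # interactive facilities other than CICS named by the STIG


@dataclass
class Logonid:
    lid: str
    attributes: set = field(default_factory=set)   # ACF2 logonid attributes/privileges, upper-case
    idle: Optional[int] = None              # IDLE(n) minutes; None inherits the ZCIC0041 default
    submits_jobs: bool = False              # region submits jobs for its users -> JOBFROM required
    updates_acf2_db: bool = False           # region updates the ACF2 database -> MUSUPDT required
    issm_documented: bool = False           # ISSM documentation for a 16-30 minute timeout
    exception_letter: bool = False          # approved letter of justification (31-60 minutes)
    alternate_access_control: bool = False  # locked room, cipher lock, screen saver <= 30 min, ...
    revalidated_this_year: bool = False     # annual revalidation of the exception
    test_or_development: bool = False       # the only place MULTSIGN is acceptable


def common_restrictions(rec):
    """Restrictions shared by region and default logonids."""
    findings = []
    if "NON-CNCL" in rec.attributes:
        findings.append(f"{rec.lid}: NON-CNCL privilege granted")
    for facility in sorted(OTHER_INTERACTIVE & rec.attributes):
        findings.append(f"{rec.lid}: access to interactive facility {facility} other than CICS")
    return findings


def check_region_logonid(rec):
    """ZCIC0040: attributes required of the CICS region logonid."""
    findings = []
    missing = REGION_REQUIRED - rec.attributes
    if missing:
        findings.append(f"{rec.lid}: missing region attributes {sorted(missing)}")
    if rec.submits_jobs and "JOBFROM" not in rec.attributes:
        findings.append(f"{rec.lid}: submits jobs for users but JOBFROM is not specified")
    if rec.updates_acf2_db and "MUSUPDT" not in rec.attributes:
        findings.append(f"{rec.lid}: updates the ACF2 database but MUSUPDT is not specified")
    return findings + common_restrictions(rec)


def check_idle(rec, inherited=None):
    """ZCIC0042 timeout tiers and the MULTSIGN restriction for a logonid with the CICS attribute."""
    findings = []
    idle = rec.idle if rec.idle is not None else inherited
    if idle is None:
        findings.append(f"{rec.lid}: no IDLE value specified or inherited")
    elif idle <= 15:
        pass                                      # meets the 15-minute requirement
    elif idle <= 30:
        if not rec.issm_documented:
            findings.append(f"{rec.lid}: IDLE({idle}) exceeds 15 minutes without ISSM documentation")
    elif idle <= 60:
        if not (rec.exception_letter and rec.alternate_access_control and rec.revalidated_this_year):
            findings.append(f"{rec.lid}: IDLE({idle}) exception lacks an approved letter, "
                            "alternate access control, or annual revalidation")
    else:
        findings.append(f"{rec.lid}: IDLE({idle}) exceeds the 60-minute maximum")
    if "MULTSIGN" in rec.attributes and not rec.test_or_development:
        findings.append(f"{rec.lid}: MULTSIGN is restricted to test/development use")
    return findings


def check_default_logonid(rec):
    """ZCIC0041: the DEFAULT TERMINAL=/NONTERMINAL= logonid; ACF2CICS belongs to region logonids only."""
    findings = common_restrictions(rec)
    if "ACF2CICS" in rec.attributes:
        findings.append(f"{rec.lid}: ACF2CICS privilege is restricted to CICS region logonids")
    return findings + check_idle(rec)             # the default must carry its own IDLE value


# Constructed sample logonids.
REGION_OK = Logonid("CICSPRD1", {"STC", "ACF2CICS", "MUSASS", "NO-SMC", "JOBFROM"}, submits_jobs=True)
REGION_BAD = Logonid("CICSPRD2", {"STC", "MUSASS", "TSO"})
DEFAULT_OK = Logonid("CICSDFLT", {"CICS"}, idle=15)
USER_EXCEPTION = Logonid("USER0001", {"CICS", "MULTSIGN"}, idle=45,
                         exception_letter=True, alternate_access_control=True)

if __name__ == "__main__":
    for f in (check_region_logonid(REGION_OK) + check_region_logonid(REGION_BAD)
              + check_default_logonid(DEFAULT_OK) + check_idle(USER_EXCEPTION, inherited=15)):
        print("FINDING:", f)
```

USER0001 illustrates how the 60-minute exception fails in practice: the letter and the alternate access control are in place, but without the annual revalidation the exception is a finding, and MULTSIGN on a production user is a second one.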

ACF2/CICS parameter datasets are not protected in accordance with the proper security requirements.
CM-5 - Medium - CCI-001499 - V-224308 - SV-224308r1141393_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCICA011
Vuln IDs
  • V-224308
  • V-7091
Rule IDs
  • SV-224308r1141393_rule
  • SV-7475
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter datasets (i.e., product, security) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25985r1141391_chk

Refer to the following report produced by the ACF2 Data Collection:
- SENSITVE.RPT(CICSRPT)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. If this guidance is true, this is not a finding.

Fix: F-25973r1141392_fix

The ISSO will ensure that WRITE and/or greater access to the ACF2/CICS parameter dataset is limited to systems programmers and security personnel. Review the access authorizations for CICS system datasets. WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. Example:

$KEY(S3C)
$PREFIX(SYS3)
CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(*) PREVENT

SET RULE
COMPILE 'ACF2.MVA.DSNRULES(S3C)'
STORE

IBM CICS Transaction Server SPI command resources must be properly defined and protected.
AC-3 - Medium - CCI-000213 - V-224309 - SV-224309r1041212_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCICA021
Vuln IDs
  • V-224309
  • V-17982
Rule IDs
  • SV-224309r1041212_rule
  • SV-43206
IBM CICS Transaction Server can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data. Many utilities assign resource controls that can be granted to systems programmers only in greater than read authority. Resources are also granted to certain non systems personnel with read only authority.
Checks: C-25986r868102_chk

Refer to the following reports produced by the ACF2 Data Collection and the Dataset and Resource Data Collection:
- SENSITVE.RPT(XCMD)
- ACF2CMDS.RPT(RESOURCE) - Alternate report

Automated Analysis: Refer to the following report produced by the ACF2 Data Collection Checklist:
- PDI (ZCIC0021)

Ensure that all IBM CICS Transaction Server SPI command resources defined in the IBM CICS-RACF Security Guide are properly protected according to the requirements specified in the site security plan, using the CICS SPI Resources table in the z/OS STIG Addendum as a guide. If the following guidance is true, this is not a finding.
- The ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of PREVENT.
- The ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.

Fix: F-25974r520248_fix

Ensure that access to the IBM CICS Transaction Server SPI command resources defined in the IBM CICS-RACF Security Guide is in accordance with the site security plan, using the CICS SPI Resources table in the z/OS STIG Addendum as a guide. These tables list the resources and access requirements for IBM CICS Transaction Server; ensure the following guidelines are followed:
- The ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of PREVENT.
- The ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.

The following commands are provided as a sample for implementing resource controls:

$KEY(ASSOCIATION) TYPE(XCD)
UID(CICSAUDT) SERVICE(READ) ALLOW
UID(CICUAUDT) SERVICE(READ) ALLOW
UID(SYSCAUDT) SERVICE(READ) ALLOW
UID(*) PREVENT
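A checker for the two rule properties the ZCIC0020 and ZCICA021 fixes require of an ACF2 resource rule set (an explicit UID(*) PREVENT default, and ALLOW entries only for the UIDs the Addendum tables authorize), added here as an example and not part of the STIG text or of ACF2. It parses rule text in the shape the two fixes show ($KEY/TYPE control card followed by UID entries with an optional SERVICE list). The authorized-UID table, the CEDA rule set and the UID string appdaudt are constructed stand-ins for the CICS Transaction and SPI Resources tables in the z/OS STIG Addendum; CEMT, ASSOCIATION, KT2 and XCD are taken from the STIG examples.

```python
"""Check ACF2 resource rule sets for default PREVENT and authorized ALLOW entries.

Added example, not part of the STIG text or of ACF2. Rule syntax parsed is the
subset shown in the ZCIC0020 and ZCICA021 fixes; sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"\$KEY\((?P<key>[^)]+)\)\s+TYPE\((?P<rtype>[^)]+)\)", re.IGNORECASE)
ENTRY_RE = re.compile(
    r"UID\((?P<uid>[^)]+)\)(?:\s+SERVICE\((?P<svc>[^)]+)\))?\s+(?P<action>ALLOW|PREVENT|LOG)\b",
    re.IGNORECASE,
)


@dataclass
class RuleSet:
    key: str                                      # resource name from $KEY(...)
    rtype: str                                    # resource type from TYPE(...)
    entries: list = field(default_factory=list)   # (uid, services, action) in rule order


def parse_rules(text):
    """Split rule text into RuleSet objects; other control cards ($PREFIX, ...) are skipped."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = RuleSet(m["key"].upper(), m["rtype"].upper())
            rules.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            services = tuple(s.strip().upper() for s in (m["svc"] or "").split(",") if s.strip())
            current.entries.append((m["uid"].upper(), services, m["action"].upper()))
    return rules


def check_rule(rule, authorized):
    """Findings for one rule set; authorized maps resource type -> UIDs that may be ALLOWed."""
    where = f"TYPE({rule.rtype}) $KEY({rule.key})"
    findings = []
    defaults = [e for e in rule.entries if e[0] == "*"]
    if not defaults:
        findings.append(f"{where}: no UID(*) entry; default access must be PREVENT")
    elif any(action != "PREVENT" for _, _, action in defaults):
        findings.append(f"{where}: UID(*) is not PREVENT")
    permitted = authorized.get(rule.rtype, set())
    for uid, services, action in rule.entries:
        if action == "ALLOW" and uid != "*" and uid not in permitted:
            svc = ",".join(services) or "all services"
            findings.append(f"{where}: UID({uid}) ALLOW ({svc}) is not in the authorized personnel list")
    return findings


def audit(text, authorized):
    """Map 'TYPE/KEY' -> findings for every rule set in the text (empty list = not a finding)."""
    return {f"{r.rtype}/{r.key}": check_rule(r, authorized) for r in parse_rules(text)}


# Constructed authorized-UID table. The ZCIC0020 note names systems programming and
# security staffs as authorized personnel, so both UID strings appear for KT2.
AUTHORIZED = {
    "KT2": {"SYSPAUDT", "SECAAUDT"},
    "XCD": {"CICSAUDT", "CICUAUDT", "SYSCAUDT"},
}

# Constructed rule text: the first two sets follow the STIG examples, the third does not.
SAMPLE_RULES = """
$KEY(CEMT) TYPE(KT2)
UID(syspaudt) ALLOW
UID(*) PREVENT

$KEY(ASSOCIATION) TYPE(XCD)
UID(CICSAUDT) SERVICE(READ) ALLOW
UID(CICUAUDT) SERVICE(READ) ALLOW
UID(SYSCAUDT) SERVICE(READ) ALLOW
UID(*) PREVENT

$KEY(CEDA) TYPE(KT2)
UID(appdaudt) ALLOW
UID(*) LOG
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES, AUTHORIZED).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  FINDING:", f)
```

UID(*) LOG in the third set is the case worth watching for: it records access without denying it, so it does not satisfy the "default access of PREVENT" requirement even though a UID(*) line is present.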

CICS startup JCL statement is not specified in accordance with the proper security requirements.
CM-6 - Medium - CCI-000366 - V-224310 - SV-224310r1141396_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZCICA022
Vuln IDs
  • V-224310
  • V-6893
Rule IDs
  • SV-224310r1141396_rule
  • SV-7188
The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25987r1141394_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

If every CICS region on the system has the ACF2PARM DD statement in the CICS startup JCL, this is not a finding.

Fix: F-25975r1141395_fix

The ISSO will ensure that each CICS region procedure has the ACF2/CICS parameter dataset specified. Ensure every CICS region on the system has the ACF2PARM DD statement in the CICS startup JCL. View the started task proc for each CICS region in SYS3.PROCLIB using ISPF.

Key ACF2/CICS parameters must be properly coded.
CM-6 - Medium - CCI-000366 - V-224311 - SV-224311r1141399_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZCICA023
Vuln IDs
  • V-224311
  • V-7554
Rule IDs
  • SV-224311r1141399_rule
  • SV-8031
The ACF2/CICS parameters define the security controls in effect for CICS regions. Failure to code the appropriate values could result in degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Checks: C-25988r1141397_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Refer to the CICS region SYSLOG (alternate source of SIT parameters).

Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. If all key ACF2/CICS parameters for every CICS region are coded as stated in the table titled ACF2/CICS Parameters in the z/OS STIG Addendum, this is not a finding.

Note: The DEFAULT TERMINAL=parameter must be specified. CICSKEY OPTION=VALIDATE,TYPE=resource type,RESOURCE=TRANS will specify a unique resource type for each CICS region.

Fix: F-25976r1141398_fix

Ensure the ACF2/CICS parameters are coded with the values specified in the table titled ACF2/CICS Parameters in the z/OS STIG Addendum. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure that all key ACF2/CICS parameters for every CICS region are coded as stated in the table titled ACF2/CICS Parameters in the z/OS STIG Addendum.

Sensitive CICS transactions are not protected in accordance with the proper security requirements.
CM-6 - Medium - CCI-000366 - V-224312 - SV-224312r1141402_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZCICA024
Vuln IDs
  • V-224312
  • V-6894
Rule IDs
  • SV-224312r1141402_rule
  • SV-7189
Sensitive CICS transactions offer the ability to circumvent transaction-level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.
Checks: C-25989r1141400_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. If the following items are in effect for entries specified in the SAFELIST parameter, this is not a finding.
- Transactions are uniquely identified.
- Transactions are not masked.
- Sensitive transactions are not included.

Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG Addendum.

If the above items are true for all entries specified in the SAFELIST parameter for each CICS region, this is not a finding.

Fix: F-25977r1141401_fix

The systems programmer and ISSO will ensure the ACF2/CICS parameter SAFELIST is coded with the values specified below. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure the following items are in effect for entries specified in the SAFELIST parameter:
- Transactions are uniquely identified.
- Transactions are not masked.
- Sensitive transactions are not included.

Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG Addendum.

Sensitive CICS transactions are not protected in accordance with the proper security requirements.
AC-6 - Medium - CCI-002235 - V-224313 - SV-224313r1141405_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002235
Version
ZCICA025
Vuln IDs
  • V-224313
  • V-6896
Rule IDs
  • SV-224313r1141405_rule
  • SV-7191
Sensitive CICS transactions offer the ability to circumvent transaction-level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.
Checks: C-25990r1141403_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. If the PROTLIST parameter is not specified for all CICS regions, this is not a finding.

Fix: F-25978r1141404_fix

The systems programmer and ISSO will ensure the ACF2/CICS parameter PROTLIST is not coded. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Make sure the PROTLIST parameter is not specified for any CICS region.
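The ACF2PARM checks of ZCICA023 (DEFAULT TERMINAL= present, a CICSKEY OPTION=VALIDATE,TYPE=...,RESOURCE=TRANS resource type unique per region), ZCICA024 (SAFELIST entries unique, unmasked and not sensitive) and ZCICA025 (PROTLIST absent) as one audit over the members of an LPAR, added here as an example and not part of the STIG text or of ACF2. The parameter names come from the STIG; the value syntax assumed for SAFELIST and PROTLIST (the keyword followed by a comma- or blank-separated list of transaction IDs), the member text, the region names and resource type CKC1 are constructed, and the sensitive-transaction set is a constructed stand-in for the Category 2 and 4 tables in the z/OS STIG Addendum. Treating `*` and `-` as the ACF2 masking characters is what the "not masked" test relies on.

```python
"""Audit ACF2/CICS parameter members (ACF2PARM) for ZCICA023, ZCICA024 and ZCICA025.

Added example, not part of the STIG text or of ACF2. The SAFELIST/PROTLIST value
syntax, the member text and the sensitive-transaction set are constructed.
"""
import re

SENSITIVE_TRANSACTIONS = {"CEMT", "CEDA"}   # constructed stand-in for the Addendum tables
MASK_CHARS = set("*-")                      # ACF2 masking characters; a masked entry is a finding


def parse_acf2parm(text):
    """Pull the fields the three checks need out of one region's ACF2PARM member."""
    p = {"default_terminal": None, "trans_type": None, "safelist": [], "protlist": False}
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line:
            continue
        m = re.match(r"DEFAULT\s+TERMINAL=(\S+)", line)
        if m:
            p["default_terminal"] = m.group(1)
            continue
        m = re.match(r"CICSKEY\s+(.*)", line)
        if m:
            opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
            if opts.get("OPTION") == "VALIDATE" and opts.get("RESOURCE") == "TRANS":
                p["trans_type"] = opts.get("TYPE")
            continue
        m = re.match(r"SAFELIST\s+(.*)", line)        # assumed value syntax: list of transaction IDs
        if m:
            p["safelist"] += [t for t in re.split(r"[,\s]+", m.group(1)) if t]
            continue
        if line.startswith("PROTLIST"):               # any PROTLIST statement at all is a finding
            p["protlist"] = True
    return p


def check_region(name, p):
    """Per-region findings; an empty list means 'not a finding' for that member."""
    findings = []
    if not p["default_terminal"]:
        findings.append(f"{name}: DEFAULT TERMINAL= is not specified (ZCICA023)")
    if not p["trans_type"]:
        findings.append(f"{name}: no CICSKEY OPTION=VALIDATE,TYPE=...,RESOURCE=TRANS entry (ZCICA023)")
    seen = set()
    for tran in p["safelist"]:
        if MASK_CHARS & set(tran):
            findings.append(f"{name}: SAFELIST entry {tran} is masked (ZCICA024)")
        elif tran in seen:
            findings.append(f"{name}: SAFELIST entry {tran} is not unique (ZCICA024)")
        if tran in SENSITIVE_TRANSACTIONS:
            findings.append(f"{name}: sensitive transaction {tran} is exempted by SAFELIST (ZCICA024)")
        seen.add(tran)
    if p["protlist"]:
        findings.append(f"{name}: PROTLIST is specified (ZCICA025)")
    return findings


def audit_lpar(members):
    """members: region name -> ACF2PARM text. Adds the LPAR-wide uniqueness check on the TRANS type."""
    parsed = {name: parse_acf2parm(text) for name, text in members.items()}
    findings = []
    for name, p in parsed.items():
        findings += check_region(name, p)
    by_type = {}
    for name, p in parsed.items():
        if p["trans_type"]:
            by_type.setdefault(p["trans_type"], []).append(name)
    for rtype, regions in sorted(by_type.items()):
        if len(regions) > 1:
            findings.append(f"transaction resource type {rtype} is shared by {sorted(regions)} (ZCICA023)")
    return findings


# Constructed members: CICSPRD1 passes every check; CICSPRD2 fails each of them.
SAMPLE_MEMBERS = {
    "CICSPRD1": """
INITIAL XUSER=YES
DEFAULT TERMINAL=CICSDFLT
DEFAULT NONTERMINAL=CICSNTRM
CICSKEY OPTION=VALIDATE,TYPE=CKC1,RESOURCE=TRANS
SAFELIST CESN,CESF,CEOT,CSGM
""",
    "CICSPRD2": """
INITIAL XUSER=YES
DEFAULT NONTERMINAL=CICSNTRM
CICSKEY OPTION=VALIDATE,TYPE=CKC1,RESOURCE=TRANS
SAFELIST CESN,CESN,CE*,CEMT
PROTLIST CEMT
""",
}

if __name__ == "__main__":
    for f in audit_lpar(SAMPLE_MEMBERS):
        print("FINDING:", f)
```

The resource-type uniqueness check is the reason the audit takes all members of an LPAR at once: each member on its own looks fine, and only the cross-region view shows that CICSPRD1 and CICSPRD2 share CKC1.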