z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide

Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].

Details

Version / Release: V6R9

Published: 2023-03-21

Updated At: 2023-05-04 00:38:55

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-224492r520264_rule ZCIC0010 CCI-001499 MEDIUM CICS system data sets are not properly protected. CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security, and application libraries) could result in the compromise of
    SV-224493r520267_rule ZCIC0020 CCI-000213 MEDIUM Sensitive CICS transactions are not protected in accordance with security requirements. Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise
    SV-224494r868325_rule ZCIC0030 CCI-000366 MEDIUM CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements. The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded
    SV-224495r520273_rule ZCIC0040 CCI-000764 MEDIUM CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements. CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment. This c
    SV-224496r904396_rule ZCIC0041 CCI-000764 MEDIUM CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements. CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. An improperly defined or controlled CICS default userid may provide an exposure and vulnerability within the CICS environment. This
    SV-224497r868330_rule ZCIC0042 CCI-000057 MEDIUM CICS logonid(s) must have time-out limit set to 15 minutes. CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment. This co
    SV-224498r904393_rule ZCICR021 CCI-000035 MEDIUM IBM CICS Transaction Server SPI command resources must be properly defined and protected. IBM CICS Transaction Server can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromi
    SV-224499r520285_rule ZCICR038 CCI-000213 MEDIUM External RACF Classes are not active for CICS transaction checking. Implement CICS transaction security by utilizing two distinct and unique RACF resource classes (i.e., member and grouping) within each CICS region. If several CICS regions are grouped in an MRO environment, it is permissible for those grouped regions to s
    SV-224500r520288_rule ZCICR041 CCI-000213 MEDIUM CICS regions are improperly protected to prevent unauthorized propagation of the region userid. CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability