z/OS RACF STIG

  • Version/Release: V6R42
  • Published: 2019-09-27

DFSMS resources must be protected in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-31 - SV-7355r5_rule
RMF Control: AC-3
Severity: Medium
CCI: CCI-000213
Version: ZSMS0010
Vuln IDs:
  • V-31
Rule IDs:
  • SV-7355r5_rule
DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.
Responsibility: Information Assurance Officer
Checks: C-23254r4_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ZSMS0010)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZSMS0010)

Ensure that all SMS resources and/or generic equivalent are properly protected according to the requirements specified. If the following guidance is true, this is not a finding.

___ The STGADMIN.** profile in the FACILITY resource class has a default access of NONE and no access is granted at this level.
___ STGADMIN.DPDSRN.olddsname is restricted to System Programmers and all access is logged.
___ The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers and all access is logged.
___ The STGADMIN.IGG.DEFDEL.UALIAS is restricted to Centralized and Decentralized Security personnel and System Programmers and all access is logged.
___ To avoid authorization failures once a base cluster is accessed via a PATH or AIX by a user or application that has authority to the PATH and AIX, but not the base cluster, APAR OA50118 must be applied.
  The resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE is defined with access of NONE.
  The resource STGADMIN.IGG.CATALOG.SECURITY.BOTH is defined with access of READ.
  Note: the resource STGADMIN.IGG.CATALOG.SECURITY.CHANGE can be defined with READ access for migration purposes. If it is, a detailed migration plan must be documented and filed by the ISSM that determines a definite migration period. All access must be logged. At the completion of migration this resource must be configured with access = NONE. If the resources STGADMIN.IGG.CATALOG.SECURITY.CHANGE and STGADMIN.IGG.CATALOG.SECURITY.BOTH are both defined, STGADMIN.IGG.CATALOG.SECURITY.BOTH takes precedence.
___ The following resources and prefixes may be available to the end-user:
  STGADMIN.ADR.COPY.CNCURRNT
  STGADMIN.ADR.COPY.FLASHCPY
  STGADMIN.ADR.COPY.TOLERATE.ENQF
  STGADMIN.ADR.DUMP.CNCURRNT
  STGADMIN.ADR.DUMP.TOLERATE.ENQF
  STGADMIN.ADR.RESTORE.TOLERATE.ENQF
  STGADMIN.ARC.ENDUSER.
  STGADMIN.IGG.ALTER.SMS
___ The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and System programmers:
  STGADMIN.IDC.DCOLLECT
___ The following resources are restricted to Application Production Support Team members, DASD managers, and System programmers:
  STGADMIN.ARC.CANCEL
  STGADMIN.ARC.LIST
  STGADMIN.ARC.QUERY
  STGADMIN.ARC.REPORT
  STGADMIN.DMO.CONFIG
  STGADMIN.IFG.READVTOC
  STGADMIN.IGG.DELGDG.FORCE
___ The following resource prefixes, at a minimum, are restricted to DASD managers and System programmers:
  STGADMIN.ADR
  STGADMIN.ANT
  STGADMIN.ARC
  STGADMIN.DMO
  STGADMIN.ICK
  STGADMIN.IDC
  STGADMIN.IFG
  STGADMIN.IGG
  STGADMIN.IGWSHCDS
___ The following Storage Administrator functions prefix is restricted to DASD managers and System programmers and all access is logged:
  STGADMIN.ADR.STGADMIN.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-19904r4_fix

Ensure that the following are properly specified in the ACP. (Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.)

Below are listed the access requirements for SMS resources. Ensure the guidelines for the resources and/or generic equivalent are followed. The RACF resources are defined with a default access of NONE. The RACF resource rules for the resources specify UACC(NONE) and NOWARNING.

Ensure that no access is given to the high-level STGADMIN resource. Example:
RDEF FACILITY STGADMIN.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))

Configure STGADMIN.IGG.CATALOG.SECURITY.CHANGE to have no access. Example:
RDEF FACILITY STGADMIN.IGG.CATALOG.SECURITY.CHANGE OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))

Configure the STGADMIN.IGG.CATALOG.SECURITY.BOTH resource to have READ for all. Example:
RDEF FACILITY STGADMIN.IGG.CATALOG.SECURITY.BOTH OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))

The STGADMIN.DPDSRN.olddsname is restricted to System Programmers and all access is logged. Example:
RDEF FACILITY STGADMIN.DPDSRN.olddsname OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))
PE STGADMIN.DPDSRN.olddsname CL(FACILITY) ID(syspaudt)

The STGADMIN.IGD.ACTIVATE.CONFIGURATION is restricted to System Programmers and all access is logged. Example:
RDEF FACILITY STGADMIN.IGD.ACTIVATE.CONFIGURATION OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))
PE STGADMIN.IGD.ACTIVATE.CONFIGURATION CL(FACILITY) ID(syspaudt)

The STGADMIN.IGG.DEFDEL.UALIAS is restricted to System Programmers and Security personnel and all access is logged. Example:
RDEF FACILITY STGADMIN.IGG.DEFDEL.UALIAS OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))
PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(secaaudt)
PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(secdaudt)
PE STGADMIN.IGG.DEFDEL.UALIAS CL(FACILITY) ID(syspaudt)

The following resources and prefixes may be available to the end-user:
STGADMIN.ADR.COPY.CNCURRNT
STGADMIN.ADR.COPY.FLASHCPY
STGADMIN.ADR.COPY.TOLERATE.ENQF
STGADMIN.ADR.DUMP.CNCURRNT
STGADMIN.ADR.DUMP.TOLERATE.ENQF
STGADMIN.ADR.RESTORE.TOLERATE.ENQF
STGADMIN.ARC.ENDUSER.
STGADMIN.IGG.ALTER.SMS
Example:
RDEF FACILITY STGADMIN.ADR.COPY.CNCURRNT.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(FAILURE(READ))
PE STGADMIN.ADR.COPY.CNCURRNT.** CL(FACILITY) ID(endusers)

The following resource is restricted to Application Production Support Team members, Automated Operations, DASD managers, and System programmers:
STGADMIN.IDC.DCOLLECT
Example:
RDEF FACILITY STGADMIN.IDC.DCOLLECT.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(FAILURE(READ))
PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(appsaudt)
PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(autoaudt)
PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(dasbaudt)
PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(dasdaudt)
PE STGADMIN.IDC.DCOLLECT.** CL(FACILITY) ID(syspaudt)

The following resources are restricted to Application Production Support Team members, DASD managers, and System programmers:
STGADMIN.ARC.CANCEL
STGADMIN.ARC.LIST
STGADMIN.ARC.QUERY
STGADMIN.ARC.REPORT
STGADMIN.DMO.CONFIG
STGADMIN.IFG.READVTOC
STGADMIN.IGG.DELGDG.FORCE
Example:
RDEF FACILITY STGADMIN.ARC.CANCEL.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(FAILURE(READ))
PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(appsaudt)
PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(dasbaudt)
PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(dasdaudt)
PE STGADMIN.ARC.CANCEL.** CL(FACILITY) ID(syspaudt)

The following resource prefixes, at a minimum, are restricted to DASD managers and System programmers:
STGADMIN.ADR
STGADMIN.ANT
STGADMIN.ARC
STGADMIN.DMO
STGADMIN.ICK
STGADMIN.IDC
STGADMIN.IFG
STGADMIN.IGG
STGADMIN.IGWSHCDS
Example:
RDEF FACILITY STGADMIN.ADR.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(FAILURE(READ))
PE STGADMIN.ADR.** CL(FACILITY) ID(dasbaudt)
PE STGADMIN.ADR.** CL(FACILITY) ID(dasdaudt)
PE STGADMIN.ADR.** CL(FACILITY) ID(syspaudt)

The following Storage Administrator functions prefix is restricted to DASD managers and System programmers and all access is logged:
STGADMIN.ADR.STGADMIN.
Example:
RDEF FACILITY STGADMIN.ADR.STGADMIN.** OWNER(ADMIN) -
  UACC(NONE) AUDIT(ALL(READ))
PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(dasbaudt)
PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(dasdaudt)
PE STGADMIN.ADR.STGADMIN.** CL(FACILITY) ID(syspaudt)

System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.
CA-6 - Medium - CCI-000271 - V-34 - SV-34r3_rule
RMF Control: CA-6
Severity: Medium
CCI: CCI-000271
Version: AAMV0450
Vuln IDs:
  • V-34
Rule IDs:
  • SV-34r3_rule
Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special PPT privileges, and APF authorization. Without proper review, approval and adequate documentation of these system programs, the integrity and availability of the operating system, ACP, and customer data are subject to compromise.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, DCPD-1
Checks: C-17878r2_chk

Refer to the following reports produced by the z/OS Data Collection:
- EXAM.RPT(APFXRPT)
- EXAM.RPT(APFTSO)
- EXAM.RPT(IOAPPEND)
- EXAM.RPT(MVSXRPT)
- EXAM.RPT(PPTXRPT)
- EXAM.RPT(SVCIBM)
- EXAM.RPT(SVCUSER)
- EXAM.RPT(SVCESR)

If the following items are in effect, this is not a finding:
___ The acquisition of any new IA and IA-enabled Commercial-Off-the-Shelf (COTS) products or any major upgrade meets the applicable Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval.
___ All locally developed extensions to the operating system environment (i.e., operating system exits, SVCs, I/O appendages, modules requiring special PPT privileges and APF authorization) have been reviewed by the site's system programmer to assure that requirements of CNSSP No. 11 and DODD 8500.1 are met and/or approved by site DAA.

Fix: F-188r2_fix

Ensure any new system software or major upgrade of software that performs any of the following actions:
- Runs authorized or with special privileges so it can use z/OS facilities restricted to authorized programs.
- Requires the use of a new Supervisor Call routine (SVC), Program Call routine (PC), installation exit routine, or I/O appendage routine.
- Modifies MVS in any way.
- Requires the use of the Authorized Program Facility (APF).
- Requires that the name of the program be placed in the MVS Program Properties Table (PPT).
- Runs in Supervisor State.
- Runs with a program status word (PSW) protection key between 0 through 7.
- Runs with a userid that has special security privileges within the ACP.
has been approved by Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval.

Dynamic lists must be protected in accordance with proper security requirements.
AC-3 - High - CCI-000213 - V-36 - SV-6409r8_rule
RMF Control: AC-3
Severity: High
CCI: CCI-000213
Version: ACP00270
Vuln IDs:
  • V-36
Rule IDs:
  • SV-6409r8_rule
Dynamic lists provide a method of making z/OS system changes without interrupting the availability of the operating system. Failure to properly control access to these facilities could result in unauthorized personnel modifying sensitive z/OS lists. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Responsibility: Information Assurance Officer, Systems Programmer
Checks: C-834r4_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(FACILITY)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00270)

Verify that the accesses for CSV-prefixed resources are properly restricted. If the following guidance is true, this is not a finding.

___ The RACF resources and/or generic equivalent are defined with a default access of NONE.
___ The RACF resources and/or generic equivalent identified below will be defined with AUDIT(ALL(READ)) and UPDATE access restricted to system programming personnel:
  CSVAPF.
  CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC
  CSVAPF.MVS.SETPROG.FORMAT.STATIC
  CSVDYLPA.
  CSVDYNEX.
  CSVDYNEX.LIST
  CSVDYNL.
  CSVDYNL.UPDATE.LNKLST
  CSVLLA.
___ The RACF CSVDYNEX.LIST resource and/or generic equivalent will be defined with AUDIT(FAILURE(READ)SUCCESS(UPDATE)) and UPDATE access restricted to system programming personnel.
___ The RACF CSVDYNEX.LIST resource and/or generic equivalent will be defined with READ access restricted to auditors.
___ If the products CICS and/or CONTROL-O are on the system, the RACF access to the CSVLLA resource and/or generic equivalent will be defined with AUDIT(ALL) and UPDATE access restricted to the CICS and CONTROL-O STC userids.
___ If any software product requires access to dynamic LPA updates on the system, the RACF access to the CSVDYLPA resource and/or generic equivalent will be defined with LOG and SERVICE(UPDATE) only after the product has been validated with the appropriate STIG or SRG for compliance AND receives documented and filed authorization that details the need and any accepted risks from the site ISSM or equivalent security authority.

Note: In the above, UPDATE access can be substituted with ALTER or CONTROL. Review the permissions in the IBM documentation when specifying UPDATE.

Fix: F-259r7_fix

Ensure that the Dynamic List resources are defined to the FACILITY resource class and protected. Only system programmers, a limited number of authorized users, and approved authorized Started Tasks are able to issue these commands. All access is logged.

The required CSV-prefixed FACILITY class resources are listed below. These resources or generic equivalents should be defined and permitted as required, with only z/OS systems programmers permitted and logging enabled. Minimum required list of CSV-prefixed resources:
CSVAPF.**
CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC
CSVAPF.MVS.SETPROG.FORMAT.STATIC
CSVDYLPA.**
CSVDYLPA.ADD.**
CSVDYLPA.DELETE.**
CSVDYNEX.**
CSVDYNEX.LIST
CSVDYNL.**
CSVDYNL.UPDATE.LNKLST
CSVLLA.**

Limit authority to those resources to z/OS systems programmers. Restrict to the absolute minimum number of personnel with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish this:
RDEF FACILITY CSVAPF.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
RDEF FACILITY CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
RDEF FACILITY CSVAPF.MVS.SETPROG.FORMAT.STATIC.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
PERMIT CSVAPF.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVAPF.MVS.SETPROG.FORMAT.STATIC.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)

The CSVDYLPA.ADD resource will be permitted to the BMC Mainview, CA 1, and CA Common Services STC userids with AUDIT(ALL(READ)) and UPDATE access. The CSVDYLPA.DELETE resource will be permitted to the CA 1 and CA Common Services STC userids with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish one set of resources:
RDEF FACILITY CSVDYLPA.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
RDEF FACILITY CSVDYLPA.ADD.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
RDEF FACILITY CSVDYLPA.DELETE.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
PERMIT CSVDYLPA.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVDYLPA.** CLASS(FACILITY) ID(BMC Mainview STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(BMC Mainview STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.ADD.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(CA 1 STC userid) ACCESS(UPDATE)
PERMIT CSVDYLPA.DELETE.** CLASS(FACILITY) ID(CCS STC userid) ACCESS(UPDATE)

The CSVDYNEX.LIST resource and/or generic equivalent will be defined with AUDIT(FAILURE(READ)SUCCESS(UPDATE)) and UPDATE access restricted to system programming personnel. The CSVDYNEX.LIST resource and/or generic equivalent will be defined with READ access restricted to auditors. Sample commands are shown here to accomplish this:
RDEF FACILITY CSVDYNEX.** UACC(NONE) OWNER(syspaudt) -
  AUDIT(ALL(READ))
RDEF FACILITY CSVDYNEX.LIST.** UACC(NONE) OWNER(syspaudt) -
  AUDIT(FAILURE(READ)SUCCESS(UPDATE))
PERMIT CSVDYNEX.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVDYNEX.LIST.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVDYNEX.LIST.** CLASS(FACILITY) ID(audtaudt) ACCESS(READ)

The CSVLLA resource will be permitted to the CICS and CONTROL-O STC userids with AUDIT(ALL(READ)) and UPDATE access. Sample commands are shown here to accomplish one set of resources:
RDEF FACILITY CSVLLA.** UACC(NONE) OWNER(syspaudt) AUDIT(ALL(READ))
PERMIT CSVLLA.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)
PERMIT CSVLLA.** CLASS(FACILITY) ID(CICS STC userids) ACCESS(UPDATE)
PERMIT CSVLLA.** CLASS(FACILITY) ID(CONTROL-O STC userid) ACCESS(UPDATE)

CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-44 - SV-7532r3_rule
RMF Control: IA-2
Severity: Medium
CCI: CCI-000764
Version: ZCIC0040
Vuln IDs:
  • V-44
Rule IDs:
  • SV-7532r3_rule
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data. The region userid should be associated with a unique RACF userid.
Responsibility: Information Assurance Officer
Checks: C-62551r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)
Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACCDT)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure that the following is defined for each CICS region:
1) A unique userid is defined.
2) Defined to the STARTED resource class.
c) If (b) is true, this is not a finding.
d) If (b) is untrue, this is a finding.

Fix: F-18483r1_fix

Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required. Ensure that the following is defined for each CICS region:
1) A unique userid is defined. Use the RACF ADDUSER command to accomplish this. A sample command is provided here:
AU <cicsregionid> NAME('STC, CICS Region') DFLTGRP(STC) OWNER(STC)
2) Defined to the STARTED resource class. Use the RACF RDEFINE command. A sample is provided here:
RDEF STARTED <cicsprocname>.** UACC(NONE) OWNER(ADMIN) DATA('USED TO MAP <cicsprocname> TO A VALID RACF USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES))

Surrogate users must be controlled in accordance with proper security requirements.
AC-3 - Medium - CCI-000213 - V-54 - SV-7346r5_rule
RMF Control: AC-3
Severity: Medium
CCI: CCI-000213
Version: ZJES0060
Vuln IDs:
  • V-54
Rule IDs:
  • SV-7346r5_rule
Surrogate users have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users run with the identity of the execution user. Failure to properly control surrogate users could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Responsibility: Information Assurance Officer
Checks: C-3366r3_chk

Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(SURROGAT)

If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is not applicable.

For each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are true regarding surrogate controls, this is not a finding.
___ All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.
___ All resource access is logged; at the discretion of the ISSM/ISSO, scheduling tasks may be exempted.
___ Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.
___ Other users may have the minimal access required for running production jobs, with documentation properly approved and filed with the site security official (ISSM or equivalent).

Fix: F-30560r3_fix

For executionuserid.SUBMIT resources defined to the SURROGAT resource class, ensure the following items are in effect regarding surrogate controls:
- All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.
- All resource access is logged; at the discretion of the ISSM/ISSO, scheduling tasks may be exempted.
- Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.
- Other users may have the minimal access required for running production jobs, with documentation properly approved and filed with the site security official (ISSM or equivalent).

Consider the following recommendations when implementing security for Surrogate Users:
- Keep the use of Surrogate Users outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to only use the Surrogate resource for the appropriate scheduling task/software for production scheduling purposes as documented.
- Temporary use of the surrogate resource of the production batch to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period are determined by site policy.
- Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Surrogate usage should not become the default for all jobs submitted by individual userids (i.e., system programmers shall use their assigned individual userids for software installation duties, whereas a cross-authorized ACID would normally be utilized for scheduled batch production only and as such shall normally be limited to the scheduling task, such as CONTROLM) and not be granted on a normal daily basis to individual users.

Command samples are provided to define/permit SURROGAT profiles:
SETR CLASSACT(SURROGAT)
SETR GENERIC(SURROGAT) GENCMD(SURROGAT)
SETR RACL(SURROGAT)
RDEF SURROGAT <batchid>.SUBMIT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('SUBMIT JOBS FOR <batchid>, REFERENCE ZJES0060')
PE <batchid>.SUBMIT CL(SURROGAT) ID(<authorized user such as CONTROLM>)
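The SMS (ZSMS0010), dynamic-list (ACP00270) and surrogate (ZJES0060) requirements above all reduce to the same three profile checks: UACC(NONE) with NOWARNING, a prescribed AUDIT setting, and an access list limited to named groups at a bounded access level. The script below, added here as an illustration and not part of the STIG or of any IBM tool, encodes those rules and evaluates them against constructed profile records. No RLIST output is parsed; the group names (syspaudt, dasdaudt, audtaudt, ...) are the STIG's own sample names, and PRODBAT, USER01 and CONTROLM as a userid are placeholders.

```python
"""Compliance checker for the RACF FACILITY and SURROGAT profiles required by
ZSMS0010, ACP00270 and ZJES0060. Added example, not part of the STIG and not
an IBM tool: profile records are constructed in-line instead of being parsed
from RLIST output, group names are the STIG's sample names (syspaudt, ...),
and PRODBAT / USER01 are placeholders."""
from dataclasses import dataclass, field

# RACF access levels, lowest to highest, for comparing a grant with a ceiling.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    racf_class: str
    name: str                    # e.g. "STGADMIN.**"
    uacc: str = "NONE"
    audit: str = "NONE"          # e.g. "ALL(READ)"
    warning: bool = False        # WARNING attribute; the STIG requires NOWARNING
    permits: dict = field(default_factory=dict)   # id -> granted access level


@dataclass
class Rule:
    racf_class: str
    prefix: str    # exact profile name, or a prefix ending in "." as the STIG writes them
    audit: str     # required AUDIT setting
    allowed: dict  # id -> highest access that id may hold; empty dict = nobody


def rule_matches(rule, profile):
    if rule.racf_class != profile.racf_class:
        return False
    if rule.prefix.endswith("."):
        return profile.name.startswith(rule.prefix)
    return profile.name == rule.prefix


def check_profile(p, rule):
    """Findings for one profile under one rule; an empty list means compliant."""
    f = []
    if p.uacc.upper() != "NONE":
        f.append(f"{p.name}: UACC is {p.uacc}, must be NONE")
    if p.warning:
        f.append(f"{p.name}: WARNING is set, must be NOWARNING")
    if p.audit.upper().replace(" ", "") != rule.audit.upper().replace(" ", ""):
        f.append(f"{p.name}: AUDIT is {p.audit}, must be {rule.audit}")
    for user, level in p.permits.items():
        ceiling = rule.allowed.get(user.upper())
        if ceiling is None:
            f.append(f"{p.name}: {user} is permitted but is not an authorized id")
        elif ACCESS_ORDER.index(level.upper()) > ACCESS_ORDER.index(ceiling):
            f.append(f"{p.name}: {user} holds {level}, ceiling is {ceiling}")
    return f


def run_checks(profiles, rules):
    """Apply the most specific matching rule (longest prefix, the way RACF picks
    the most specific profile). Profiles no rule covers are reported, not skipped."""
    report = {}
    for p in profiles:
        matched = [r for r in rules if rule_matches(r, p)]
        if not matched:
            report[p.name] = ["no STIG rule covers this profile; review manually"]
        else:
            report[p.name] = check_profile(p, max(matched, key=lambda r: len(r.prefix)))
    return report


DASD_SYSP = {"DASBAUDT": "READ", "DASDAUDT": "READ", "SYSPAUDT": "READ"}
RULES = [
    Rule("FACILITY", "STGADMIN.**", "ALL(READ)", {}),                   # ZSMS0010: nobody at this level
    Rule("FACILITY", "STGADMIN.ADR.", "FAILURE(READ)", DASD_SYSP),       # ZSMS0010: DASD mgrs + sysprogs
    Rule("FACILITY", "STGADMIN.ADR.STGADMIN.", "ALL(READ)", DASD_SYSP),  # ZSMS0010: all access logged
    Rule("FACILITY", "CSVAPF.", "ALL(READ)", {"SYSPAUDT": "UPDATE"}),    # ACP00270
    Rule("FACILITY", "CSVDYNEX.", "ALL(READ)", {"SYSPAUDT": "UPDATE"}),  # ACP00270
    Rule("FACILITY", "CSVDYNEX.LIST.", "FAILURE(READ)SUCCESS(UPDATE)",
         {"SYSPAUDT": "UPDATE", "AUDTAUDT": "READ"}),                    # ACP00270: auditors READ only
    Rule("SURROGAT", "PRODBAT.SUBMIT", "ALL(READ)", {"CONTROLM": "READ"}),  # ZJES0060: scheduler only
]

# Constructed profile records mixing compliant and deliberately non-compliant cases.
PROFILES = [
    Profile("FACILITY", "STGADMIN.**", audit="ALL(READ)"),
    Profile("FACILITY", "STGADMIN.ADR.STGADMIN.**", audit="FAILURE(READ)",
            permits={"DASDAUDT": "READ", "SYSPAUDT": "READ"}),          # wrong AUDIT
    Profile("FACILITY", "CSVAPF.**", uacc="READ", warning=True, audit="ALL(READ)",
            permits={"SYSPAUDT": "UPDATE"}),                              # UACC and WARNING
    Profile("FACILITY", "CSVDYNEX.LIST.**", audit="FAILURE(READ)SUCCESS(UPDATE)",
            permits={"SYSPAUDT": "UPDATE", "AUDTAUDT": "UPDATE"}),       # auditor above ceiling
    Profile("SURROGAT", "PRODBAT.SUBMIT", audit="ALL(READ)",
            permits={"CONTROLM": "READ", "USER01": "READ"}),              # individual user permitted
    Profile("FACILITY", "STGADMIN.IGG.DEFDEL.UALIAS", audit="ALL(READ)"),  # no rule encoded above
]

if __name__ == "__main__":
    for name, findings in run_checks(PROFILES, RULES).items():
        print(name, "->", "; ".join(findings) or "compliant")
```

The rule table deliberately lets a broader prefix (CSVDYNEX.) and a narrower one (CSVDYNEX.LIST.) coexist and applies the narrower, which mirrors how RACF resolves the most specific profile and keeps the auditors' READ-only ceiling from being masked by the sysprog UPDATE rule. In live use the Profile records would be filled from RLIST or an IRRDBU00 unload; a PERMIT with no ACCESS keyword grants READ, which is why the STGADMIN ceilings are READ. Where a site has documented the ACP00270 allowance to substitute ALTER or CONTROL for UPDATE, the ceiling for that id is raised accordingly.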

A CMP (Change Management Process) is not being utilized on this system.
CM-3 - Low - CCI-000326 - V-82 - SV-82r2_rule
RMF Control: CM-3
Severity: Low
CCI: CCI-000326
Version: AAMV0010
Vuln IDs:
  • V-82
Rule IDs:
  • SV-82r2_rule
Without proper tracking of changes to the operating system software environment, its processing integrity and availability are subject to compromise.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2, ECSD-1, ECSD-2
Checks: C-630r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(SMPERPT)
b) Invoke the CA-EXAMINE application from within ISPF/PDF. This is typically done by executing %EXAMINE from ISPF/PDF option 6. From the CA EXAMINE primary menu, enter 2.3.3 from the command line to display the INSTALLED PRODUCTS SELECTION menu. Enter a hyphen (-) for all optional search criteria fields and a valid SMP/E CSI name. Repeat this step for all applicable SMP/E CSI names.
NOTE 1: CSI names can be obtained from the SMPERPT report or by leaving the CSI name field blank and allowing CA-EXAMINE to compile a list of cataloged CSI data sets from which to choose.
NOTE 2: SMP/E CSIs may not be present on this domain. If the site uses another domain to install products via SMP/E, and then copies the SMP/E product installation libraries to this domain, this is acceptable. Review the domain where the SMP/E environment resides and compare it against the domain being reviewed for compliance. The z/OS vendor recommends that all products with the capability for installation via IBM's SMP/E process will be installed and maintained using that process.
c) If the entries contained in the SMP/E CSIs accurately reflect the operating system software environment, there is NO FINDING.
d) If the entries contained in the SMP/E CSIs do not accurately reflect the operating system software environment, this is a FINDING.

Fix: F-18440r1_fix

The systems programmer responsible for supporting changes to the software will ensure that all changes and updates are tracked and maintained using a CMP. Obtain/locate all applicable SMP/E data sets (e.g., CSI, PTS, etc.). Ensure that all entries contained in the SMP/E configuration are matched with the operating system environment. Verify with the Systems programmer that the components of the operating system are controlled through a CMP. Note: Many systems are created from a base system that is controlled by a change management program. Be sure to note that the system has been maintained based on this process.

LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
CM-7 - Medium - CCI-000381 - V-83 - SV-83r2_rule
RMF Control: CM-7
Severity: Medium
CCI: CCI-000381
Version: AAMV0030
Vuln IDs:
  • V-83
Rule IDs:
  • SV-83r2_rule
Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules, which could bypass security and violate the integrity of the operating system environment. This expanded authorization list inhibits the ability to control inclusion of these modules.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2, DCSL-1
Checks: C-20621r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB) - Refer to the IEASYSxx listing(s).

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0030)

b) If the LNKAUTH=APFTAB parameter is specified in the IEASYSxx member, there is NO FINDING.
c) If the LNKAUTH=APFTAB parameter is not specified, this is a FINDING.

Fix: F-16081r1_fix

The systems programmer will ensure that LNKAUTH=APFTAB is specified in the IEASYSxx member(s) in the currently active parmlib data set(s). Review all installed software for authorization requirements. Identify and include only libraries with this requirement in the APF designation. Change LNKAUTH=LNKLST to LNKAUTH=APFTAB in all IEASYSxx members.

Control over APF authorization is specified within the operating system. The data set SYS1.PARMLIB members IEAAPFxx and PROGxx are used to specify the library names and the volumes on which they reside. (The xx is the suffix designated by the APF and PROG parameters in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL]).

NOTE: An entire library is listed as authorized, and not the individual modules themselves.

Use the following recommendations and techniques to control the exposures created by the APF facility:
(1) In SYS1.PARMLIB(IEASYSxx), use the parameter LNKAUTH=APFTAB so that all APF libraries are specified in the IEAAPFxx and PROGxx members of parmlib.

Inaccessible APF libraries defined.
CM-7 - Low - CCI-000381 - V-84 - SV-84r2_rule
RMF Control: CM-7
Severity: Low
CCI: CCI-000381
Version: AAMV0040
Vuln IDs:
  • V-84
Rule IDs:
  • SV-84r2_rule
If a library designated by an APF entry does not exist on the volume specified, a library of the same name may be placed on this volume and inherit APF authorization. This could allow the introduction of modules which bypass security and violate the integrity of the operating system environment.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2, DCSL-1
Checks: C-634r1_chk

PDI Screen Sort Order: AAMV0040
Default Severity: Category III

a) Refer to the following reports produced by the z/OS Data Collection:
- PARMLIB.ACCESS(IEAAPFxx)
- PARMLIB.ACCESS(PROGxx)
NOTE: The IEAAPFxx and PROGxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0040)

b) If no inaccessible APF libraries exist, there is NO FINDING.
c) If inaccessible APF libraries do exist, this is a FINDING.

Fix: F-16650r1_fix

The systems programmer will ensure that only existing libraries are specified in the APF list of libraries. Review the entire list of APF authorized libraries and remove those which are no longer valid designations.

(2) The IEAAPFxx members will contain only required libraries. On a semi-annual basis, Software Support should review the volume serial numbers and verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The IAO should modify and/or delete the rules associated with these libraries.

Duplicated sensitive utilities and/or programs exist in APF libraries.
CM-7 - Low - CCI-001762 - V-85 - SV-85r2_rule
RMF Control: CM-7
Severity: Low
CCI: CCI-001762
Version: AAMV0050
Vuln IDs:
  • V-85
Rule IDs:
  • SV-85r2_rule
Modules designated as sensitive utilities have the ability to significantly modify the operating system environment. Duplication of these modules causes an exposure by making it extremely difficult to track modifications to them. This could allow for the execution of invalid or trojan horse versions of these utilities.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, DCSL-1
Checks: C-20008r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(APFDUPS)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0050)

b) If duplicate APF modules exist, compare the duplicates to the modules specified below. The following list contains the Sensitive Utilities that will be checked:
AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL
CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT
IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS
L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV TMSREMOV TMSTPNIT TMSUDSNB
c) If none of the sensitive utilities are duplicated, there is NO FINDING.
d) If any of the sensitive utilities is duplicated, this is a FINDING.

Fix: F-239r1_fix

The IAO will ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the IAO.

(3) Before a library and a volume serial number are added to IEAAPFxx and PROGxx, the IAO will protect the data set from unauthorized access. Systems programming personnel will specify the requirements for users needing read or execute access to this library. Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns with the IAO, so that the function can be restricted as required. The IAO will build the appropriate protection into the ACP.
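AAMV0030, AAMV0040 and AAMV0050 are three views of the same APF hygiene question: is LNKAUTH=APFTAB coded, does every APF entry point at a library that really exists on the named volume, and is any sensitive utility reachable from more than one APF library. The script below, added here as an illustration and not part of the STIG or of CA-EXAMINE, runs all three checks over constructed parmlib members. The IEASYSxx/PROGxx/IEAAPFxx text, the catalog stand-in (EXISTING) and the library member lists (MEMBERS) are constructed with placeholder data set and volume names; the PROGxx parser handles only APF ADD statements and the IEASYSxx parser is a simplification of the real syntax.

```python
"""APF hygiene checks for AAMV0030 (LNKAUTH), AAMV0040 (inaccessible APF
libraries) and AAMV0050 (duplicated sensitive utilities). Added example, not
part of the STIG or of CA-EXAMINE. The parmlib members, the catalog stand-in
and the library member lists are constructed in-line with placeholder data
set and volume names; PROGxx parsing covers APF ADD statements only and
IEAAPFxx parsing covers 'dsname volser' lines only."""
import re

# Sensitive utilities as listed in AAMV0050.
SENSITIVE_UTILITIES = set("""AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP BLSROPTR
CSQJU003 CSQJU004 CSQUCVX CSQUTIL CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP HHLGTF
ICKDSF ICPIOCP IDCSC01 IEHINITT IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE
IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS L052INIT TMSCOPY TMSFORMT TMSLBLPR
TMSMULV TMSREMOV TMSTPNIT TMSUDSNB""".split())

# Constructed IEASYSxx members: the weak setting and its corrected form.
IEASYS_WEAK = "CLPA,\nLNKAUTH=LNKLST,\nAPF=01,\nPROG=(01,02)\n"
IEASYS_FIXED = "CLPA,\nLNKAUTH=APFTAB,\nAPF=01,\nPROG=(01,02)\n"

# IEASYSxx parameter: KEYWORD or KEYWORD=value, where the value may be a
# parenthesised list that itself contains commas.
_PARAM = re.compile(r"([A-Z0-9$#@]+)(?:=(\([^)]*\)|[^,\s]+))?")


def ieasys_params(text):
    """Return {KEYWORD: value} from an IEASYSxx member ('' for bare keywords)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop /* */ comments
    return dict(_PARAM.findall(text.upper()))


def lnkauth_finding(ieasys_text):
    """AAMV0030: None when LNKAUTH=APFTAB is coded, otherwise the finding text.
    An omitted LNKAUTH is a finding too, because the system default is LNKLST."""
    value = ieasys_params(ieasys_text).get("LNKAUTH")
    if value == "APFTAB":
        return None
    return f"LNKAUTH is {value or 'not specified (defaults to LNKLST)'}, must be APFTAB"


# Constructed PROGxx and IEAAPFxx members (placeholder names).
PROG01 = """APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(ZOSRES)
APF ADD DSNAME(SYS2.APFLIB) VOLUME(APF001)
APF ADD DSNAME(SYS2.SMSLIB) SMS
APF ADD DSNAME(SYS2.OLDLIB) VOLUME(APF002)
"""
IEAAPF01 = "SYS1.LINKLIB ZOSRES,\nSYS2.TOOLS ZOSRES\n"

# Constructed stand-in for the catalog/VTOC lookup: (dsname, volser) pairs that
# exist. SMS-managed data sets are keyed by name only (volser None).
EXISTING = {("SYS1.LINKLIB", "ZOSRES"), ("SYS2.APFLIB", "APF001"), ("SYS2.SMSLIB", None)}

_APF_ADD = re.compile(
    r"APF\s+ADD\s+DSN(?:AME)?\((\S+?)\)\s+(?:VOL(?:UME)?\((\S+?)\)|(SMS)\b)", re.I)


def parse_apf_entries(progxx, ieaapfxx=""):
    """(dsname, volser) for every APF entry; volser is None for SMS-managed entries."""
    entries = [(m.group(1).upper(), None if m.group(3) else m.group(2).upper())
               for m in _APF_ADD.finditer(progxx)]
    for line in ieaapfxx.splitlines():
        parts = line.strip().rstrip(",").split()
        if len(parts) == 2:
            entries.append((parts[0].upper(), parts[1].upper()))
    return entries


def inaccessible_apf(entries, existing):
    """AAMV0040: APF entries whose library does not exist on the named volume."""
    return [e for e in entries if e not in existing]


# Constructed directory listings (member names) of the APF libraries.
MEMBERS = {
    "SYS1.LINKLIB": {"AMASPZAP", "IEHINITT", "IEBGENER"},
    "SYS2.APFLIB": {"AMASPZAP", "MYAPPL"},
    "SYS2.SMSLIB": {"ICKDSF", "OTHERPGM"},
}


def duplicated_sensitive(members_by_library):
    """AAMV0050: sensitive utilities found in more than one APF library."""
    where = {}
    for lib, members in members_by_library.items():
        for util in members & SENSITIVE_UTILITIES:
            where.setdefault(util, []).append(lib)
    return {u: sorted(libs) for u, libs in where.items() if len(libs) > 1}


if __name__ == "__main__":
    print("AAMV0030:", lnkauth_finding(IEASYS_WEAK) or "compliant")
    print("AAMV0040:", inaccessible_apf(parse_apf_entries(PROG01, IEAAPF01), EXISTING))
    print("AAMV0050:", duplicated_sensitive(MEMBERS))
```

On a live system the EXISTING set is replaced by a catalog or VTOC lookup for each (dsname, volser) pair and MEMBERS by a directory listing of each APF library; the point of the AAMV0040 check is that a name that resolves to nothing on the coded volume is an invitation for a same-named library to appear there later, so the entry is removed rather than left pending. The AAMV0050 check reports the library pairs per utility so the reviewer can decide which copy is the maintained one.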

AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules' integrity must be available.
SA-5 - Medium - CCI-000643 - V-86 - SV-86r4_rule
RMF Control
SA-5
Severity
Medium
CCI
CCI-000643
Version
AAMV0060
Vuln IDs
  • V-86
Rule IDs
  • SV-86r4_rule
AC=1 modules that reside in APF authorized libraries must be reviewed annually. The IAO will maintain documentation identifying the integrity and justification of Vendor APF authorized libraries. For non-vendor APF authorized libraries, the source and documentation identifying the integrity and justification that describes the AC=1 module process will be maintained by the IAO. Sites that have undocumented and/or unauthorized AC=1 modules have a possible risk to the confidentiality, integrity, and availability of the system and present a clear risk to the operating system, ACP, and customer data.
Information Assurance Officer
Checks: C-3898r4_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(APFXRPT)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(AAMV0060)

Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If the following guidance is true, this is not a finding.

___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification is maintained by the IAO.
___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO.
___ All Vendor and non-vendor AC=1 modules in APF Authorized libraries are reviewed on an annual basis.

Fix: F-6653r2_fix

The IAO working with the systems programmer will ensure that documentation and/or source code are available for AC=1 modules that reside in the APF Authorized libraries.

Documentation for Vendor APF Authorized libraries identifying the integrity and justification will be available. Examples of this type of documentation can be in the form of product installation guides or product system programming guides.

Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification will be available.

A review of the above documentation and/or source will be performed on an annual basis.

Inapplicable PPT entries have not been invalidated.
CM-7 - Medium - CCI-000381 - V-90 - SV-90r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
AAMV0160
Vuln IDs
  • V-90
Rule IDs
  • SV-90r2_rule
If invalid or inapplicable PPT entries exist, an avenue is provided for the introduction of trojan horse modules with security bypass capabilities.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-20009r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PPTXRPT)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0160)

b) Review the program entries in the CA-EXAMINE PPT LIBRARY SEARCH report. For all programs not found on the operating system (i.e., missing link date, size, volume, and library name), review their corresponding entries in the CA-EXAMINE PROGRAM PROPERTIES TABLE ANALYSIS report. If a program entry is found with any of the following excessive privileges, ensure that a matching SCHEDxx entry exists for that program revoking these privileges:
1) Data set integrity bypass
2) Keys 0-7
3) Security bypass

c) If a SCHEDxx entry exists for all applicable PPT programs revoking the excessive privileges above, there is NO FINDING.

d) If a SCHEDxx entry does not exist for an applicable PPT program, or does not revoke all the excessive privileges above, this is a FINDING.

Note: Modules for products not in use on the system will have their special privileges explicitly revoked.

Fix: F-16968r1_fix

The systems programmer will ensure that any invalid entries in the PPT via the IEFSDPPT module or invalid entries in the SCHED PPT are nullified by (a) nullifying the invalid IEFSDPPT entry, ensuring that there is a corresponding SCHED entry which confers no special attributes, or (b) removing the SCHED PPT entry which is no longer valid if it only exists in this member.

Review the PPT and ensure that all entries associated with non-existent or inapplicable modules are invalidated. As applicable, either: (a) nullify the invalid IEFSDPPT entry by ensuring that there is a corresponding SCHED entry which confers no special attributes, or (b) remove the SCHED PPT entry which is no longer valid.

Some programs require extraordinary privileges not normally permitted by the operating system. The Program Properties Table (PPT) contains the names and properties of these special programs. Programs in the PPT can bypass security software mechanisms such as password protection. Only programs that require special authorizations are coded in the PPT. The PPT is maintained differently depending upon the level of MVS. Use the following recommendations and techniques to provide protection for the PPT:

(1) As part of standard MVS maintenance, systems programming personnel will review the IEFSDPPT module and all programs that IBM has, by default, placed in the PPT to validate their applicability to the execution system. Please refer to the IBM z/OS MVS Initialization and Tuning Reference documentation for the version and release of z/OS installed at the individual site for the actual contents of the default IEFSDPPT.

(2) Modules for products not in use on the system will have their special privileges explicitly revoked. Do this by placing a PPT entry for each module in the SYS1.PARMLIB(SCHEDxx) member, specifying no special privileges. The PPT entry for each overridden program will be in the following format, accepting the default (unprivileged) values for the sub parameters:
PPT PGMNAME(<program name>)

(3) The Software Support team will assemble documentation regarding these PPT entries, and the IAO will keep it on file. Include the following in the documentation:
- The product and release for which the PPT entry was made
- The last date this entry was reviewed to authenticate status
- The reason the module's privileges are being revoked
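As an added example that is not part of the STIG or of any IBM or CA-EXAMINE tool, the following Python script reads a SCHEDxx member and, for a hand-compiled list of program names the PPT review flagged, reports which have no override entry and which overrides still confer one of the three excessive privileges named in the check (KEY(0) through KEY(7), NODSI, NOPASS). The keyword names and their defaults (KEY(8), DSI, PASS) are assumptions taken from the SCHEDxx PPT statement syntax; the sample member and program names are constructed.

```python
# Constructed example (not from the STIG, IBM or CA-EXAMINE): review SCHEDxx PPT overrides.
import re

# PPT attributes the check above treats as excessive: protect keys 0-7 (KEY(0)..KEY(7)),
# data set integrity bypass (NODSI) and security bypass (NOPASS). When a keyword is
# omitted the SCHEDxx defaults apply: KEY(8), DSI, PASS (assumed from the PPT syntax).

def parse_schedxx(text):
    """Return {program name: attribute text} for every PPT statement in a SCHEDxx member."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)     # strip /* */ comments
    flat = " ".join(text.split()).upper()                    # join continuation lines
    # A statement runs from one 'PPT PGMNAME(' up to the next one (or end of member).
    pattern = r"\bPPT\s+PGMNAME\((\w+)\)(.*?)(?=\bPPT\s+PGMNAME\(|$)"
    return {m.group(1): m.group(2).strip() for m in re.finditer(pattern, flat)}

def excessive_privileges(attrs):
    """List the excessive privileges an attribute text still confers, defaults applied."""
    privs = []
    key = re.search(r"\bKEY\((\d{1,2})\)", attrs)
    if key and int(key.group(1)) <= 7:
        privs.append("KEY(%d)" % int(key.group(1)))
    if re.search(r"\bNODSI\b", attrs):
        privs.append("NODSI")
    if re.search(r"\bNOPASS\b", attrs):
        privs.append("NOPASS")
    return privs

def review_overrides(schedxx_text, programs):
    """For each flagged program: 'ok', 'missing', or the privileges its override keeps."""
    entries = parse_schedxx(schedxx_text)
    result = {}
    for pgm in programs:
        pgm = pgm.upper()
        if pgm not in entries:
            result[pgm] = "missing"             # no SCHEDxx entry: privileges not revoked
        else:
            privs = excessive_privileges(entries[pgm])
            result[pgm] = "ok" if not privs else "still grants " + ",".join(privs)
    return result

# Constructed SCHEDxx member and flagged program names (hypothetical, not real products).
SCHEDXX_SAMPLE = """\
PPT PGMNAME(OLDPROD1)        /* product removed: defaults revoke everything */
PPT PGMNAME(OLDPROD2)        /* override left a privileged key */
    NOCANCEL
    KEY(1)
PPT PGMNAME(OLDPROD3)        /* override still bypasses data set integrity */
    NODSI NOSWAP
"""
FLAGGED_PROGRAMS = ["OLDPROD1", "OLDPROD2", "OLDPROD3", "OLDPROD4"]
```

Calling `review_overrides(SCHEDXX_SAMPLE, FLAGGED_PROGRAMS)` reports OLDPROD1 as ok, OLDPROD2 and OLDPROD3 as overrides that still grant KEY(1) and NODSI respectively, and OLDPROD4 as having no entry at all.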

Non-existent or inaccessible LINKLIST libraries.
CM-7 - Low - CCI-001762 - V-100 - SV-100r2_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-001762
Version
AAMV0350
Vuln IDs
  • V-100
Rule IDs
  • SV-100r2_rule
LINKLIST libraries give a common access point for the general usage of modules. Many of the subsystems installed on a domain rely upon these modules for proper execution. If the list of libraries found in this LINKLIST is not properly maintained, the integrity of the operating environment is subject to compromise.
Systems Programmer
DCCS-1, DCCS-2, DCSL-1
Checks: C-20010r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- PARMLIB.ACCESS(LNKLSTxx)

NOTE: The LNKLSTxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0350)

b) If no inaccessible LINKLIST libraries exist, there is NO FINDING.

c) If any inaccessible LINKLIST library exists, this is a FINDING.

Fix: F-16984r1_fix

The systems programmer will ensure that only existing libraries are specified in the Linklist list of libraries.

Review all entries contained in the LINKLIST for the actual existence of each library. Develop a plan of action to correct deficiencies.

The Linklist is a default set of libraries that MVS searches for a specified program. This facility is used so that a user does not have to know the library names in which utility types of programs are stored. Control over membership in the Linklist is specified within the operating system. The data set SYS1.PARMLIB(LNKLSTxx) is used to specify the library names. (The xx is the suffix designated by the LNK parameter in the IEASYSxx member of SYS1.PARMLIB, or overridden by the computer operator at IPL.) Use the following recommendations and techniques to control the exposures created by the LINKLIST facility:

(1) Avoid inclusion of sensitive libraries in the LNKLSTxx member unless absolutely required.

(2) The LNKLSTxx and PROGxx (LNKLST entries) members will contain only required libraries. On a semi-annual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non-existent libraries. The IAO should modify and/or delete the rules associated with these libraries.

Non-standard SMF data collection options specified.
AC-11 - Medium - CCI-000057 - V-101 - SV-101r2_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
AAMV0370
Vuln IDs
  • V-101
Rule IDs
  • SV-101r2_rule
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.
Information Assurance Officer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3
Checks: C-4632r1_chk

Refer to the following reports produced by the z/OS Data Collection:
- EXAM.RPT(SMFOPTS)
- EXAM.RPT(PARMLIB) - Alternate report; refer to the SMFPRMxx listing.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0370)

NOTE: Issues with subtype 4 and 5 of type 30 records can be exempted from collection. The following is an example of the entry to perform this:
SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84,IEFUJP,IEFUSO), INTERVAL(SMF,SYNC),NODETAIL)

NOTE: If the JWT parameter is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these items is true, there is NO FINDING.
1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections.
2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM or IAO. The IAM and/or IAO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
3) The IAM and/or IAO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
(a) The time-out exception cannot exceed 60 minutes.
(b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM or IAO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
(c) The requirement must be revalidated on an annual basis.
Ensure SMF collection options are specified as stated below with the exception of those specified in the above NOTEs. The settings for several parameters are critical to the collection process:

ACTIVE - Activates the collection of SMF data.
JWT(15) - The maximum amount of consecutive time that an executing job may spend as ineligible to use any CPU resources before being canceled for inactivity. (This may be extended if controlled through other means, e.g., a Session Manager or ACP.)
MAXDORM(0500) - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set.
SID - Specifies the system ID to be recorded in all SMF records.
SYS(DETAIL) - Controls the level of detail recorded.
SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs.
SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.

Fix: F-363r1_fix

The IAO will ensure that collection options for SMF Data are consistent with options specified below.

Review all SMF recording specifications found in SMFPRMxx members. Ensure that SMF recording options used are consistent with those outlined below. The settings for several parameters are critical to the collection process:

ACTIVE - Activates the collection of SMF data.
JWT(15) - The maximum amount of consecutive time that an executing job may spend as ineligible to use any CPU resources before being canceled for inactivity. The requirement for Job Wait Time is 15 minutes. (This may be extended if controlled through other means, e.g., a Session Manager or ACP.)
NOTE: The JWT parameter can be greater than 15 minutes if the system is processing unclassified information and the following items are reviewed.
1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protections.
2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM or IAO. The IAM and/or IAO will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
3) The IAM and/or IAO may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
(a) The time-out exception cannot exceed 60 minutes.
(b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM or IAO. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
(c) The requirement must be revalidated on an annual basis.
MAXDORM(0500) - Specifies the amount of real time that SMF allows data to remain in an SMF buffer before it is written to a recording data set.
SID - Specifies the system ID to be recorded in all SMF records.
SYS(DETAIL) - Controls the level of detail recorded.
SYS(INTERVAL) - Ensures the periodic recording of data for long running jobs.
SYS - Specifies the types and sub types of SMF records that are to be collected. SYS(TYPE) indicates that the supplied list is inclusive (i.e., specifies the record types to be collected). Record types not listed are not collected. SYS(NOTYPE) indicates that the supplied list is exclusive (i.e., specifies those record types not to be collected). Record types listed are not collected. The site may use either form of this parameter to specify SMF record type collection. However, at a minimum all record types listed.

Required SMF data record types must be collected.
AU-3 - Medium - CCI-000130 - V-102 - SV-102r5_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
AAMV0380
Vuln IDs
  • V-102
Rule IDs
  • SV-102r5_rule
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit records from each of the ACPs and system. If the required SMF data record types are not being collected, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.
Information Assurance Officer
Checks: C-671r4_chk

Refer to the following reports produced by the z/OS Data Collection:
- EXAM.RPT(SMFOPTS)
- EXAM.RPT(PARMLIB) - Alternate report; refer to the SMFPRMxx listing.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0380)

If all of the required SMF record types identified below are collected, this is not a finding.

IBM SMF Records to be collected at a minimum:
0 (00) – IPL
6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF)
7 (07) – [SMF] Data Lost
14 (0E) – INPUT or RDBACK Data Set Activity
15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity
17 (11) – Scratch Data Set Status
18 (12) – Rename Non-VSAM Data Set Status
24 (18) – JES2 Spool Offload
25 (19) – JES3 Device Allocation
26 (1A) – JES Job Purge
30 (1E) – Common Address Space Work
32 (20) – TSO/E User Work Accounting
41 (29) – DIV Objects and VLF Statistics
42 (2A) – DFSMS statistics and configuration
43 (2B) – JES Start
45 (2D) – JES Withdrawal/Stop
47 (2F) – JES SIGNON/Start Line (BSC)/LOGON
48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF
49 (31) – JES Integrity
52 (34) – JES2 LOGON/Start Line (SNA)
53 (35) – JES2 LOGOFF/Stop Line (SNA)
54 (36) – JES2 Integrity (SNA)
55 (37) – JES2 Network SIGNON
56 (38) – JES2 Network Integrity
57 (39) – JES2 Network SYSOUT Transmission
58 (3A) – JES2 Network SIGNOFF
60 (3C) – VSAM Volume Data Set Updated
61 (3D) – Integrated Catalog Facility Define Activity
62 (3E) – VSAM Component or Cluster Opened
64 (40) – VSAM Component or Cluster Status
65 (41) – Integrated Catalog Facility Delete Activity
66 (42) – Integrated Catalog Facility Alter Activity
80 (50) – RACF/TOP SECRET Processing
81 (51) – RACF Initialization
82 (52) – ICSF Statistics
83 (53) – RACF Audit Record For Data Sets
90 (5A) – System Status
92 (5C) except subtypes 10, 11 – OpenMVS File System Activity
102 (66) – DATABASE 2 Performance
103 (67) – IBM HTTP Server
110 (6E) – CICS/ESA Statistics
118 (76) – TCP/IP Statistics
119 (77) – TCP/IP Statistics
199 (C7) – TSOMON
230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230)
231 (E7) – TSS logs security events under this record type

Fix: F-56703r3_fix

Ensure that SMF recording options are consistent with those outlined below.

IBM SMF Records to be collected at a minimum:
0 (00) – IPL
6 (06) – External Writer/ JES Output Writer/ Print Services Facility (PSF)
7 (07) – [SMF] Data Lost
14 (0E) – INPUT or RDBACK Data Set Activity
15 (0F) – OUTPUT, UPDAT, INOUT, or OUTIN Data Set Activity
17 (11) – Scratch Data Set Status
18 (12) – Rename Non-VSAM Data Set Status
24 (18) – JES2 Spool Offload
25 (19) – JES3 Device Allocation
26 (1A) – JES Job Purge
30 (1E) – Common Address Space Work
32 (20) – TSO/E User Work Accounting
41 (29) – DIV Objects and VLF Statistics
42 (2A) – DFSMS statistics and configuration
43 (2B) – JES Start
45 (2D) – JES Withdrawal/Stop
47 (2F) – JES SIGNON/Start Line (BSC)/LOGON
48 (30) – JES SIGNOFF/Stop Line (BSC)/LOGOFF
49 (31) – JES Integrity
52 (34) – JES2 LOGON/Start Line (SNA)
53 (35) – JES2 LOGOFF/Stop Line (SNA)
54 (36) – JES2 Integrity (SNA)
55 (37) – JES2 Network SIGNON
56 (38) – JES2 Network Integrity
57 (39) – JES2 Network SYSOUT Transmission
58 (3A) – JES2 Network SIGNOFF
60 (3C) – VSAM Volume Data Set Updated
61 (3D) – Integrated Catalog Facility Define Activity
62 (3E) – VSAM Component or Cluster Opened
64 (40) – VSAM Component or Cluster Status
65 (41) – Integrated Catalog Facility Delete Activity
66 (42) – Integrated Catalog Facility Alter Activity
80 (50) – RACF/TOP SECRET Processing
81 (51) – RACF Initialization
82 (52) – ICSF Statistics
83 (53) – RACF Audit Record For Data Sets
90 (5A) – System Status
92 (5C) except subtypes 10, 11 – OpenMVS File System Activity
102 (66) – DATABASE 2 Performance
103 (67) – IBM HTTP Server
110 (6E) – CICS/ESA Statistics
118 (76) – TCP/IP Statistics
119 (77) – TCP/IP Statistics
199 (C7) – TSOMON
230 (E6) – ACF2 or as specified in ACFFDR (vendor-supplied default is 230)
231 (E7) – TSS logs security events under this record type
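As an added example that is not part of the STIG or of any IBM tool, the following Python script checks an extracted SMFPRMxx member against the options given for AAMV0370 (ACTIVE, JWT, MAXDORM, SID, SYS(DETAIL), SYS(INTERVAL)) and against the minimum record-type list above, expanding both SYS(TYPE(...)) and SYS(NOTYPE(...)) including ranges written as lo:hi. The JWT(hhmm) and MAXDORM(mmss) interpretations and the decision to ignore SUBSYS overrides are assumptions; the two sample members are constructed.

```python
# Constructed example (not from the STIG or IBM): check an SMFPRMxx member against the SMF options above.
import re
REQUIRED_TYPES = {  # SMF record types the STIG requires at a minimum (decimal, from the list above)
    0, 6, 7, 14, 15, 17, 18, 24, 25, 26, 30, 32, 41, 42, 43, 45, 47, 48, 49,
    52, 53, 54, 55, 56, 57, 58, 60, 61, 62, 64, 65, 66, 80, 81, 82, 83, 90,
    92, 102, 103, 110, 118, 119, 199, 230, 231,
}

def _flatten(text):
    """Drop /* */ comments and join continuation lines into one upper-case string."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return " ".join(text.split()).upper()

def _group(text, keyword):
    """Contents of the first top-level KEYWORD( ... ) group; None if absent or unbalanced."""
    m = re.search(r"\b" + keyword + r"\(", text)   # \bTYPE\( does not match NOTYPE(
    if m is None: return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            return text[m.end():i]
    return None

def _expand_types(spec):
    """Expand '0,6,14:18,30(1:5)' into a set; a subtype qualifier such as (1:5) is dropped."""
    types, depth, item = set(), 0, ""
    for ch in spec + ",":
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            lo, _, hi = item.strip().split("(")[0].partition(":")
            if lo:
                types.update(range(int(lo), int(hi or lo) + 1))
            item = ""
        else:
            item += ch
    return types

def collected_types(smfprm_text):
    """Record types collected by SYS(TYPE/NOTYPE), or None if no list is present."""
    sys_body = _group(_flatten(smfprm_text), "SYS")   # \bSYS\( skips SUBSYS(
    if sys_body is None: return None
    inclusive = _group(sys_body, "TYPE")
    if inclusive is not None:
        return _expand_types(inclusive)
    exclusive = _group(sys_body, "NOTYPE")
    return None if exclusive is None else set(range(256)) - _expand_types(exclusive)

def missing_record_types(smfprm_text):
    # Sorted required record types that SYS(TYPE/NOTYPE) does not collect.
    return sorted(REQUIRED_TYPES - (collected_types(smfprm_text) or set()))

def _two_field(flat, keyword):
    """KEYWORD(xxyy): xx in the large unit, yy in the small one; None if absent."""
    m = re.search(r"\b" + keyword + r"\((\d{1,4})\)", flat)
    if m is None: return None
    value = int(m.group(1))
    return (value // 100) * 60 + value % 100

def check_smfprm(smfprm_text):
    """Return a list of findings; an empty list means every named option is met."""
    flat = _flatten(smfprm_text)
    findings = []
    for name, pattern in (("ACTIVE", r"\bACTIVE\b"), ("SID", r"\bSID\(\w+\)")):
        if not re.search(pattern, flat):
            findings.append(name + " not specified")
    # JWT(hhmm) -> minutes, limit 15 (JWT(15) == JWT(0015)); MAXDORM(mmss) -> seconds, 0500 = 300
    for keyword, limit, unit in (("JWT", 15, "minutes"), ("MAXDORM", 300, "seconds")):
        value = _two_field(flat, keyword)
        if value is None:
            findings.append(keyword + " not specified")
        elif value > limit:
            findings.append("%s is %d %s, limit %d" % (keyword, value, unit, limit))
    sys_body = _group(flat, "SYS") or ""
    for option in ("DETAIL", "INTERVAL"):            # NODETAIL does not match \bDETAIL\b
        if not re.search(r"\b" + option + r"\b", sys_body):
            findings.append("SYS(%s) not specified" % option)
    missing = missing_record_types(smfprm_text)
    if missing:
        findings.append("required record types not collected: %s" % missing)
    return findings

# Constructed sample members, not taken from any real system.
SMFPRM_GOOD = """\
/* compliant example */
ACTIVE
JWT(0015)
MAXDORM(0500)
SID(SYSA)
SYS(TYPE(0,6,7,14:18,24:26,30,32,41:43,45,47:49,52:58,60:62,64:66,
    80:83,90,92,102,103,110,118,119,199,230,231),INTERVAL(SMF,SYNC),DETAIL)
SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84,IEFUJP,IEFUSO),INTERVAL(SMF,SYNC),NODETAIL)
"""
SMFPRM_BAD = """\
ACTIVE
JWT(0030)
MAXDORM(0500)
SID(SYSB)
SYS(NOTYPE(14:19,80,81,83,92),EXITS(IEFU83,IEFU84),INTERVAL(SMF,SYNC),NODETAIL)
"""
```

`check_smfprm(SMFPRM_GOOD)` returns no findings, while the NOTYPE member is reported for a 30-minute JWT, missing SYS(DETAIL) and the required record types 14, 15, 17, 18, 80, 81, 83 and 92 that its exclusion list drops.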

An automated process is not in place to collect and retain SMF data.
AU-9 - Medium - CCI-001348 - V-103 - SV-103r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
AAMV0400
Vuln IDs
  • V-103
Rule IDs
  • SV-103r2_rule
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data is the audit trail from the ACP. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored and its use in the execution of a contingency plan could be compromised. Failure to collect SMF data in a timely fashion can result in the loss of critical system data.
Information Assurance Officer
CODB-2, DCCS-1, DCCS-2
Checks: C-669r1_chk

a) Refer to Vulnerability Questions within the SRRAUDIT Dialog Management document.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0400)

b) If, based on the information provided, it can be determined that an automated process is in place to collect and retain all SMF data produced on the system, there is NO FINDING.

c) If it cannot be determined this process exists and is being adhered to, this is a FINDING.

Fix: F-17020r1_fix

The IAO will ensure that an automated process is in place to collect SMF data.

Review SMF data collection and retention processes. Ensure that the processes utilized include a process which is automatically started to dump SMF collection files immediately upon their becoming full.

To ensure that all SMF data is collected in a timely manner, and to reduce the risk of data loss, the site will ensure that automated mechanisms are in place to collect and retain all SMF data produced on the system. Dump the SMF files (MANx) in systems based on the following guidelines:
(a) Dump each SMF file as it fills up during the normal course of daily processing.
(b) Dump all remaining SMF data at the end of each processing day.

ACP database is not on a separate physical volume from its backup and recovery datasets.
CP-9 - Medium - CCI-000549 - V-104 - SV-104r2_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000549
Version
AAMV0410
Vuln IDs
  • V-104
Rule IDs
  • SV-104r2_rule
The ACP backup and recovery data files provide the only means of recovering the ACP database in the event of its damage. In the case where this damage is to the physical volume on which it resides, and any of these recovery data files exist on this volume as well, then complete recovery of the ACP database would be extremely difficult, if even possible.
Systems Programmer
CODB-2, DCCS-1, DCCS-2
Checks: C-21014r1_chk

a) Refer to the following item gathered from the z/OS Data Collection:
- Step 8 (c)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(AAMV0410)

For RACF sites only, refer to the following report produced by the RACF Data Collection:
- DSMON.RPT(RACDST)

For ACF2 sites only, refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ACFBKUP)

For TSS sites only, refer to the following report produced by the z/OS Data Collection and review procedure library member TSS for information:
- EXAM.RPT(PROCLIBS)

b) If the Access Control Product (ACP) database is not located on the same volume as either its alternate or backup file, there is NO FINDING.

c) If the ACP database is collocated with either its alternate or backup, this is a FINDING.

Fix: F-17026r1_fix

The systems programmer will ensure that ACP files are placed on a separate volume from their backup and recovery data sets to provide backup and recovery in the event of physical damage to a volume.

Identify the ACP database(s), backup database(s), and recovery data set(s). Develop a plan to keep these data sets on different physical volumes. Implement the movement of these critical ACP files.

File location is an often overlooked factor in system integrity. It is important to ensure that the effects of hardware failures on system integrity and availability are minimized. Avoid collocation of files such as primary and alternate databases. For example, the loss of the physical volume containing the ACP database should not also cause the loss of the ACP backup database as a result of their collocation. Files that will be segregated from each other on separate physical volumes include, but are not limited to, the ACP database and its alternate or backup file.

ACP database is not backed up on a scheduled basis.
CP-9 - Medium - CCI-000537 - V-105 - SV-105r2_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
AAMV0420
Vuln IDs
  • V-105
Rule IDs
  • SV-105r2_rule
Loss of the ACP database would cause an interruption in the service of the operating system environment. If regularly scheduled backups of this database are not processed, system recovery time could be unacceptably long.
Information Assurance Officer
CODB-2, DCCS-1, DCCS-2
Checks: C-17293r1_chk

a) Check with the IAO and verify that procedures exist to back up the security database and files. Have the IAO identify the dataset names and frequency of the backups.

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(AAMV0420)

For ACF2 sites only, refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ACFBKUP)

For TOP SECRET sites only, refer to the following report produced by the TOP SECRET Data Collection:
- TSSCMDS.RPT(STATUS)

Note: RACF creates an alternate data set and does not have any setting to specify that a backup is created.

b) If, based on the information provided, it can be determined that the ACP database is being backed up on a regularly scheduled basis, there is NO FINDING.

c) If it cannot be determined that the ACP database is being backed up on a regularly scheduled basis, this is a FINDING.

Fix: F-17030r1_fix

The IAO will ensure that procedures are in place to back up all ACP files needed for recovery on a scheduled basis.

Identify the ACP database and ensure that documented processes are in place to back up its contents on a regularly scheduled basis. At a minimum, perform a nightly backup of the ACP databases and of other critical security files (such as the ACP parameter file). More frequent backups (two or three times daily) will reduce the time necessary to effect recovery. The IAO will verify that the backup job(s) run successfully.

System DASD backups are not performed on a regularly scheduled basis.
CP-9 - Medium - CCI-000537 - V-106 - SV-106r2_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
AAMV0430
Vuln IDs
  • V-106
Rule IDs
  • SV-106r2_rule
If backups of the operating environment are not properly processed, implementation of a contingency plan would not include the data necessary to fully recover from any outage.
Information Assurance Officer
CODB-2, DCCS-1, DCCS-2
Checks: C-663r1_chk

a) Refer to Vulnerability Questions within the SRRAUDIT Dialog Management document.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0430)

b) If, based on the information provided, it can be determined that system DASD backups are performed on a regularly scheduled basis, there is NO FINDING.

c) If it cannot be determined that system DASD backups are performed on a regularly scheduled basis, this is a FINDING.

Fix: F-17031r1_fix

The IAO will ensure that procedures are in place to back up the operating system and all its subsystems on a regularly scheduled interval as required to recover the environment.

Review all documented processes for the backup of the operating environment. Ensure that these include a regularly scheduled backup of the entire operating system and its related subsystems, both at individual data set and full volume levels.

Inadequate backup scheduling is also an often overlooked integrity exposure. Back up system files on a regular schedule. Store the backups off site to prevent concurrent loss of the live production system and the backup files. Backup scheduling will vary depending on the requirements and capabilities of the individual data center. While the requirements of Data Owners may necessitate more frequent backups, a recommended schedule is as follows:
- Weekly and monthly full volume backup of volumes with low update activity, such as the operating system volumes
- Nightly backup of high update activity data sets and volumes, such as application system databases and user data volumes

PASSWORD data set and OS passwords are utilized.
CM-6 - Medium - CCI-000366 - V-107 - SV-107r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
AAMV0440
Vuln IDs
  • V-107
Rule IDs
  • SV-107r2_rule
All protection of system resources must come from the ACP. If multiple protection mechanisms are in place, the accessibility of data, specifically under contingency plan execution, is subject to compromise.
Systems Programmer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-660r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PASSWORD)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(AAMV0440)

b) If, based on the information provided, it can be determined that the system PASSWORD data set and OS passwords are not used, there is NO FINDING.

c) If it is evident that OS passwords are utilized, this is a FINDING.

Fix: F-17032r1_fix

System programmers will ensure that the old OS Password Protection is not used and any data protected by the old OS Password technology is removed and protection is replaced by the ACP. Review the contents of the PASSWORD data set. Ensure that any protections it provides are provided by the ACP and delete the PASSWORD data set. Access to data sets on z/OS systems can be protected using the OS password capability of MVS. This capability has been available in MVS for many years, and its use is commonly found in data centers. Since the advent of ACPs, the use of OS passwords for file protection has diminished, and is commonly considered archaic and of little use. The use of z/OS passwords is not supported by all the ACPs.

SYS1.PARMLIB is not limited to only system programmers.
AC-3 - High - CCI-000213 - V-108 - SV-108r2_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00010
Vuln IDs
  • V-108
Rule IDs
  • SV-108r2_rule
SYS1.PARMLIB contains the parameters which control system IPL, configuration characteristics, security facilities, and performance. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-676r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(PARMRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00010)

___ The ACP data set rules for SYS1.PARMLIB allow inappropriate (e.g., global READ) access.
___ The ACP data set rules for SYS1.PARMLIB do not restrict READ, UPDATE and ALTER access to only systems programming personnel.
___ The ACP data set rules for SYS1.PARMLIB do not restrict READ and UPDATE access to only domain level security administrators.
___ The ACP data set rules for SYS1.PARMLIB do not restrict READ access to only system Level Started Tasks, authorized Data Center personnel, and auditors.
___ The ACP data set rules for SYS1.PARMLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-25790r1_fix

The IAO will ensure that update and alter access to SYS1.PARMLIB is limited to system programmers only and all update and alter access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required. The IAO will implement controls to specify the valid users authorized to update the SYS1.PARMLIB concatenation. All update and alter access to libraries in the concatenation will be logged using the ACP's facilities.
1. That systems programming personnel will be authorized to update and alter the SYS1.PARMLIB concatenation.
2. That domain level security administrators can be authorized to update the SYS1.PARMLIB concatenation.
3. That System Level Started Tasks, authorized Data Center personnel, and auditors can be authorized read access by the IAO.
4. That all update and alter access is logged.
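As an added example (not part of the STIG text, and not DISA's or IBM's own code), the following REXX exec issues the RACF commands that implement the four conditions above for a discrete SYS1.PARMLIB profile: UACC(NONE) so nobody gets access by default, ALTER for systems programmers, UPDATE for domain-level security administrators, READ for started tasks, data center staff and auditors, and AUDIT(ALL(UPDATE)) so every success and failure at UPDATE or above is written to SMF. The group names SYSPROG, SECADM, STCGRP, DCOPS and AUDITGRP are assumed placeholders for the site's actual RACF groups.

```rexx
/* REXX - added example, not from the STIG. Protect SYS1.PARMLIB per   */
/* ACP00010. Group names below are placeholders for real site groups.  */
address TSO

/* Discrete profile: default access NONE; log all UPDATE-or-higher     */
/* attempts, successful and failed, so SMF records every change.       */
"ADDSD 'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(UPDATE)) OWNER(SYSPROG)"

/* Systems programmers: UPDATE and ALTER (ALTER includes UPDATE/READ)  */
"PERMIT 'SYS1.PARMLIB' ID(SYSPROG) ACCESS(ALTER)"

/* Domain-level security administrators: READ and UPDATE, not ALTER    */
"PERMIT 'SYS1.PARMLIB' ID(SECADM) ACCESS(UPDATE)"

/* System-level started tasks, data center staff, auditors: READ only  */
"PERMIT 'SYS1.PARMLIB' ID(STCGRP DCOPS AUDITGRP) ACCESS(READ)"

/* Verify: display the profile, its access list and its audit options */
"LISTDSD DATASET('SYS1.PARMLIB') ALL"
exit
```

If a profile for SYS1.PARMLIB already exists, replace the ADDSD with `ALTDSD 'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(UPDATE))` and keep the PERMITs. The same pattern applies to every other library in the PARMLIB concatenation; if a generic profile is used to cover them, a `SETROPTS GENERIC(DATASET) REFRESH` is needed after the changes.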

b
Access to SYS1.LINKLIB is not properly protected.
AC-3 - Medium - CCI-000213 - V-109 - SV-109r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00020
Vuln IDs
  • V-109
Rule IDs
  • SV-109r2_rule
This data set is automatically APF-authorized, contains system SVCs and the base PPT. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22924r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(LINKRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00020)

___ The ACP data set rules for SYS1.LINKLIB allow inappropriate access.
___ The ACP data set rules for SYS1.LINKLIB do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for SYS1.LINKLIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17034r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required. Under the ACPs, SYS1.LINKLIB is always indicated as a program control library because it is a member of the MVS link list. Access is limited to system programmers only and all update and allocate access is logged.

c
Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-110 - SV-110r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00030
Vuln IDs
  • V-110
Rule IDs
  • SV-110r3_rule
This data set is automatically APF-authorized, contains system SVCs, and may also contain I/O appendages. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22925r2_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SVCRPT)

Automated Analysis
Review the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00030)

___ Ensure that the ACP data set rules for SYS1.SVCLIB are limited to only appropriate authorized access.
___ Ensure that the ACP data set rules for SYS1.SVCLIB restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ Ensure that the ACP data set rules for SYS1.SVCLIB specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

Fix: F-17035r2_fix

The IAO must ensure that update and allocate access to SYS1.SVCLIB is limited to system programmers only and all update and allocate access is logged and reviewed. Periodic reviews of access authorization to critical system files must be performed. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes for SYS1.SVCLIB. SYS1.SVCLIB contains SVCs and I/O appendages; as such, they are very powerful and will be strictly controlled to avoid compromising system integrity.

c
Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-111 - SV-111r4_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00040
Vuln IDs
  • V-111
Rule IDs
  • SV-111r4_rule
SYS1.IMAGELIB is a partitioned data set containing universal character set (UCS), forms control buffer (FCB), and printer control information. Most IBM standard UCS images are included in SYS1.IMAGELIB during system installation. This data set should be protected as a z/OS system data set.
Information Assurance Officer
Checks: C-807r3_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(IMAGERPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00040)

If the following guidance is true, this is not a finding.
___ The ACP data set rules for SYS1.IMAGELIB allow inappropriate access.
___ The ACP data set rules for SYS1.IMAGELIB do not restrict UPDATE and/or ALTER access to only systems programming personnel.
___ The ACP data set rules for SYS1.IMAGELIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

Fix: F-17036r2_fix

The IAO must ensure that UPDATE and/or ALLOCATE access to SYS1.IMAGELIB is limited to system programmers only and all update and allocate access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect SYS1.IMAGELIB. SYS1.IMAGELIB is automatically APF-authorized. This data set contains modules, images, tables, and character sets which are essential to system print services.

c
Write or greater access to SYS1.LPALIB must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-112 - SV-112r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00050
Vuln IDs
  • V-112
Rule IDs
  • SV-112r3_rule
SYS1.LPALIB is automatically APF-authorized during IPL processing and can contain SVCs. LPA modules, once loaded into the Link Pack Area, are capable of performing APF-authorized functions. This authorization allows a program to bypass various levels of security checking. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22927r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(LPARPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00050)

___ The ACP data set rules for SYS1.LPALIB allow inappropriate access.
___ The ACP data set rules for SYS1.LPALIB do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for SYS1.LPALIB do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17037r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.LPALIB. The IAO will ensure that update and allocate access to SYS1.LPALIB is limited to system programmers only and all update and allocate access is logged.

c
Update and allocate access to all APF-authorized libraries are not limited to system programmers only.
AC-3 - High - CCI-000213 - V-113 - SV-113r2_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00060
Vuln IDs
  • V-113
Rule IDs
  • SV-113r2_rule
The Authorized Program List designates those libraries that can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22928r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(APFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00060)

___ The ACP data set rules for APF libraries allow inappropriate access.
___ The ACP data set rules for APF libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17038r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. The IAO will ensure that update and allocate access to all APF-authorized libraries are limited to system programmers only and all update and allocate access is logged.

c
Write or greater access to all LPA libraries must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-114 - SV-114r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00070
Vuln IDs
  • V-114
Rule IDs
  • SV-114r3_rule
LPA modules, once loaded into the Link Pack Area, are capable of performing APF-authorized functions. This authorization allows a program to bypass various levels of security checking. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22929r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(LPAXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00070)

___ The ACP data set rules for LPA libraries allow inappropriate access.
___ The ACP data set rules for LPA libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for LPA libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17039r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect LPA Libraries. The IAO will ensure that update and allocate access to all LPA libraries is limited to system programmers only and all update and allocate access is logged.

c
Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-115 - SV-115r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00080
Vuln IDs
  • V-115
Rule IDs
  • SV-115r3_rule
This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22930r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(NUCLRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00080)

___ The ACP data set rules for SYS1.NUCLEUS allow inappropriate access.
___ The ACP data set rules for SYS1.NUCLEUS do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for SYS1.NUCLEUS do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17040r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect SYS1.NUCLEUS. The IAO will ensure that update and allocate access to SYS1.NUCLEUS is limited to system programmers only and all update and allocate access is logged.

c
Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-116 - SV-116r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00100
Vuln IDs
  • V-116
Rule IDs
  • SV-116r3_rule
Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-22931r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(PPTXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00100)

___ The ACP data set rules for libraries that contain PPT modules allow inappropriate access.
___ The ACP data set rules for libraries that contain PPT modules do not restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel.
___ The ACP data set rules for libraries that contain PPT modules do not specify that all UPDATE and ALLOCATE access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17046r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect libraries containing modules listed in the Program Properties Table (PPT). The IAO will ensure that update and allocate access to libraries containing PPT modules is limited to system programmers only and all update and allocate access is logged.

b
Update and allocate access to LINKLIST libraries are not limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-117 - SV-117r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00110
Vuln IDs
  • V-117
Rule IDs
  • SV-117r2_rule
The primary function of the LINKLIST is to serve as a single repository for commonly used system modules. Failure to ensure that the proper set of libraries are designated for LINKLIST can impact system integrity, performance, and functionality. For this reason, controls must be employed to ensure that the correct set of LINKLIST libraries are used. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Checks: C-23114r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(LNKXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00110)

___ The ACP data set rules for LINKLIST libraries allow inappropriate access.
___ The ACP data set rules for LINKLIST libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for LINKLIST libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

Note: Any DoD AIS Loadlibs defined to LINKLIST within z/OS Domains will be listed after all system libraries and will be removed on the test for access to systems programmers in the SRRAUDT check.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17097r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the LINKLIST libraries. The IAO will ensure that update and allocate access to LINKLIST libraries is limited to system programmers only and all update and allocate access is logged.

c
The ACP security data sets and/or databases must be properly protected.
AC-3 - High - CCI-000213 - V-118 - SV-118r6_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00120
Vuln IDs
  • V-118
Rule IDs
  • SV-118r6_rule
The Access Control Program (ACP) database files contain all access control information for the operating system environment and system resources. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
Checks: C-827r4_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ACPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00120)

Verify that the accesses to the ACP security data sets and/or databases are properly restricted. If the following guidance is true, this is not a finding.
___ The ACP data set rules for ACP security data sets and/or databases restrict READ access to auditors and DASD batch.
___ The ACP data set rules for ACP security data sets and/or databases restrict READ and/or greater access to z/OS systems programming personnel, security personnel, and/or batch jobs that perform ACP maintenance.
___ All (i.e., failures and successes) data set access authorities (i.e. READ, UPDATE, ALTER, and CONTROL) for ACP security data sets and/or databases are logged.

Fix: F-18706r5_fix

Review access authorization to critical security database files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect the ACP Files. Ensure that READ and/or greater access to all ACP files and/or databases are limited to system programmers and/or security personnel, and/or batch jobs that perform ACP maintenance. READ access can be given to auditors and DASD batch. All accesses to ACP files and/or databases are logged.
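As an added example (not part of the STIG text, and not DISA's or IBM's own code), the following REXX exec adjusts the existing RACF profiles of the RACF primary and backup databases to the access pattern described above. The difference from an ordinary system library is the audit setting: AUDIT(ALL(READ)) records every successful and failed access at READ and above, which is what "all accesses ... are logged" requires. The data set names SYS1.RACFDB.PRIMARY and SYS1.RACFDB.BACKUP are placeholders for the names in the site's RACF data set name table, and the groups SYSPROG, SECADM, RACFMNT (batch maintenance jobs), AUDITGRP and DASDBAT are assumed placeholders; which level above READ each of the first three groups actually needs is a site decision, and UPDATE is used here only as an example.

```rexx
/* REXX - added example, not from the STIG. Protect the RACF database  */
/* per ACP00120. Data set and group names are placeholders.            */
address TSO

do i = 1 to 2
  /* The RACF database almost always has a profile already, so ALTDSD  */
  /* is used; use ADDSD with the same operands if it does not.         */
  if i = 1 then dsn = "'SYS1.RACFDB.PRIMARY'"
           else dsn = "'SYS1.RACFDB.BACKUP'"

  /* Default access NONE; log every access, success or failure, from   */
  /* READ upward (ALL(READ) covers READ, UPDATE, CONTROL and ALTER).   */
  "ALTDSD" dsn "UACC(NONE) AUDIT(ALL(READ)) OWNER(SECADM)"

  /* READ and/or greater: systems programmers, security staff, and     */
  /* batch jobs that perform ACP maintenance (UPDATE assumed here).    */
  "PERMIT" dsn "ID(SYSPROG SECADM RACFMNT) ACCESS(UPDATE)"

  /* READ only: auditors and DASD batch (e.g., backup jobs).           */
  "PERMIT" dsn "ID(AUDITGRP DASDBAT) ACCESS(READ)"

  /* Verify the access list and the audit options took effect.        */
  "LISTDSD DATASET("dsn") ALL"
end
exit
```

After the change, review the LISTDSD output for any ID other than the named groups, and confirm from SMF type 80 records that READ accesses by the DASD batch ID are in fact being logged; a profile that restricts access but does not audit READ still fails the third check above.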

c
Access greater than Read to the System Master Catalog must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-119 - SV-119r4_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00130
Vuln IDs
  • V-119
Rule IDs
  • SV-119r4_rule
System catalogs are the basis for locating all files on the system. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
Checks: C-828r2_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(CATMRPT) - Master Catalog

Automated Analysis:
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00130)

If data set rules for System catalogs allow inappropriate access, this is a finding.
If data set rules for the Master Catalog do not restrict greater than “READ” access to only z/OS systems programming personnel, this is a finding.
Access greater than “READ” for the Master catalog is allowed to a batch job ID in the following specific case: The batch job must reside in a data set that is restricted to systems programmers only.
If dataset rules for the Master Catalog do not specify that all (i.e., failures and successes) greater than “READ” access will be logged, this is a finding.

Fix: F-17105r2_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect the MASTER CATALOG. Configure the ESM rules for system catalog to only allow access above “READ” to systems programmers and those authorized by the ISSM/ISSO. Configure ESM rules for the master catalog to allow access above “READ” to systems programmers ONLY. Configure ESM rules for the master catalog to allow any batch ID access above “READ” only in this specific case: The batch job that requires above “READ” access must reside in a data set that has restricted “ALTER” or equivalent access to systems programmers ONLY. All greater than read access must be logged.

b
Update and allocate access to all system-level product installation libraries are not limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-120 - SV-120r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00140
Vuln IDs
  • V-120
Rule IDs
  • SV-120r2_rule
System-level product installation libraries constitute the majority of the systems software libraries. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1
Checks: C-830r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SMPERPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00140)

Have the systems programmer for z/OS supply the following information:
- The data set name and associated SREL for each SMP/E CSI utilized to maintain this system.
- The data set name of all SMP/E TLIBs and DLIBs used for installation and production support. A comprehensive list of the SMP/E DDDEFs for all CSIs may be used if valid.

___ The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) allow inappropriate access.
___ The ACP data set rules for system-level product installation libraries (e.g., SMP/E CSIs) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.

Fix: F-17107r1_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect System-level product installation libraries. The IAO will ensure that update and allocate access to all system-level product execution libraries are limited to system programmers only.

b
Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-121 - SV-121r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00150
Vuln IDs
  • V-121
Rule IDs
  • SV-121r2_rule
The JES2 System data sets are a common repository for all jobs submitted to the system and the associated printout and configuration of the JES2 environment. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1
Checks: C-832r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(JES2RPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00150)

___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access.
___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

b) If both of the above are untrue, there is NO FINDING.

c) If either of the above is true, this is a FINDING.

Fix: F-19062r1_fix

Limit read and write access to the JES2 started task. Limit allocate/alter access to the systems programming staff. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System datasets (spool, checkpoint, and parmlib datasets). The IAO will ensure that update and allocate access to JES2 System datasets (spool, checkpoint, and parmlib datasets) are limited to system programmers only, for example all SYS1.HASP* data sets.

c
Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
AC-3 - High - CCI-000213 - V-122 - SV-122r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00170
Vuln IDs
  • V-122
Rule IDs
  • SV-122r3_rule
SYS1.UADS is the data set where emergency USERIDs are maintained. This ensures that logon processing can occur even if the ACP is not functional. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3, ECCD-1, ECCD-2
Checks: C-833r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(UADSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00170)

___ The ACP data set rules for SYS1.UADS allow inappropriate access.
___ The ACP data set rules for SYS1.UADS do not restrict ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for SYS1.UADS do not restrict READ and/or UPDATE access to z/OS systems programming personnel and/or security personnel.
___ The ACP data set rules for SYS1.UADS do not specify that all (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, ALTER, and CONTROL) will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17123r1_fix

SYS1.UADS allocate/alter authority is limited to the systems programming staff. Read and update access should be limited to the security staff. Evaluate the impact of correcting any deficiency. Develop a plan of action and implement the changes as required to protect SYS1.UADS. The IAO will ensure that allocate access to SYS1.UADS is limited to system programmers only, read and update access to SYS1.UADS is limited to system programmer personnel and/or security personnel and all dataset access is logged.

b
Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.
AU-9 - Medium - CCI-000162 - V-123 - SV-123r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ACP00180
Vuln IDs
  • V-123
Rule IDs
  • SV-123r2_rule
SMF data collection is the system activity journaling facility of the z/OS system. With the proper parameter designations it serves as the basis to ensure individual user accountability. SMF data is the primary source for cost charge back in DISA. Unauthorized access could result in the compromise of logging and recording of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3, ECCD-1, ECCD-2
Checks: C-836r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SMFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00180)

___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) allow inappropriate access.
___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict ALTER access to only z/OS systems programming personnel.
___ The ACP data set rules for the SMF data collection files (e.g., SYS1.MAN*) do not restrict UPDATE access to z/OS systems programming personnel, and/or batch jobs that perform SMF dump processing.
___ The ACP data set rules for SMF data collection files (e.g., SYS1.MAN*) do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.

Fix: F-17192r1_fix

Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect modification or deletion of SMF collection files. The IAO will ensure that allocate/alter authority to SMF collection files is limited to only systems programming staff and/or batch jobs that perform SMF dump processing and ensure the accesses are being logged.

b
Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.
AU-9 - Medium - CCI-000162 - V-124 - SV-124r2_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ACP00190
Vuln IDs
  • V-124
Rule IDs
  • SV-124r2_rule
SMF backup data sets are those data sets to which SMF data has been offloaded in order to ensure a historical tracking of individual user accountability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3, ECCD-1, ECCD-2
Checks: C-24487r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SMFBKRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00190)

Have the systems programmer supply the procedures and collection specifics for SMF datasets and backup.

___ The ACP data set rules for the SMF dump/backup files allow inappropriate access.
___ The ACP data set rules for the SMF dump/backup files do not restrict UPDATE and/or ALTER access to authorized DISA and site personnel (e.g., systems programmers and batch jobs that perform SMF processing).
___ The ACP data set rules for SMF dump/backup files do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.

Fix: F-17196r1_fix

The IAO will ensure that update and allocate access to datasets used to backup and/or dump SMF collection files is limited to system programmers and/or batch jobs that perform SMF dump processing and all dataset access is logged. Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect datasets used to backup and/or dump SMF Collection Files.

In z/OS systems, SMF data is the ultimate record of system activity. Therefore, SMF data is of the most sensitive and critical nature. While the length of time for which SMF data will be retained is not specifically regulated, it is imperative that the information is available for the longest possible time period in case of subsequent investigations. The statute of limitations varies according to the nature of a crime. It may vary by jurisdiction, and some crimes are not subject to a statute of limitations. Apply the following guidelines to the retention of SMF data for all DOD systems:
(a) Retain at least two (2) copies of the SMF data.
(b) Maintain SMF data for a minimum of one year.
(c) All update and alter access authority to SMF history files will be logged using the ACP’s facilities. Only systems programming personnel and batch jobs that perform SMF functions will be authorized to update the SMF files.

b
Access to SYSTEM DUMP data sets are not limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-125 - SV-125r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00200
Vuln IDs
  • V-125
Rule IDs
  • SV-125r2_rule
System DUMP data sets are used to record system data areas and virtual storage associated with system task failures. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-17994r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(DUMPRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00200)
___ The ACP data set rules for System Dump data sets allow inappropriate access.
___ The ACP data set rules for System Dump data sets do not restrict READ, UPDATE and/or ALTER access to only systems programming personnel.
___ The ACP data set rules for all System Dump data sets do not restrict READ access to personnel having justification to review these dump data sets for debugging purposes.
b) If all of the above are untrue, there is NO FINDING.
c) If any of the above is true, this is a FINDING.
The dump data sets displayed by the DD command along with the dump datasets specified in the DUMPSRV routine are to be restricted to system programmers unless a letter justifying access is filed with the IAO.

Fix: F-17241r1_fix

The IAO will ensure that access to SYSTEM DUMP data set(s) is limited to system programmers only, unless a letter justifying access is filed with the IAO. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to restrict access to these data sets.

b
Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.
AC-3 - Medium - CCI-000213 - V-126 - SV-126r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00210
Vuln IDs
  • V-126
Rule IDs
  • SV-126r2_rule
System backup data sets are necessary for recovery of DASD resident data sets. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
CODB-1, DCCS-1, DCCS-2, ECCD-1
Checks: C-5027r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(BKUPRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00210)
Collect from the storage management group the identification of the DASD backup files and all associated storage management userids/LIDs/ACIDs.
___ The ACP data set rules for system DASD backup files allow inappropriate access.
___ The ACP data set rules for system DASD backup files do not restrict UPDATE and ALLOCATE access to z/OS systems programming and/or batch jobs that perform DASD backups.
b) If both of the above are untrue, there is NO FINDING.
c) If either of the above is true, or if these data sets cannot be identified due to a lack of requested information, this is a FINDING.

Fix: F-17416r1_fix

Obtain the high level indexes to backup datasets names and verify that their access is restricted by the System's ACP to System Programmers and batch jobs that perform the backups. If any other userids are specified, make sure that the IAO has documented justification for the access.

b
Access to SYS(x).TRACE is not limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-127 - SV-127r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00220
Vuln IDs
  • V-127
Rule IDs
  • SV-127r2_rule
SYS1.TRACE is used to trace and debug system problems. Unauthorized access could result in a compromise of the integrity and availability of all system data and processes.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-5028r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(TRACERPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00220)
___ The ACP data set rule for SYS1.TRACE allows inappropriate access.
___ The ACP data set rule for SYS1.TRACE does not restrict access to systems programming personnel and started tasks that perform GTF processing.
b) If both of the above are untrue, there is NO FINDING.
c) If either of the above is true, this is a FINDING.

Fix: F-17417r1_fix

The IAO will ensure that access to SYS1.TRACE is limited to system programmers only.

b
Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.
AC-3 - Medium - CCI-000213 - V-128 - SV-128r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00230
Vuln IDs
  • V-128
Rule IDs
  • SV-128r2_rule
Page data sets hold individual pages of virtual storage when they are paged out of real storage. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-22933r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(PGXXRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00230)
___ The ACP data set rules for system page data sets (PLPA, COMMON, and LOCAL) allow inappropriate access.
___ The ACP data set rules for system page data sets (PLPA, COMMON, and LOCAL) do not restrict access to only systems programming personnel.
b) If both of the above are untrue, there is NO FINDING.
c) If either of the above is true, this is a FINDING.

Fix: F-17419r1_fix

Verify that the ACP data set rules for system page data sets (PLPA, COMMON, and LOCAL) restrict access to only systems programming personnel.

c
Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-129 - SV-129r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00240
Vuln IDs
  • V-129
Rule IDs
  • SV-129r3_rule
System exits have a wide range of uses and capabilities within any system. Exits may introduce security exposures within the system, modify audit trails, and alter individual user capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1
Checks: C-5030r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(MVSXRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00240)
___ The ACP data set rules for libraries that contain exit modules allow inappropriate access.
___ The ACP data set rules for libraries that contain system exit modules do not restrict UPDATE and ALLOCATE access to only z/OS systems programming personnel.
___ The ACP data set rules for libraries that contain exit modules do not specify that all UPDATE and ALLOCATE access will be logged.
b) If all of the above are untrue, there is NO FINDING.
c) If any of the above is true, this is a FINDING.

Fix: F-17496r1_fix

Using the ACP, protect the data sets associated with all product exits installed in the z/OS environment. This reduces the potential of a hacker adding a routine to a library and possibly creating an exposure. See that all exits are tracked using a CMP. Develop usermods to include the source/object code used to support the exits. Have Systems programming personnel review all z/OS and other product exits to confirm that the exits are required and are correctly installed. Have the IAO validate that all update and alter access to libraries containing z/OS and other system level exits will be logged using the ACP’s facilities. Only systems programming personnel will be authorized to update the libraries containing z/OS and other system level exits.

b
Memory and privileged program dumps must be protected in accordance with proper security requirements.
AC-3 - Medium - CCI-000213 - V-182 - SV-31711r5_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00260
Vuln IDs
  • V-182
Rule IDs
  • SV-31711r5_rule
Access to memory and privileged program dumps running Trusted Control Block (TCB) key 0-7 may hold passwords, encryption keys, or other sensitive data that must not be made available. Failure to properly control access to these facilities could result in unauthorized personnel modifying sensitive z/OS lists. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-32023r6_chk

From a command input screen enter:
RLIST FACILITY (IEAABD. IEAABD.DMPAUTH IEAABD.DMPAKEY) ALL
Alternately, this can be viewed by following these steps:
Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ACP00260)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00260)
Ensure that the Memory and privileged program dumps resources are properly protected as stated below. If all of the following guidance is true, this is not a finding.
___ Ensure that the IEAABD. resource and/or generic equivalent is defined and all access is logged. Access will not be given to any user.
___ Ensure that IEAABD.DMPAUTH. resource and/or generic equivalent is defined and READ access is limited to authorized users.
___ Ensure that IEAABD.DMPAUTH. resource and/or generic equivalent UPDATE or greater access is restricted to only systems personnel and all access is logged.
___ Ensure that IEAABD.DMPAKEY resources and/or generic equivalent is defined and all access is restricted to systems personnel and that all access is logged.
___ Ensure that resource rules for the above resources and/or generic equivalent specify UACC(NONE) and NOWARNING.

Fix: F-18600r10_fix

Memory and privileged program dump resources are provided via resources in the FACILITY resource class. Ensure that the following are properly specified in the ACP.

(Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resources and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)

Below is listed the access requirements for memory and privileged program dump resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent are followed. When protecting the facilities for dumps lists via the FACILITY resource class, ensure that the following items are in effect:
IEAABD.
IEAABD.DMPAUTH.
IEAABD.DMPAKEY.

The RACF resource rules for the resources specify UACC(NONE) and NOWARNING.

Ensure that no access is given to IEAABD. resource. Example:
RDEF FACILITY IEAABD.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ))

IEAABD.DMPAUTH. READ access is limited to authorized users that have a valid job duties requirement for access. UPDATE access will be restricted to system programming personnel and access will be logged. Example:
RDEF FACILITY IEAABD.DMPAUTH.** UACC(NONE) OWNER(owner group) AUDIT(ALL(UPDATE))
PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(authusers) ACCESS(READ)
PERMIT IEAABD.DMPAUTH.** CLASS(FACILITY) ID(syspaudt) ACCESS(UPDATE)

IEAABD.DMPAKEY. access will be restricted to system programming personnel and access will be logged. Example:
RDEF FACILITY IEAABD.DMPAKEY.** UACC(NONE) OWNER(owner group) AUDIT(ALL(READ))
PERMIT IEAABD.DMPAKEY.** CLASS(FACILITY) ID(syspaudt) ACCESS(READ)

c
LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
IA-2 - High - CCI-000764 - V-184 - SV-184r3_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
ZTSO0020
Vuln IDs
  • V-184
Rule IDs
  • SV-184r3_rule
SYS1.UADS is a dataset where LOGONIDs will be maintained with applicable password information when the ACP is not functional. If an unauthorized user has access to SYS1.UADS, they could enter their LOGONID and password into the SYS1.UADS dataset and could give themselves all special attributes on the system. This could enable the user to bypass all security and alter data. They could modify the audit trail information so no trace of their activity could be found.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20973r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(TSOUADS)
Please provide a list of all emergency userids available to the site along with the associated function of each.
b) If SYS1.UADS userids are limited and reserved for emergency purposes only, there is NO FINDING.
c) If any SYS1.UADS userids are assigned for other than emergency purposes, this is a FINDING.

Fix: F-18939r1_fix

The system programmer and IAO will examine the SYS1.UADS entries to ensure LOGONIDs defined include only those users required to support specific functions related to system recovery. Evaluate the impact of accomplishing the change.

c
All system PROCLIB data sets must be limited to system programmers only.
AC-3 - High - CCI-000213 - V-234 - SV-234r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00250
Vuln IDs
  • V-234
Rule IDs
  • SV-234r3_rule
Unauthorized access to PROCLIB data sets referenced in the JES2 procedure can allow unauthorized modifications to STCs and other system level procedures. This could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-5459r2_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(PROCRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00250)
Refer to the following for the PROCLIB data sets that contain the STCs and TSO logons from the following sources:
- MSTJCLxx member used during an IPL. The PROCLIB data sets are obtained from the IEFPDSI and IEFJOBS DD statements.
- PROCxx DD statements and JES2 Dynamic PROCLIBs. Where ‘xx’ is the PROCLIB entries for the STC and TSU JOBCLASS configuration definitions.
Verify that the accesses to the above PROCLIB data sets are properly restricted. If the following guidance is true, this is not a finding.
___ The ACP data set access authorizations restrict READ access to all authorized users.
___ The ACP data set access authorizations restrict WRITE and/or greater access to systems programming personnel.

Fix: F-18125r2_fix

The IAO will ensure that all WRITE and/or greater access to all PROCLIBs referenced in the Master JCL and JES2 or JES3 procedure for started tasks (STCs) and TSO logons are restricted to systems programming personnel only.

Suggestion on how to update the system to be compliant with this vulnerability:
NOTE: All examples are only examples and may not reflect your operating environment.
Obtain only the PROCLIB data sets that contain STC and TSO procedures. The data sets to be reviewed are obtained using the following steps:
- All data sets contained in the MSTJCLxx member in the DD statement concatenation for IEFPDSI and IEFJOBS.
- The data sets in the PROCxx DD statement concatenation that are within the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions. The specific PROCxx DD statement that is used is obtained from the PROCLIB entry for the JOBCLASSes of STC and TSU.

The following is what data sets the process will obtain for analysis:

MSTJCL00
//MSTJCL00 JOB MSGLEVEL=(1,1),TIME=1440
//         EXEC PGM=IEEMB860,DPRTY=(15,15)
//STCINRDR DD SYSOUT=(A,INTRDR)
//TSOINRDR DD SYSOUT=(A,INTRDR)
//IEFPDSI  DD DSN=SYS3.PROCLIB,DISP=SHR      <<===
//         DD DSN=SYS2.PROCLIB,DISP=SHR      <<===
//         DD DSN=SYS1.PROCLIB,DISP=SHR      <<===
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR

JES2
//JES2     PROC
//IEFPROC  EXEC PGM=HASJES20,PARM=NOREQ,
//         DPRTY=(15,15),TIME=1440,PERFORM=9
//ALTPARM  DD DISP=SHR,
//         DSN=SYS1.PARMLIB(JES2BKUP)
//HASPPARM DD DISP=SHR,
//         DSN=SYS1.PARMLIB(JES2PARM)
//PROC00   DD DSN=SYS3.PROCLIB,DISP=SHR      <<===
//         DD DSN=SYS2.PROCLIB,DISP=SHR      <<===
//         DD DSN=SYS1.PROCLIB,DISP=SHR      <<===
//PROC01   DD DSN=SYS4.USERPROC,DISP=SHR
//         DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
//IEFRDER  DD SYSOUT=*
//HASPLIST DD DDNAME=IEFRDER

JES2 initialization parameter JOBCLASS PROCLIB entries
JOBCLASS(*)   ACCT=NO,        /* ACCT # NOT REQUIRED (DEF.)*/
…
              PROCLIB=01,     /* DEFAULT TO //PROC01 DD (DEF.)*/
…
JOBCLASS(STC) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
…
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
…
JOBCLASS(TSU) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
…
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
…

PROCLIB data sets that will be used in the access authorization process:
SYS3.PROCLIB
SYS2.PROCLIB
SYS1.PROCLIB

The following PROCLIB data set will NOT be used or evaluated:
SYS4.USERPROC

Recommendation for sites:
The following are recommendations for the sites to ensure only PROCLIB data sets that contain the STC and TSO procedures are protected.
- Remove all application PROCLIB data sets from MSTJCLxx and JES2 procedures. The customer will have all JCL changed to use the JCLLIB JCL statement to refer to the application PROCLIB data sets. Example:
//USERPROC JCLLIB ORDER=(SYS4.USERPROC)
- Remove all access to the application PROCLIB data sets and only authorize system programming personnel WRITE and/or greater access to these data sets.
- Document the application PROCLIB data set access for the customers that require WRITE and/or greater access. Use this documentation as justification for the inappropriate access created by the scripts.
- Change MSTJCLxx and the JES2 procedure to identify STC and TSO PROCLIB data sets separate from application PROCLIB data sets. The following is a list of actions that can be performed to accomplish this recommendation:
a. Ensure that MSTJCLxx contains only PROCLIB data sets that contain STC and TSO procedures.
b. If an application PROCLIB data set is required for JES2, ensure that the JES2 procedure specifies more than one PROCxx DD statement concatenation or identifies it in the JES2 dynamic PROCLIB definitions. Identify one PROCxx DD statement data set concatenation that contains the STC and TSO PROCLIB data sets. Identify one or more additional PROCxx DD statements that can contain any other PROCLIB data sets. The concatenation of the additional PROCxx DD statements can contain the same data sets that are identified in the PROCxx DD statement for STC and TSO.
The following is an example of the JES2 procedure:
//JES2     PROC
//IEFPROC  EXEC PGM=HASJES20,PARM=NOREQ,
//         DPRTY=(15,15),TIME=1440,PERFORM=9
//ALTPARM  DD DISP=SHR,
//         DSN=SYS1.PARMLIB(JES2BKUP)
//HASPPARM DD DISP=SHR,
//         DSN=SYS1.PARMLIB(JES2PARM)
//PROC00   DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
//PROC01   DD DSN=SYS4.USERPROC,DISP=SHR
//         DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
//IEFRDER  DD SYSOUT=*
//HASPLIST DD DDNAME=IEFRDER
c. Ensure that the JES2 configuration file is changed to specify that the PROCLIB entry for the STC and TSU JOBCLASSes points to the proper PROCxx entry within the JES2 procedure or JES2 dynamic PROCLIB definitions that contain the STC and/or TSO procedures. All other JOBCLASSes can specify a PROCLIB entry that uses the same PROCxx or any other PROCxx DD statement identified in the JES2 procedure or identified in the JES2 dynamic PROCLIB definitions.
The following is an example of the JES2 initialization parameters:
JOBCLASS(*)   ACCT=NO,        /* ACCT # NOT REQUIRED (DEF.)*/
…
              PROCLIB=01,     /* DEFAULT TO //PROC01 DD (DEF.)*/
…
JOBCLASS(STC) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
…
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
…
JOBCLASS(TSU) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
…
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
…
d. Ensure that only system programming personnel are authorized WRITE and/or greater access to PROCLIB data sets that contain STC and TSO procedures.
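The selection procedure above (IEFPDSI/IEFJOBS concatenations from MSTJCLxx, plus the JES2 PROCxx DD that the STC and TSU JOBCLASS PROCLIB= entries name) can be reproduced from the member text itself. The following Python is an added example, not code from the STIG or from IBM; the MSTJCL00, JES2 and JOBCLASS samples are constructed from the STIG's own illustration above, and the rule that a JOBCLASS without its own PROCLIB= inherits the JOBCLASS(*) value is an assumption.

```python
# Added example (not the STIG's own code): derive the PROCLIB data sets ACP00250
# evaluates from MSTJCLxx (IEFPDSI/IEFJOBS) and from the JES2 PROCxx DD selected
# by the JOBCLASS(STC)/JOBCLASS(TSU) PROCLIB= entries.
import re

# Constructed samples, taken from the STIG's MSTJCL00, JES2 and JOBCLASS examples.
MSTJCL00 = """\
//MSTJCL00 JOB MSGLEVEL=(1,1),TIME=1440
//         EXEC PGM=IEEMB860,DPRTY=(15,15)
//IEFPDSI  DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
//SYSUADS  DD DSN=SYS1.UADS,DISP=SHR
"""
JES2_PROC = """\
//JES2     PROC
//IEFPROC  EXEC PGM=HASJES20,PARM=NOREQ,
//         DPRTY=(15,15),TIME=1440,PERFORM=9
//ALTPARM  DD DISP=SHR,
//         DSN=SYS1.PARMLIB(JES2BKUP)
//PROC00   DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
//PROC01   DD DSN=SYS4.USERPROC,DISP=SHR
//         DD DSN=SYS3.PROCLIB,DISP=SHR
//         DD DSN=SYS2.PROCLIB,DISP=SHR
//         DD DSN=SYS1.PROCLIB,DISP=SHR
"""
JES2_PARMS = """\
JOBCLASS(*)   ACCT=NO,        /* ACCT # NOT REQUIRED (DEF.)*/
              PROCLIB=01,     /* DEFAULT TO //PROC01 DD (DEF.)*/
JOBCLASS(STC) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
JOBCLASS(TSU) AUTH=ALL,       /* ALLOW ALL COMMANDS (DEF.)*/
              PROCLIB=00,     /* USE //PROC00 DD (DEF.)*/
"""

# An unnamed "//" line whose operation field is not a JCL operation is a
# parameter continuation of the statement above it.
JCL_OPERATIONS = {"JOB", "EXEC", "DD", "PROC", "PEND", "OUTPUT", "JCLLIB",
                  "INCLUDE", "SET", "IF", "ELSE", "ENDIF", "CNTL", "ENDCNTL"}
DSN_RE = re.compile(r"\bDSN=([A-Z0-9@#$.]+(?:\([A-Z0-9@#$]+\))?)")
JOBCLASS_RE = re.compile(r"^JOBCLASS\(([^)]+)\)")
PROCLIB_RE = re.compile(r"\bPROCLIB=(\w+)")


def dd_concatenations(jcl):
    """Map each DDNAME to the ordered list of DSNs in its concatenation."""
    concat, current = {}, None
    for raw in jcl.splitlines():
        if not raw.startswith("//") or raw.startswith("//*"):
            continue                              # not a JCL statement
        body = raw[2:]
        if body[:1] == " ":                       # no name field
            name, rest = None, body.strip()
        else:
            name, _, rest = body.partition(" ")
        op, _, params = rest.strip().partition(" ")
        if op == "DD":
            if name:                              # named DD starts a concatenation
                current = name
                concat.setdefault(current, [])
        elif name or op in JCL_OPERATIONS:        # JOB/EXEC/PROC...: not a DD
            current = None
            continue
        else:
            params = rest                         # continuation of the statement above
        if current is not None:
            concat[current].extend(DSN_RE.findall(params))
    return concat


def jobclass_proclibs(parms):
    """Map each JOBCLASS name to the PROCxx DDNAME its PROCLIB=nn selects."""
    result, current = {}, None
    for line in parms.splitlines():
        line = re.sub(r"/\*.*?\*/", "", line)     # drop JES2 comments
        m = JOBCLASS_RE.match(line)
        if m:
            current = m.group(1)
        m = PROCLIB_RE.search(line)
        if m and current is not None:
            result[current] = "PROC" + m.group(1)
    return result


def proclibs_to_evaluate(mstjcl, jes2_proc, jes2_parms):
    """Return (evaluated, skipped): PROCLIBs ACP00250 checks, and PROCLIBs the
    JES2 PROCxx DDs reference that the check does not cover."""
    mst, jes = dd_concatenations(mstjcl), dd_concatenations(jes2_proc)
    classes = jobclass_proclibs(jes2_parms)
    evaluated = list(dict.fromkeys(mst.get("IEFPDSI", []) + mst.get("IEFJOBS", [])))
    for jobclass in ("STC", "TSU"):
        # Assumption: a class with no PROCLIB= of its own inherits JOBCLASS(*).
        for dsn in jes.get(classes.get(jobclass, classes.get("*")), []):
            if dsn not in evaluated:
                evaluated.append(dsn)
    referenced = {d for dd, dsns in jes.items() if dd.startswith("PROC") for d in dsns}
    return evaluated, sorted(referenced - set(evaluated))
```

For the STIG's sample this yields SYS3.PROCLIB, SYS2.PROCLIB and SYS1.PROCLIB as the data sets to evaluate and SYS4.USERPROC as the one left out, matching the text above.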

b
Sensitive CICS transactions are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-251 - SV-7528r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCIC0020
Vuln IDs
  • V-251
Rule IDs
  • SV-7528r2_rule
Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.
Information Assurance Officer
Checks: C-20545r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(TCICSTRN)
- SENSITVE.RPT(GCICSTRN)
NOTE: If a CICS region is using a site-defined transaction resource class pair, execute a RACF RLIST command against these resource classes.
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the following items are in effect for all CICS regions:
1) Transactions listed in tables CICS CATEGORY 2 CICS AND OTHER PRODUCT TRANSACTIONS and CICS CATEGORY 4 COTS-SUPPLIED SENSITIVE TRANSACTIONS, in the z/OS STIG Addendum, are restricted to authorized personnel.
Note: The exception to this is the CEOT and CSGM transactions, which can be made available to all users.
Note: The exception to this is the CWBA transaction, which can be made available to the CICS Default user.
Note: The transactions beginning with "CK" apply to regions running WebSphere MQ.
Note: Category 1 transactions are internally restricted to CICS region userids.
c) If the items mentioned in (b) are true for all CICS transaction resource classes, there is NO FINDING.
d) If any item mentioned in (b) is untrue for a CICS transaction resource class, this is a FINDING.

Fix: F-18485r1_fix

Develop a plan to implement the required changes.
1. Most transactions are protected in groups. An example would be "L2TRANS" which would contain all Category 2 transactions. L2TRANS is defined to RACF as a profile and contains all the Category 2 transactions. An example of how to implement this within RACF is shown here:
RDEF GCICSTRN L2TRANS UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))
RALT GCICSTRN L2TRANS ADDMEM(CADP CBAM CDBC)
Permission to the transaction group can be accomplished with a sample command:
PE L2TRANS CL(GCICSTRN) id(<syspaudt>)
Note that a refresh is generally needed to the member class. In this case TCICSTRN is the member class for GCICSTRN and a sample refresh command is:
SETR RACL(TCICSTRN) REFRESH
2. Transaction groups should be defined and permitted in accordance with the CICS Transaction tables listed in the z/OS STIG Addendum.

b
The Automatic Data Set Protection (ADSP) SETROPTS value is not set to NOADSP.
CM-6 - Medium - CCI-000366 - V-254 - SV-254r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0250
Vuln IDs
  • V-254
Rule IDs
  • SV-254r2_rule
(RACF0250: CAT II) ADSP indicates that RACF automatically creates discrete data set profiles to protect datasets created by users having this attribute. ADSP specifies that data sets created by users who have the ADSP attribute will be RACF protected automatically. NOADSP cancels automatic RACF protection for users who have ADSP. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17691r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0250)
b) If the ADSP value is NOT IN EFFECT, there is NO FINDING.
Note: NOADSP is the required setting. In the SETROPTS LIST output this will display as AUTOMATIC DATASET PROTECTION IS NOT IN EFFECT.
c) If the ADSP value is IN EFFECT, this is a FINDING.

Fix: F-16780r1_fix

The IAO will ensure that the ADSP SETROPTS value is set to NOADSP. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
NOADSP is set with the command SETR NOADSP.

b
The AUDIT SETROPTS value is improperly set.
AU-3 - Medium - CCI-001845 - V-255 - SV-255r2_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001845
Version
RACF0260
Vuln IDs
  • V-255
Rule IDs
  • SV-255r2_rule
(RACF0260: CAT II) AUDIT specifies the names of the classes for which you want RACF to perform auditing. For the classes that you specify, RACF logs all uses of the RACDEF SVC and all changes made to profiles by RACF commands. NOAUDIT cancels auditing. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17692r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0260)
b) If all ACTIVE classes are also listed under the AUDIT classes, there is NO FINDING.
Note: All Classes must be enabled for AUDITing.
c) If there are ACTIVE classes that are not specified in the AUDIT classes, this is a FINDING.

Fix: F-16781r1_fix

The IAO will ensure that the AUDIT SETROPTS value is set to AUDIT(*), indicating that RACF sets all classes to do auditing of uses of the RACDEF SVC and all changes made to profiles by RACF commands. Evaluate the impact associated with implementation of the control option. Develop a plan of action and proceed with the change.
Issue the command SETR AUDIT(*) to activate auditing for all RACF Classes.

b
The CLASSACT SETROPTS must be specified for the TEMPDSN Class.
AC-3 - Medium - CCI-000213 - V-256 - SV-256r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0270
Vuln IDs
  • V-256
Rule IDs
  • SV-256r3_rule
CLASSACT specifies those classes defined by entries in the class descriptor table for which RACF checking is to be ACTIVE. DATASET, USER, and GROUP are active by default and cannot be activated or deactivated. The system-wide options control the default settings for determining how the Access Control Program (ACP) will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-329r3_chk

Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0270)
If the TEMPDSN resource class is ACTIVE, this is not a finding.
Note: At minimum, the TEMPDSN class should be ACTIVE.

Fix: F-3265r2_fix

The IAO will ensure that SETROPTS CLASSACT has been specified, at minimum, for the TEMPDSN resource class. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. IBM recommends activating the classes important to your installation. At minimum the command:
SETR CLASSACT(TEMPDSN)
It is not recommended to perform a SETR CLASSACT(*).

b
The CMDVIOL SETROPTS value is not set to CMDVIOL.
SI-7 - Medium - CCI-002723 - V-257 - SV-257r2_rule
RMF Control
SI-7
Severity
Medium
CCI
CCI-002723
Version
RACF0280
Vuln IDs
  • V-257
Rule IDs
  • SV-257r2_rule
(RACF0280: CAT II) The CMDVIOL specifies whether RACF is to log violations detected by RACF commands. You must have the auditor attribute to specify these commands. A violation may occur because a user is not authorized to modify a particular profile, or is not authorized to enter a particular operand on a command. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17746r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0280)
b) If the CMDVIOL value is listed as one of the ATTRIBUTES, there is NO FINDING.
c) If the CMDVIOL value is not listed as one of the ATTRIBUTES, this is a FINDING.

Fix: F-16876r1_fix

The IAO will ensure that the CMDVIOL SETROPTS value is active and set to log RACF command violations. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF Command SETR LIST will show the status of RACF Controls including a list of ATTRIBUTES.
(1) Command Violation Logging is activated with the command SETR CMDVIOL.

b
The EGN SETROPTS value specified is not set to EGN.
CM-4 - Medium - CCI-000336 - V-258 - SV-258r2_rule
RMF Control
CM-4
Severity
Medium
CCI
CCI-000336
Version
RACF0290
Vuln IDs
  • V-258
Rule IDs
  • SV-258r2_rule
(RACF0290: CAT II) EGN changes the meaning of the single generic character *. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17753r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0290)
b) If the EGN (ENHANCED GENERIC NAMING) IS IN EFFECT, there is NO FINDING.
c) If the EGN (ENHANCED GENERIC NAMING) IS NOT IN EFFECT, this is a FINDING.

Fix: F-16878r1_fix

The IAO will ensure that the EGN SETROPTS option is set to EGN. This allows the generic characters ** when defining data set profiles. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the status of enhanced generic naming. (1) Enhanced generic naming is activated with the command SETR EGN.

b
The ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
SC-4 - Medium - CCI-001090 - V-259 - SV-259r4_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
RACF0300
Vuln IDs
  • V-259
Rule IDs
  • SV-259r4_rule
ERASE(ALL) specifies that data management is to erase (overwrite) all scratched DASD data sets, including temporary data sets, when they are deleted, so that residual data cannot be read by whoever next allocates the freed space. NOERASE specifies that no DASD data sets are erased when deleted. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
Checks: C-17760r4_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0300) For all systems, if the ERASE values are set as follows, this is not a finding. ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS: ERASE-ON-SCRATCH FOR ALL DATA SETS IS IN EFFECT

Fix: F-16879r2_fix

The IAO must ensure that the ERASE SETROPTS value is set to ERASE(ALL); this causes DASD data sets to be erased when deleted. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: - Issue the RACF command SETR LIST to show the status of RACF controls, including the status of the ERASE options. - Take the appropriate actions to ensure that SETR ERASE(ALL) has been issued to enable erase-on-scratch for all data sets.

b
The GENCMD SETROPTS value is not enabled for ACTIVE classes.
CM-6 - Medium - CCI-000366 - V-260 - SV-260r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0310
Vuln IDs
  • V-260
Rule IDs
  • SV-260r2_rule
(RACF0310: CAT II) GENCMD activates generic profile command processing for a class, so that RACF commands can define and maintain generic profiles in that class. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17851r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0310)
b) Other than the exemptions listed below, for which GENCMD need not be enabled, if the classes listed as ACTIVE are also listed as GENCMD, there is NO FINDING.
c) If there are ACTIVE classes not also shown as GENCMD classes and not in the list of exemptions below, this is a FINDING.
EXEMPTIONS:
- The following are defined with GENERIC=DISALLOWED per RACF Macros and Interfaces Appendix C: CDT KERBLINK REALM SECLABEL SECLMBR
- The following should not use GENERICS: USER GROUP
- The following are listed in the RACF Command Language Reference as not being recommended for GENERICS: DIGTCERT DIGTRING
- Any class identified as a GROUP class (per RACF Macros and Interfaces Appendix C): BCICSPCT DIMS ECICSDCT GCICSTRN GCPSMOBJ GCSFKEYS GDASDVOL GDSNBP GDSNCL GDSNDB GDSNJR GDSNPK GDSNPN GDSNSC GDSNSG GDSNSM GDSNSP GDSNSQ GDSNTB GDSNTS GDSNUF GDSNUT GEJBROLE GIMS GINFOMAN GLOBAL GMQADMIN GMQCHAN GMQNLIST GMQPROC GMQQUEUE GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC GSDSF GSOMDOBJ GTERMINL GXFACILI HCICSFCT HIMS JIMS KCICSJCT MIMS NCICSPPT NODES (** should not be excluded) PROGRAM QCICSPSB QIMS RACFVARS SECDATA SECLABEL UCICSTST UIMS VCICSCMD VMXEVENT WCICSRES WIMS
- The following are reporting-only classes (PROFDEF=NO per RACF Macros and Interfaces Appendix C): DIRACC DIRAUTH DIRSRCH FSOBJ FSSEC IPCOBJ PROCACT PROCESS TEMPDSN VMMAC

Fix: F-16955r1_fix

The IAO will ensure that GENCMD is enabled for ACTIVE classes with exceptions identified in the "Check" portion of this PDI. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of GENCMD. (1) Generic Profile Command processing is activated for the required classes by the command SETR GENCMD(<classname>).

b
The GENERIC SETROPTS value is not enabled for ACTIVE classes.
CM-6 - Medium - CCI-000366 - V-261 - SV-261r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0320
Vuln IDs
  • V-261
Rule IDs
  • SV-261r2_rule
(RACF0320: CAT II) GENERIC activates generic profile checking for a class, so that generic profiles in that class are used during authorization checking; activating GENERIC for a class also activates GENCMD for it. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17936r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0320)
b) Other than the exemptions listed below, for which GENERIC need not be enabled, if the classes listed as ACTIVE are also listed as GENERIC, there is NO FINDING.
c) If there are ACTIVE classes not also shown as GENERIC classes and not in the list of exemptions below, this is a FINDING.
EXEMPTIONS:
- The following are defined with GENERIC=DISALLOWED per RACF Macros and Interfaces Appendix C: CDT KERBLINK REALM SECLABEL SECLMBR
- The following should not use GENERICS: USER GROUP
- The following are listed in the RACF Command Language Reference as not being recommended for GENERICS: DIGTCERT DIGTRING
- The following are GROUP classes per RACF Macros and Interfaces Appendix C: BCICSPCT DIMS ECICSDCT GCICSTRN GCPSMOBJ GCSFKEYS GDASDVOL GDSNBP GDSNCL GDSNDB GDSNJR GDSNPK GDSNPN GDSNSC GDSNSG GDSNSM GDSNSP GDSNSQ GDSNTB GDSNTS GDSNUF GDSNUT GEJBROLE GIMS GINFOMAN GLOBAL GMQADMIN GMQCHAN GMQNLIST GMQPROC GMQQUEUE GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC GSDSF GSOMDOBJ GTERMINL GXFACILI HCICSFCT HIMS JIMS KCICSJCT MIMS NCICSPPT NODES (** should not be excluded) PROGRAM QCICSPSB QIMS RACFVARS SECDATA SECLABEL UCICSTST UIMS VCICSCMD VMXEVENT WCICSRES WIMS
- The following are reporting-only classes (PROFDEF=NO per RACF Macros and Interfaces Appendix C): DIRACC DIRAUTH DIRSRCH FSOBJ FSSEC IPCOBJ PROCACT PROCESS TEMPDSN VMMAC

Fix: F-17174r1_fix

The IAO will ensure that GENERIC is enabled for ACTIVE classes with the exceptions listed in the "Check" portion of this PDI. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the status of GENERIC. (1) Generic profile checking is activated for the required classes by the command SETR GENERIC(<classname>).
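The ACTIVE-minus-GENERIC and ACTIVE-minus-GENCMD comparison that RACF0320 and RACF0310 describe, applied with the exemption lists from their Check sections, as an added example that is not part of the STIG or of the RACF Data Collection tooling. It reads a SETROPTS LIST excerpt; the `ACTIVE CLASSES =`, `GENERIC PROFILE CLASSES =` and `GENERIC COMMAND CLASSES =` line labels and the indented continuation lines are assumptions about the report layout, and the sample excerpt is constructed rather than captured from a system.

```python
"""RACF0310/RACF0320: find ACTIVE classes that lack GENCMD or GENERIC processing."""

# Constructed SETROPTS LIST excerpt (not captured from a real system). The line
# labels and the indented continuation lines are assumptions about the report layout.
SAMPLE_CLASSES = """\
ACTIVE CLASSES = DATASET USER GROUP DASDVOL GDASDVOL TERMINAL
                 GTERMINL FACILITY SURROGAT OPERCMDS NODES
                 DIGTCERT SECLABEL
GENERIC PROFILE CLASSES = DATASET DASDVOL TERMINAL FACILITY SURROGAT
                 OPERCMDS
GENERIC COMMAND CLASSES = DATASET DASDVOL TERMINAL FACILITY SURROGAT
                 OPERCMDS NODES
GENLIST CLASSES = NONE
"""

# Exemptions from the Check text: GENERIC=DISALLOWED classes, USER/GROUP, the two
# certificate classes, the GROUP classes and the reporting-only (PROFDEF=NO) classes.
# NODES is deliberately absent: the STIG says it must not be excluded.
EXEMPT = set("""
CDT KERBLINK REALM SECLABEL SECLMBR
USER GROUP
DIGTCERT DIGTRING
BCICSPCT DIMS ECICSDCT GCICSTRN GCPSMOBJ GCSFKEYS GDASDVOL GDSNBP GDSNCL GDSNDB
GDSNJR GDSNPK GDSNPN GDSNSC GDSNSG GDSNSM GDSNSP GDSNSQ GDSNTB GDSNTS GDSNUF GDSNUT
GEJBROLE GIMS GINFOMAN GLOBAL GMQADMIN GMQCHAN GMQNLIST GMQPROC GMQQUEUE GMXADMIN
GMXNLIST GMXPROC GMXQUEUE GMXTOPIC GSDSF GSOMDOBJ GTERMINL GXFACILI HCICSFCT HIMS
JIMS KCICSJCT MIMS NCICSPPT PROGRAM QCICSPSB QIMS RACFVARS SECDATA UCICSTST UIMS
VCICSCMD VMXEVENT WCICSRES WIMS
DIRACC DIRAUTH DIRSRCH FSOBJ FSSEC IPCOBJ PROCACT PROCESS TEMPDSN VMMAC
""".split())


def class_list(text, label):
    """Collect the class names after 'LABEL = ', including indented continuation
    lines, as a set. A value of NONE (or a missing label) yields the empty set."""
    lines = text.splitlines()
    names = []
    for i, line in enumerate(lines):
        if line.startswith(label + " ="):
            names += line.split("=", 1)[1].split()
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):  # the next label ends this list
                    break
                names += cont.split()
            break
    return set(names) - {"NONE"}


def missing_generics(text, which):
    """ACTIVE classes not listed under `which` ("GENERIC PROFILE" for RACF0320,
    "GENERIC COMMAND" for RACF0310) and not exempt, sorted."""
    active = class_list(text, "ACTIVE CLASSES")
    enabled = class_list(text, which + " CLASSES")
    return sorted(active - enabled - EXEMPT)


def remediation(text):
    """SETROPTS commands, as given in the Fix sections, that would clear the findings."""
    cmds = [f"SETR GENERIC({c})" for c in missing_generics(text, "GENERIC PROFILE")]
    cmds += [f"SETR GENCMD({c})" for c in missing_generics(text, "GENERIC COMMAND")]
    return cmds


if __name__ == "__main__":
    print("RACF0320 findings:", missing_generics(SAMPLE_CLASSES, "GENERIC PROFILE"))
    print("RACF0310 findings:", missing_generics(SAMPLE_CLASSES, "GENERIC COMMAND"))
    print("Remediation:", remediation(SAMPLE_CLASSES))
```

In the constructed sample NODES is active and has GENCMD but not GENERIC, so it is the only RACF0320 finding and RACF0310 is clean; USER, GROUP, GDASDVOL, GTERMINL, DIGTCERT and SECLABEL are all filtered out by the exemption list. For a class missing both, the script emits both commands; the SETR GENCMD is then redundant, since SETR GENERIC(class) also activates generic command processing, but issuing it does no harm.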

b
The TERMINAL SETROPTS value is not set to READ.
IA-3 - Medium - CCI-001958 - V-262 - SV-262r2_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
RACF0330
Vuln IDs
  • V-262
Rule IDs
  • SV-262r2_rule
(RACF0330: CAT II) TERMINAL sets the universal access authority (UACC) for terminals that are not defined to RACF, that is, not covered by a profile in the TERMINAL class. If you specify TERMINAL but do not specify READ or NONE, the system prompts for a value. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17926r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0330) b) If the TERMINAL value is set to READ, there is NO FINDING. c) If the TERMINAL value is set to NONE, this is a FINDING.

Fix: F-416r1_fix

The IAO will ensure that the TERMINAL SETROPTS value is set to READ; this sets the universal access authority (UACC) associated with undefined terminals. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of TERMINAL. (1) TERMINAL READ is set by the command SETR TERMINAL(READ).

b
The PASSWORD(MINCHANGE) value must be specified as (1).
IA-5 - Medium - CCI-000198 - V-263 - SV-263r3_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
RACF0445
Vuln IDs
  • V-263
Rule IDs
  • SV-263r3_rule
MINCHANGE specifies the number of days that must pass between a user's password and password phrase changes. Users cannot change their own passwords and password phrases within the minimum change interval; this prevents a user from cycling through the password history in one sitting to return to a previous password. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
Checks: C-3211r2_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0445) If the PASSWORD(MINCHANGE) value shows "PASSWORD MINIMUM CHANGE INTERVAL IS <1> DAYS", this is not a finding.

Fix: F-201r1_fix

The IAO will ensure that the PASSWORD(MINCHANGE) SETROPTS value is set to a number from 1 to 59; the check above accepts a value of 1. This specifies the number of days that must pass before a user can change their password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including PASSWORD MINCHANGE. Use the following command as an example: SETROPTS PASSWORD(MINCHANGE(1))

b
The INACTIVE SETROPTS value is not set to 35 days.
AC-2 - Medium - CCI-000017 - V-264 - SV-264r2_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000017
Version
RACF0360
Vuln IDs
  • V-264
Rule IDs
  • SV-264r2_rule
The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2, IAAC-1
Checks: C-17928r1_chk

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0360) Ensure the INACTIVE value is set properly: in the message "INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER xxx DAYS.", xxx must be a value of 1 to 35.

Fix: F-17124r1_fix

The IAO will ensure that the INACTIVE SETROPTS value is set to a value of 1 to 35 days. INACTIVE specifies the number of days that a USERID can remain unused and still be considered valid; once that period is exceeded, RACF revokes the USERID at its next logon attempt. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the status of INACTIVE. The INACTIVE value is set properly with the command: SETR INACTIVE(35)

b
The GRPLIST SETROPTS value is not set to ACTIVE.
CM-6 - Medium - CCI-000366 - V-265 - SV-265r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0350
Vuln IDs
  • V-265
Rule IDs
  • SV-265r2_rule
(RACF0350: CAT II) GRPLIST specifies that RACF is to perform list-of-groups access checking for all system users. When you specify GRPLIST, a user's authority to access a resource is not based only on the authority of the user's current connect group; access is based on the authority of any group to which the user is connected. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
Checks: C-17927r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0350) b) If GRPLIST is enabled, the message "LIST OF GROUPS ACCESS CHECKING IS ACTIVE." is displayed, and there is NO FINDING. c) If the message indicates that LIST OF GROUPS access checking is NOT ACTIVE, this is a FINDING.

Fix: F-17114r1_fix

The IAO will ensure that GRPLIST SETROPTS value is set to ACTIVE. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of GRPLIST. (1) List Of Groups Checking is activated with the command SETR GRPLIST.

b
The INITSTATS SETROPTS value is not set to INITSTATS.
AU-3 - Medium - CCI-000130 - V-266 - SV-266r2_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
RACF0370
Vuln IDs
  • V-266
Rule IDs
  • SV-266r2_rule
(RACF0370: CAT II) INITSTATS specifies that statistics available during RACINIT SVC (RACROUTE REQUEST=VERIFY) processing are to be recorded. These statistics include the date and time RACINIT is issued for a particular user, the number of RACINITs for a user to a particular group, and the date and time of the last RACINIT for a user to a particular group. INITSTATS must be in effect for the PASSWORD(REVOKE) and INACTIVE options to function, since both depend on these statistics. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17929r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0370) b) If the INITSTATS value is listed as one of the ATTRIBUTES, there is NO FINDING. c) If the INITSTATS value is not listed as one of the ATTRIBUTES, this is a FINDING.

Fix: F-17126r1_fix

The IAO will ensure that the INITSTATS SETROPTS option is set to INITSTATS; this specifies that statistics available during RACINIT SVC processing are recorded. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the status of INITSTATS. (1) INITSTATS is activated with the command SETR INITSTATS.

b
The JES(BATCHALLRACF) SETROPTS value is not set to JES(BATCHALLRACF).
IA-2 - Medium - CCI-000764 - V-267 - SV-267r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
RACF0380
Vuln IDs
  • V-267
Rule IDs
  • SV-267r2_rule
(RACF0380: CAT II) JES(BATCHALLRACF) specifies that JES is to test for the presence of a USERID and password on the job statement or for propagated RACF identification information for all batch jobs. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17930r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0380) b) If JES(BATCHALLRACF) is enabled, the message "JES-BATCHALLRACF OPTION IS ACTIVE" is displayed, and there is NO FINDING. c) If the message "JES-BATCHALLRACF OPTION IS INACTIVE" is displayed, this is a FINDING.

Fix: F-17131r1_fix

The IAO will ensure that JES(BATCHALLRACF) SETROPTS value is set to JES(BATCHALLRACF). This specifies that JES is to test for a userid and password on the job statement or for propagated RACF identification information for all batch jobs. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a status of JES BATCHALLRACF. (1) JES BATCHALLRACF is activated with the command SETR JES(BATCHALLRACF).

b
The JES(XBMALLRACF) SETROPTS value is not set to JES(XBMALLRACF).
IA-2 - Medium - CCI-000764 - V-269 - SV-269r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
RACF0400
Vuln IDs
  • V-269
Rule IDs
  • SV-269r2_rule
(RACF0400: CAT II) XBMALLRACF ensures that (assuming you have JES configured to support XBM jobs) any XBM job submitted by a user must have a RACF identity or the job will fail. This is used only in JES2. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17935r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0400) b) If JES(XBMALLRACF) is enabled, the message "JES-XBMALLRACF OPTION IS ACTIVE" is displayed, and there is NO FINDING. c) If the message "JES-XBMALLRACF OPTION IS INACTIVE" is displayed, this is a FINDING.

Fix: F-17173r1_fix

The IAO will ensure that the JES(XBMALLRACF) SETROPTS value is set to JES(XBMALLRACF). This specifies that JES is to test for a userid and password on the job statement or for propagated RACF identification information for all jobs run under the execution batch monitor. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the status of JES-XBMALLRACF. (1) XBMALLRACF is activated with the command SETR JES(XBMALLRACF).

b
The OPERAUDIT SETROPTS value is not set to OPERAUDIT.
AC-6 - Medium - CCI-002234 - V-270 - SV-270r2_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
RACF0420
Vuln IDs
  • V-270
Rule IDs
  • SV-270r2_rule
(RACF0420: CAT II) OPERAUDIT specifies whether RACF is to log all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17937r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0420) b) If the OPERAUDIT value is listed as one of the ATTRIBUTES, there is NO FINDING. c) If the OPERAUDIT value is not listed as one of the ATTRIBUTES, this is a FINDING.

Fix: F-17175r1_fix

NOTE: The RACF AUDITOR attribute is required in order to specify SETROPTS OPERAUDIT and also to display the OPERAUDIT attribute with the SETROPTS LIST command; a SETROPTS LIST issued without AUDITOR will not show OPERAUDIT even when it is active. The IAO will ensure that the OPERAUDIT SETROPTS option is set to OPERAUDIT. This specifies that RACF logs all actions, such as accesses to resources and commands, that are allowed only because the user has the OPERATIONS or group-OPERATIONS attribute. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF command SETR LIST will show the status of RACF controls, including the list of ATTRIBUTES. (1) Logging of all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute is activated with the command SETR OPERAUDIT.

b
The PASSWORD(HISTORY) SETROPTS value is not set to 10.
IA-5 - Medium - CCI-000200 - V-271 - SV-271r2_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
RACF0430
Vuln IDs
  • V-271
Rule IDs
  • SV-271r2_rule
(RACF0430: CAT II) HISTORY specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17938r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0430) b) If the PASSWORD(HISTORY) value is set properly, the message "x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED." shows x greater than or equal to 10, and there is NO FINDING. c) If the message "x GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED." shows x less than 10, this is a FINDING.

Fix: F-17176r1_fix

The IAO will ensure that PASSWORD(HISTORY) SETROPTS value is set to 10. This specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password. If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD HISTORY. (1) Setting the password history to 10 generations is activated with the command SETR PASSWORD(HISTORY(10)).

b
The PASSWORD(INTERVAL) SETROPTS value is not set to 60 days.
IA-5 - Medium - CCI-000199 - V-272 - SV-272r2_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
RACF0440
Vuln IDs
  • V-272
Rule IDs
  • SV-272r2_rule
(RACF0440: CAT II) INTERVAL specifies the maximum number of days that each user's password is valid. When a user logs on to the system, RACF compares the system-wide password interval with the interval value specified in the user's profile and uses the lower of the two values to determine whether the user's password has expired. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17939r1_chk

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0440) Note: Current DoD policy has changed requiring that the password change interval be at the most 60 days. Ensure that this is in effect. b) If the PASSWORD(INTERVAL) value is set properly then the message "PASSWORD CHANGE INTERVAL IS xxx DAYS.", where xxx is less than or equal to 60 and not equal to 0, there is NO FINDING. c) If the PASSWORD(INTERVAL) value is set improperly then the message "PASSWORD CHANGE INTERVAL IS xxx DAYS.", where xxx is greater than 60 or equal to 0, this is a FINDING.

Fix: F-17178r1_fix

The IAO will ensure that PASSWORD(INTERVAL) SETROPTS value is set to 60 days. This specifies the maximum number of days that each user’s password is valid. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including PASSWORD INTERVAL. (1) Setting the password interval to 60 days is activated with the command SETR PASSWORD(INTERVAL(60)).

b
The PASSWORD(REVOKE) SETROPTS value specified is not in accordance with security requirements.
AC-7 - Medium - CCI-000044 - V-273 - SV-273r2_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
RACF0450
Vuln IDs
  • V-273
Rule IDs
  • SV-273r2_rule
(RACF0450: CAT II) The IAO will ensure that the PASSWORD(REVOKE) SETROPTS value is set to 1 or 2. This value specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If you specify REVOKE, ensure INITSTATS is in effect, since the attempt count is kept in the logon statistics. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-30346r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0450)
b) If the PASSWORD(REVOKE) value shows "AFTER <n> CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS, A USERID WILL BE REVOKED.", where <n> is either 1 or 2, there is NO FINDING.
c) If the PASSWORD(REVOKE) value is not enabled, or is set to a value other than 1 or 2, this is a FINDING.

Fix: F-27106r1_fix

The IAO will ensure that the PASSWORD(REVOKE) SETROPTS value is set to 1 or 2. This specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If you specify REVOKE, ensure INITSTATS is in effect. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including PASSWORD REVOKE.
(1) Setting the password REVOKE threshold to 2 invalid attempts is activated with the command:
SETR PASSWORD(REVOKE(2))

The PASSWORD(RULEn) SETROPTS value(s) must be properly set.
IA-5 - Medium - CCI-000192 - V-274 - SV-274r4_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
RACF0460
Vuln IDs
  • V-274
Rule IDs
  • SV-274r4_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.
Checks: C-17989r5_chk

Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0460)
If the following options are specified, this is not a finding.
___ Verify at least one PASSWORD(RULE) under "INSTALLATION PASSWORD SYNTAX RULES" is defined with the values shown below:
RULE 1 LENGTH(8) xxxxxxxx
___ Verify the following options are in effect under "PASSWORD PROCESSING OPTIONS":
"MIXED CASE PASSWORD SUPPORT IS IN EFFECT"
"SPECIAL CHARACTERS ARE ALLOWED."

Fix: F-17225r4_fix

The ISSO will evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
For z/OS releases 1.13 and 1.14, PTF UA90720 must be applied. For z/OS Release 2.1, PTF UA90721 must be applied.
The RACF command SETR LIST will show the status of RACF controls, including the PASSWORD SYNTAX RULEs.
Setting the password syntax to all mixed-case alphanumeric and special characters is activated with the commands:
setr password(mixedcase)
setr password(specialchars)
setr password(rule1(length(8) mixedall(1:8)))

The PASSWORD(WARNING) SETROPTS value is improperly set.
AC-9 - Medium - CCI-001395 - V-275 - SV-275r2_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-001395
Version
RACF0470
Vuln IDs
  • V-275
Rule IDs
  • SV-275r2_rule
WARNING specifies the number of days before a password expires when RACF is to issue a warning message to the user. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18198r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0470)
b) If the PASSWORD(WARNING) value shows "PASSWORD EXPIRATION WARNING LEVEL IS xxx DAYS.", where xxx is greater than or equal to 10, there is NO FINDING.
c) If the PASSWORD(WARNING) value shows "PASSWORD EXPIRATION WARNING LEVEL IS xxx DAYS.", where xxx is less than 10, this is a FINDING.

Fix: F-17364r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value of PASSWORD WARNING.
(1) WARNING is activated with the command:
SETR PASSWORD(WARNING(10))

The PROTECTALL SETROPTS value specified must be properly set.
CM-6 - High - CCI-000366 - V-276 - SV-276r3_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RACF0480
Vuln IDs
  • V-276
Rule IDs
  • SV-276r3_rule
When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected. Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing. PROTECTALL requires that data sets be RACF protected. In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
Checks: C-18206r2_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0480)
b) If the SETROPTS value for PROTECTALL is ACTIVE and set to FAIL, there is NO FINDING.
c) If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a FINDING. Additional analysis may be required to determine whether this FINDING should be downgraded to a Category II or remain a Category I.
Example of a Category I FINDING where no further analysis is required:
Control Options: SETROPTS NOPROTECTALL
Example of a possible Category I FINDING requiring additional analysis:
Control Options: SETROPTS PROTECTALL(WARNING)
PROTECTALL(WARNING) allows access to a data set only if it is not protected by a profile in the DATASET resource class. Therefore, if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not allow unauthorized access. This situation allows for a downgrade to a Category II.

Fix: F-17365r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value for the PROTECTALL option.
(1) PROTECTALL is ACTIVATED and set to FAIL by issuing the command:
SETR PROTECTALL(FAIL)

The REALDSN SETROPTS value specified is improperly set.
AU-12 - Low - CCI-001353 - V-277 - SV-277r2_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-001353
Version
RACF0490
Vuln IDs
  • V-277
Rule IDs
  • SV-277r2_rule
REALDSN specifies that RACF is to record, in any SMF log records and operator messages, the real data set name (not the naming-conventions name) used on the data set commands and during resource access checking and resource definition. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18260r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0490)
b) If REALDSN is enabled, the message "REAL DATA SET NAMES OPTION IS ACTIVE" is displayed; there is NO FINDING.
c) If the message "REAL DATA SET NAMES OPTION IS INACTIVE" is displayed, this is a FINDING.

Fix: F-17372r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value for the REALDSN option.
(1) REALDSN is ACTIVATED by issuing the command:
SETR REALDSN

The RETPD SETROPTS value specified is improperly set.
CM-6 - Medium - CCI-000366 - V-278 - SV-278r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0500
Vuln IDs
  • V-278
Rule IDs
  • SV-278r2_rule
RETPD specifies the default RACF security retention period for tape data sets. The security retention period is the number of days that RACF protection is to remain in effect for the tape data set and should be set to a value of 99999. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18274r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0500)
b) If RETPD is enabled, the message "SECURITY RETENTION PERIOD IN EFFECT IS NEVER-EXPIRES DAYS" is displayed; there is NO FINDING.
c) If the RETPD value is not set to "NEVER-EXPIRES", this is a FINDING.

Fix: F-17375r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value for the RETPD (Retention Period) option.
(1) RETPD is activated and set to the required value by issuing the command:
SETR RETPD(99999)

The SETROPTS RVARYPW values must be properly set.
CM-5 - Medium - CCI-001813 - V-279 - SV-279r4_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001813
Version
RACF0510
Vuln IDs
  • V-279
Rule IDs
  • SV-279r4_rule
RVARYPW specifies the passwords that an operator is to use when responding to requests to approve RVARY command processing. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
Checks: C-364r3_chk

Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0510)
If the SETROPTS RVARYPW entries conform to the following requirements, this is not a finding.
___ The "INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT" message is displayed for both the SWITCH and STATUS functions.
___ The SWITCH and STATUS password contents follow the password requirements documented in RACF0460.

Fix: F-6638r3_fix

The IAO will ensure that the RVARYPW passwords are specified and conform to the password requirements documented in RACF0460. The IAO will evaluate the impact associated with implementation of the control option and develop a plan of action to implement the control option as required. A sample command for setting both the SWITCH and STATUS passwords is shown here:
SETR RVARYPW(SWITCH(Wxy$8Pqu) STATUS(pbZ0@wL2))

The SAUDIT SETROPTS value specified is improperly set.
AU-12 - Medium - CCI-000172 - V-280 - SV-280r2_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
RACF0520
Vuln IDs
  • V-280
Rule IDs
  • SV-280r2_rule
SAUDIT specifies whether RACF is to log all RACF commands issued by users with the SPECIAL or group-SPECIAL attribute. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18748r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0520)
b) If the SAUDIT value is listed as one of the ATTRIBUTES, there is NO FINDING.
c) If the NOSAUDIT value is listed as one of the ATTRIBUTES, this is a FINDING.

Fix: F-17394r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
NOTE: In order to set or list the SAUDIT value, the RACF AUDITOR attribute is required. Reference the documentation for the SETROPTS command in the RACF Command Language Reference.
The RACF command SETR LIST will show the status of RACF controls, including the value for SAUDIT.
(1) SAUDIT is activated and set to the required value by issuing the command:
SETR SAUDIT

The TAPEDSN SETROPTS value specified is improperly set.
CM-6 - Medium - CCI-000366 - V-282 - SV-282r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0550
Vuln IDs
  • V-282
Rule IDs
  • SV-282r2_rule
TAPEDSN activates tape data set protection. When tape data set protection is in effect, RACF can protect individual tape data sets as well as tape volumes. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18802r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0550)
b) If TAPEDSN is enabled, the message "TAPE DATA SET PROTECTION IS ACTIVE" is displayed; there is NO FINDING.
NOTE 1: TAPEDSN should be active for domains without a tape management product.
NOTE 2: For domains running CA 1, Computer Associates recommends that TAPEDSN be active and the CA 1 parameter OCEOV be set to OFF.
c) If the TAPEDSN value is set to INACTIVE, this is a FINDING.

Fix: F-17396r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value for the TAPEDSN option.
(1) TAPEDSN is ACTIVATED by issuing the command:
SETR TAPEDSN

The WHEN(PROGRAM) SETROPTS value specified is not active.
CM-6 - Medium - CCI-000366 - V-283 - SV-283r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0560
Vuln IDs
  • V-283
Rule IDs
  • SV-283r2_rule
WHEN(PROGRAM) activates RACF program control, which includes both access control to load modules and program access to data sets. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18803r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0560)
b) If the WHEN(PROGRAM) value is listed as one of the ATTRIBUTES, there is NO FINDING.
c) If the NOWHEN(PROGRAM) value is listed as one of the ATTRIBUTES, this is a FINDING.

Fix: F-17397r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including the value for the WHEN(PROGRAM) option.
(1) WHEN(PROGRAM) is ACTIVATED by issuing the command:
SETR WHEN(PROGRAM)
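As an added example (not part of the STIG or of DISA's data collection tooling), the following Python script applies the NO FINDING / FINDING rules of checks RACF0440 through RACF0560 above to a constructed SETR LIST listing, so the same listing can be re-evaluated after each fix. The sample listing, the wording of the PROTECT-ALL lines and the two-line wrapping of the REVOKE message are assumptions about the listing format; the other message texts are the ones the checks quote.

```python
import re

# Constructed "SETR LIST" output, not a listing from any real system.  The message
# texts are the ones the checks quote; the PROTECT-ALL lines and the two-line
# wrapping of the REVOKE message are assumptions about the listing format.
SAMPLE_SETR_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
INSTALLATION PASSWORD SYNTAX RULES:
  RULE 1  LENGTH(8)  xxxxxxxx
PASSWORD PROCESSING OPTIONS:
  PASSWORD CHANGE INTERVAL IS  90 DAYS.
  MIXED CASE PASSWORD SUPPORT IS IN EFFECT
  SPECIAL CHARACTERS ARE ALLOWED.
  PASSWORD EXPIRATION WARNING LEVEL IS   5 DAYS.
  AFTER   2 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
     A USERID WILL BE REVOKED.
PROTECT-ALL IS ACTIVE, CURRENT OPTIONS:
  PROTECT-ALL WARNING OPTION IS IN EFFECT
TAPE DATA SET PROTECTION IS ACTIVE
REAL DATA SET NAMES OPTION IS INACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS NEVER-EXPIRES DAYS
"""


def _attributes(text):
    """Tokens of the 'ATTRIBUTES = ...' line, where SAUDIT and WHEN(PROGRAM) appear."""
    m = re.search(r"^ATTRIBUTES\s*=\s*(.*)$", text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def _days(flat, prefix):
    """Integer from a '<prefix> xxx DAYS.' message, or None if the line is absent."""
    m = re.search(prefix + r"\s+(\d+)\s+DAYS", flat)
    return int(m.group(1)) if m else None


def check_setropts(text):
    """Map each PDI to (compliant, detail) using the NO FINDING / FINDING rules."""
    flat = " ".join(text.split())        # re-join wrapped lines, squeeze blanks
    attrs = _attributes(text)
    r = {}

    # RACF0440: 1 to 60 days; 0 means passwords never expire and is a finding.
    interval = _days(flat, "PASSWORD CHANGE INTERVAL IS")
    r["RACF0440"] = (interval is not None and 1 <= interval <= 60, f"INTERVAL={interval}")

    # RACF0450: revoke after 1 or 2 bad attempts; a missing message is a finding.
    m = re.search(r"AFTER\s+(\d+)\s+CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,\s*"
                  r"A USERID WILL BE REVOKED", flat)
    revoke = int(m.group(1)) if m else None
    r["RACF0450"] = (revoke in (1, 2), f"REVOKE={revoke}")

    # RACF0460: a LENGTH(8) syntax rule plus mixed case and special characters.
    rule8 = re.search(r"RULE\s+\d+\s+LENGTH\(8\)", flat) is not None
    mixed = "MIXED CASE PASSWORD SUPPORT IS IN EFFECT" in flat
    special = "SPECIAL CHARACTERS ARE ALLOWED." in flat
    r["RACF0460"] = (rule8 and mixed and special,
                     f"LENGTH(8)={rule8} MIXEDCASE={mixed} SPECIALCHARS={special}")

    # RACF0470: warn the user at least 10 days before the password expires.
    warning = _days(flat, "PASSWORD EXPIRATION WARNING LEVEL IS")
    r["RACF0470"] = (warning is not None and warning >= 10, f"WARNING={warning}")

    # RACF0480: PROTECTALL must be active with the FAIL option (assumed wording).
    if "PROTECT-ALL IS ACTIVE" in flat and "PROTECT-ALL FAIL OPTION IS IN EFFECT" in flat:
        protectall = "FAIL"
    elif "PROTECT-ALL IS ACTIVE" in flat:
        protectall = "WARNING"    # CAT I unless all sensitive data sets have DATASET profiles
    else:
        protectall = "INACTIVE"   # NOPROTECTALL: CAT I, no further analysis
    r["RACF0480"] = (protectall == "FAIL", f"PROTECTALL={protectall}")

    # RACF0490 / RACF0500 / RACF0550: one status message each.
    r["RACF0490"] = ("REAL DATA SET NAMES OPTION IS ACTIVE" in flat, "REALDSN")
    r["RACF0500"] = ("SECURITY RETENTION PERIOD IN EFFECT IS NEVER-EXPIRES DAYS" in flat, "RETPD")
    r["RACF0550"] = ("TAPE DATA SET PROTECTION IS ACTIVE" in flat, "TAPEDSN")

    # RACF0520 / RACF0560: reported as tokens on the ATTRIBUTES line.
    r["RACF0520"] = ("SAUDIT" in attrs and "NOSAUDIT" not in attrs, "SAUDIT")
    r["RACF0560"] = ("WHEN(PROGRAM)" in attrs, "WHEN(PROGRAM)")
    return r


def findings(text):
    """PDIs that are a FINDING for this listing, in PDI order."""
    return [pdi for pdi, (ok, _) in sorted(check_setropts(text).items()) if not ok]


if __name__ == "__main__":
    for pdi, (ok, detail) in sorted(check_setropts(SAMPLE_SETR_LIST).items()):
        print(f"{pdi}: {'NO FINDING' if ok else 'FINDING'}  ({detail})")
```

On the constructed listing this reports findings for RACF0440 (90-day interval), RACF0470 (5-day warning), RACF0480 (PROTECTALL in WARNING mode) and RACF0490 (REALDSN inactive), and nothing once the corresponding SETR commands from the fixes have been applied.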

RACF users do not have the required default fields.
IA-2 - Low - CCI-000764 - V-284 - SV-284r2_rule
RMF Control
IA-2
Severity
Low
CCI
CCI-000764
Version
RACF0570
Vuln IDs
  • V-284
Rule IDs
  • SV-284r2_rule
Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, owner, and passdate fields are completed. This will uniquely identify each user. If these fields are not completed for each user, user accountability will be lost. Every user will be identified to RACF via each user’s unique userid profile. To RACF, a user is an individual (user), a started task, or a batch job. Every userid will be fully identified within RACF with the following fields completed:
  • NAME: User’s name
  • DFLTGRP: Default group
  • OWNER: User’s profile owner
  • PASSWORD: Password
RACF will automatically assign the default group as the password if a password is not explicitly coded. Assign a unique password to every userid to prevent unauthorized access by a person who knows the default group for a new userid.
IA Controls
DCCS-1, DCCS-2
Checks: C-369r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0570)
b) Verify that every user is fully identified, meeting all of the following conditions:
1. A completed NAME field that can either be traced back to a current DD2875 or a vendor requirement (example: a Started Task).
2. The presence of the DEFAULT-GROUP and OWNER fields.
3. The PASSDATE field is not set to N/A unless this user has the PROTECTED attribute.
c) If all of the above are true, there is NO FINDING.
d) If any of the above is untrue, this is a FINDING.

Fix: F-438r1_fix

Review all USERID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability:
1. Add a NAME to a userid with the command:
ALU <userid> NAME('lastname, firstname')
2. Every user will be assigned a default group by default. A sample command to reassign a default group is shown here:
ALU <userid> DFLTGRP(<newdefaultgroup>)
The userid must first be connected to the group via the RACF CONNECT command before that group can be made its default group.
3. A PASSDATE field showing 00.000 indicates that a temporary password has been assigned but the user has not logged in and set a permanent password. This could indicate that a new userid was recently added, or that a userid previously added is unused and should be considered for deletion. The IAO should investigate and determine whether the userid should be deleted or whether the new user should be contacted and told to log in to set a permanent password.

Interactive USERIDs defined to RACF must have the required fields completed.
IA-5 - Medium - CCI-000199 - V-285 - SV-285r6_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
RACF0580
Vuln IDs
  • V-285
Rule IDs
  • SV-285r6_rule
Improper assignments of attributes in the LOGONID record may allow users excessive privileges resulting in unauthorized access.
Responsibility
Information Assurance Officer
Checks: C-38886r6_chk

Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0580)
Verify that the interactive userids are properly defined. If the following guidance is true, this is not a finding.
___ Ensure that each interactive userid has a valid LAST-ACCESS date that does not contain the value UNKNOWN.
___ Ensure that PASS-INTERVAL is set to a value of 1 to 60 days.
Note: Current DoD policy has changed, requiring that the password change interval be set to a value of 1 to 60. Ensure that this is in effect.
Note: FTP-only process and server-to-server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or by FTP in the name field. Additionally, these users must change their passwords on an annual basis.

Fix: F-34056r7_fix

The IAO will review all interactive USERID definitions to ensure required information is provided. Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.
The PASSWORD-INTERVAL for an interactive user must be set no higher than 60 days.
Note: Current DoD policy has changed, requiring that the password change interval be set to a value of 1 to 60. Ensure that this is in effect.
Note: FTP-only process and server-to-server userids may have PASSWORD(NOINTERVAL) specified. These users must be identified in the FTPUSERS group in the Dialog Process or by FTP in the name field. Additionally, these users must change their passwords at least annually.
A sample command to accomplish this is shown here:
PW USER(<userid>) INTERVAL(60)
The LAST-ACCESS date must be set to a valid date and not to the value UNKNOWN. A sample command to accomplish this is shown here:
ALU <userid> RESUME
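As an added example (not part of the STIG or its data collection dialog), this Python script parses a constructed LISTUSER listing and applies the RACF0570 and RACF0580 conditions above to each userid. The field layout of the sample, NAME=UNKNOWN for a userid with no name set, and treating PROTECTED userids as non-interactive are assumptions; the ftp_users parameter stands in for the FTPUSERS list that the Dialog Process would supply.

```python
import re

# Constructed LISTUSER output for five userids, not from any real system.  The
# field layout follows the LISTUSER format; NAME=UNKNOWN for a userid with no
# name set is an assumption about that format.
SAMPLE_LISTUSER = """\
USER=JSMITH   NAME=SMITH, JOHN         OWNER=SYSADM    CREATED=19.045
 DEFAULT-GROUP=TSOUSER  PASSDATE=21.100  PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 LAST-ACCESS=21.150/09:30:12
USER=NEWUSR   NAME=UNKNOWN             OWNER=SYSADM    CREATED=21.140
 DEFAULT-GROUP=TSOUSER  PASSDATE=00.000  PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 LAST-ACCESS=UNKNOWN
USER=FTPXFER  NAME=FTP SERVER XFER     OWNER=SYSADM    CREATED=18.001
 DEFAULT-GROUP=TSOUSER  PASSDATE=21.010  PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
 LAST-ACCESS=21.149/23:00:00
USER=SRVLINK  NAME=SERVER LINK ID      OWNER=SYSADM    CREATED=20.200
 DEFAULT-GROUP=TSOUSER  PASSDATE=21.050  PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
 LAST-ACCESS=21.150/02:15:00
USER=CICSSTC  NAME=CICS REGION STC     OWNER=STCADM    CREATED=18.001
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A     PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 LAST-ACCESS=21.150/00:01:00
"""

# KEY=VALUE pairs on one listing line; a value runs up to the next "  KEY=".
_FIELD = re.compile(r"([A-Z][A-Z-]*)=(.*?)(?=\s+[A-Z][A-Z-]*=|$)")


def parse_listuser(text):
    """Split a LISTUSER listing into one dict of fields per userid."""
    users = []
    for block in re.split(r"(?m)^(?=USER=)", text):
        if not block.startswith("USER="):
            continue
        fields = {}
        for line in block.splitlines():
            for key, value in _FIELD.findall(line):
                fields.setdefault(key, value.strip())
        users.append(fields)
    return users


def check_user(u, ftp_users=frozenset()):
    """(PDI, reason) tuples for one userid; an empty list means NO FINDING."""
    out = []
    protected = "PROTECTED" in u.get("ATTRIBUTES", "")
    # RACF0570: NAME, DEFAULT-GROUP and OWNER completed; PASSDATE only N/A when PROTECTED.
    if u.get("NAME", "UNKNOWN") in ("", "UNKNOWN"):
        out.append(("RACF0570", "NAME field not completed"))
    for key in ("DEFAULT-GROUP", "OWNER"):
        if not u.get(key):
            out.append(("RACF0570", f"{key} field missing"))
    if u.get("PASSDATE") == "N/A" and not protected:
        out.append(("RACF0570", "PASSDATE is N/A without the PROTECTED attribute"))
    elif u.get("PASSDATE") == "00.000":
        # Not a finding by itself: temporary password never replaced, review per the fix text.
        out.append(("REVIEW", "PASSDATE 00.000: temporary password never changed"))
    # RACF0580 covers interactive userids; a PROTECTED userid has no password and
    # cannot log on, so it is treated as non-interactive here (an assumption).
    if protected:
        return out
    if u.get("LAST-ACCESS", "UNKNOWN") == "UNKNOWN":
        out.append(("RACF0580", "LAST-ACCESS is UNKNOWN"))
    interval = u.get("PASS-INTERVAL", "N/A")
    if interval == "N/A":
        # PASSWORD(NOINTERVAL) is allowed only for FTP-only / server-to-server
        # userids identified in the FTPUSERS list or by FTP in the name field.
        if not (u["USER"] in ftp_users or "FTP" in u.get("NAME", "").upper()):
            out.append(("RACF0580", "PASSWORD(NOINTERVAL) on a userid not identified as FTP"))
    elif not (interval.isdigit() and 1 <= int(interval) <= 60):
        out.append(("RACF0580", f"PASS-INTERVAL {interval} is not within 1 to 60 days"))
    return out


def audit_listuser(text, ftp_users=frozenset()):
    """Map userid -> findings for a whole LISTUSER listing."""
    return {u["USER"]: check_user(u, ftp_users) for u in parse_listuser(text)}


if __name__ == "__main__":
    for userid, problems in audit_listuser(SAMPLE_LISTUSER).items():
        print(userid, "NO FINDING" if not problems else problems)
```

NEWUSR collects a RACF0570 finding (no name) and two RACF0580 findings (LAST-ACCESS UNKNOWN, 90-day interval) plus a review item for its unchanged temporary password, while SRVLINK is a RACF0580 finding only until it is listed in ftp_users.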

RACF batch jobs are improperly secured.
AC-3 - Medium - CCI-000213 - V-286 - SV-286r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0590
Vuln IDs
  • V-286
Rule IDs
  • SV-286r2_rule
Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-18030r1_chk

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- RACFCMDS.RPT(SETROPTS)
- SENSITVE.RPT(SURROGAT)
- RACFCMDS.RPT(LISTUSER)
Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids.
b) If the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, ensure the following items are in effect:
1) The SURROGAT resource class is active. Note: This does not need to be checked here; the automated check is performed in ZUSSR060.
2) Each batch job userid used for batch submission by a job scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example:
RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid)
3) Job scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example:
PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)
c) If all of the above in (b) are true, there is NO FINDING.
d) If any of the above in (b) is untrue, this is a FINDING.

Fix: F-17773r1_fix

Ensure the following:
1. Each batch job userid used for batch submission by a job scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example:
RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid)
2. Job scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example:
PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)

RACF batch jobs are not protected with propagation control.
AC-3 - Medium - CCI-000213 - V-287 - SV-287r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0600
Vuln IDs
  • V-287
Rule IDs
  • SV-287r2_rule
Batch jobs that are user-submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with the user for the purpose of accessing resources. In some environments, such as CICS, jobs submitted without the USER operand specified on the JOB statement run under a user ID other than that of the user submitting the job; in this case, the CICS userid. This situation presents a security violation in that the issuer of the job will inherit the authority of the CICS userid. The PROPCNTL class was designed to prevent this from occurring. Utilize propagation control (PROPCNTL) for system-level address spaces that submit jobs on behalf of users.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-19339r1_chk

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- RACFCMDS.RPT(SETROPTS)
- SENSITVE.RPT(PROPCNTL)
- RACFCMDS.RPT(LISTUSER)
Refer to a list of all Multiple User Access Systems in use on this system. These are systems that run in a single address space but allow multiple users to sign on to them (e.g., CICS regions, Session Managers, etc.). For each region, also include the corresponding userids, profiles, data management files, and a brief description (of each region).
Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids.
b) If (1) the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, and/or (2) Multiple User Single Address Space Systems (MUSASS) capable of submitting batch jobs are active on this system, ensure the following items are in effect:
1) The PROPCNTL resource class is active.
2) A PROPCNTL resource class profile is defined for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) and with each MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.).
c) If both of the above in (b) are true, there is NO FINDING.
d) If either of the above in (b) is untrue, this is a FINDING.

Fix: F-17803r1_fix

Add a PROPCNTL profile for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) or a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.). A sample command is shown here:
RDEF PROPCNTL controlm UACC(NONE) OWNER(ADMIN)

Started Tasks are not properly identified to RACF.
IA-2 - Medium - CCI-000764 - V-288 - SV-288r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
RACF0620
Vuln IDs
  • V-288
Rule IDs
  • SV-288r2_rule
Started procedures have system-generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-32969r1_chk

Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTUSER)
Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.
Started task procedures will have a unique associated userid, or STC userids will be unique per product and function if supported by vendor documentation.

Fix: F-29108r1_fix

Define a RACF STARTED class profile for each started proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command:
RDEF STARTED <procname>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(<userid>) GROUP(<groupname>) TRACE(YES))
A corresponding USERID must be defined with appropriate authority. The "groupname" should be a valid STC group with no interactive users.

Started Tasks are improperly defined to RACF.
IA-2 - Medium - CCI-000764 - V-289 - SV-289r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
RACF0650
Vuln IDs
  • V-289
Rule IDs
  • SV-289r2_rule
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources. If the started procedure is associated with an incorrect user or a user with higher than necessary authority, then a potential vulnerability exists.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-19603r1_chk

I. STC Group IDs
a) Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTGRP)
Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.
b) Ensure the following items are in effect:
1) All started task userids are connected to a valid STC group ID.
2) Only userids associated with STCs are connected to STC group IDs.
3) All STC userids are defined with the PROTECTED attribute.
c) If (b) above is true, there is NO FINDING.
d) If (b) above is untrue, this is a FINDING.
II. STC Default Profile
a) Ensure the following items are in effect:
1) A generic catch-all profile of ** is defined to the STARTED resource class.
2) The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations.
3) The STC userid associated with the ** profile is not granted any explicit data set or resource access authorizations and is defined with the RESTRICTED attribute.
NOTE: Execute the JCL in CNTL(IRRUT100) using the STC group associated with the ** profile as SYSIN input. This report lists all occurrences of this group within the RACF database, including data set and resource access lists.
b) If (a) above is true, there is NO FINDING.
c) If (a) above is untrue, this is a FINDING.
III. ICHRIN03 Entries
a) Verify that the ICHRIN03 started procedures table is maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted. Ensure that STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are maintained in ICHRIN03 to reflect the current STARTED resource class profiles.
b) If (a) above is true, there is NO FINDING.
c) If (a) above is untrue, this is a FINDING.

Fix: F-17988r1_fix

Review all STCs for compliance to Sections I, II, and III. Corrections can be made as follows. Note that the commands listed below are samples.
Section I
1. Connect a STC userid to a STC group. Sample command:
CO <stcuser> GROUP(<stcgroup>) OWNER(<stcgroup>)
2. If any non-STC userids are connected to a STC group, they should be removed. Sample command:
RE <nonstcuser> GROUP(<stcgroup>)
3. Set up STC userids with the PROTECTED attribute. Sample command:
ALU <stcuser> NOPASSWORD NOOIDCARD
Section II
1. Define a generic catch-all profile. Sample command:
RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES))
2. Run IRRUT100 against the group specified in the STARTED class ** profile. Remove this group from any access lists. Sample command:
PE <profile> CL(<classname>) ID(<#STCDFLT or alternate group name>) DEL
3. Set up the userid as Restricted with the command:
ALU <stcdflt> RESTRICTED
Remove it from any and all access lists using the same steps as found in the previous item.
Section III
The IBM z/OS Security Server RACF library documents procedures for updating ICHRIN03 (the RACF Started Procedures Table). With each SSOPAC release, the SSO includes an ICHRIN03 table that contains entries necessary for system recovery: JES2, VTAM, TSO, and the RACF subsystem. Evaluate the impact of the change and develop a plan of action to implement the changes as required.

DASD Management USERIDs must be properly controlled.
AC-3 - Medium - CCI-000213 - V-290 - SV-290r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0680
Vuln IDs
  • V-290
Rule IDs
  • SV-290r4_rule
DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions through use of the DASDVOL class (for non-SMS volumes) and/or through STGADMIN profiles in the FACILITY class for SMS-managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also be set up IAW RACF0595 for batch userids, which includes use of the PROTECTED attribute.
Information Assurance Officer
Checks: C-19567r2_chk

Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System Managed Storage.
Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
Refer to all documents and procedures that apply to Storage Management, including identification of the DASD backup data sets and associated storage management userids.
Review storage management userids. If the following guidance is true, this is not a finding.
___ Storage management userids will not be given the "OPERATIONS" attribute.
___ Storage management userids will be defined with the "PROTECTED" attribute.
___ Storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.
___ Storage management userids assigned to storage management tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using "DASDVOL" and/or "GDASDVOL" profiles for non-SMS-managed volumes.
NOTE: "DASDVOL" profiles will not work with SMS-managed volumes. "FACILITY" class profiles must be used instead. If "DFSMS/MVS" is used to perform DASD management operations, "FACILITY" class profiles may also be used to authorize storage management operations to non-SMS-managed volumes in lieu of using "DASDVOL" profiles. Therefore, not all volumes may be defined to the "DASDVOL/GDASDVOL" resource classes, and not all storage management userids may be represented in the profile access lists.

Fix: F-17961r2_fix

Note: This applies to non-SMS volumes. Please refer to the System Managed Storage group (i.e., ZSMSnnnn) for requirements for System Managed Storage.
Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required.
Ensure that storage management userids do not possess the "OPERATIONS" attribute. A sample command to accomplish this is shown here:
ALU <userid> NOOPERATIONS
Ensure that storage management userids possess the "PROTECTED" attribute. A sample command to accomplish this is shown here:
ALU <userid> NOPASS NOOIDCARD
Ensure that storage management userids are permitted to the appropriate "STGADMIN" profiles in the "FACILITY" class for SMS-managed volumes.
Ensure that storage management userids are permitted to the appropriate "DASDVOL" profiles for non-SMS-managed volumes.

There are started tasks defined to RACF with the trusted attribute that are not justified.
AC-3 - Medium - CCI-000213 - V-291 - SV-291r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0660
Vuln IDs
  • V-291
Rule IDs
  • SV-291r2_rule
Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks, which could then obtain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-18055r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- DSMON.RPT(RACSPT)
Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0660)
b) Ensure that only approved Started Tasks have the TRUSTED flag enabled. Started Tasks approved to run with the TRUSTED attribute are contained in the TRUSTED STARTED TASKS Table in the z/OS STIG Addendum.
c) Ensure that no Started Tasks have been granted the PRIVILEGED attribute.
d) If all of the above are true, there is NO FINDING.
e) If any of the above is untrue, this is a FINDING.

Fix: F-17255r1_fix

Review assignment of the TRUSTED attribute in ICHRIN03 and/or the STARTED resource class. If a started proc defined with the TRUSTED attribute exists that is not in the approved list of trusted started tasks as found in the TRUSTED STARTED TASKS Table in the z/OS STIG Addendum, then the TRUSTED attribute should be removed. The TRUSTED attribute can be removed from a STARTED class profile using the command:
RALT STARTED <profilename> STDATA(TRUSTED(NO))
If the STARTED class is RACLISTed, then a refresh command is necessary:
SETR RACL(STARTED) REFRESH
If any Started Tasks exist with the PRIVILEGED attribute, then take the following action to remove this attribute:
RALT STARTED <profilename> STDATA(PRIVILEGED(NO))
If the STARTED class is RACLISTed, then a refresh command is necessary:
SETR RACL(STARTED) REFRESH

Emergency USERIDs must be properly defined.
AC-4 - Medium - CCI-000035 - V-292 - SV-292r2_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
RACF0690
Vuln IDs
  • V-292
Rule IDs
  • SV-292r2_rule
Emergency USERIDs are necessary in the event of a system outage for recovery purposes. It is critical that those USERIDs be defined with the appropriate access to ensure timely restoration of services.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-38549r1_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(TSOUADS)
Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
Refer to the list from the IAO of all emergency userids available to the site along with the associated function of each userid.
At a minimum, an emergency logonid will exist with the security administration attributes specified in accordance with the following requirements. If the following guidance is not followed, this is a finding.
- At least one userid exists to perform RACF security administration. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute.
- If any userids exist to perform operating system functions, they are defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, and FULL access to all DASD volumes. They must not have the SPECIAL attribute.
NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list.
- All emergency userids are defined to RACF and SYS1.UADS.
- All emergency logonid(s) are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute.
- All emergency logonid(s) will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF.
- All emergency logonid(s) will have documented procedures to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the IAO. When an emergency logonid is released for use, its password is to be reset by the IAO within 12 hours.

Fix: F-33815r1_fix

The IAO will review the emergency USERIDs to ensure access granted only authorizes those resources required to support the specific functions of either DASD Recovery or System Administration.
Ensure the following items are in effect regarding emergency userids:
At a minimum, emergency userids will exist with the security administration attributes specified in accordance with the following requirements:
- Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both.
- Userids can be defined to perform operating system functions. Such userids must be defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, FULL access to all DASD volume resources, as well as the FACILITY Class STGADMIN profiles. They must not have the SPECIAL attribute.
NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list, since access lists override OPERATIONS.
- All emergency userids are defined to RACF and SYS1.UADS. See the TSO Command Reference for information on adding users to UADS.
- All emergency userids are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute via the command:
ALU <uid> UAUDIT
- All emergency userids will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF.
- All emergency userids will have documented procedures, such as a COOP Plan, to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the IAO. When an emergency userid is released for use, its password is to be reset by the IAO within 12 hours.

The use of the RACF SPECIAL Attribute is not justified.
AC-4 - Medium - CCI-000035 - V-293 - SV-293r3_rule
RMF Control
AC-4
Severity
Medium
CCI
CCI-000035
Version
RACF0710
Vuln IDs
  • V-293
Rule IDs
  • SV-293r3_rule
The SPECIAL user attribute allows full authorization to modify all profiles in the RACF database and allows the user to perform all RACF functions, except those requiring AUDITOR attributes. This privilege should be limited to the security group and administrators because of the extreme control that these users have. Users with this privilege can alter any profile or resource on the system and could also alter the audit trail information. The Group-Special attribute allows decentralized RACF control of datasets and resources. In cases where the scope of authority granted to a Group-Special Administrator has an impact on system security, the IAO needs to be fully aware and approve its use.
Information Assurance Officer
Checks: C-19431r2_chk

a) Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACUSR)
- DSMON.RPT(RACGRP)
- RACFCMDS.RPT(LISTUSER)
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0710)
b) Ensure the following items are in effect regarding the SPECIAL attribute:
1) Authorization to the SYSTEM SPECIAL attribute is restricted to security personnel.
2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups with the Group-SPECIAL attribute are security personnel. Otherwise, Group-SPECIAL is allowed.
c) If both items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-17832r1_fix

Review all USERIDs with the SPECIAL attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.
For the SYSTEM SPECIAL attribute, a sample command for removing the SPECIAL attribute is shown here:
ALU <userid> NOSPECIAL
For the GROUP SPECIAL attribute:
CO <user> GROUP(<groupname>) NOSPECIAL

Assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
AC-16 - Medium - CCI-002262 - V-294 - SV-294r3_rule
RMF Control
AC-16
Severity
Medium
CCI
CCI-002262
Version
RACF0720
Vuln IDs
  • V-294
Rule IDs
  • SV-294r3_rule
A user possessing the OPERATIONS attribute has authorization to do maintenance operations on all RACF-protected data sets, tape volumes, and DASD volumes except those where the access list specifically limits the OPERATIONS user to a lower access authority than the operation requires. Because the OPERATIONS and GROUP-OPERATIONS privileges allow widespread access, they should be limited to users documented with a valid requirement. Delegation of GROUP-OPERATIONS processing to other personnel by site-defined Group Administrators is forbidden.
Information Assurance Officer
Checks: C-19571r2_chk

a) Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACUSR)
- DSMON.RPT(RACGRP)
- RACFCMDS.RPT(LISTUSER)
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0720)
b) Ensure the following items are in effect regarding the OPERATIONS attribute:
1) Authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery.
2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups with the Group-OPERATIONS attribute are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery. Otherwise, Group-OPERATIONS is allowed.
c) If both items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-448r1_fix

Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. A sample command to remove the OPERATIONS attribute from a userid is shown here:
ALU <userid> NOOPERATIONS
To remove the Group-Operations attribute:
CO <user> GROUP(<groupname>) NOOPERATIONS

The use of the RACF AUDITOR privilege must be justified.
CM-6 - Medium - CCI-000366 - V-295 - SV-295r3_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RACF0730
Vuln IDs
  • V-295
Rule IDs
  • SV-295r3_rule
A user having the AUDITOR attribute has the authority to specify logging options, control the logging of SMF data, and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.
Information Assurance Officer
Checks: C-19592r2_chk

a) Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACUSR)
- DSMON.RPT(RACGRP)
- RACFCMDS.RPT(LISTUSER)
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0730)
b) Ensure the following items are in effect regarding the AUDITOR attribute:
1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel.
2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed.
c) If both items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-17981r1_fix

Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command:
ALU <userid> NOAUDITOR
To remove the Group-Auditor attribute:
CO <user> GROUP(<groupname>) NOAUDITOR
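The SPECIAL, OPERATIONS and AUDITOR checks (RACF0710, RACF0720, RACF0730) and the emergency userid rule in RACF0690 can be screened offline against the LISTUSER report before the manual review. The script below is an added example, not part of the STIG and not IBM or DISA tooling; it assumes RACFCMDS.RPT(LISTUSER) has the standard LISTUSER layout (USER=, ATTRIBUTES= and per-group CONNECT ATTRIBUTES= lines), and the userids, groups and personnel lists in it are constructed for the example.

```python
"""Screen LISTUSER output against the attribute rules RACF0690, RACF0710,
RACF0720 and RACF0730.  Added example; not IBM or DISA tooling."""
from dataclasses import dataclass, field

# Constructed sample in the shape of RACFCMDS.RPT(LISTUSER) output.
# Userids, names and groups are invented for this example.
SAMPLE_LISTUSER = """\
USER=SECADM1  NAME=SECURITY ADMIN      OWNER=SYS1      CREATED=18.123
 DEFAULT-GROUP=SYS1     PASSDATE=19.200 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL UAUDIT
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=18.123
    CONNECT ATTRIBUTES=NONE
USER=STGBAT1  NAME=STORAGE MGMT BATCH  OWNER=SYS1      CREATED=18.123
 DEFAULT-GROUP=STGADM   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=OPERATIONS PROTECTED
  GROUP=STGADM    AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=18.123
    CONNECT ATTRIBUTES=NONE
USER=EMERG01  NAME=EMERGENCY USERID    OWNER=SYS1      CREATED=18.123
 DEFAULT-GROUP=SYS1     PASSDATE=19.200 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=18.123
    CONNECT ATTRIBUTES=NONE
USER=APPDEV1  NAME=APPLICATION DEV     OWNER=SYS1      CREATED=18.123
 DEFAULT-GROUP=DEV      PASSDATE=19.200 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
  GROUP=SYS1      AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=18.123
    CONNECT ATTRIBUTES=SPECIAL
  GROUP=PAYROLL   AUTH=USE      CONNECT-OWNER=SYS1      CONNECT-DATE=18.123
    CONNECT ATTRIBUTES=AUDITOR
"""

# Rule id -> (attribute, personnel allowed to hold it per the STIG text)
RULES = {
    "RACF0710": ("SPECIAL", "security personnel"),
    "RACF0720": ("OPERATIONS", "key systems personnel"),
    "RACF0730": ("AUDITOR", "auditing and/or security personnel"),
}


@dataclass
class RacfUser:
    userid: str
    attributes: set = field(default_factory=set)  # system-level attributes
    connects: dict = field(default_factory=dict)  # group -> connect attributes


def parse_listuser(text):
    """Build RacfUser objects from LISTUSER-style text.  Only the USER=,
    ATTRIBUTES=, GROUP= and CONNECT ATTRIBUTES= lines are used; the value
    NONE means no attribute is set."""
    users, user, group = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("USER="):           # user header starts in column 1
            user = RacfUser(line.split()[0][len("USER="):])
            users.append(user)
            group = None
        elif user is None:
            continue
        elif line.startswith("ATTRIBUTES="):  # system-level attributes
            user.attributes = set(line[len("ATTRIBUTES="):].split()) - {"NONE"}
        elif line.startswith("GROUP="):       # start of a group connect entry
            group = line.split()[0][len("GROUP="):]
            user.connects.setdefault(group, set())
        elif line.startswith("CONNECT ATTRIBUTES=") and group:
            attrs = line[len("CONNECT ATTRIBUTES="):].split()
            user.connects[group] = set(attrs) - {"NONE"}
    return users


def check_attributes(users, authorized, sensitive_hlq_groups, emergency_userids):
    """authorized maps a rule id to the userids justified for its attribute
    (from the IAO's documentation).  Returns (rule, userid, message) findings;
    an empty list means no finding."""
    findings = []
    for u in users:
        for rule, (attr, who) in RULES.items():
            ok = authorized.get(rule, set())
            # system-level attribute is restricted to the listed personnel
            if attr in u.attributes and u.userid not in ok:
                findings.append((rule, u.userid, f"system-{attr} but not {who}"))
            # group-level attribute only matters on sensitive HLQ groups
            for grp, cattrs in u.connects.items():
                if attr in cattrs and grp in sensitive_hlq_groups and u.userid not in ok:
                    findings.append((rule, u.userid, f"Group-{attr} on sensitive group {grp}"))
        if u.userid in emergency_userids:
            # RACF0690: SPECIAL or OPERATIONS but never both, and UAUDIT set
            if {"SPECIAL", "OPERATIONS"} <= u.attributes:
                findings.append(("RACF0690", u.userid, "SPECIAL and OPERATIONS both present"))
            if "UAUDIT" not in u.attributes:
                findings.append(("RACF0690", u.userid, "UAUDIT attribute missing"))
    return findings


def run_sample():
    """Evaluate the constructed sample with constructed personnel lists."""
    authorized = {"RACF0710": {"SECADM1", "EMERG01"},
                  "RACF0720": {"STGBAT1", "EMERG01"},
                  "RACF0730": {"SECADM1"}}
    users = parse_listuser(SAMPLE_LISTUSER)
    return check_attributes(users, authorized, {"SYS1"}, {"EMERG01"})


if __name__ == "__main__":
    for rule, userid, msg in run_sample():
        print(f"{rule} FINDING {userid}: {msg}")
```

On the sample, EMERG01 is reported twice under RACF0690 (both attributes, no UAUDIT) and APPDEV1 once under RACF0710 for Group-SPECIAL on SYS1; the Group-AUDITOR connect to PAYROLL is allowed because PAYROLL is not a sensitive HLQ group.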

The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.
AC-3 - Medium - CCI-000213 - V-296 - SV-296r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0740
Vuln IDs
  • V-296
Rule IDs
  • SV-296r2_rule
BLP is extremely sensitive, as it allows the circumvention of security access checking for the data. When BLP is used in z/OS, the only verification that is done is for the data set name in the JCL. Any data set name can be used. A user could specify a data set name that he has access to, the job would pass the validation check, and the job would be processed, giving access to the data. BLP is typically used for tapes that are external to the tape management system used on the processor. BLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff. If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-409r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- DSMON.RPT(RACCDT)
b) Ensure the following items are in effect regarding bypass label processing (BLP):
1) The ICHBLP resource is defined to the FACILITY resource class with a UACC(NONE).
2) Access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.).
3) If no tape management system (e.g., CA-1) is installed, the TAPEVOL class is active.
c) If all items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-17983r1_fix

Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:
PE ICHBLP CL(FACILITY) ID(<userid>) DELETE
A subsequent REFRESH of the FACILITY class may be required via the command:
SETR RACL(FACILITY) REFRESH

TSOAUTH resources must be restricted to authorized users.
AC-3 - Medium - CCI-000213 - V-297 - SV-297r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZTSO0030
Vuln IDs
  • V-297
Rule IDs
  • SV-297r4_rule
The TSOAUTH resource class controls sensitive privileges, such as OPER, ACCOUNT, MOUNT, TESTAUTH, CONSOLE, and PARMLIB. Several of these privileges offer the ability, or provide a facility, to modify sensitive operating system resources. Failure to properly control and restrict access to these privileges may result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
Systems Programmer
Checks: C-3410r2_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ZTSO0030)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZTSO0030)
Ensure that all TSOAUTH resources and/or generic equivalent are properly protected according to the requirements specified. If the following guidance is true, this is not a finding.
___ The ACCT authorization is restricted to security personnel.
___ The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.), and READ access may be given to all users when SDSF is installed, at the IAO's discretion.
___ The MOUNT authorization is restricted to DASD batch users only.
___ The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.).
___ The PARMLIB authorization is restricted to only z/OS systems programming personnel, and READ access may be given to auditors.
___ The TESTAUTH authorization is restricted to only z/OS systems programming personnel.

Fix: F-27086r2_fix

Configure the TSOAUTH resource class to control sensitive TSO/E commands.
(Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)
Below are listed the access requirements for TSOAUTH resources. Ensure the guidelines for the resources and/or generic equivalent are followed.
- The ACCT authorization is restricted to security personnel.
- The CONSOLE authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.), and READ access may be given to all users when SDSF is installed, at the IAO's discretion.
- The MOUNT authorization is restricted to DASD batch users only.
- The OPER authorization is restricted to authorized systems personnel (e.g., systems programming personnel, operations staff, etc.).
- The PARMLIB authorization is restricted to only z/OS systems programming personnel, and READ access may be given to audit users.
- The TESTAUTH authorization is restricted to only z/OS systems programming personnel.

DASD Volume level protection must be properly defined.
AC-3 - Medium - CCI-000213 - V-298 - SV-298r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0760
Vuln IDs
  • V-298
Rule IDs
  • SV-298r4_rule
Volume access grants default access to all data sets residing on a given volume. This presents an exposure in the case of a data set improperly placed on a volume or inappropriate access being granted to a volume.
Information Assurance Officer
Checks: C-71889r2_chk

Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
Refer to all documents and procedures that apply to Storage Management, including identification of the DASD backup files and all associated storage management userids.
Ensure the following items are in effect regarding DASD volume controls:
- A profile of "**" is defined for the "DASDVOL" resource class.
- Access authorization to "DASDVOL" profiles is restricted to Storage Management Personnel, Storage Management Batch Userids, and Systems Programmers.
- All profiles defined to the "DASDVOL" resource class have "UACC(NONE)".
- The profile "WARNING" flag is "NO".
- All (i.e., failures and successes) access is logged.
NOTE: Volume authorization allows access to all data sets on the volume through the use of storage management utilities, regardless of data set profile authorization. Access to operating system and general user storage volumes should be questioned.
If all of the items are in effect regarding DASD volume controls, this is not a finding.
If any of the items are NOT in effect regarding DASD volume controls, this is a finding.

Fix: F-77819r2_fix

Develop a plan of action to implement the required changes. Define profiles in the "DASDVOL" class. A sample command is provided here:
RDEF DASDVOL ** UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ))
More specific "DASDVOL" profiles should be defined to protect groups of "DASDVOLs". A sample command to create a profile protecting all DASDVOLs beginning with "SYS" is provided here:
RDEF DASDVOL SYS* UACC(NONE) OWNER(<StgMgmtGrp>) AUDIT(ALL(READ))
Permission can be granted to "DASDVOL" profiles. A sample command is provided here:
PE SYS* CLASS(DASDVOL) ID(<syspaudt>) ACCESS(ALTER)
If any profiles are in "WARN" mode, they should be reset. A sample command is provided here:
RALT DASDVOL <profilename> NOWARN
Note that the "GDASDVOL" class can also be used. See the RACF Security Administrator's Guide for more information.

Sensitive Utility Controls will be properly defined and protected.
AC-3 - Medium - CCI-000213 - V-299 - SV-299r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0770
Vuln IDs
  • V-299
Rule IDs
  • SV-299r3_rule
Sensitive Utility Controls can run sensitive system privileges or controls, and potentially can circumvent system and security controls. Failure to properly control access to these resources could result in the compromise of the confidentiality, integrity, and availability of the operating system environment, system services, ACP, and customer data.
Information Assurance Officer
Systems Programmer
DCCS-1, DCCS-2
Checks: C-3259r2_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(RACF0770)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(RACF0770)
Ensure that all Sensitive Utilities resources and/or generic equivalent are properly protected according to the requirements specified in the Sensitive Utility Controls table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.
___ The RACF resource access authorizations restrict access to the appropriate personnel.
___ The RACF resource logging is correctly specified.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-18496r4_fix

The IAO will work with the systems programmer to verify that the following are properly specified in the ACP.
(Note: The resources and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)
Ensure that all Sensitive Utility Controls resources and/or generic equivalent are properly protected according to the requirements specified in the Sensitive Utility Controls table in the z/OS STIG Addendum. This table lists the resources, access requirements, and logging requirements for Sensitive Utilities. Ensure the following guidelines are followed:
- The RACF resources as designated in the above table are defined with a default access of NONE.
- The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table.
- The RACF resource rules for the resources designated in the above table specify UACC(NONE) and NOWARNING.
The following commands are provided as a sample for implementing resource controls:
RDEF PROGRAM AHLGTF ADDMEM('SYS1.LINKLIB'//NOPADCHK) -
  DATA('ADDED PER SRR PDI RACF0770 ') -
  AUDIT(ALL(READ)) UACC(NONE) OWNER(ADMIN)
PERMIT AHLGTF CLASS(PROGRAM) ID(stcgaudt)

External RACF Classes are not active for CICS transaction checking.
AC-3 - Medium - CCI-000213 - V-301 - SV-301r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCICR021
Vuln IDs
  • V-301
Rule IDs
  • SV-301r2_rule
Implement CICS transaction security by utilizing two distinct and unique RACF resource classes (i.e., member and grouping) within each CICS region. If several CICS regions are grouped in an MRO environment, it is permissible for those grouped regions to share a common pair of resource classes. Member classes contain a RACF discrete profile for each transaction. Grouping classes contain groups of transactions requiring equal protection under RACF. Ideally, member classes contain no profiles, and all transactions are defined by groups in a grouping class. If CICS Classes are not active, this could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-5456r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure each CICS transaction resource class pair is active.
c) If (b) is true, there is NO FINDING.
d) If (b) is untrue, this is a FINDING.

Fix: F-18500r1_fix

Review each CICS SIT to ensure each region has a unique resource class or resource prefix specified.
1. The resource classes are activated in RACF using the following command:
SETR CLASSACT(<classname>)

CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
CM-6 - Medium - CCI-000366 - V-302 - SV-7530r3_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZCIC0030
Vuln IDs
  • V-302
Rule IDs
  • SV-7530r3_rule
The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Information Assurance Officer
Checks: C-30781r4_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)
Refer to the following report produced by the CICS Data Collection:
- CICS.RPT(DFHSITxx)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
Refer to the CICS region SYSLOG (alternate source of SIT parameters). Be sure to process DFHSIT based on the order specified.
The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
- In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
- In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
- In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
Ensure the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region. If the following guidance is true, this is not a finding.
___ SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.
X’80’ EQU B’10000000’ External Security Requested
___ DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x’118’ from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.
___ XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.
X’04’ EQU B’00000100’ Surrogate User Checking required
___ SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x’124’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Ensure that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are the hex and bit settings for this flag:
X’01’ EQU 1 SIGNON SCOPE = NONE
X’02’ EQU 2 SIGNON SCOPE = CICS
X’03’ EQU 3 SIGNON SCOPE = MVSIMAGE
X’04’ EQU 4 SIGNON SCOPE = SYSPLEX
Note: SNSCOPE=NONE is only allowed with test/development regions.
___ XTRAN=YES|ssrrTRN - If XTRAN is not coded in the CICS region startup JCL, go to offset x’CA’ from the beginning of the SIT dump (record sequence number - 6) for a length of 7 bytes. The value will be the resource class name used for that region. If XTRAN=YES is coded, c’CICSTRN’ will be present.
___ SECPRFX=YES - If SECPRFX is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.
X’40’ EQU B’01000000’ Resource Prefix Required
If XTRAN=ssrrTRN is specified, resource prefixing (e.g., SECPRFX=YES) is not required to be enabled. Also, CICS regions cannot share the same resource class if resource prefixing is not active.

Fix: F-18683r7_fix

Ensure that CICS System Initialization Table (SIT) parameter values are specified using the following guidance.
The system initialization parameters are processed in the following order, with later system initialization parameter values overriding those specified earlier. CICS system initialization parameters are specified in the following ways:
- In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
- In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
- In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
SEC=YES - If SEC is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.
X’80’ EQU B’10000000’ External Security Requested <<===
X’40’ EQU B’01000000’ Resource Prefix Required
X’10’ EQU B’00010000’ RACLIST class APPCLU required
X’08’ EQU B’00001000’ ESM INSTLN data is required
X’04’ EQU B’00000100’ Surrogate User Checking required
X’02’ EQU B’00000010’ Always enact resource check
X’01’ EQU B’00000001’ Always enact command check
DFLTUSER=<parameter> - If DFLTUSER is not coded in the CICS region startup JCL, go to offset x’118’ from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.
XUSER=YES - If XUSER is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag.
X’80’ EQU B’10000000’ External Security Requested
X’40’ EQU B’01000000’ Resource Prefix Required
X’10’ EQU B’00010000’ RACLIST class APPCLU required
X’08’ EQU B’00001000’ ESM INSTLN data is required
X’04’ EQU B’00000100’ Surrogate User Checking required <<===
X’02’ EQU B’00000010’ Always enact resource check
X’01’ EQU B’00000001’ Always enact command check
SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX - If SNSCOPE is not coded in the CICS region startup JCL, go to offset x’124’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. Ensure that users cannot sign on to more than one CICS production region within the scope of a single CICS region, a single z/OS image, or a sysplex. Below are the hex settings for this flag:
X’01’ EQU 1 SIGNON SCOPE = NONE
X’02’ EQU 2 SIGNON SCOPE = CICS
X’03’ EQU 3 SIGNON SCOPE = MVSIMAGE
X’04’ EQU 4 SIGNON SCOPE = SYSPLEX
Note: SNSCOPE=NONE is only allowed with test/development regions.
XTRAN=YES|ssrrTRN - If XTRAN is not coded in the CICS region startup JCL, go to offset x’CA’ from the beginning of the SIT dump (record sequence number - 6) for a length of 7 bytes. The value will be the resource class name used for that region. If XTRAN=YES is coded, c’CICSTRN’ will be present.
SECPRFX=YES - If SECPRFX is not coded in the CICS region startup JCL, go to offset x’117’ from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. Below are the hex and bit settings for this flag, with the resource prefixing setting marked (<<===):
X’80’ EQU B’10000000’ External Security Requested
X’40’ EQU B’01000000’ Resource Prefix Required <<===
X’10’ EQU B’00010000’ RACLIST class APPCLU required
X’08’ EQU B’00001000’ ESM INSTLN data is required
X’04’ EQU B’00000100’ Surrogate User Checking required
X’02’ EQU B’00000010’ Always enact resource check
X’01’ EQU B’00000001’ Always enact command check
Note: If XTRAN=ssrrTRN is specified, resource prefixing (e.g., SECPRFX=YES) is not required to be enabled. Also, CICS regions cannot share the same resource class if resource prefixing is not active.
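The check and fix above read four fields out of the SIT dump and interpret individual bits of the security byte flag. The following added example (not part of the STIG) decodes those fields from a raw SIT record using the offsets quoted above and evaluates them against the SEC, XUSER, SNSCOPE, XTRAN and SECPRFX items; it assumes the character fields are EBCDIC (decoded here with code page cp037) and builds a constructed record rather than reading a real dump.

```python
# Added example (not from the STIG): decode the SIT security fields the check
# reads from a SIT dump and evaluate them against the ZCIC0030 items.
# Assumptions: the record is the raw SIT bytes with the offsets quoted in the
# check text, and character fields are EBCDIC (decoded here with cp037).

SIT_XTRAN_OFFSET = 0xCA           # 7 bytes: transaction resource class name
SIT_SECURITY_FLAG_OFFSET = 0x117  # 1 byte: security byte flag
SIT_DFLTUSER_OFFSET = 0x118       # 8 bytes: default userid
SIT_SNSCOPE_OFFSET = 0x124        # 1 byte: signon scope

# Bit meanings of the security byte flag, as listed in the fix text.
SEC_FLAG_BITS = {
    0x80: "External Security Requested",       # SEC=YES
    0x40: "Resource Prefix Required",          # SECPRFX=YES
    0x10: "RACLIST class APPCLU required",
    0x08: "ESM INSTLN data is required",
    0x04: "Surrogate User Checking required",  # XUSER=YES
    0x02: "Always enact resource check",
    0x01: "Always enact command check",
}
SNSCOPE_VALUES = {1: "NONE", 2: "CICS", 3: "MVSIMAGE", 4: "SYSPLEX"}


def decode_sit(record):
    """Extract the security-relevant SIT fields from a raw SIT record."""
    if len(record) < SIT_SNSCOPE_OFFSET + 1:
        raise ValueError("record too short to contain the SIT security fields")
    flag = record[SIT_SECURITY_FLAG_OFFSET]
    return {
        "SEC": bool(flag & 0x80),
        "SECPRFX": bool(flag & 0x40),
        "XUSER": bool(flag & 0x04),
        "security_flags": [name for bit, name in SEC_FLAG_BITS.items() if flag & bit],
        "DFLTUSER": record[SIT_DFLTUSER_OFFSET:SIT_DFLTUSER_OFFSET + 8].decode("cp037").rstrip(),
        "SNSCOPE": SNSCOPE_VALUES.get(record[SIT_SNSCOPE_OFFSET], "UNKNOWN"),
        "XTRAN": record[SIT_XTRAN_OFFSET:SIT_XTRAN_OFFSET + 7].decode("cp037").rstrip(),
    }


def evaluate_sit(fields, production=True):
    """Return the list of ZCIC0030 findings; an empty list means not a finding."""
    findings = []
    if not fields["SEC"]:
        findings.append("SEC=YES is not in effect (external security off)")
    if not fields["XUSER"]:
        findings.append("XUSER=YES is not in effect (no surrogate user checking)")
    if fields["SNSCOPE"] == "UNKNOWN":
        findings.append("SNSCOPE byte holds an unrecognised value")
    elif fields["SNSCOPE"] == "NONE" and production:
        findings.append("SNSCOPE=NONE is only allowed for test/development regions")
    # SECPRFX=YES is required unless XTRAN names a region-specific class (ssrrTRN);
    # with XTRAN=YES the shared class CICSTRN is in use and prefixing is mandatory.
    if not fields["SECPRFX"] and fields["XTRAN"] == "CICSTRN":
        findings.append("SECPRFX=YES is required when XTRAN=YES (shared class CICSTRN)")
    return findings


def build_sample_record(sec_flag, dfltuser, snscope, xtran):
    """Construct a SIT-like record for demonstration; this is not a real dump."""
    buf = bytearray(0x130)
    buf[SIT_XTRAN_OFFSET:SIT_XTRAN_OFFSET + 7] = xtran.ljust(7)[:7].encode("cp037")
    buf[SIT_SECURITY_FLAG_OFFSET] = sec_flag
    buf[SIT_DFLTUSER_OFFSET:SIT_DFLTUSER_OFFSET + 8] = dfltuser.ljust(8)[:8].encode("cp037")
    buf[SIT_SNSCOPE_OFFSET] = snscope
    return bytes(buf)


if __name__ == "__main__":
    compliant = build_sample_record(0x80 | 0x40 | 0x04, "CICSUSER", 3, "CICSTRN")
    print(decode_sit(compliant)["security_flags"], evaluate_sit(decode_sit(compliant)))
    weak = build_sample_record(0x80, "CICSUSER", 1, "CICSTRN")
    for finding in evaluate_sit(decode_sit(weak)):
        print("FINDING:", finding)
```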

Configuration files for the TCP/IP stack are not properly specified.
CM-6 - Medium - CCI-000366 - V-3215 - SV-3215r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ITCP0010
Vuln IDs
  • V-3215
Rule IDs
  • SV-3215r2_rule
The TCP/IP stack reads two configuration files to determine values for critical operational parameters. These file names are specified in multiple locations and, depending on the process, are referenced differently. Because system security is impacted by some of the parameter settings, specifying the file names explicitly in each location reduces ambiguity and ensures proper operations. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-20025r1_chk

a) Display the active started tasks executing on the domain using SDSF, or an equivalent JES display product, and locate the TCPIP started task. If TCPIP is inactive, review the procedure libraries defined to JES2 and locate the TCPIP JCL member.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITCP0010)
b) Ensure the following items are in effect for the TCPIP started task JCL:
1) The PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively.
2) The RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement.
c) If both of the above are true, there is NO FINDING.
d) If either of the above is untrue, this is a FINDING.

Fix: F-18175r1_fix

Review the TCP/IP started task JCL to ensure the configuration file names are specified on the appropriate DD statements and parameter option.
During initialization the TCP/IP stack uses fixed search sequences to locate the PROFILE.TCPIP and TCPIP.DATA files. However, uncertainty is reduced and security auditing is enhanced by explicitly specifying the locations of the files. In the TCP/IP started task’s JCL, Data Definition (DD) statements can be used to specify the locations of the files. The PROFILE DD statement identifies the PROFILE.TCPIP file and the SYSTCPD DD statement identifies the TCPIP.DATA file.
The location of the TCPIP.DATA file can also be specified by coding the RESOLVER_CONFIG environment variable as a parameter of the ENVAR option in the TCP/IP started task’s JCL. In fact, the value of this variable is checked before the SYSTCPD DD statement by some processes. However, not all processes (e.g., the TN3270 Telnet Server) will access the variable to get the file location. Therefore, specifying the file location explicitly, both on a DD statement and through the RESOLVER_CONFIG environment variable, reduces ambiguity.
The systems programmer responsible for supporting ICS will ensure that the TCP/IP started task’s JCL specifies the PROFILE and SYSTCPD DD statements for the PROFILE.TCPIP and TCPIP.DATA configuration files, and that the TCP/IP started task’s JCL includes the RESOLVER_CONFIG variable, set to the name of the file specified on the SYSTCPD DD statement.

TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.
CM-6 - Medium - CCI-000366 - V-3216 - SV-3216r4_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ITCP0020
Vuln IDs
  • V-3216
Rule IDs
  • SV-3216r4_rule
During the initialization of TCP/IP servers and clients, the TCPIP.DATA configuration file provides information that is essential for proper operations of TCP/IP applications. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
Checks: C-3121r2_chk

Refer to the Data configuration file specified on the SYSTCPD DD statement in the TCPIP started task JCL.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITCP0020)
Verify that the following configuration statements are specified in the TCP/IP Data configuration file. If the following guidance is true, this is not a finding.
- TCPIPJOBNAME
- HOSTNAME
- DOMAINORIGIN/DOMAIN (the DOMAIN statement is functionally equivalent to the DOMAINORIGIN statement)
- DATASETPREFIX

Fix: F-35824r2_fix

Review the configuration statements in the TCPIP.DATA file and ensure they conform to the specifications below:
- TCPIPJOBNAME - Specifies the job name of the TCP/IP address space. This name is also used as part of the name of some network security resources.
- HOSTNAME - Specifies the TCP/IP host portion of the DNS name of the system.
- DOMAINORIGIN/DOMAIN - Specifies the default domain name used for DNS searches.
- DATASETPREFIX - Specifies the high-level qualifier to be used to dynamically allocate other configuration data sets.
The TCPIP.DATA file acts as the anchor configuration data set for the TCP/IP stack and all TCP/IP servers and clients running in z/OS. During the initialization of TCP/IP servers and clients, the TCPIP.DATA file provides basic information that is essential for proper operation. The above TCPIP.DATA configuration parameters provide crucial information to TCP/IP applications.

PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
CM-6 - Medium - CCI-000366 - V-3217 - SV-3217r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ITCP0030
Vuln IDs
  • V-3217
Rule IDs
  • SV-3217r2_rule
The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TCP/IP stack. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-20027r1_chk

a) Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITCP0030)
b) Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file:
NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.
1) The SMFPARMS statement is not coded or is commented out.
2) The DELETE statement is not coded or is commented out for production systems.
3) The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands.
4) The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand.
NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance in STIG ID ITCP0070.
c) If all of the above are true, there is NO FINDING.
d) If any of the above is untrue, this is a FINDING.

Fix: F-18178r1_fix

Review the configuration statements in the PROFILE.TCPIP file and ensure they conform to the specifications below.
Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file:
NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.
1) The SMFPARMS statement is not coded or is commented out.
2) The DELETE statement is not coded or is commented out for production systems.
3) The SMFCONFIG statement is coded with (at least) the FTPCLIENT and TN3270CLIENT operands.
4) The TCPCONFIG and UDPCONFIG statements are coded with (at least) the RESTRICTLOWPORTS operand.
NOTE: If the INCLUDE statement is coded, the data set specified will be checked for access authorization compliance in STIG ID ITCP0070.
BASE TCP/IP PROFILE.TCPIP CONFIGURATION STATEMENTS
Statement - Description - Function
INCLUDE - Specifies the name of an MVS data set that contains additional PROFILE.TCPIP statements to be used - Alters the configuration specified by previous statements
SMFPARMS - Specifies SMF logging options for some TCP applications; replaced by SMFCONFIG - Controls collection of audit data
DELETE - Specifies some previous statements, including PORT and PORTRANGE, that are to be deleted - Alters the configuration specified by previous statements
SMFCONFIG - Specifies SMF logging options for Telnet, FTP, TCP, API, and stack activity - Controls collection of audit data
TCPCONFIG - Specifies various settings for the TCP protocol layer of TCP/IP - Controls port access
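The four ITCP0030 items, including the note that INCLUDE data sets must be examined too, can be evaluated mechanically. The following added example (not the STIG's or IBM's code) does so with a deliberately simplified tokenizer: it assumes a semicolon starts a comment, splits statements on a fixed keyword list, and takes INCLUDE members from a caller-supplied loader instead of MVS data sets; the sample profiles are constructed for the example.

```python
# Added example (not from the STIG): check a PROFILE.TCPIP text against the
# four ITCP0030 items, expanding INCLUDE statements through a loader callback.
# Assumptions: ';' begins a comment, statements start at one of the keywords
# below (a real profile has more; extend the set as needed), and INCLUDE
# operands are looked up with loader(name) rather than read from MVS.

STATEMENT_KEYWORDS = {
    "INCLUDE", "SMFPARMS", "SMFCONFIG", "DELETE", "TCPCONFIG", "UDPCONFIG",
    "IPCONFIG", "GLOBALCONFIG", "PORT", "PORTRANGE", "NETACCESS", "ENDNETACCESS",
    "AUTOLOG", "ENDAUTOLOG", "HOME", "DEVICE", "LINK", "START", "SACONFIG",
    "TELNETPARMS", "ENDTELNETPARMS", "BEGINVTAM", "ENDVTAM",
}


def strip_comments(text):
    """Drop everything from ';' to end of line, keeping line structure."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_statements(text, loader=None, _depth=0):
    """Return [(keyword, [operands])] with INCLUDE statements expanded in place."""
    tokens = strip_comments(text).upper().split()
    statements = []
    current = None
    for tok in tokens:
        # DELETE names the statement it removes, so its first operand may itself
        # be a keyword (e.g. DELETE PORT 21 ...): keep that token as an operand.
        deleting = current is not None and current[0] == "DELETE" and not current[1]
        if tok in STATEMENT_KEYWORDS and not deleting:
            current = (tok, [])
            statements.append(current)
        elif current is not None:
            current[1].append(tok)
    expanded = []
    for kw, ops in statements:
        if kw == "INCLUDE" and ops:
            if loader is None or _depth > 8:
                raise ValueError(f"cannot expand INCLUDE {ops[0]}")
            expanded.extend(parse_statements(loader(ops[0]), loader, _depth + 1))
        else:
            expanded.append((kw, ops))
    return expanded


def check_profile(text, loader=None, production=True):
    """Return the list of ITCP0030 findings; an empty list means not a finding."""
    by_kw = {}
    for kw, ops in parse_statements(text, loader):
        by_kw.setdefault(kw, []).append(ops)
    findings = []
    if "SMFPARMS" in by_kw:
        findings.append("1) SMFPARMS is coded (superseded by SMFCONFIG)")
    if production and "DELETE" in by_kw:
        findings.append("2) DELETE is coded on a production system")
    smf_ops = {op for ops in by_kw.get("SMFCONFIG", []) for op in ops}
    missing = {"FTPCLIENT", "TN3270CLIENT"} - smf_ops
    if missing:
        findings.append("3) SMFCONFIG lacks " + ", ".join(sorted(missing)))
    for kw in ("TCPCONFIG", "UDPCONFIG"):
        ops = {op for o in by_kw.get(kw, []) for op in o}
        if "RESTRICTLOWPORTS" not in ops:
            findings.append(f"4) {kw} does not specify RESTRICTLOWPORTS")
    return findings


# Constructed sample profiles; data set names are placeholders, not real ones.
SAMPLE_PROFILE = """\
; Constructed compliant PROFILE.TCPIP for this example.
SMFCONFIG TYPE119 FTPCLIENT TN3270CLIENT
TCPCONFIG RESTRICTLOWPORTS
          TCPSENDBFRSIZE 65535 ; operands may continue on the next line
UDPCONFIG RESTRICTLOWPORTS
; SMFPARMS 0 0 0 0     commented out, so item 1 is satisfied
INCLUDE TCPIP.PARMS.CONSTRUCTED(PORTS)
"""
SAMPLE_INCLUDES = {
    "TCPIP.PARMS.CONSTRUCTED(PORTS)": "PORT 21 TCP FTPD1 SAF FTP\nPORT 23 TCP TN3270 SAF TN3270\n",
}
BAD_PROFILE = """\
; Constructed non-compliant PROFILE.TCPIP for this example.
SMFPARMS 0 0 0 0
SMFCONFIG FTPCLIENT
TCPCONFIG RESTRICTLOWPORTS
UDPCONFIG UDPCHKSUM
INCLUDE TCPIP.PARMS.CONSTRUCTED(BAD)
"""
BAD_INCLUDES = {"TCPIP.PARMS.CONSTRUCTED(BAD)": "DELETE PORT 21 TCP FTPD1\n"}

if __name__ == "__main__":
    print("compliant:", check_profile(SAMPLE_PROFILE, SAMPLE_INCLUDES.__getitem__))
    for finding in check_profile(BAD_PROFILE, BAD_INCLUDES.__getitem__):
        print("FINDING:", finding)
```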

The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
AC-3 - Medium - CCI-000213 - V-3218 - SV-3218r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ITCP0040
Vuln IDs
  • V-3218
Rule IDs
  • SV-3218r4_rule
HFS directories and files of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20028r2_chk

Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ITCP0040)
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ZTCP0040)
The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table. If the guidance is true, this is not a finding.
BASE TCP/IP HFS Object Security Settings
File - Permission Bits - User Audit Bits
/etc/hosts 0744 faf
/etc/protocol 0744 faf
/etc/resolv.conf 0744 faf
/etc/services 0740 faf
/usr/lpp/tcpip/sbin 0755 faf
/usr/lpp/tcpip/bin 0755 faf
NOTE: Some of the files listed above are not used in every configuration. Absence of any of the files is not considered a finding.
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-18179r3_fix

The IAO, with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS directories and files for the Base TCP/IP component. Ensure they conform to the specifications in the BASE TCP/IP HFS Object Security Settings below:
BASE TCP/IP HFS Object Security Settings
File - Permission Bits - User Audit Bits
/etc/hosts 0744 faf
/etc/protocol 0744 faf
/etc/resolv.conf 0744 faf
/etc/services 0740 faf
/usr/lpp/tcpip/sbin 0755 faf
/usr/lpp/tcpip/bin 0755 faf
Some of the files listed above (e.g., /etc/resolv.conf) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all directories and files that do exist will have the specified permission and audit bit settings.
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing
The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 0744 /etc/hosts
chaudit w=sf,rx+f /etc/hosts
chmod 0744 /etc/protocol
chaudit w=sf,rx+f /etc/protocol
chmod 0744 /etc/resolv.conf
chaudit w=sf,rx+f /etc/resolv.conf
chmod 0740 /etc/services
chaudit w=sf,rx+f /etc/services
chmod 0755 /usr/lpp/tcpip/bin
chaudit w=sf,rx+f /usr/lpp/tcpip/bin
chmod 0755 /usr/lpp/tcpip/sbin
chaudit w=sf,rx+f /usr/lpp/tcpip/sbin
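"Match or are more restrictive" is the part of ITCP0040 reviewers most often get wrong by hand. The following added example (not the STIG's code) encodes the table above and evaluates a constructed inventory against it, treating "more restrictive" as "no permission bit set that the table does not allow" and ordering audit letters as read, write, execute with `-` < `f` < `a`; those interpretations, and the in-memory inventory standing in for stat() and audit-bit output, are assumptions. It also regenerates the chmod/chaudit lines in the form the fix text uses.

```python
# Added example (not from the STIG): evaluate HFS permission and user-audit
# bits for the Base TCP/IP objects against the ITCP0040 table.
# Assumptions: "more restrictive" = bitwise subset of the allowed permission
# bits; audit string positions are read, write, execute; inventory is an
# in-memory dict constructed for the example rather than live stat()/chaudit data.

# Required settings from the table: path -> (permission bits, user audit bits)
REQUIRED = {
    "/etc/hosts": (0o744, "faf"),
    "/etc/protocol": (0o744, "faf"),
    "/etc/resolv.conf": (0o744, "faf"),
    "/etc/services": (0o740, "faf"),
    "/usr/lpp/tcpip/sbin": (0o755, "faf"),
    "/usr/lpp/tcpip/bin": (0o755, "faf"),
}
AUDIT_RANK = {"-": 0, "f": 1, "a": 2}  # none < failures < failures and successes


def perms_ok(actual, required):
    """True when every permission bit set in actual is also allowed by required.
    Only the low 12 bits are compared, so st_mode values can be passed directly;
    an extra setuid/setgid/sticky bit therefore also counts as a finding."""
    return (actual & 0o7777) & ~required == 0


def audit_ok(actual, required):
    """True when each of r/w/x is audited at least as strictly as required."""
    if len(actual) != 3 or any(c not in AUDIT_RANK for c in actual):
        raise ValueError(f"bad audit string {actual!r}")
    return all(AUDIT_RANK[a] >= AUDIT_RANK[r] for a, r in zip(actual, required))


def evaluate(inventory):
    """inventory: {path: (mode, audit)} for objects that exist; returns findings.
    Objects absent from the inventory are skipped (absence is not a finding)."""
    findings = []
    for path, (req_mode, req_audit) in REQUIRED.items():
        if path not in inventory:
            continue
        mode, audit = inventory[path]
        if not perms_ok(mode, req_mode):
            findings.append(f"{path}: permissions {mode & 0o7777:04o} exceed {req_mode:04o}")
        if not audit_ok(audit, req_audit):
            findings.append(f"{path}: audit bits {audit} weaker than {req_audit}")
    return findings


def remediation(path):
    """chmod/chaudit lines in the form the fix text uses (table letters 'a' and 'f').
    For 'faf' this yields 'w=sf,rx+f', matching the commands listed above."""
    mode, audit = REQUIRED[path]
    groups = {}
    for perm, letter in zip("rwx", audit):
        groups[letter] = groups.get(letter, "") + perm
    parts = []
    if "a" in groups:
        parts.append(f"{groups['a']}=sf")
    if "f" in groups:
        parts.append(f"{groups['f']}+f")
    return [f"chmod {mode:04o} {path}", f"chaudit {','.join(parts)} {path}"]


# Constructed inventory: modes as st_mode-style values (0o100000 = regular file,
# 0o040000 = directory); audit strings as the reviewer would read them.
SAMPLE_INVENTORY = {
    "/etc/hosts": (0o100644, "faf"),            # tighter than 0744: fine
    "/etc/services": (0o100750, "faf"),         # adds group execute: finding
    "/usr/lpp/tcpip/bin": (0o040755, "f-f"),    # write access unaudited: finding
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_INVENTORY):
        print("FINDING:", finding)
    print("\n".join(remediation("/etc/services")))
```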

TCP/IP resources must be properly protected.
AC-3 - Medium - CCI-000213 - V-3219 - SV-7083r5_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ITCP0050
Vuln IDs
  • V-3219
Rule IDs
  • SV-7083r5_rule
The Communication Server access authorization is used to protect TCP/IP resources such as stack, network, port, and other SERVAUTH resources. These resources provide additional security checks for TCP/IP users. Failure to properly secure these TCP/IP resources could lead to unauthorized user access resulting in the compromise of some system services and possible compromise of data.
Information Assurance Officer
Checks: C-20329r7_chk

Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ITCP0050)
Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ITCP0050)
Ensure that all TCP/IP resources and/or generic equivalent are properly protected according to the requirements specified. If the following guidance is true, this is not a finding.
___ The EZA, EZB, and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE).
___ No access is given to the EZA, EZB, and IST high level resources of the SERVAUTH resource class.
___ If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class.
___ If the product CSSMTP is on the system, EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services.
___ Authenticated users that require access will be permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.
___ The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements.
___ The EZB.FTP.*.*.ACCESS.HFS resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and directories.

Fix: F-18270r10_fix

The IAO must develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources.
(Note: The resource class, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource class, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product’s installation guide and can be site specific.)
- Ensure that the EZA, EZB, and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE).
- No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class.
- If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services.
- Only authenticated users that require access are permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.
- The EZB.STACKACCESS. resource access authorizations restrict access to those started tasks with valid requirements and users with valid FTP access requirements.
- The EZB.FTP.*.*.ACCESS.HFS resource access authorizations restrict access to FTP users with specific written documentation showing a valid requirement exists to access OMVS files and directories.
The following commands are provided as a sample for implementing resource controls:
RDEF SERVAUTH EZB.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.CSSMTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.CSSMTP.sysname.writername.JESnode UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.FTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.NETACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.PORTACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.STACKACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
PE EZB.CSSMTP.sysname.writername.JESnode CL(SERVAUTH) ID(authusers) ACC(READ)
PE EZB.FTP.** CL(SERVAUTH) ID(authusers) ACC(READ)
PE EZB.FTP.sysname.ftpstc.ACCESS.HFS CL(SERVAUTH) ID(ftpprofile) ACC(READ)
PE EZB.NETACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ)
PE EZB.PORTACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ)
PE EZB.STACKACCESS.** CL(SERVAUTH) ID(authusers) ACC(READ)
PE EZB.STACKACCESS.sysname.TCPIP CL(SERVAUTH) ID(ftpprofile) ACC(READ)
The following notes apply to these controls:
- READ access to EZB.STACKACCESS.sysname.TCPIP should be limited to only those started tasks that require access to the TCPIP stack, as well as any users approved for FTP access (inbound and/or outbound). FTP users should not have access to the EZB.FTP.sysname.ftpstc.ACCESS.HFS resource unless specific written justification documents a valid requirement for those FTP users to access USS files and directories via FTP.
- To be effective in restricting access, the network (EZB.NETACCESS) resource control requires configuration of the NETACCESS statement in the PROFILE.TCPIP file.
- To be effective in restricting access, the port (EZB.PORTACCESS) resource control requires configuration of a PORT or PORTRANGE statement in the PROFILE.TCPIP file. These port definitions within PROFILE.TCPIP shall be defined to include the SAF keyword and a valid name.
A list of possible SERVAUTH resources defined to the first two nodes is shown here (note that additional resources may be developed with each new release of TCP/IP):
EZA.DCAS.
EZB.BINDDVIPARANGE.
EZB.CIMPROV.
EZB.FRCAACCESS.
EZB.FTP.
EZB.INITSTACK.
EZB.IOCTL.
EZB.IPSECCMD.
EZB.MODDVIPA.
EZB.NETACCESS.
EZB.NETMGMT.
EZB.NETSTAT.
EZB.NSS.
EZB.NSSCERT.
EZB.OSM.
EZB.PAGENT.
EZB.PORTACCESS.
EZB.RPCBIND.
EZB.SOCKOPT.
EZB.SNMPAGENT.
EZB.STACKACCESS.
EZB.TN3270.
IST.NETMGMT.

Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
IA-2 - Medium - CCI-000764 - V-3220 - SV-7087r3_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ITCP0060
Vuln IDs
  • V-3220
Rule IDs
  • SV-7087r3_rule
The TCP/IP started tasks require special privileges and access to sensitive resources to provide their system services. Failure to properly define and control these TCP/IP started tasks could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Information Assurance Officer
Checks: C-20344r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACSPT)
b) Ensure the following items are in effect for the userid(s) assigned to the TCP/IP address space(s):
1) Named TCPIP or, in the case of multiple instances, prefixed with TCPIP
2) Defined as a PROTECTED userid
3) z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh
4) A matching entry in the STARTED resource class exists enabling the use of the standard userid(s) and appropriate group
c) Ensure the following items are in effect for the userid assigned to the EZAZSSI started task:
1) Named EZAZSSI
2) Defined as a PROTECTED userid
3) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group.
d) If all of the items in (b) and (c) are true, there is NO FINDING.
e) If any item in (b) or (c) is untrue, this is a FINDING.

Fix: F-18283r1_fix

Develop a plan of action to implement the required changes.
1) Define a userid for the TCPIP address space. A sample command is shown here:
ADDUSER TCPIP NAME('STC, TCPIP') NOPASS DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
2) Define a matching entry in the STARTED class. A sample command is shown here:
RDEFINE STARTED TCPIP.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(TCPIP) GROUP(STCTCPX) TRACE(YES))
3) Set up the RACF userid for the EZAZSSI proc. A sample command to accomplish this is shown here:
AU EZAZSSI NAME('STC, EZAZSSI') NOPASS OWNER(STCTCPX) DFLTGRP(STCTCPX)
4) Define a matching entry in the STARTED class for the EZAZSSI proc. A sample command to accomplish this is shown here:
RDEF STARTED EZAZSSI.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(EZAZSSI) GROUP(STCTCPX) TRACE(YES))

MVS data sets for the Base TCP/IP component are not properly protected.
AC-3 - Medium - CCI-000213 - V-3221 - SV-3221r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ITCP0070
Vuln IDs
  • V-3221
Rule IDs
  • SV-3221r2_rule
MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Information Assurance Officer
Systems Programmer
DCCS-1, DCCS-2, ECCD-1
Checks: C-3138r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(TCPRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ITCP0070)
b) Ensure the following data set controls are in effect for the Base TCP/IP component:
1) WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).
2) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.
NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.
3) WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.
NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.
4) WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.
c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.
NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.

Fix: F-18180r1_fix

Review with the IAO the data set access authorizations defined to the ACP for the Base TCP/IP component. Ensure these data sets are protected in accordance with the following rules:
- WRITE and ALLOCATE access to product data sets is restricted to systems programming personnel (i.e., SMP/E distribution data sets with the prefix SYS1.TCPIP.AEZA and target data sets with the prefix SYS1.TCPIP.SEZA).
- WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is restricted to systems programming personnel.
NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same access authorization requirements.
- WRITE and ALLOCATE access to the data set(s) containing the Data and Profile configuration files is logged.
NOTE: If any INCLUDE statements are specified in the Profile configuration file, the named MVS data sets have the same logging requirements.
- WRITE and ALLOCATE access to the data set(s) containing the configuration files shared by TCP/IP applications is restricted to systems programming personnel.
NOTE: For systems running the TSS ACP, replace WRITE and ALLOCATE with WRITE, UPDATE, CREATE, CONTROL, SCRATCH, and ALL.

b
PROFILE.TCPIP configuration statements for the TN3270 Telnet Server must be properly specified.
IA-2 - Medium - CCI-000764 - V-3222 - SV-3222r3_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ITNT0010
Vuln IDs
  • V-3222
Rule IDs
  • SV-3222r3_rule
The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server. Several of these parameters have potential impact to system security. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
Checks: C-21105r2_chk

a) Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

Automated Analysis requires Additional Analysis.

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITNT0010)

b) Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file:

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

TELNETGLOBALS Block (only one defined)
1) The KEYRING statement, if used, is only coded within the TELNETGLOBALS statement block.
2) The KEYRING statement, if used, specifies the SAF parameter.

TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992)
1) The TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900.
NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBALS and TELNETPARMS statement blocks.
2) The TELNETPARMS TKOSPECLURECON statement is not coded or is commented out.

BEGINVTAM Block (one or more defined)
1) The BEGINVTAM RESTRICTAPPL statement is not coded or is commented out.

c) If all of the above are true, there is NO FINDING.

d) If any of the above is untrue, this is a FINDING.

Fix: F-18202r1_fix

Review the configuration statements in the PROFILE.TCPIP file and ensure they conform to the specifications below:

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

The KEYRING statement, if used, is only coded within the TELNETGLOBALS statement block.

The KEYRING statement, if used, specifies the SAF parameter.

TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992)

The TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900. INACTIVE statements should not be coded with a value greater than 900 or with 0; 0 disables the inactivity timer check.
NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBALS and TELNETPARMS statement blocks.

The TELNETPARMS TKOSPECLURECON statement should not be coded, or it should be commented out.

BEGINVTAM Block (one or more defined)

The BEGINVTAM RESTRICTAPPL statement is not coded, or it should be commented out.

b
VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
CM-6 - Medium - CCI-000366 - V-3223 - SV-3223r4_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ITNT0020
Vuln IDs
  • V-3223
Rule IDs
  • SV-3223r4_rule
After a connection from a Telnet client to the TN3270 Telnet Server has been established, the process of session setup with a VTAM application occurs. A number of BEGINVTAM statements must be coded in a specific configuration to ensure adequate control to VTAM applications is maintained. Failure to code the appropriate statements could result in unauthorized access to the host and application resources. This exposure may impact data integrity or the availability of some system services.
Systems Programmer
Checks: C-20049r2_chk

a) Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

Automated Analysis requires Additional Analysis.

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITNT0020)

b) Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file:

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

1) Within each BEGINVTAM statement block, one BEGINVTAM USSTCP statement is coded that specifies only the table name operand. No client identifier, such as host name or IP address, is specified, so the statement applies to all connections not otherwise controlled.

2) The USS table specified on each “back stop” USSTCP statement mentioned in Item (1) above is coded to allow access only to session manager applications and NC PASS applications.

3) Within each BEGINVTAM statement block, additional BEGINVTAM USSTCP statements that specify a USS table that allows access to other applications may be coded only if the statements include a client identifier operand that references only secure terminals.

4) Any BEGINVTAM DEFAULTAPPL statement that does not specify a client identifier, or specifies any type of client identifier that would apply to unsecured terminals, specifies a session manager application or an NC PASS application as the application name.

5) Any BEGINVTAM LUMAP statement, if used with the DEFAPPL operand and applied to unsecured terminals, specifies only a session manager application or an NC PASS application.

NOTE: The BEGINVTAM LINEMODEAPPL requirements will not be reviewed at this time. Further testing must be performed to determine how the CL/Supersession and NC-PASS applications work with line mode.

c) If all of the above are true, there is NO FINDING.

d) If any of the above is untrue, this is a FINDING.

Fix: F-18187r1_fix

Review the BEGINVTAM configuration statements in the PROFILE.TCPIP file. Ensure they conform to the specifications below.

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

Within each BEGINVTAM statement block, one BEGINVTAM USSTCP statement is coded that specifies only the table name operand. No client identifier, such as host name or IP address, is specified, so the statement applies to all connections not otherwise controlled.

The USS table specified on each “back stop” USSTCP statement mentioned above is coded to allow access only to session manager applications and NC PASS applications.

Within each BEGINVTAM statement block, additional BEGINVTAM USSTCP statements that specify a USS table that allows access to other applications may be coded only if the statements include a client identifier operand that references only secure terminals.

Any BEGINVTAM DEFAULTAPPL statement that does not specify a client identifier, or specifies any type of client identifier that would apply to unsecured terminals, specifies a session manager application or an NC PASS application as the application name.

For z/OS systems, any BEGINVTAM LUMAP statement, if used with the DEFAPPL operand and applied to unsecured terminals, specifies only a session manager application or an NC PASS application.

Further explanation: After a connection from a Telnet client to the TN3270 Telnet Server has been established, the process of session setup with a VTAM application occurs. A number of BEGINVTAM statements will be coded in a specific configuration to ensure that adequate control over access to VTAM applications is maintained.

Connections originate from secure terminals or unsecured terminals. The TN3270 Telnet Server should be configured to address these two types of connections. Terminals should meet two conditions to be considered secure. One condition involves the hardware and configuration. Secure terminals include devices that are directly attached to the host, such as 3270-type terminals coax connected to a 3174 Control Unit. They also include PCs running 3270 terminal emulation clients attached to a private LAN (i.e., a LAN without access to an external network such as the NIPRNet). The other condition involves the location of the terminals. Secure terminals are located in areas with physical access limited to authorized personnel. Examples of terminals that are not secure are those attached via the NIPRNet or via dial-in servers.

The intent of this distinction is to allow additional connection options (e.g., bypassing session manager control) to authorized personnel working in controlled access areas. These connection options may be necessary for operational control or for system recovery procedures.

The BEGINVTAM USSTCP statement can be used to specify a customized Unformatted System Services (USS) table for client connections. The USS table can provide a level of access control by restricting the commands that allow connections to VTAM applications. The USS table specified by the USSTCP statement can be the same as the one used by the SNA component of IBM Communications Server.

The BEGINVTAM DEFAULTAPPL statement can be used to specify the VTAM application to which a client is automatically connected when a session is established using a protocol other than linemode protocol.

The BEGINVTAM LUMAP statement can specify a default VTAM application using the DEFAPPL operand. This processing is similar to the DEFAULTAPPL and LINEMODEAPPL processing, except that a client identifier should be coded. When a client matches the LUMAP specification, the DEFAPPL specification overrides the DEFAULTAPPL or LINEMODEAPPL specifications.

b
The warning banner for the TN3270 Telnet Server is not specified or properly specified.
AC-8 - Medium - CCI-000048 - V-3224 - SV-3224r2_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ITNT0030
Vuln IDs
  • V-3224
Rule IDs
  • SV-3224r2_rule
A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring. Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.
Systems Programmer
DCCS-1, DCCS-2, ECWM-1
Checks: C-3187r1_chk

a) Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

b) Ensure that all USS tables referenced in BEGINVTAM USSTCP statements include MSG10 text that specifies a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

c) If all the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18191r1_fix

Review all USS tables referenced in BEGINVTAM USSTCP statements in the PROFILE.TCPIP file. Ensure the MSG10 text specifies a logon banner in accordance with DISA requirements. See MSG10 below:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

DOD requires that a logon warning banner be displayed. Within the TN3270 Telnet Server, the banner can be implemented through the USS table that is specified on a BEGINVTAM USSTCP statement. The text associated with message ID 10 (i.e., MSG10) in the USS table is sent to clients that are subject to USSTCP processing.

b
SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
AC-17 - Medium - CCI-000068 - V-3226 - SV-3226r3_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
ITNT0050
Vuln IDs
  • V-3226
Rule IDs
  • SV-3226r3_rule
During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client. This algorithm is used to encrypt the data that subsequently flows between the two. However, the level or strength of encryption can vary greatly. Certain configuration options can allow no encryption to be used and others can allow a relatively weak 40-bit algorithm to be used. Failure to properly enforce adequate encryption strength could result in the loss of data privacy.
Systems Programmer
DCCS-1, DCCS-2, ECMT-2, ECTM-1
Checks: C-20732r2_chk

Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

Automated Analysis

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITNT0050)

If the following items are in effect for the configuration specified in the TCP/IP Profile configuration file, this is not a finding.

NOTE: If an INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

NOTE: FIPS 140-2 minimum encryption is the accepted level of encryption and will override this requirement if greater.

___ The TELNETGLOBALS block that specifies an ENCRYPTION statement states one or more of the below cipher specifications.

___ Each TELNETPARMS block that specifies the SECUREPORT statement also specifies an ENCRYPTION statement that states one or more of the below cipher specifications, whether or not the TELNETGLOBALS block specifies an ENCRYPTION statement.

Cipher Specifications
SSL_3DES_SHA
SSL_AES_256_SHA
SSL_AES_128_SHA

Fix: F-6672r5_fix

The IAO will ensure the system programmer reviews the SECUREPORT and TELNETPARMS ENCRYPTION statements and/or the TELNETGLOBALS statement in the PROFILE.TCPIP file, ensuring that they conform to the requirements specified below.

The TELNETGLOBALS block may specify an ENCRYPTION statement that specifies one or more of the below cipher specifications.

For each TELNETPARMS block that specifies the SECUREPORT statement, an ENCRYPTION statement is coded with one or more of the below cipher specifications, whether or not the TELNETGLOBALS block specifies an ENCRYPTION statement.

To prevent the use of non-FIPS 140-2 encryption, the TELNETGLOBALS block and/or each TELNETPARMS block that specifies an ENCRYPTION statement will specify one or more of the following cipher specifications:

Cipher Specifications
SSL_3DES_SHA
SSL_AES_256_SHA
SSL_AES_128_SHA

Note: Always check for the minimum allowed in FIPS 140-2.

b
SMF recording options for the TN3270 Telnet Server must be properly specified.
AU-3 - Medium - CCI-000130 - V-3227 - SV-3227r3_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
ITNT0060
Vuln IDs
  • V-3227
Rule IDs
  • SV-3227r3_rule
The TN3270 Telnet Server can provide audit data in the form of SMF records. The SMF data produced provides information about individual sessions. This data includes the VTAM application, the remote and local IP addresses, and the remote and local IP port numbers. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.
Systems Programmer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECAR-3
Checks: C-3194r2_chk

Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

Automated Analysis

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITNT0060)
- PDIx(ITNT0060)
Note: Created when sites have multiple TCP/IP and FTP started task procedures.

Ensure the following configuration statement settings are in effect in the TCP/IP Profile configuration data set. If the following guidance is true, this is not a finding.

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration data set, the data set specified on this statement must be checked for the following items as well.

___ The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block.

___ The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block.

NOTE: Effective in z/OS release 1.2, the SMFINIT and SMFTERM statements can appear in both TELNETGLOBALS and TELNETPARMS statement blocks.

Fix: F-48435r1_fix

The system programmer responsible for the IBM Communications Server will review the TELNETPARMS SMFINIT and SMFTERM statements in the PROFILE.TCPIP file. Ensure they conform to the requirements specified below.

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

The TELNETPARMS SMFINIT statement is coded with the TYPE119 operand within each TELNETPARMS statement block.

The TELNETPARMS SMFTERM statement is coded with the TYPE119 operand within each TELNETPARMS statement block.

NOTE: Effective in z/OS release 1.2, the SMFINIT and SMFTERM statements can appear in both TELNETGLOBALS and TELNETPARMS statement blocks.

b
The startup user account for the z/OS UNIX Telnet Server is not defined properly.
AC-3 - Medium - CCI-000213 - V-3229 - SV-3229r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IUTN0010
Vuln IDs
  • V-3229
Rule IDs
  • SV-3229r2_rule
The z/OS UNIX Telnet Server (i.e., otelnetd) requires a UID(0) to provide its system services. After the user enters their userid and password, otelnetd switches to the security context of the user's account. Because the otelnetd account is only used until authentication is completed, there is no need to require a unique account for this function. This limits the number of privileged accounts defined to the ACP and reduces the exposure potential. Failure to properly define and control otelnetd could lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-3231r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(EINETD)

b) If the otelnetd command specifies OMVS or OMVSKERN as the user, there is NO FINDING.

c) If the otelnetd command specifies any user other than OMVS or OMVSKERN, this is a FINDING.

Fix: F-18204r1_fix

Review the otelnetd startup command in the inetd.conf file and ensure the account is defined for the z/OS UNIX kernel. The user account used at the startup of otelnetd is specified in the inetd configuration file. This account is used to perform the identification and authentication of the user requesting the session. Because the account is only used until user authentication is completed, there is no need for a unique account for this function. The z/OS UNIX kernel account can be used.

b
Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
SC-10 - Medium - CCI-001133 - V-3230 - SV-3230r2_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
IUTN0020
Vuln IDs
  • V-3230
Rule IDs
  • SV-3230r2_rule
The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell. During the initialization process, startup parameters are read to define the characteristics of each otelnetd instance. Some of these parameters have an impact on system security. Failure to specify the appropriate command options could result in degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-3232r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(EINETD)

b) Ensure the following items are in effect for the otelnetd startup command:
1) Option -D login is included on the otelnetd command.
2) Option -c 900 is included on the otelnetd command.
NOTE: 900 indicates a session timeout value of 15 minutes and is currently the maximum value allowed.
3) Option -h is not included on the otelnetd command.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18205r1_fix

Review the startup parameters in the inetd.conf file for otelnetd and ensure they conform to the specifications below.

The otelnetd startup command includes the options -D login and -c 900, where:
-D login indicates that messages should be written to the syslogd facility for login and logout activity.
-c 900 indicates that the Telnet session should be terminated after 15 minutes of inactivity.
NOTE: The 900 is the maximum value; any value between 1 and 900 is acceptable.

The otelnetd startup command should not include the option -h, where:
-h indicates that the logon banner should not be displayed.
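The following Python check is an added example (it is not part of the STIG, nor IBM tooling) that reads a constructed inetd.conf excerpt and evaluates both the IUTN0010 startup-user rule and the IUTN0020 option rules above; the service names, user names and line layout in the sample are assumptions for illustration.

```python
"""Added example: audit otelnetd entries in a z/OS UNIX inetd.conf against
IUTN0010 (startup user) and IUTN0020 (startup options)."""
import shlex

# Constructed inetd.conf excerpt for illustration; service names, user names and
# option layout are assumptions, not taken from a real system.
SAMPLE_INETD_CONF = """\
# service socket_type protocol wait/nowait user server_program server_args
otelnet  stream tcp nowait OMVSKERN /usr/sbin/otelnetd otelnetd -D login -c 900
shell    stream tcp nowait OMVSKERN /usr/sbin/orshd    orshd -LV
# non-compliant entry: wrong user, -h present, -c above 900
telnet   stream tcp nowait TELNETD  /usr/sbin/otelnetd otelnetd -h -c 1800 -D login
"""

ALLOWED_USERS = {"OMVS", "OMVSKERN"}   # IUTN0010: kernel account only
MAX_INACTIVITY = 900                   # IUTN0020: -c value must be 1..900 seconds
OPTS_WITH_OPERAND = {"-D", "-c"}       # options that take a following operand


def parse_inetd_conf(text):
    """Return one dict per inetd.conf entry whose server program is otelnetd."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 6:
            continue                       # malformed or incomplete entry
        program = fields[5]
        if program.rsplit("/", 1)[-1] != "otelnetd":
            continue
        entries.append({"service": fields[0], "user": fields[4],
                        "program": program, "args": fields[6:]})
    return entries


def parse_options(args):
    """Split server_args into bare flags and options with operands (argv[0] is skipped)."""
    flags, values = set(), {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("-"):
            opt, attached = tok[:2], tok[2:]
            if opt in OPTS_WITH_OPERAND:
                if attached:                  # form -Dlogin
                    operand = attached
                elif i + 1 < len(args):       # form -D login
                    i += 1
                    operand = args[i]
                else:
                    operand = ""              # operand missing
                values.setdefault(opt, []).append(operand)
            else:
                flags.add(opt)
        i += 1
    return flags, values


def check_entry(entry):
    """Return the list of STIG findings for one otelnetd entry (empty means compliant)."""
    findings = []
    if entry["user"] not in ALLOWED_USERS:
        findings.append(f"IUTN0010: user {entry['user']} is not OMVS or OMVSKERN")
    flags, values = parse_options(entry["args"])
    if "login" not in values.get("-D", []):
        findings.append("IUTN0020: -D login is not specified")
    timeouts = values.get("-c", [])
    if not timeouts:
        findings.append("IUTN0020: -c inactivity timeout is not specified")
    else:
        last = timeouts[-1]                   # assumption: the last -c given wins
        if not last.isdigit() or not 1 <= int(last) <= MAX_INACTIVITY:
            findings.append(f"IUTN0020: -c {last} is not between 1 and {MAX_INACTIVITY}")
    if "-h" in flags:
        findings.append("IUTN0020: -h suppresses the logon banner")
    return findings


def audit_inetd_conf(text):
    """Map each otelnetd service name to its findings."""
    return {e["service"]: check_entry(e) for e in parse_inetd_conf(text)}


if __name__ == "__main__":
    for service, findings in audit_inetd_conf(SAMPLE_INETD_CONF).items():
        print(service, "compliant" if not findings else findings)
```

A -c value of 0 is reported as a finding because, as the fix text notes, it disables the inactivity timer.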

b
The warning banner for the z/OS UNIX Telnet Server must be properly specified
AC-8 - Medium - CCI-000048 - V-3231 - SV-3231r3_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
IUTN0030
Vuln IDs
  • V-3231
Rule IDs
  • SV-3231r3_rule
A logon banner can be used to inform users about the environment during the initial logon. Logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring. Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.
Systems Programmer
Checks: C-20014r2_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(IUTN0030)

Automated Analysis requires Additional Analysis.

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IUTN0030)
- PDIx(IUTN0030)
Note: Created when sites have multiple TCP/IP and FTP started task procedures.

NOTE: Additional Analysis will be required for the above file.

b) Ensure the /etc/banner file contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

c) If all the items in (b) above are true, there is NO FINDING.

d) If any item in (b) above is untrue, this is a FINDING.

Fix: F-18206r1_fix

Review the /etc/banner file and ensure the text specifies a logon banner in accordance with DISA requirements. DOD requires that a logon warning banner be displayed. Although the z/OS UNIX Telnet Server does not support the display of a message before the logon prompt, it is possible to display a message immediately after logon.

b
HFS objects for the z/OS UNIX Telnet Server will be properly protected.
AC-3 - Medium - CCI-000213 - V-3232 - SV-3232r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IUTN0040
Vuln IDs
  • V-3232
Rule IDs
  • SV-3232r3_rule
HFS directories and files of the z/OS UNIX Telnet Server provide the configuration and executable properties of this product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-3234r3_chk

Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(IUTN0040)

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ZUTN0040)

The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table. If the guidance is true, this is not a finding.

z/OS UNIX TELNET Server HFS Object Security Settings

File                  Permission Bits   User Audit Bits
/usr/sbin/otelnetd    1740              fff
/etc/banner           0744              faf

NOTE: The /usr/sbin/otelnetd object is a symbolic link to /usr/lpp/tcpip/sbin/otelnetd. The permission and user audit bits on the target of the symbolic link must have the required settings.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-36634r2_fix

The IAO with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS directories and files for the z/OS UNIX Telnet Server. Ensure they conform to the specifications below:

z/OS UNIX TELNET Server HFS Object Security Settings

File                  Permission Bits   User Audit Bits
/usr/sbin/otelnetd    1740              fff
/etc/banner           0744              faf

NOTE: The /usr/sbin/otelnetd object is a symbolic link to /usr/lpp/tcpip/sbin/otelnetd. The permission and user audit bits on the target of the symbolic link must have the required settings.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1740 /usr/lpp/tcpip/sbin/otelnetd
chaudit rwx=f /usr/lpp/tcpip/sbin/otelnetd
chmod 0744 /etc/banner
chaudit w=sf,rx+f /etc/banner
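To apply the permission-bit and audit-bit hierarchies above mechanically, here is an added Python example (not part of the STIG and not IBM code) that compares constructed observed values with the required table and derives the corresponding chmod/chaudit commands; its handling of the setuid/setgid/sticky digit and of the "-" audit setting are assumptions, since the STIG hierarchy covers only the rwx digits and the f/a settings.

```python
"""Added example: compare observed HFS permission bits and user audit bits with the
IUTN0040 table, using the restrictiveness hierarchies the STIG text gives."""

# One rwx digit, least restrictive to most restrictive, exactly as the STIG lists it:
# 7 rwx, 6 rw-, 3 -wx, 2 -w-, 5 r-x, 4 r--, 1 --x, 0 ---.
PERM_ORDER = "76325410"

# Audit bit, least to most logging: '-' none, 'f' failures, 'a' failures and successes.
AUDIT_ORDER = "-fa"

# Required settings from the STIG table. /usr/sbin/otelnetd is a symbolic link, so the
# requirement is applied to its target.
REQUIRED = {
    "/usr/lpp/tcpip/sbin/otelnetd": ("1740", "fff"),
    "/etc/banner": ("0744", "faf"),
}

# Constructed observed values, as a reviewer would transcribe them from the USSCMDS
# report; not taken from any real system.
OBSERVED = {
    "/usr/lpp/tcpip/sbin/otelnetd": ("1740", "fff"),   # compliant
    "/etc/banner": ("0755", "fff"),                     # too permissive, too little logging
}


def perm_digit_ok(actual, required):
    """True when the rwx digit matches the requirement or is more restrictive in the STIG hierarchy."""
    return PERM_ORDER.index(actual) >= PERM_ORDER.index(required)


def special_digit_ok(actual, required):
    """Setuid/setgid/sticky digit. The STIG hierarchy covers only rwx digits, so this
    assumes compliance means no special bit beyond the required ones is set."""
    return int(actual) & ~int(required) == 0


def audit_bit_ok(actual, required):
    """True when the audit bit logs at least as much as required."""
    return AUDIT_ORDER.index(actual) >= AUDIT_ORDER.index(required)


def check_object(actual_mode, actual_audit, req_mode, req_audit):
    """Return findings for one object; an empty list means compliant."""
    if len(actual_mode) != 4 or not actual_mode.isdigit() or len(actual_audit) != 3:
        raise ValueError("mode must be four octal digits and audit bits three characters")
    findings = []
    if not special_digit_ok(actual_mode[0], req_mode[0]):
        findings.append(f"special bits {actual_mode[0]} exceed required {req_mode[0]}")
    for who, a, r in zip(("owner", "group", "other"), actual_mode[1:], req_mode[1:]):
        if not perm_digit_ok(a, r):
            findings.append(f"{who} permission {a} is less restrictive than required {r}")
    for what, a, r in zip(("read", "write", "execute"), actual_audit, req_audit):
        if not audit_bit_ok(a, r):
            findings.append(f"{what} audit bit '{a}' logs less than required '{r}'")
    return findings


def fix_commands(path, req_mode, req_audit):
    """chmod/chaudit commands that set the required values. The chaudit mode syntax
    follows the STIG fix text for f and a; the '-' (remove auditing) case is an assumption."""
    groups = {}
    for letter, bit in zip("rwx", req_audit):
        groups.setdefault({"f": "=f", "a": "=sf", "-": "-sf"}[bit], []).append(letter)
    mode = ",".join("".join(letters) + setting for setting, letters in groups.items())
    return [f"chmod {req_mode} {path}", f"chaudit {mode} {path}"]


def audit_all(observed=OBSERVED, required=REQUIRED):
    """Map each required object to its findings."""
    report = {}
    for path, (req_mode, req_audit) in required.items():
        if path not in observed:
            report[path] = ["object not present in observed data"]
            continue
        report[path] = check_object(*observed[path], req_mode, req_audit)
    return report


if __name__ == "__main__":
    for path, findings in audit_all().items():
        print(path, "compliant" if not findings else findings)
        if findings:
            print("  fix:", "; ".join(fix_commands(path, *REQUIRED[path])))
```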

b
The FTP Server daemon is not defined with proper security parameters.
IA-2 - Medium - CCI-000764 - V-3233 - SV-13259r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
IFTP0010
Vuln IDs
  • V-3233
Rule IDs
  • SV-13259r2_rule
The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
Checks: C-8903r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACSPT)

Refer to the JCL procedure libraries defined to JES2.

b) Ensure the following items are in effect for the FTP daemon:
1) The FTP daemon is started from a JCL procedure library defined to JES2.
NOTE: The JCL member is typically named FTPD.
2) The FTP daemon userid is FTPD.
3) The FTPD userid is defined as a PROTECTED userid.
4) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.
5) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18198r1_fix

Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. Ensure the following items are in effect for the FTP daemon:

1. The FTP daemon userid must be FTPD and a matching entry in the STARTED resource class exists enabling the use of the standard userid and an appropriate group.
2. The FTPD userid is defined as a PROTECTED userid.
3. The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

Sample commands to accomplish these requirements are shown here:

Add the FTPD userid:
AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES))

Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.

b
The startup parameters for the FTP include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
CM-6 - Medium - CCI-000366 - V-3234 - SV-3234r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
IFTP0020
Vuln IDs
  • V-3234
Rule IDs
  • SV-3234r2_rule
During initialization, the FTP daemon reads JCL keywords and configuration files to determine values for critical operational parameters. Because system security is impacted by some of these parameter settings, controlling these options through the configuration file only and explicitly specifying the file locations reduces ambiguity, enhances security auditing, and ensures proper operations. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2, IAIA-1, IAIA-2
Checks: C-20505r1_chk

a) Display the active started tasks executing on the domain using SDSF, or an equivalent JES display product, and locate the FTP daemon. If FTP is inactive, review the procedure libraries defined to JES2 and locate the FTP JCL member. NOTE: The JCL member is typically named FTPD.
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IFTP0020)
b) Ensure the following items are in effect for the FTP daemon’s started task JCL:
1) The SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively.
2) The ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement.
3) The ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement.
4) The INACTIVE keyword is not coded on the PARM parameter on the EXEC statement.
c) The AUTOLOG statement block can be configured to have TCP/IP start the FTP Server. The FTP entry (e.g., FTPD) can include the PARMSTRING parameter to pass parameters to the FTP procedure when started. NOTE: Parameters passed on the PARMSTRING parameter override parameters specified in the FTP procedure. If an FTP entry is configured in the AUTOLOG statement block in the TCP/IP Profile configuration file, ensure the following items are in effect:
1) The ANONYMOUS keyword is not coded on the PARMSTRING parameter.
2) The ANONYMOUS=logonid combination is not coded on the PARMSTRING parameter.
3) The INACTIVE keyword is not coded on the PARMSTRING parameter.
d) If all of the items in (b) and (c) are true, there is NO FINDING.
e) If any item in (b) or (c) is untrue, this is a FINDING.

Fix: F-18150r1_fix

Review the FTP daemon’s started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and that configuration file names are specified on the appropriate DD statements.

The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters. The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon do not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords.

During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon’s started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file. The systems programmer responsible for supporting ICS will ensure that the FTP daemon’s started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.
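The IFTP0020 checks on the started task JCL and on the AUTOLOG block, as an added example that is not part of the STIG. It assumes JCL statements continue when a line ends with a comma and the next line begins with "//" plus a blank, that PARM values are single-quoted, and that PARMSTRING in PROFILE.TCPIP takes a single-quoted string; the JCL and profile lines are constructed sample input.

```python
"""Added example (not part of the STIG): evaluates IFTP0020 items b) and c)
against an FTP daemon procedure and the TCP/IP profile AUTOLOG block.

Assumptions (mine, not stated by the STIG):
  * a JCL statement continues when its line ends with a comma and the next
    line starts with "//" followed by a blank;
  * PARM= values are enclosed in single quotes (a bare word is also accepted);
  * in PROFILE.TCPIP, ';' starts a comment and PARMSTRING is followed by a
    single-quoted string.
"""
import re


def _join_continuations(lines):
    """Join JCL statements that are continued over several lines."""
    joined = []
    for line in lines:
        line = line.rstrip()
        if joined and joined[-1].endswith(",") and line.startswith("// "):
            joined[-1] = joined[-1] + line[2:].strip()
        else:
            joined.append(line)
    return joined


def forbidden_keywords(parm):
    """Return the startup keywords in a parameter string that IFTP0020 forbids.

    ANONYMOUS, ANONYMOUS=logonid and INACTIVE are flagged. Every token is
    examined, not only those after the '/' that separates Language Environment
    run-time options from program arguments, so nothing slips past.
    """
    hits = []
    for tok in re.split(r"[\s,]+", parm):
        up = tok.upper()
        if up in ("ANONYMOUS", "INACTIVE") or up.startswith("ANONYMOUS="):
            hits.append(tok)
    return hits


def audit_ftpd_jcl(jcl_lines):
    """Items b)1-4: SYSTCPD/SYSFTPD DD statements present, no forbidden PARM keywords."""
    findings = []
    dd_names = set()
    parm = ""
    for stmt in _join_continuations(jcl_lines):
        m = re.match(r"//(?!\*)(\S*)\s+(EXEC|DD)\b(.*)", stmt)
        if not m:
            continue
        name, op, rest = m.groups()
        if op == "DD":
            dd_names.add(name.upper())
        else:
            pm = re.search(r"PARM=(?:'([^']*)'|([^,\s]+))", rest, re.IGNORECASE)
            if pm:
                parm = pm.group(1) or pm.group(2) or ""
    for dd in ("SYSTCPD", "SYSFTPD"):
        if dd not in dd_names:
            findings.append("missing %s DD statement" % dd)
    for kw in forbidden_keywords(parm):
        findings.append("startup keyword %s coded on EXEC PARM" % kw)
    return findings


def audit_autolog(profile_lines):
    """Item c): forbidden keywords on PARMSTRING inside AUTOLOG ... ENDAUTOLOG."""
    findings = []
    inside = False
    for raw in profile_lines:
        line = raw.split(";", 1)[0].strip()   # ';' begins a comment (assumption)
        if not line:
            continue
        up = line.upper()
        if up.startswith("ENDAUTOLOG"):
            inside = False
        elif up.startswith("AUTOLOG"):
            inside = True
        elif inside:
            pm = re.search(r"PARMSTRING\s+'([^']*)'", line, re.IGNORECASE)
            for kw in forbidden_keywords(pm.group(1) if pm else ""):
                findings.append("%s: startup keyword %s coded on PARMSTRING"
                                % (line.split()[0], kw))
    return findings


# Constructed sample input: the procedure has both DD statements but carries
# two forbidden keywords, and the AUTOLOG entry passes an ANONYMOUS=logonid.
SAMPLE_JCL = [
    "//FTPD     PROC",
    "//FTPD     EXEC PGM=FTPD,REGION=4096K,TIME=NOLIMIT,",
    "//         PARM='POSIX(ON) ALL31(ON)/ ANONYMOUS INACTIVE 300'",
    "//SYSTCPD  DD DISP=SHR,DSN=TCPIP.TCPPARMS(TCPDATA)",
    "//SYSFTPD  DD DISP=SHR,DSN=TCPIP.TCPPARMS(FTPDATA)",
    "//CEEDUMP  DD SYSOUT=*",
]
SAMPLE_PROFILE = [
    "AUTOLOG 5",
    "  FTPD JOBNAME FTPD1 PARMSTRING 'ANONYMOUS=ANONYMO'   ; constructed",
    "ENDAUTOLOG",
]

if __name__ == "__main__":
    for f in audit_ftpd_jcl(SAMPLE_JCL) + audit_autolog(SAMPLE_PROFILE):
        print("FINDING:", f)
```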

b
FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
AC-8 - Medium - CCI-000048 - V-3235 - SV-3235r2_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
IFTP0030
Vuln IDs
  • V-3235
Rule IDs
  • SV-3235r2_rule
The statements in the FTP.DATA configuration file specify the parameters and values that control the operation of the FTP Server components including the use of anonymous FTP. Several of the parameters must have specific settings to provide a secure configuration. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-20016r1_chk

a) Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IFTP0030)
b) Ensure the following items are in effect for the configuration statements specified in the FTP Data configuration file:
1) The ANONYMOUS statement is not coded (does not exist) or, if it does exist, it is commented out. NOTE: Other statements prefixed with ANONYMOUS may be present. These statements indicate the level of anonymous support and applicable restrictions if anonymous support is enabled using the ANONYMOUS statement. These other ANONYMOUS-prefixed statements may be ignored.
2) The INACTIVE statement is coded with a value between 1 and 900 (seconds). NOTES: 900 indicates a session timeout value of 15 minutes. 0 disables the inactivity timer check.
3) The UMASK statement is coded with a value of 077.
4) The BANNER statement is coded.
c) If all of the above are true, there is NO FINDING.
d) If any of the above is untrue, this is a FINDING.
FTP.DATA CONFIGURATION STATEMENTS
STATEMENT    NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE
ANONYMOUS    [Not Coded]
BANNER       [An HFS file, e.g., /etc/ftp.banner]
INACTIVE     [A value between 1 and 900]
UMASK        077

Fix: F-18159r1_fix

Review the configuration statements in the FTP.DATA file and ensure they conform to the specifications in the FTP.DATA CONFIGURATION STATEMENTS below:
STATEMENT    NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE
ANONYMOUS    [Not Coded]
BANNER       [An HFS file, e.g., /etc/ftp.banner]
INACTIVE     [A value between 1 and 900]
UMASK        077 [See Note 1]
NOTE 1: If the FTP Server requires a UMASK value less restrictive than 077, requirements should be justified and documented with the IAO.

b
User exits for the FTP Server must not be used without proper approval and documentation.
CM-7 - Medium - CCI-000382 - V-3236 - SV-3236r3_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
IFTP0040
Vuln IDs
  • V-3236
Rule IDs
  • SV-3236r3_rule
Several user exit points in the FTP Server component are available to permit customization of its operating behavior. These exits can be used to modify functions such as FTP command usage, client connection controls, post processing tasks, and SMF record modifications. Without proper review and adequate documentation of these exit programs, undesirable operations and degraded security may result. This exposure could lead to unauthorized access impacting data integrity or the availability of some system services, or contribute to the loss of accountability and hamper security audit activities.
Information Assurance Manager
Systems Programmer
Checks: C-2741r2_chk

a) Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. Refer to the file(s) allocated by the STEPLIB DD statement in the FTP started task JCL. Refer to the libraries specified in the system Linklist and LPA. If any FTP Server exits are in use, identify them and validate that they were reviewed for integrity and approved by the site AO.
b) Ensure the following items are in effect for FTP Server user exits: The FTCHKCMD, FTCHKIP, FTCHKJES, FTCHKPWD, FTPSMFEX and FTPOSTPR modules are not located in the FTP daemon’s STEPLIB, Linklist, or LPA. NOTE: The ISPF ISRFIND utility can be used to search the system Linklist and LPA for specific modules.
c) If both of the above are true, there is no finding.
d) If any FTP Server user exits are implemented and the site has written approval from the site ISSM to install and use the exits, there is no finding.
e) If any FTP Server user exits are implemented and the site has not had the site systems programmer verify the exit was securely written and installed, this is a finding.

Fix: F-18160r2_fix

Review the configuration statements in the FTP.DATA file. Review the FTP daemon STEPLIB, system Linklist, and Link Pack Area libraries. If FTP Server exits are enabled or present, and have not been approved by the site IAM and not securely written and implemented by the site systems programmer, they should not be installed. Verify that none of the following exits are installed unless they have met the requirements listed above:
FTCHKCMD
FTCHKIP
FTCHKJES
FTCHKPWD
FTPOSTPR
FTPSMFEX

b
The warning banner for the FTP Server must be specified properly.
AC-8 - Medium - CCI-000048 - V-3237 - SV-3237r3_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
IFTP0050
Vuln IDs
  • V-3237
Rule IDs
  • SV-3237r3_rule
A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring. Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.
Systems Programmer
Checks: C-2759r2_chk

a) Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IFTP0050)
NOTE: Additional Analysis will be required for the above file.
b) Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted:
STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
c) If all the items in (b) above are true, there is NO FINDING.
d) If any item in (b) above is untrue, this is a FINDING.

Fix: F-18164r1_fix

Review the file specified by the FTP.DATA BANNER parameter. Ensure the text in this file specifies a logon banner in accordance with DISA requirements. Ensure the BANNER statement in the FTP Data configuration file specifies an HFS file or z/OS data set that contains a logon banner. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted:
STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

b
SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
AU-3 - Medium - CCI-000130 - V-3238 - SV-3238r4_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
IFTP0060
Vuln IDs
  • V-3238
Rule IDs
  • SV-3238r4_rule
The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.
Systems Programmer
DCCS-1, DCCS-2, ECAT-1, ECAT-2
Checks: C-2761r2_chk

Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.
Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IFTP0060)
Ensure the following configuration statement settings are in effect in the FTP Data configuration data set. If the following guidance is true, this is not a finding.
Ensure the following items are in effect for the configuration statements specified in the FTP Data configuration file:
___ The SMF statement is coded with a value of TYPE119.
___ The SMFJES and SMFSQL statements are coded without any additional values.
___ The SMFAPPE, SMFDEL, SMFEXIT, SMFLOGN, SMFREN, SMFRETR, and SMFSTOR statements are not coded or commented out.
FTP.DATA Configuration Statements
SMF        TYPE119
SMFJES     TYPE119
SMFSQL     TYPE119
SMFAPPE    [Not coded or commented out]
SMFDEL     [Not coded or commented out]
SMFEXIT    [Not coded or commented out]
SMFLOGN    [Not coded or commented out]
SMFREN     [Not coded or commented out]
SMFRETR    [Not coded or commented out]
SMFSTOR    [Not coded or commented out]
Note: SMF, SMFJES, and SMFSQL may be duplicated in the configuration, but one of the entries must specify TYPE119.

Fix: F-18166r2_fix

The system programmer will review the configuration statements in the FTP.DATA data set and ensure the SMF options conform to the specifications in the FTP.DATA Configuration Statements below or that they are commented out.
SMF        TYPE119
SMFJES     TYPE119
SMFSQL     TYPE119
SMFAPPE    [Not coded or commented out]
SMFDEL     [Not coded or commented out]
SMFEXIT    [Not coded or commented out]
SMFLOGN    [Not coded or commented out]
SMFREN     [Not coded or commented out]
SMFRETR    [Not coded or commented out]
SMFSTOR    [Not coded or commented out]
The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes:
70 – Append
70 – Delete and Multiple Delete
72 – Invalid Logon Attempt
70 – Rename
70 – Get (Retrieve) and Multiple Get
70 – Put (Store and Store Unique) and Multiple Put
SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.
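An FTP.DATA statement checker covering the IFTP0030 requirements (ANONYMOUS, INACTIVE, UMASK, BANNER) and the IFTP0060 SMF requirements above, as an added example that is not part of the STIG. It assumes FTP.DATA statements are "KEYWORD value" on one line with ';' starting a comment, and it accepts SMFJES/SMFSQL either bare or with TYPE119 because the check text and the fix table state those two forms; the configuration lines are constructed sample input.

```python
"""Added example (not part of the STIG): parses FTP.DATA and evaluates the
IFTP0030 and IFTP0060 statement requirements.

Assumptions (mine): each statement is "KEYWORD value" on one line; a ';'
starts a comment and the rest of the line is ignored.
"""

# Per-event SMF statements that IFTP0060 says must be absent or commented out.
SMF_EVENT_STMTS = ("SMFAPPE", "SMFDEL", "SMFEXIT", "SMFLOGN",
                   "SMFREN", "SMFRETR", "SMFSTOR")


def parse_ftp_data(lines):
    """Return [(KEYWORD, value), ...] for every active (non-comment) statement."""
    stmts = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        stmts.append((parts[0].upper(), value))
    return stmts


def _group(stmts):
    """Map KEYWORD -> list of values, preserving duplicates (the STIG allows them)."""
    by_kw = {}
    for kw, val in stmts:
        by_kw.setdefault(kw, []).append(val)
    return by_kw


def check_iftp0030(stmts):
    """IFTP0030: ANONYMOUS not coded, INACTIVE 1..900, UMASK 077, BANNER coded."""
    findings = []
    by_kw = _group(stmts)
    # Only the bare ANONYMOUS statement counts; ANONYMOUSLEVEL etc. are ignored
    # as the check note says.
    if "ANONYMOUS" in by_kw:
        findings.append("ANONYMOUS is coded")
    inactive = by_kw.get("INACTIVE", [])
    if not inactive or not all(v.isdigit() and 1 <= int(v) <= 900 for v in inactive):
        findings.append("INACTIVE is not coded with a value between 1 and 900")
    umask = by_kw.get("UMASK", [])
    if not umask or any(v != "077" for v in umask):
        findings.append("UMASK is not 077")
    if not any(by_kw.get("BANNER", [])):
        findings.append("BANNER is not coded")
    return findings


def check_iftp0060(stmts):
    """IFTP0060: SMF selects TYPE119, SMFJES/SMFSQL coded, per-event statements absent."""
    findings = []
    by_kw = {kw: [v.upper() for v in vals] for kw, vals in _group(stmts).items()}
    # Duplicates are allowed as long as one entry specifies TYPE119.
    if "TYPE119" not in by_kw.get("SMF", []):
        findings.append("SMF is not coded with TYPE119")
    for kw in ("SMFJES", "SMFSQL"):
        vals = by_kw.get(kw)
        # Accept the bare statement (check text) or TYPE119 (fix table): assumption.
        if vals is None or not any(v in ("", "TYPE119") for v in vals):
            findings.append("%s is not coded as required" % kw)
    for kw in SMF_EVENT_STMTS:
        if kw in by_kw:
            findings.append("%s is coded; it must be removed or commented out" % kw)
    return findings


# Constructed FTP.DATA fragment with several deliberate deviations.
SAMPLE_FTP_DATA = """\
; constructed FTP.DATA fragment for the example
ANONYMOUS                   ; anonymous logins enabled (finding)
ANONYMOUSLEVEL 3            ; ignored: only the bare ANONYMOUS statement counts
INACTIVE   0                ; 0 disables the inactivity timer (finding)
UMASK      022              ; finding
BANNER     /etc/ftp.banner
SMF        TYPE119
SMFJES
SMFSQL     TYPE119
SMFRETR    TYPE119          ; per-event statement (finding)
""".splitlines()

if __name__ == "__main__":
    parsed = parse_ftp_data(SAMPLE_FTP_DATA)
    for f in check_iftp0030(parsed) + check_iftp0060(parsed):
        print("FINDING:", f)
```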

b
The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
AC-3 - Medium - CCI-000213 - V-3239 - SV-3239r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IFTP0070
Vuln IDs
  • V-3239
Rule IDs
  • SV-3239r3_rule
HFS directories and files of the FTP Server provide the configuration and executable properties of this product. Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
Information Assurance Officer
DCCS-1, DCCS-2, DCSL-1
Checks: C-41080r4_chk

Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(IFTP0070)
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(IFTP0070)
The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table. If the guidance is true, this is not a finding.
FTP Server HFS Object Security Settings
File                 Permission Bits   User Audit Bits
/usr/sbin/ftpd       1740              fff
/usr/sbin/ftpdns     1755              fff
/usr/sbin/tftpd      0644              faf
/etc/ftp.data        0744              faf
/etc/ftp.banner      0744              faf
NOTES:
Some of the files listed above are not used in every configuration. The absence of a file is not considered a finding.
The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings.
The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file.
The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use. The permission bits for /usr/sbin/tftpd should be set to 644.
The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file. Also, the permission bit setting for this file must be set as indicated in the table above. A more restrictive set of permissions is not permitted.
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-36626r1_fix

The IAO, with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS directories and files for the FTP Server. Ensure they conform to the specifications in the table below:
FTP Server HFS Object Security Settings
File                 Permission Bits   User Audit Bits
/usr/sbin/ftpd       1740              fff
/usr/sbin/ftpdns     1755              fff
/usr/sbin/tftpd      0644              faf
/etc/ftp.data        0744              faf
/etc/ftp.banner      0744              faf
The /usr/sbin/ftpd and /usr/sbin/ftpdns objects are symbolic links to /usr/lpp/tcpip/sbin/ftpd and /usr/lpp/tcpip/sbin/ftpdns respectively. The permission and user audit bits on the targets of the symbolic links must have the required settings.
The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. The TFTP Client is not secured from use.
The /etc/ftp.data file may not be the configuration file the server uses. It is necessary to check the SYSFTPD DD statement in the FTP started task JCL to determine the actual file.
The /etc/ftp.banner file may not be the banner file the server uses. It is necessary to check the BANNER statement in the FTP Data configuration file to determine the actual file.
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing
Some of the files listed above (e.g., /etc/ftp.data) are not used in every configuration. While the absence of a file is generally not a security issue, the existence of a file that has not been properly secured can often be an issue. Therefore, all files that do exist should have the specified permission and audit bit settings.
The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1740 /usr/lpp/tcpip/sbin/ftpd
chaudit rwx=f /usr/lpp/tcpip/sbin/ftpd
chmod 1755 /usr/lpp/tcpip/sbin/ftpdns
chaudit rwx=f /usr/lpp/tcpip/sbin/ftpdns
chmod 0744 /etc/ftp.data
chaudit w=sf,rx+f /etc/ftp.data
chmod 0744 /etc/ftp.banner
chaudit w=sf,rx+f /etc/ftp.banner

b
MVS data sets for the FTP Server are not properly protected.
AC-3 - Medium - CCI-000213 - V-3240 - SV-3240r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
IFTP0080
Vuln IDs
  • V-3240
Rule IDs
  • SV-3240r2_rule
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.
Information Assurance Officer
Systems Programmer
DCCS-1, DCCS-2, DCSL-1
Checks: C-2764r1_chk

a) Refer to the following report produced by the ACF2 Data Collection:
- SENSITVE.RPT(FTPRPT)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(IFTP0080)
b) Ensure the following data set controls are in effect for the FTP Server:
1) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel. NOTE: READ access to all authenticated users is permitted.
2) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged.
3) WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel.
4) READ access to the data set containing the FTP banner file is permitted to all authenticated users.
NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a FINDING. The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL. The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file.
c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18170r1_fix

Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Ensure these data sets are protected as follows: The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel. All write and allocate access to the data set containing the FTP.DATA configuration file is logged. The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.

b
The TFTP Server program is not properly protected.
CM-7 - Medium - CCI-001764 - V-3241 - SV-6924r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
IFTP0090
Vuln IDs
  • V-3241
Rule IDs
  • SV-6924r2_rule
The Trivial File Transfer Protocol (TFTP) Server, known as tftpd, supports file transfer according to the industry standard Trivial File Transfer Protocol. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. Failure to restrict the use of the TFTP Server may result in unauthorized access to the host. This exposure may impact the integrity, availability, and privacy of application data.
Information Assurance Officer
Checks: C-20528r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(PROGRAM)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(IFTP0090)
b) Ensure the following program controls are in effect for the TFTP Server:
1) Program resources TFTPD and EZATD are defined to the PROGRAM resource class with a UACC(NONE). The library name where these programs are located is SYS1.TCPIP.SEZALOAD.
2) No access to the program resources TFTPD and EZATD is permitted.
c) If both the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18461r1_fix

Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required.
1) Ensure that the EZATD program and its alias TFTPD are defined to RACF, no access is granted, and WARN mode is not enabled. The following commands provide a sample of how this can be accomplished.
rdef program tftpd addmem('sys1.tcpip.sezaload'//nopadchk) -
  data('Reference SRR PDI # IFTP0090') -
  audit(all(read)) uacc(none) owner(admin)
rdef program ezatd -
  addmem('sys1.tcpip.sezaload'//nopadchk) -
  data('Reference SRR PDI # IFTP0090') -
  audit(all(read)) uacc(none) owner(admin)
A PROGRAM class refresh will be necessary and can be accomplished with the command:
setr when(program) refresh

b
The Syslog daemon is not started at z/OS initialization.
IA-2 - Medium - CCI-000764 - V-3242 - SV-3242r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ISLG0010
Vuln IDs
  • V-3242
Rule IDs
  • SV-3242r2_rule
The Syslog daemon, known as SYSLOGD, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. It is important that SYSLOGD be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-3115r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ERC)
Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB)
NOTE: SYSLOGD may be started from the shell, a cataloged procedure (STC), or the BPXBATCH program. Additionally, other mechanisms (e.g., CONTROL-O) may be used to automatically start the Syslog daemon. To thoroughly analyze this PDI you may need to view the OS SYSLOG using SDSF, find the last IPL, and look for the initialization of SYSLOGD.
b) If the Syslog daemon SYSLOGD is started automatically during the initialization of the z/OS system, there is NO FINDING.
c) If (b) is untrue, this is a FINDING.

Fix: F-18171r1_fix

Review the files used to initialize tasks during system IPL (e.g., /etc/rc, SYS1.PARMLIB, CONTROL-O definitions) to ensure the Syslog daemon is automatically started during z/OS system initialization. It is important that syslogd be started during the initialization phase of the z/OS system to ensure that significant messages are not lost. As with other z/OS UNIX daemons, there is more than one way to start SYSLOGD. It can be started as a process in the /etc/rc file or as a z/OS started task.

b
The Syslog daemon must be properly defined and secured.
IA-2 - Medium - CCI-000764 - V-3243 - SV-7079r3_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ISLG0020
Vuln IDs
  • V-3243
Rule IDs
  • SV-7079r3_rule
The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communications Server components that may send messages to syslog are the FTP, TFTP, z/OS UNIX Telnet, DNS, and DHCP servers. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. Primarily because of the potential to use this information in an audit process, there is a security interest in protecting the syslogd process and its associated data. The Syslog daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the Syslog daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Systems Programmer
Information Assurance Officer
Checks: C-46986r5_chk

Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACSPT)
Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ERC) - Refer to this report if the Syslog daemon is started from /etc/rc.
Refer to the JCL procedure libraries defined to JES2.
Ensure that the Syslog daemon is properly defined and protected as stated below. If the following guidance is true, this is not a finding.
___ The Syslog daemon userid is SYSLOGD.
___ The SYSLOGD userid is defined as a PROTECTED userid.
___ The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment.
___ A matching entry mapping the SYSLOGD started proc to the SYSLOGD userid is in the STARTED resource class.
___ If the Syslog daemon is started from /etc/rc then ensure that the _BPX_JOBNAME and _BPX_USERID environment variables are assigned a value of SYSLOGD.

Fix: F-18686r4_fix

The IAO working with the systems programmer responsible for supporting IBM Comm Server will ensure that the Syslog daemon runs under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel.
The Syslog daemon userid is SYSLOGD.
The SYSLOGD userid is defined as a PROTECTED userid.
The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment.
To set up and use as an MVS Started Proc, the following sample commands are provided:
AU SYSLOGD NAME('stc, tcpip') NOPASSWORD NOOIDCARD DFLTGRP(STC) -
  OWNER(STC) DATA('Reference ISLG0020 for proper setup ')
ALU SYSLOGD DFLTGRP(stctcpx)
ALU SYSLOGD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
CO SYSLOGD GROUP(stctcpx) OWNER(stctcpx)
A matching entry mapping the SYSLOGD started proc to the SYSLOGD userid is in the STARTED resource class.
RDEF STARTED SYSLOGD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(SYSLOGD) GROUP(STC))
If /etc/rc is used to start the Syslog daemon, ensure that the _BPX_JOBNAME and _BPX_USERID environment variables are assigned a value of SYSLOGD.

b
The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
AC-3 - Medium - CCI-000213 - V-3244 - SV-3244r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ISLG0030
Vuln IDs
  • V-3244
Rule IDs
  • SV-3244r3_rule
HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these objects could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Responsibility: Systems Programmer, Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, ECTM-1, ECTM-2
Checks: C-3119r3_chk

Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ISLG0030)

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ISLG0030)

The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table. If the guidance is true, this is not a finding.

SYSLOG Daemon HFS Object Security Settings
File                                                   Permission Bits   User Audit Bits
/usr/sbin/syslogd                                      1740              fff
/etc/syslog.conf [Configuration File]                  0744              faf
[Output log file defined in the configuration file]    0744              fff

NOTES:
- The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings.
- The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file.

For example, in /etc/rc:
_BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf

For example, in the SYSLOGD started task JCL:
//SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT
// PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf'
//SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT
// PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)'''

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-36627r2_fix

The IAO, with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS directories and files for the Syslog daemon. Ensure they conform to the specifications in the SYSLOG Daemon HFS Object Security Settings table below.

Log files should have security that prevents anyone except the syslogd process and authorized maintenance jobs from writing to or deleting them. A maintenance process to periodically clear the log files is essential: logging stops if the target file system becomes full.

SYSLOG Daemon HFS Object Security Settings
File                                                   Permission Bits   User Audit Bits
/usr/sbin/syslogd                                      1740              fff
/etc/syslog.conf [Configuration File]                  0744              faf
[Output log file defined in the configuration file]    0744              fff

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

NOTES:
- The /usr/sbin/syslogd object is a symbolic link to /usr/lpp/tcpip/sbin/syslogd. The permission and user audit bits on the target of the symbolic link must have the required settings.
- The /etc/syslog.conf file may not be the configuration file the daemon uses. It is necessary to check the script or JCL used to start the daemon to determine the actual configuration file.

For example, in /etc/rc:
_BPX_JOBNAME='SYSLOGD' /usr/sbin/syslogd -f /etc/syslog.conf

For example, in the SYSLOGD started task JCL:
//SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT
// PARM='POSIX(ON) ALL31(ON)/ -f /etc/syslogd.conf'
//SYSLOGD EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT
// PARM='POSIX(ON) ALL31(ON) /-f //''SYS1.TCPPARMS(SYSLOG)'''

The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1740 /usr/lpp/tcpip/sbin/syslogd
chaudit rwx=f /usr/lpp/tcpip/sbin/syslogd
chmod 0744 /etc/syslog.conf
chaudit w=sf,rx+f /etc/syslog.conf
chmod 0744 /log_dir/log_file
chaudit rwx=f /log_dir/log_file
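The comparison the check and fix above call for (bits that "match or are more restrictive" than the table, judged on the symbolic link's target, with the log files taken from whatever configuration file the daemon actually reads) is shown below as an added example in Python. It is not part of the STIG and not IBM tooling. The syslog.conf text and the observed bits are constructed sample data, the log paths under /var/log are hypothetical, and the per-digit ordering is the STIG's own 7 6 3 2 5 4 1 0 hierarchy taken exactly as printed.

```python
"""Added example (not STIG or IBM code): judge z/OS UNIX permission and audit
bits against the SYSLOG Daemon HFS Object Security Settings table.

Rules follow the STIG text as printed:
  - permission digits are ordered 7 6 3 2 5 4 1 0, least to most restrictive,
    and the observed digit must sit at or after the required one;
  - audit positions are ordered '-' < 'f' < 'a' (none < failures < all).
Observed objects below are constructed sample data; on a live system they
would come from `ls -lW` run under a UID(0) account.
"""

PERM_ORDER = "76325410"   # STIG hierarchy, least restrictive first
AUDIT_ORDER = "-fa"       # no auditing < failures < failures and successes

BASE_TABLE = {
    "/usr/sbin/syslogd": ("1740", "fff"),
    "/etc/syslog.conf":  ("0744", "faf"),
}
LOG_FILE_REQ = ("0744", "fff")      # every output log named in syslog.conf


def log_files_from_conf(conf_text):
    """Output log files named in syslog.conf: rule lines whose action column
    is an absolute path.  Comments, blanks and other actions (for example a
    forwarding destination) are ignored."""
    files = []
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and len(parts) == 2 \
                and parts[1].startswith("/"):
            files.append(parts[1])
    return files


def required_objects(conf_text):
    required = dict(BASE_TABLE)
    for path in log_files_from_conf(conf_text):
        required[path] = LOG_FILE_REQ
    return required


def perm_ok(observed, required):
    """Each rwx digit at least as restrictive as required.  The set-id/sticky
    digit may not carry bits the table does not ask for, and a required
    sticky bit (the leading 1 in 1740) must be present."""
    if len(observed) != 4 or len(required) != 4:
        raise ValueError("expected 4-digit octal modes")
    obs_sp, req_sp = int(observed[0]), int(required[0])
    if obs_sp & ~req_sp or (req_sp & 1 and not obs_sp & 1):
        return False
    return all(PERM_ORDER.index(o) >= PERM_ORDER.index(r)
               for o, r in zip(observed[1:], required[1:]))


def audit_ok(observed, required):
    return len(observed) == 3 and all(
        AUDIT_ORDER.index(o) >= AUDIT_ORDER.index(r)
        for o, r in zip(observed, required))


def evaluate(observed, conf_text):
    """observed: path -> (mode, audit_bits, symlink_target_or_None).
    Returns (path, reason) for every table entry that is a finding; symbolic
    links are followed so the link target is what gets judged."""
    findings = []
    for path, (req_perm, req_audit) in required_objects(conf_text).items():
        seen, rec = {path}, observed.get(path)
        while rec is not None and rec[2] is not None and rec[2] not in seen:
            path = rec[2]                      # follow the symbolic link
            seen.add(path)
            rec = observed.get(path)
        if rec is None or rec[2] is not None:
            findings.append((path, "object not found or symlink loop"))
            continue
        mode, audit, _ = rec
        if not perm_ok(mode, req_perm):
            findings.append((path, f"permission bits {mode} weaker than {req_perm}"))
        if not audit_ok(audit, req_audit):
            findings.append((path, f"audit bits {audit} weaker than {req_audit}"))
    return findings


# Constructed sample input (not from a real system).
SAMPLE_CONF = """\
# constructed /etc/syslog.conf
*.*          /var/log/syslog.log
auth.*       /var/log/auth.log
daemon.err   @loghost.example
"""
SAMPLE_OBSERVED = {
    "/usr/sbin/syslogd":           ("0777", "---", "/usr/lpp/tcpip/sbin/syslogd"),
    "/usr/lpp/tcpip/sbin/syslogd": ("1740", "fff", None),
    "/etc/syslog.conf":            ("0744", "fff", None),  # successful writes not audited
    "/var/log/syslog.log":         ("0764", "fff", None),  # group may write the log
    "/var/log/auth.log":           ("0740", "fff", None),  # tighter than the table: fine
}

if __name__ == "__main__":
    for path, reason in evaluate(SAMPLE_OBSERVED, SAMPLE_CONF):
        print(f"FINDING {path}: {reason}")
```

With the constructed input the link /usr/sbin/syslogd passes because its target carries 1740/fff, /etc/syslog.conf is reported because successful writes to the configuration file are not audited (fff instead of faf), and /var/log/syslog.log is reported because the group digit 6 is weaker than the required 4 in the STIG's ordering; auth.log at 0740 is tighter than the table and is accepted.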

b
The ACP audit logs must be reviewed on a regular basis.
AU-6 - Medium - CCI-000148 - V-3331 - SV-3331r3_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000148
Version
ACP00320
Vuln IDs
  • V-3331
Rule IDs
  • SV-3331r3_rule
Each ACP has the ability to produce audit records based on specific security-related events. Audit trail, monitoring, analysis and reporting provides automated, continuous on-line monitoring and audit trail creation capability to alert personnel of any unusual or inappropriate activity with potential IA implications. Failure to perform audit log analysis would allow unusual or inappropriate activity to continue without review and without appropriate actions being taken.
Responsibility: Information Assurance Officer
Checks: C-23857r4_chk

Examine the documented process for audit trail reviews, as well as the audit trail showing the reviews, to ensure reviews and analysis of information system audit records are performed every seven days or more frequently if required by the site Security Log Management policy.

DoD has defined the information system auditable events as: successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module loads, unloads, and restarts.

Possible areas for review may be as follows:
1) A user attempting to read/update/delete/scratch/alter a critical data set which the STIG prohibits:
   a) Security database files and security setup (parmlib)
   b) System parmlib such as SYS1.PARMLIB
2) A user generating violation(s) while attempting to update (or greater level) operating system data sets to which they do not have access:
   a) SYS1*, SYS2*, SYS3*, SYS4*, SYS*
3) A user generating violation(s) while attempting to update (or greater level) APF libraries
4) A user generating violation(s) while attempting volume-level access
5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs, and system level started tasks
6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS
7) A review of users' password violations within a given day during the prior week; this is an indicator for further review and research of possible unusual activity
8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond those specified above

a) If any of the above unusual or inappropriate activity is found within the audit log records and documentation (email strings or other written documentation) exists showing actions were taken based upon the discovery of an unusual or inappropriate activity event, this is not a finding.
b) If any of the above unusual or inappropriate activity is found within the audit log records and NO documentation exists, this is a finding.

Fix: F-20289r2_fix

The site must provide a Security Log Management policy that documents and implements a process to review and analyze information system audit records every seven days or more frequently if required by the site Security Log Management policy. This process must contain an audit trail of reviews. NIST Special Publication 800-92, Guide to Computer Security Log Management, is recommended as a guideline for establishing the log management policy.

DoD has defined the information system auditable events as: successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); successful and unsuccessful logon attempts; privileged activities or other system level access; starting and ending time for user access to the system; concurrent logons from different workstations; successful and unsuccessful accesses to objects; all program initiations; all direct access to the information system; all account creations, modifications, disabling, and terminations; and all kernel module loads, unloads, and restarts.

Possible areas for review may be as follows:
1) A user attempting to read/update/delete/alter a critical data set which the STIG prohibits:
   a) Security database files and security setup
   b) System parmlib such as SYS1.PARMLIB
2) A user attempting to update (or greater access levels) system data sets to which they would not have access:
   a) SYS1*, SYS2*, SYS3*, SYS4*, etc.
3) A user generating violation(s) attempting to update (or greater access levels) APF libraries
4) A user generating violation(s) attempting volume-level access
5) Violations of JESSPOOL resources against domain level operations batch processing, system programmer submitted jobs, security related batch jobs, and system level started tasks
6) Violations generated against critical system level resources FACILITY/IBMFAC and OPERCMDS
7) A weekly review of users' password violations within a given day during the prior week; this is an indicator for further review and research of possible unusual activity
8) The site may choose to monitor, at the discretion of the site, any additional critical system level resources they deem necessary above and beyond those specified above
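The review areas listed above lend themselves to an automated first pass before the weekly manual review. The Python below is an added example and is not part of the STIG, nor DISA or IBM tooling: it groups RACF ICH408I violation messages, maps each one onto review areas 1 through 7, and counts password failures per user per day so that area 7 surfaces as a hotspot rather than as individual lines. The log is constructed sample text in the general shape of ICH408I (a header line followed by indented detail lines); the RACF database name prefix, the APF library list and the password threshold of 3 are assumptions a site would replace with its own.

```python
"""Added example, not STIG or IBM code: first-pass triage of RACF ICH408I
violation messages against the numbered review areas of ACP00320.

The log lines are constructed sample data in the general shape of ICH408I;
a real review would feed in a SYSLOG/OPERLOG extract or an SMF type 80
report.  CRITICAL_DATASETS, APF_LIBRARIES and PASSWORD_THRESHOLD are
site-specific assumptions made for the example.
"""
import re
from collections import Counter

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
CRITICAL_DATASETS = ("SYS1.RACF", "SYS1.PARMLIB")           # area 1 (assumed names)
SYSTEM_PREFIXES = ("SYS1.", "SYS2.", "SYS3.", "SYS4.")      # area 2
APF_LIBRARIES = {"SYS2.APF.LINKLIB", "SYS3.VENDOR.LOADLIB"}  # area 3 (assumed site list)
CLASS_AREA = {"DASDVOL": 4, "JESSPOOL": 5, "FACILITY": 6, "OPERCMDS": 6}
PASSWORD_THRESHOLD = 3   # failures per user per day worth a closer look (assumed)

HDR = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} ICH408I USER\((?P<user>\w+)\s*\)")
RES = re.compile(r"^\s+(?P<res>\S+)\s+CL\((?P<cls>\w+)\s*\)")
INTENT = re.compile(r"ACCESS INTENT\((?P<intent>\w+)\s*\)")


def parse_ich408i(text):
    """Group each ICH408I header with its indented continuation lines."""
    events, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"date": m["date"], "user": m["user"], "resource": None,
                   "cls": None, "intent": "NONE", "password": False}
            events.append(cur)
        elif cur is not None and line.startswith(" "):
            if "INVALID PASSWORD" in line:
                cur["password"] = True
            m = RES.match(line)
            if m:
                cur["resource"], cur["cls"] = m["res"], m["cls"]
            m = INTENT.search(line)
            if m:
                cur["intent"] = m["intent"]
    return events


def review_area(ev):
    """Map one violation onto review areas 1-7, or None when the STIG does not
    single it out (for example a READ failure on an ordinary SYS3 data set)."""
    if ev["password"]:
        return 7
    res, cls = ev["resource"] or "", ev["cls"]
    update_or_more = ACCESS_RANK.get(ev["intent"], 0) >= ACCESS_RANK["UPDATE"]
    if cls == "DATASET":
        if res.startswith(CRITICAL_DATASETS):
            return 1                           # any access attempt counts
        if res in APF_LIBRARIES and update_or_more:
            return 3
        if res.startswith(SYSTEM_PREFIXES) and update_or_more:
            return 2
        return None
    return CLASS_AREA.get(cls)


def triage(text):
    """Return (items, hotspots).  items: [(area, user, resource)] in log order
    for areas 1-6.  hotspots: {(user, date): n} where one user's password
    failures on one day reach PASSWORD_THRESHOLD (area 7)."""
    items, failures = [], Counter()
    for ev in parse_ich408i(text):
        area = review_area(ev)
        if area == 7:
            failures[(ev["user"], ev["date"])] += 1
        elif area is not None:
            items.append((area, ev["user"], ev["resource"]))
    return items, {k: n for k, n in failures.items() if n >= PASSWORD_THRESHOLD}


# Constructed sample log, not real system output.
SAMPLE_LOG = """\
2019-09-20 08:12:03 ICH408I USER(DEVUSR1 ) GROUP(DEVGRP  ) NAME(DEV USER ONE        )
  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
2019-09-20 08:15:40 ICH408I USER(DEVUSR1 ) GROUP(DEVGRP  ) NAME(DEV USER ONE        )
  SYS2.APF.LINKLIB CL(DATASET ) VOL(SYS2A1)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(READ   )
2019-09-20 09:02:11 ICH408I USER(APPUSR7 ) GROUP(APPGRP  ) NAME(APP USER SEVEN      )
  SYS3.APPL.DATA CL(DATASET ) VOL(APPL01)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
2019-09-20 10:30:00 ICH408I USER(OPER02  ) GROUP(OPSGRP  ) NAME(OPERATOR TWO        )
  MVS.CANCEL.STC.SYSLOGD CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
2019-09-21 07:00:01 ICH408I USER(DEVUSR1 ) GROUP(DEVGRP  ) NAME(DEV USER ONE        )
  LOGON/JOB INITIATION - INVALID PASSWORD
2019-09-21 07:00:09 ICH408I USER(DEVUSR1 ) GROUP(DEVGRP  ) NAME(DEV USER ONE        )
  LOGON/JOB INITIATION - INVALID PASSWORD
2019-09-21 07:00:15 ICH408I USER(DEVUSR1 ) GROUP(DEVGRP  ) NAME(DEV USER ONE        )
  LOGON/JOB INITIATION - INVALID PASSWORD
"""

if __name__ == "__main__":
    items, hotspots = triage(SAMPLE_LOG)
    for area, user, resource in items:
        print(f"area {area}: {user} on {resource}")
    for (user, day), n in hotspots.items():
        print(f"area 7: {user} had {n} password failures on {day}")
```

On the constructed log the UPDATE attempt on SYS1.PARMLIB lands in area 1, the ALTER attempt on an APF library in area 3, and the OPERCMDS violation in area 6, while the READ failure on SYS3.APPL.DATA is not reported because the STIG's area 2 is about update or greater. The three password failures by DEVUSR1 on 2019-09-21 reach the assumed threshold and are reported once as a hotspot; every reported item still needs the documented human follow-up the check requires.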

b
User accounts defined to the ACP do not uniquely identify system users.
IA-2 - Medium - CCI-000764 - V-3716 - SV-3716r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ACP00330
Vuln IDs
  • V-3716
Rule IDs
  • SV-3716r2_rule
System users must be uniquely identified to the operating system. To accomplish this, each user must have an individual account defined to the ACP. If user accounts are not associated with specific individuals and are shared among multiple users, individual accountability is lost. This could hamper security audit activities and lead to unauthorized user access to system resources and customer data. Scope of, ownership of, and responsibility over users shall be based upon the specifics of appointment, role, responsibilities, and level of authority. For example, a domain/system level IAO is responsible for the domain/system level users, whereas an application user would normally be the responsibility of the DoD AIS application security team unless an SLA indicates otherwise.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, IAIA-1, IAIA-2
Checks: C-5433r1_chk

a) The IAO will provide a list of all userids that are shared among multiple users (i.e., not uniquely identified system users).
b) If there are no shared userids on this domain, there is NO FINDING.
c) If there are shared userids on this domain, this is a FINDING.
NOTE: Userids should be able to be traced back to a current DD2875 or a vendor requirement (example: a Started Task).

Fix: F-18149r1_fix

The IAO will identify user accounts defined to the ACP that are being shared among multiple users. This may require interviews with appropriate system-level support personnel. Remove the shared user accounts from the ACP. The IAO is required to uniquely identify each system user to the ACP and to ensure that access to resources is limited to those needed to perform the function. A user is defined as either an individual accessing a computer resource or a task executing on the system that requires access to a resource. On z/OS systems a user is identified by means of a unique userid. Security requires that audit data record the identity of the user, time of access, interaction with the system, and sensitive functions that might permit a user or program to modify, bypass, or negate security safeguards. Any userid on the system must be associated with only one individual; a given individual may, however, be assigned responsibility for multiple userids on a given system, depending on functional responsibilities, to ensure task segregation.

b
DFSMS control data sets must be protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-3895 - SV-7357r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZSMS0020
Vuln IDs
  • V-3895
Rule IDs
  • SV-7357r3_rule
DFSMS control data sets provide the configuration and operational characteristics of the system-managed storage environment. Failure to properly protect these data sets may result in unauthorized access. This exposure could compromise the availability and integrity of some system services and customer data.
Responsibility: Information Assurance Officer
Checks: C-72933r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SMSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZSMS0020)

b) Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets:
- Source Control Data Set (SCDS)
- Active Control Data Set (ACDS)
- Communications Data Set (COMMDS)
- Automatic Class Selection Routine Source Data Sets (ACS)
- ACDS Backup
- COMMDS Backup

c) If the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets restrict UPDATE and ALTER access to only systems programming personnel, this is not a finding.
d) If the RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets do not restrict UPDATE and ALTER access to only systems programming personnel, this is a finding.

Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets.

Fix: F-79239r1_fix

Review the SYS1.PARMLIB(IGDSMS00) data set to identify the fully qualified file names for the following SMS data sets:
- Source Control Data Set (SCDS)
- Active Control Data Set (ACDS)
- Communications Data Set (COMMDS)
- Automatic Class Selection Routine Source Data Sets (ACS)
- ACDS Backup
- COMMDS Backup

The RACF data set rules for the SCDS, ACDS, COMMDS, and ACS data sets must restrict UPDATE and ALTER access to only z/OS systems programming personnel.

Note: At the discretion of the ISSM, DASD administrators are allowed UPDATE access to the control data sets.

Some example commands to implement the proper controls are shown here:

AD 'sys3.dfsms.mmd.commds.**' UACC(NONE) OWNER(SYS3) AUDIT(ALL(READ)) DATA('PROTECTED PER ZSMS0020')
PE 'sys3.dfsms.mmd.commds.**' ID(<syspaudt>) ACC(A)

a
SYS(x).Parmlib(IEFSSNxx) SMS configuration parameter settings are not properly specified.
CM-6 - Low - CCI-000366 - V-3896 - SV-3896r2_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
ZSMS0030
Vuln IDs
  • V-3896
Rule IDs
  • SV-3896r2_rule
Configuration properties of DFSMS are specified in various members of the system parmlib concatenation (e.g., SYS1.PARMLIB). Statements within these PDS members provide the execution, operational, and configuration characteristics of the system-managed storage environment. Missing or inappropriate configuration values may result in undesirable operations and degraded security. This exposure could potentially compromise the availability and integrity of some system services and customer data.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2
Checks: C-3414r1_chk

a) Review the SYS1.PARMLIB(IEFSSNxx) data set for the following SMS parameter settings:
1) Keyword syntax: SUBSYS SUBNAME(SMS) INITRTN(IGDSSIIN)
2) Positional syntax: SMS,IGDSSIIN
b) If the required parameters are defined, there is NO FINDING.
c) If the required parameters are not defined, this is a FINDING.

Fix: F-18937r1_fix

Review the DFSMS-related PDS members and statements specified in the system parmlib concatenation. Ensure these elements are configured as outlined below:
Keyword syntax: SUBSYS SUBNAME(SMS) INITRTN(IGDSSIIN)
Positional syntax: SMS,IGDSSIIN
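Both syntaxes the check and fix list can be recognised by one reader. The Python below is an added example and is not part of the STIG or of IBM's parmlib tooling: it discards parmlib sequence columns and /* */ comments, treats a member containing SUBSYS statements as keyword syntax and any other member as positional, and reports whether SMS is defined with INITRTN IGDSSIIN. The three members are constructed samples; IEFSSNxx's own continuation rules are not modelled beyond reading a keyword-format member as one token stream.

```python
"""Added example, not STIG or IBM code: read an IEFSSNxx parmlib member and
report whether the SMS subsystem is defined as ZSMS0030 requires, in either
syntax the STIG lists:

    Keyword syntax:    SUBSYS SUBNAME(SMS) INITRTN(IGDSSIIN)
    Positional syntax: SMS,IGDSSIIN

The members below are constructed samples.  Columns 72-80 (sequence numbers)
and /* ... */ comments are discarded before parsing, which are the general
parmlib conventions; IEFSSNxx continuation rules are not modelled beyond
treating a keyword-format member as one token stream.
"""
import re

KEYVAL = re.compile(r"(\w+)\(([^)]*)\)")


def significant_text(member):
    """Drop the sequence-number columns and comments."""
    body = "\n".join(line[:71] for line in member.splitlines())
    return re.sub(r"/\*.*?\*/", " ", body, flags=re.S)


def subsystems(member):
    """[(SUBNAME, INITRTN)] for every subsystem in the member; INITRTN is ''
    when the statement names no initialization routine."""
    text = significant_text(member)
    found = []
    if re.search(r"\bSUBSYS\b", text, re.I):                   # keyword syntax
        for stmt in re.split(r"\bSUBSYS\b", text, flags=re.I)[1:]:
            kv = {k.upper(): v.strip().upper() for k, v in KEYVAL.findall(stmt)}
            if "SUBNAME" in kv:
                found.append((kv["SUBNAME"], kv.get("INITRTN", "")))
    else:                                                      # positional syntax
        for line in text.splitlines():
            fields = [f.strip().upper() for f in line.split(",")]
            if fields[0]:
                found.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return found


def sms_properly_defined(member):
    """ZSMS0030: the SMS subsystem is present with INITRTN IGDSSIIN."""
    return ("SMS", "IGDSSIIN") in subsystems(member)


def parmlib_lines(*stmts):
    """Lay constructed statements out with sequence numbers in columns 73-80."""
    return "\n".join(s.ljust(72) + f"{(i + 1) * 10:08d}" for i, s in enumerate(stmts))


KEYWORD_MEMBER = parmlib_lines(
    "/* constructed IEFSSN00 sample, keyword syntax */",
    "SUBSYS SUBNAME(JES2) PRIMARY(YES) START(NO)",
    "SUBSYS SUBNAME(SMS) INITRTN(IGDSSIIN) INITPARM('ID=00')",
    "SUBSYS SUBNAME(MSTR)",
)
POSITIONAL_MEMBER = parmlib_lines(
    "/* constructed IEFSSN01 sample, positional syntax */",
    "JES2,,PRIMARY",
    "SMS,IGDSSIIN,'ID=00'",
)
BAD_MEMBER = parmlib_lines(   # SMS only inside a comment, then without INITRTN
    "/* SUBSYS SUBNAME(SMS) INITRTN(IGDSSIIN) was here */",
    "SUBSYS SUBNAME(JES2) PRIMARY(YES)",
    "SUBSYS SUBNAME(SMS)",
)

if __name__ == "__main__":
    for name, member in [("IEFSSN00", KEYWORD_MEMBER), ("IEFSSN01", POSITIONAL_MEMBER),
                         ("IEFSSN02", BAD_MEMBER)]:
        state = "compliant" if sms_properly_defined(member) else "FINDING"
        print(name, state, subsystems(member))
```

The third member is the case a reviewer most easily misses by eye: the compliant statement survives only inside a comment, and the live SUBSYS SUBNAME(SMS) statement has no INITRTN, so the SMS subsystem would come up without its initialization routine and the member is a finding.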

b
MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-3897 - SV-3897r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWAS0010
Vuln IDs
  • V-3897
Rule IDs
  • SV-3897r2_rule
MVS data sets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-3258r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(HTTPRPT)
- SENSITVE.RPT(WASRPT)
b) Ensure the following data set controls are in effect for WAS:
___ The ACP data set rules restrict UPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) to systems programming personnel.
NOTE: If the HTTP server is not used with WAS, this check can be ignored.
___ The ACP data set rules restrict UPDATE and ALTER access to WAS product data sets and associated product data sets to systems programming personnel:
SYS*.EJS.V3500108.** (WebSphere 3.5)
SYS*.WAS.V401.** (WebSphere 4.0.1)
SYS*.OE.** (Java)
SYS*.JAVA** (Java)
SYS*.DB2.V710107.** (DB2)
SYS*.GLD.** (LDAP)
SYS1.LE.** (Language Environment)
c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-26597r1_fix

The IAO will ensure that WebSphere server data sets restrict UPDATE and/or ALTER access to systems programming personnel. Ensure the following data set controls are in effect for WAS:
1) UPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel.
NOTE: If the HTTP server is not used with WAS, this check can be ignored.
2) UPDATE and ALTER access to WAS product data sets and associated product data sets is restricted to systems programming personnel:
SYS*.EJS.V3500108.** (WebSphere 3.5)
SYS*.WAS.V401.** (WebSphere 4.0.1)
SYS*.OE.** (Java)
SYS*.JAVA** (Java)
SYS*.DB2.V710107.** (DB2)
SYS*.GLD.** (LDAP)
SYS1.LE.** (Language Environment)

b
HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-3898 - SV-3898r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWAS0020
Vuln IDs
  • V-3898
Rule IDs
  • SV-3898r2_rule
HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Many of these objects are responsible for the security implementation of WAS. Failure to properly protect these directories and files may lead to unauthorized access. This exposure could potentially compromise the integrity and availability of system services, applications, and customer data.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20978r1_chk

a) Refer to the following reports produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(IHSHFSOB)
- USSCMDS.RPT(WASHFSOB)
For each IBM HTTP server, supply the following information (PDS member name - IHSACCTS):
- Web server ID defined to the ACP
- Web server administration group defined to the ACP
- Web server standard HFS directory

b) The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum:
- If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.
- Where an owner field indicates websrv1, the ID of the web server is intended.
- Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.
- The site is free to set the permission and audit bit settings to be more restrictive than the documented values.

Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permission Bits table in the z/OS STIG Addendum.

NOTE: Currently the guidance requires the permissions on these files to be 640, where the group is the SA or web manager account that controls the web service. However, the group permission only allows READ access, making it impossible to update the files unless a UID(0) account is used. There appears to be a conflict with this requirement. Proposed updates include changing the permissions from 640 to 460, with the owner being the web server user account and the group being the web server administrator group. Verification of these proposed changes needs to be performed. Until this occurs, compliance of the WAS configuration and property files cannot be reviewed. An entry for was.conf file settings needs to be added. Settings for the WebSphere properties and bin directories may be desirable.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bit settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18956r1_fix

Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permission Bits table located in the z/OS STIG Addendum.

b
The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-3899 - SV-7265r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWAS0030
Vuln IDs
  • V-3899
Rule IDs
  • SV-7265r2_rule
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.
Responsibility: Information Assurance Officer
Checks: C-3261r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(CBIND)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes
b) Ensure the following items are in effect for CBIND resource protection:
1) The CBIND resource class is active.
2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).
3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).
c) If all items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18794r1_fix

There are two profiles to create when using the CBIND class. The CB.BIND.server_name profile controls whether a local or remote client can access servers; CB.BIND is mandatory for the first two qualifiers of the profile, and the third qualifier is the server name. The CB.server_name profile controls whether a client can use components in a server; again, these definitions are mandatory.

Ensure the following items are in effect for CBIND resource protection:
1) The CBIND resource class is active.
2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).
3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

The following commands provide sample definitions and permissions for this CBIND resource:

SETR CLASSACT(CBIND)
SETR GENERIC(CBIND)
SETR RACL(CBIND)
RDEFINE CBIND cb.bind.<servername> UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030')
Permit cb.bind.<servername> CLASS(CBIND) ID(<wscfg1>) ACCESS(CONTROL)

Note: "wscfg1" is a RACF group that contains the WebSphere Application Server STCs and maintenance userids.

c
Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
CM-7 - High - CCI-001762 - V-3900 - SV-3900r3_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001762
Version
ZWAS0040
Vuln IDs
  • V-3900
Rule IDs
  • SV-3900r3_rule
Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
The IAO will ensure that the CBADMIN user password is changed from the default.
Responsibility: Information Assurance Officer
Checks: C-3264r2_chk

a) Refer to the following report produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(LOGONIDS)
RACF - RACFCMDS.RPT(LISTUSER)
TSS - TSSCMDS.RPT(@ACIDS)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZWAS0040)

b) If the CBADMIN user account is not defined to the ACP, there is NO FINDING.
c) If the CBADMIN user account is defined to the ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT I.
d) If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT II.

Fix: F-18947r1_fix

The IAO will ensure that the CBADMIN user account is removed or not defined to the ACP.

b
The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
AC-17 - Medium - CCI-000068 - V-3901 - SV-3901r2_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
ZWAS0050
Vuln IDs
  • V-3901
Rule IDs
  • SV-3901r2_rule
Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.
Responsibility: Information Assurance Officer
IA Controls: DCCS-1, DCCS-2
Checks: C-20980r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(AHTTPD)
Collect the following information for each IBM HTTP server:
- The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS)
- For each IBM HTTP server, supply the following information:
  Web server ID defined to the ACP
  Web server administration group defined to the ACP
  Web server standard HFS directory
b) Review the HTTP server JCL procedure to determine the httpd.conf file to review.
c) Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.

The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:
ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf
Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit

The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:
ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit
Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit
ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit

NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.

d) If all WAS-related directives are configured properly, there is NO FINDING.
e) If any WAS-related directive is not configured properly, this is a FINDING.

Fix: F-18948r1_fix

The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below. Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.

The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:
ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf
Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit

The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:
ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit
Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit
ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit

NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.

b
User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
SC-10 - Medium - CCI-001133 - V-3903 - SV-3903r2_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ZWMQ0020
Vuln IDs
  • V-3903
Rule IDs
  • SV-3903r2_rule
Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time. This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data. This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2, ECTM-1, ECTM-2
Checks: C-19829r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZWMQ0020)

b) Review the ssid report(s) and perform the following steps:
1) Find the DISPLAY SECURITY command to locate the start of the security parameter settings.
2) Review the CSQH015I and CSQH016I messages to determine the TIMEOUT and INTERVAL parameter settings respectively.
3) Repeat these steps for each queue manager ssid.
The standard values are: TIMEOUT(15) INTERVAL(5)
c) If the TIMEOUT and INTERVAL values conform to the standard values, there is NO FINDING.
d) If the TIMEOUT and/or INTERVAL values do not conform to the standard values, this is a FINDING.

Fix: F-18983r1_fix

Review the WebSphere MQ System Setup Guide and the information on the ALTER SECURITY command in the WebSphere MQ Script (MQSC) Command Reference. Ensure the values for the TIMEOUT and INTERVAL parameters are specified in accordance with security requirements.

b
WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
IA-2 - Medium - CCI-000764 - V-3904 - SV-7526r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZWMQ0030
Vuln IDs
  • V-3904
Rule IDs
  • SV-7526r2_rule
Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-4628r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTUSER)
Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels.
b) Review WebSphere MQ started tasks and ensure the following items are in effect:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). ssidMSTR is the name of a queue manager STC. ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.
1) Each ssidMSTR and ssidCHIN started task is associated with a unique userid.
2) All ssidMSTR and ssidCHIN started tasks are defined to the STARTED resource class.
3) All ssidMSTR and ssidCHIN started task userids are defined as PROTECTED.
c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18797r1_fix

Each queue manager started task procedure xxxxMSTR and distributed queuing started task procedure xxxxCHIN will have a matching profile defined to the STARTED resource class. Create a corresponding userid for each started task. The STC userids will be defined as PROTECTED userids. Queue manager and channel initiator started tasks will not be defined with the TRUSTED attribute.

The following sample contains commands to properly define the required Started Procs. Note that this example uses "qmq1" as the value for ssid.

AU qmq1mstr NAME('STC, MQSERIES') NOPASS DFLTGRP(STC) OWNER(STC) DATA('MQSERIES QUEUE MANAGER PROC')
AU qmq1chin NAME('STC, MQSERIES') NOPASS DFLTGRP(STC) OWNER(STC) DATA('MQSERIES DISTRIBUTED QUEUING CHANNEL INIT PROC')
RDEF STARTED qmq1mstr.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1mstr PROC TO qmq1mstr USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES))
RDEF STARTED qmq1chin.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1chin PROC TO qmq1chin USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES))
SETR RACL(STARTED) REFRESH

b
WebSphere MQ: all update and alter access to MQSeries/WebSphere MQ product and system data sets is not properly restricted.
AC-3 - Medium - CCI-000213 - V-3905 - SV-3905r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0040
Vuln IDs
  • V-3905
Rule IDs
  • SV-3905r2_rule
MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECAR-1, ECAR-2, ECCD-1, ECCD-2
Checks: C-20021r1_chk

a) Refer to the following report produced by the ACP Data Collection:
- SENSITVE.RPT(MQSRPT)
b) Ensure ACP data set rules for MQSeries/WebSphere MQ system data sets (e.g., SYS2.MQM.) restrict access as follows:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
___ READ access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and system programming personnel. All access to these data sets is logged.
DDname    Procedure   Description
CSQINP1   ssidMSTR    Input parameters
CSQINP2   ssidMSTR    Input parameters
CSQXLIB   ssidCHIN    User exit library
NOTE: WRITE/UPDATE and/or ALLOCATE/ALTER access to these data sets is restricted to MQSeries/WebSphere MQ administrators and systems programming personnel.
___ WRITE/UPDATE and/or ALLOCATE/ALTER access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and systems programming personnel. All WRITE and ALLOCATE access to these data sets is logged.
DDname      Procedure   Description
CSQPxxxx    ssidMSTR    Page data sets
BSDSx       ssidMSTR    Bootstrap data sets
CSQOUTx     ssidMSTR    SYSOUT data sets
CSQSNAP     ssidMSTR    DUMP data set
(See note)  ssidMSTR    Log data sets
NOTE: To determine the log data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain DSNs.
___ ALLOCATE/ALTER access to archive data sets is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and system programming personnel. All ALLOCATE/ALTER access to these data sets is logged.
NOTE: To determine the archive data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 DSN HLQs.
___ Except for the specific data set requirements just mentioned, WRITE/UPDATE and/or ALLOCATE/ALTER access to all other MQSeries/WebSphere MQ system data sets is restricted to the MQSeries/WebSphere MQ administrator and system programming personnel.
c) If all the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-19000r1_fix

The systems programmer will have the IAO ensure that all update and alter access to MQSeries/WebSphere MQ product and system data sets are restricted to WebSphere MQ administrators, systems programmers, and MQSeries/WebSphere MQ started tasks.
The installation requires that the following data sets be APF authorized:
hlqual.SCSQAUTH
hlqual.SCSQLINK
hlqual.SCSQANLx
hlqual.SCSQSNL
hlqual.SCSQMVR1
hlqual.SCSQMVR2
(2) Read access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets.
(3) Write and allocate access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all write and allocate access to these data sets.
(5) Allocate access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all allocate access to these data sets.

b
Allocate access to system user catalogs must be limited to system programmers only.
AC-3 - Medium - CCI-000213 - V-4850 - SV-4850r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00135
Vuln IDs
  • V-4850
Rule IDs
  • SV-4850r3_rule
System catalogs are the basis for locating all files on the system. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Information Assurance Officer
Checks: C-829r2_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(CATURPT) - User Catalogs
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00135)
___ The ESM data set rules for System Catalogs allow inappropriate access.
___ The ESM data set rules for User Catalogs do not restrict ALTER access / ALTER and SCRATCH (TSS) to only z/OS systems programming personnel. Access greater than "READ" for User Catalogs is allowed to a batch job ID in the following specific case: The batch job must reside in a data set that is restricted to systems programmers only.
___ The ESM data set rules for User Catalogs do not specify that all (i.e., failures and successes) ALTER access will be logged.
b) If all of the above are untrue, this is not a finding.
c) If any of the above is true, this is a finding.

Fix: F-17106r2_fix

Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect USER CATALOGS. Configure ESM rules for allocate access to USER CATALOGS, limited to system programmers only, and all allocate access is logged. Configure ESM rules for the USER CATALOGS to allow any batch ID access above “READ” only in this specific case: The batch job that requires above “READ” access must reside in a data set that has restricted “ALTER” or equivalent access to systems programmers ONLY.

a
Non-existent or inaccessible Link Pack Area (LPA) libraries.
CM-7 - Low - CCI-001762 - V-5605 - SV-5605r2_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-001762
Version
AAMV0325
Vuln IDs
  • V-5605
Rule IDs
  • SV-5605r2_rule
LPA libraries give a common access point for the general usage of modules. Many of the subsystems installed on a domain rely upon these modules for proper execution. If the list of libraries found in this LPA member is not properly maintained, the integrity of the operating environment is subject to compromise.
Systems Programmer
DCCS-1, DCCS-2, DCSL-1
Checks: C-667r1_chk

STIG ID: AAMV0325
Default Severity: Category III
a) Refer to the following reports produced by the z/OS Data Collection:
- PARMLIB.ACCESS(LPALSTxx)
- PARMLIB.ACCESS(IEAFIXxx)
- PARMLIB.ACCESS(IEALPAxx)
NOTE: The LPALSTxx, IEAFIXxx, and IEALPAxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING.
Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0325)
b) If no inaccessible LPA libraries exist, there is NO FINDING.
c) If inaccessible LPA libraries do exist, this is a FINDING.

Fix: F-16982r1_fix

The systems programmer will ensure that only existing libraries are specified in the LPA list of libraries. Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies.

The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization. Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB:
- LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].)
- IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)
- IEALPAxx specifies the names of modules that will be loaded from the following:
  - SYS1.SVCLIB
  - The LPALSTxx concatenation
  - The LNKLSTxx concatenation
  as a temporary extension to the existing Pageable LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)

Use the following recommendations and techniques to control the exposures created by the LPA facility:
(1) The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries.
On a semiannual basis, Software Support should review the volume serial numbers and verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The IAO should modify and/or delete the rules associated with these libraries.

b
The hosts identified by the NSINTERADDR statement must be properly protected.
CM-6 - Medium - CCI-000366 - V-5627 - SV-5627r4_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ITCP0025
Vuln IDs
  • V-5627
Rule IDs
  • SV-5627r4_rule
If the hosts identified by the NSINTERADDR statement are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the host and the hosts' components. Therefore, they can interfere with the normal operations of the host. Improper control of hosts and the hosts' components could compromise network operations.
Information Assurance Officer
Systems Programmer
Checks: C-3122r3_chk

Refer to the Data configuration file specified on the SYSTCPD DD statement in the TCPIP started task JCL. Gather the following information for any NSINTERADDR statement coded in the TCP/IP Data configuration file:
- Identify the physical location of the host running a DNS server (i.e., on-site or off-site at organization, city, state).
- Obtain the description of the physical security controls used to limit access to the area where the host is located.
Automated Analysis requires Additional Analysis.
Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ITCP0025)
If no NSINTERADDR statements are specified in the TCP/IP Data configuration file, this is not applicable.
Verify the NSINTERADDR statements specified in the TCP/IP Data configuration file. If the following guidance is true, this is not a finding.
___ The NSINTERADDR statements refer to hosts connected directly to networks within the physical premises of the host site.
___ The NSINTERADDR statements refer to hosts that are located in areas with physical access limited to authorized personnel.

Fix: F-35826r1_fix

The IAO will ensure that the hosts and the hosts' components identified in the NSINTERADDR statement are protected. The IAO, with assistance from the systems programmer, will ensure that any NSINTERADDR statements coded in the TCPIP.DATA file refer to hosts connected directly to networks within the physical premises of the host site and located in areas with physical access limited to authorized personnel.

b
CICS regions are improperly protected to prevent unauthorized propagation of the region userid.
AC-3 - Medium - CCI-000213 - V-6898 - SV-7193r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZCICR041
Vuln IDs
  • V-6898
Rule IDs
  • SV-7193r2_rule
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECSD-1, ECSD-2
Checks: C-4684r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(PROPCNTL)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
b) Ensure the CICS region is defined to the PROPCNTL resource class.
c) If (b) is true, there is NO FINDING.
d) If (b) is untrue, this is a FINDING.

Fix: F-18501r1_fix

Utilize propagation control for each CICS region. Under no circumstance should a user's batch job submitted from a CICS region execute under that CICS region's userid. To prevent this from occurring, define a profile in the PROPCNTL resource class for each CICS region. The following is an example:

RDEFINE PROPCNTL <cics-region-userid> OWNER(ADMIN) AUDIT(ALL(READ))

The PROPCNTL class must be active and RACLISTed for this protection to be in effect:

SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)

b
All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed.
PE-3 - Medium - CCI-000933 - V-6900 - SV-7195r2_rule
RMF Control
PE-3
Severity
Medium
CCI
CCI-000933
Version
ZFEP0011
Vuln IDs
  • V-6900
Rule IDs
  • SV-7195r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-20294r1_chk

a) Review site documentation to validate that procedures are in place to protect the FEP service subsystem and diskette drive:
- Documents and procedures restricting access to the hardware components of the FEPs.
b) If the hardware components of the FEPs are located in secure locations, there is NO FINDING.
c) If the hardware components of the FEPs are not located in secure locations, this is a FINDING.

Fix: F-18249r1_fix

Ensure that hardware components of the FEPs are protected as specified below: Physical security is the first level of security control for the FEPs. Install all hardware components of the FEPs in secure locations where they cannot be stolen, damaged, or disturbed. Make sure that FEP hardware is located in a secure area with limited access to authorized personnel.

b
Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
AC-1 - Medium - CCI-000004 - V-6901 - SV-7196r2_rule
RMF Control
AC-1
Severity
Medium
CCI
CCI-000004
Version
ZFEP0012
Vuln IDs
  • V-6901
Rule IDs
  • SV-7196r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-3279r1_chk

a) Review site documentation to validate that procedures are in place to protect the FEP service subsystem and diskette drive:
- Documents and procedures restricting access to the functions of the service subsystem from the control panel.
- Documents and procedures restricting access to the functions of the service subsystem from the local and/or remote operator consoles (e.g., physical access, password control, key-lock switch of modems, etc.).
- Documents and procedures restricting access to the diskette drive of the service subsystem.
b) If a procedure is in place to restrict access to the functions of the service subsystem, there is NO FINDING.
c) If a procedure is in place to restrict access to the functions of the service subsystem from operator consoles (local and/or remote), there is NO FINDING.
d) If a procedure is in place to restrict access to the diskette drive of the service subsystem, there is NO FINDING.
e) If no procedure exists for any of the above functions of the service subsystem and FEP resources, this is a FINDING.

Fix: F-18250r1_fix

Ensure that all hardware components of the FEPs are protected as described below and supporting documentation procedures exist for each item:
1. Documents and procedures restricting access to the hardware components of the FEPs.
2. Documents and procedures restricting access to the functions of the service subsystem from the control panel.
3. Documents and procedures restricting access to the functions of the service subsystem from the local and/or remote operator consoles (e.g., physical access, password control, key-lock switch of modems, etc.).
4. Documents and procedures restricting access to the diskette drive of the service subsystem.

b
A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
CP-4 - Medium - CCI-000504 - V-6902 - SV-7197r2_rule
RMF Control
CP-4
Severity
Medium
CCI
CCI-000504
Version
ZFEP0013
Vuln IDs
  • V-6902
Rule IDs
  • SV-7197r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
DCCS-1, DCCS-2
Checks: C-20295r1_chk

a) Review site documentation to validate that procedures are in place to protect the FEP service subsystem and diskette drive:
- Documents and procedures regarding the NCP load and dump processes.
b) If a procedure is in place relative to the NCP load and dump processes, there is NO FINDING.
c) If no procedure is in place relative to the NCP load and dump processes, this is a FINDING.

Fix: F-18251r1_fix

If documented procedures for loading and dumping the FEP NCP (Network Control Program) are not available, create a procedure document for dumping and loading the FEP and make sure that it is available to the IAO and to the authorized personnel responsible for performing these functions.

b
An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
CM-3 - Medium - CCI-000318 - V-6903 - SV-7198r2_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-000318
Version
ZFEP0014
Vuln IDs
  • V-6903
Rule IDs
  • SV-7198r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-20296r1_chk

a) Review site documentation to validate that procedures are in place to protect the FEP service subsystem and diskette drive:
- All documents and procedures that apply to FEP operations including network management, FEP initialization, IPL, shutdown, NCP dumping, backup, and recovery.
b) If a log is in place to keep track of all hardware upgrades and software changes, there is NO FINDING.
c) If no log is in place to keep track of all hardware upgrades and software changes, this is a FINDING.

Fix: F-18252r1_fix

The systems programmer will see that a log of all hardware and software upgrades/changes has been created for auditing purposes and problem tracking. All changes and upgrades will be logged.

b
NCP (Network Control Program) data set access authorization does not restrict UPDATE and/or ALLOCATE access to appropriate personnel.
CM-5 - Medium - CCI-001499 - V-6904 - SV-7199r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZFEP0015
Vuln IDs
  • V-6904
Rule IDs
  • SV-7199r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-20297r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(NCPRPT)
___ The ACP data set rules for NCP data sets allow inappropriate access.
___ The ACP data set rules for NCP data sets do not restrict UPDATE and/or ALL access to authorized personnel (e.g., systems programming personnel).
b) If both of the above are untrue, there is NO FINDING.
c) If either of the above is true, this is a FINDING.

Fix: F-18253r1_fix

Identify the names of the following data sets used for installation and in development/production environments:
- NCP system data sets
- NCP source definition data sets
- NCP load modules
- NCP host dump data sets
- NCP utility programs
Have the IAO validate that they are properly protected by the ACP, and that only authorized personnel (e.g., z/OS systems programming personnel) are permitted UPDATE and/or ALLOCATE access.

b
A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
AC-3 - Medium - CCI-000213 - V-6905 - SV-7200r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZFEP0016
Vuln IDs
  • V-6905
Rule IDs
  • SV-7200r2_rule
If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem. Therefore, they can interfere with the normal operations of the FEPs. Improper control of FEP components could compromise network operations.
Information Assurance Officer
Systems Programmer
DCCS-1, DCCS-2, IAAC-1
Checks: C-20301r1_chk

a) Review site documentation to validate that procedures are in place to protect the FEP service subsystem and diskette drive:
- Documents and procedures restricting access to the functions of the service subsystem from the local and/or remote operator consoles (e.g., physical access, password control, key-lock switch of modems, etc.).
b) If a password control is in place to restrict access to the service subsystem via the operator consoles (local and/or remote), there is NO FINDING.
c) If a key-lock switch is used to protect the modem supporting the remote console of the service subsystem, there is NO FINDING.
d) If no procedure exists for any of the above functions of the service subsystem and FEP resources, this is a FINDING.

Fix: F-18256r1_fix

If any of the below procedures are not in place, then correct the situation by documenting the missing procedure(s). The systems programmer should validate the following:
- Control authorization to use the service subsystem console (local or remote) by FEP internal security control through password validation.
- Restrict access to these passwords to the absolute minimum number of necessary personnel.
- Use of vendor default passwords is prohibited.
- Assign different passwords for the local and remote consoles.
- Disconnect the local/remote console after three unsuccessful attempts to log on.
- Passwords used by vendor (COMTEN, IBM, CNT, or AMDAHL) service personnel will be changed after any maintenance is done.
- All passwords will be changed every 90 days.
- Restrict permission to change passwords to authorized personnel only.
- Use a key-lock switch on the modem supporting the remote console of the service subsystem to prevent unauthorized access. The key-lock switch is only open for scheduled and authorized remote access.

b
RJE workstations and NJE nodes are not controlled in accordance with security requirements.
CM-6 - Medium - CCI-000366 - V-6916 - SV-7314r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZJES0011
Vuln IDs
  • V-6916
Rule IDs
  • SV-7314r2_rule
JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-20669r1_chk

RJE Userids
Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.
a) Refer to the following report produced by the z/OS Data Collection:
- PARMLIB(JES2 parameters)
Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
b) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.
c) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) Restricted from accessing all data sets and resources with the exception of the corresponding JESINPUT class profile for that remote.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
d) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnnn identifies the remote number.
e) If all of the above are true, there is NO FINDING.
f) If any of the above are untrue, this is a FINDING.
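The cross-check in steps b) through d), written as an added example that is not part of the STIG or its data collection tooling: it finds RMT( statements in a JES2 parameter excerpt, treats a missing LINE= as a non-dedicated workstation, and checks each remote against a RACF userid inventory and the FACILITY profiles. The JES2 excerpt, the userid inventory (segments and the RESTRICTED attribute) and the profile set are constructed; item 3 of the check is approximated by the RESTRICTED attribute, which is an assumption.

```python
import re

# Constructed JES2 parameter excerpt (not a real site's PARMLIB member).
JES2_PARMS = """\
NODE(1) NAME=HOSTA
RMT(777) LINE=7,DEVTYPE=LUTYPE1
RMT(778) LINE=8,DEVTYPE=LUTYPE1
RMT(790) DEVTYPE=LUTYPE1
"""

# Constructed inventory standing in for RACFCMDS.RPT(LISTUSER) output:
# userid -> segments present and whether RESTRICTED is set (assumption).
RACF_USERS = {
    "RMT777": {"segments": [], "restricted": True},
    "RMT778": {"segments": ["TSO"], "restricted": True},
}
# Constructed set of FACILITY profiles found in SENSITVE.RPT(FACILITY).
FACILITY_PROFILES = {"RJE.RMT777", "RJE.RMT778"}

RMT_RE = re.compile(r"^\s*RMT\((\d+)\)\s*(.*)$", re.IGNORECASE)


def parse_rmt_statements(parms):
    """Return {remote_number: {"dedicated": bool}} from RMT( statements (step b)."""
    remotes = {}
    for line in parms.splitlines():
        m = RMT_RE.match(line)
        if m:
            # LINE= on the RMT statement marks a dedicated, hard-wired remote
            remotes[int(m.group(1))] = {"dedicated": "LINE=" in m.group(2).upper()}
    return remotes


def check_rje_workstations(parms, racf_users, facility_profiles):
    """Apply steps c) and d) to every remote; return the list of findings."""
    findings = []
    for num, info in parse_rmt_statements(parms).items():
        userid = f"RMT{num}"
        if not info["dedicated"]:
            findings.append(f"{userid}: no LINE= on RMT statement (non-dedicated); coordinate controls with the FSO")
        user = racf_users.get(userid)
        if user is None:
            findings.append(f"{userid}: no RACF userid defined (c.1)")
        else:
            if user["segments"]:
                findings.append(f"{userid}: userid segments defined: {', '.join(user['segments'])} (c.2)")
            if not user["restricted"]:
                findings.append(f"{userid}: userid lacks the RESTRICTED attribute (c.3)")
        if f"RJE.{userid}" not in facility_profiles:
            findings.append(f"{userid}: FACILITY profile RJE.{userid} not defined (d)")
    return findings


if __name__ == "__main__":
    result = check_rje_workstations(JES2_PARMS, RACF_USERS, FACILITY_PROFILES)
    print("FINDING" if result else "NO FINDING")
    for f in result:
        print(" -", f)
```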

Fix: F-18597r1_fix

RJE Userids
Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.
a) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.
b) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) Restricted from accessing all data sets and resources with the exception of the corresponding JESINPUT-class profile for that remote.
Review Chapter 17 of the RACF Security Admin Guide. The following is an example that shows proper implementation:

AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN)
AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED
PE RMT777 CL(JESINPUT) ID(RMT777)

c) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnnn identifies the remote number. A command example is shown here:

RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')

b
RJE workstations and NJE nodes are not controlled in accordance with STIG requirements.
AC-3 - Medium - CCI-000213 - V-6918 - SV-7318r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0014
Vuln IDs
  • V-6918
Rule IDs
  • SV-7318r2_rule
JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-3304r1_chk

a) Refer to the following report produced by the OS/390 Data Collection:
- PARMLIB(JES2 parameters)
Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(FACILITY)

b) Review the following resource definitions in the FACILITY resource class:
NJE.*
RJE.*
NJE.nodename
RJE.workstation
NOTE 1: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.
NOTE 2: Workstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

c) If all JES2-defined NJE nodes and RJE workstations have a profile defined in the FACILITY resource class, there is NO FINDING.
NOTE: NJE.* and RJE.* profiles will force userid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles.

d) If any JES2-defined NJE node or RJE workstation does not have a profile defined in the FACILITY resource class, this is a FINDING.

Fix: F-6627r1_fix

Ensure associated USERIDs exist for all RJE/NJE sources and review the authorizations for these remote facilities. Develop a plan of action and implement the changes as required by the OS/390 STIG.

JES2 input sources are not controlled in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-6919 - SV-7323r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0021
Vuln IDs
  • V-6919
Rule IDs
  • SV-7323r2_rule
JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20612r1_chk

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- SENSITVE.RPT(JESINPUT)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes
Refer to the following report produced by the z/OS Data Collection:
- PARMLIB(JES2 parameters)

b) Review the following resources in the JESINPUT resource class:
INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)
NOTE: If any of the above are not defined within the JES2 parameters, the corresponding resource in the JESINPUT resource class does not have to be defined.
NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the report.
NOTE 2: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the report.
NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the report.
NOTE 4: RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the report.

c) Ensure the following items are in effect:
1) The JESINPUT resource class is active.
2) The resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class.
3) UACC(NONE) is specified for all resources.
NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for UACC(READ); however, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources.

d) If all of the items mentioned in (c) are true, there is NO FINDING.

e) If any of the items mentioned in (c) is untrue, this is a FINDING.

Fix: F-18545r1_fix

Review the following resources in the JESINPUT resource class:
INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)
NOTE: If any of the above are not defined within the JES2 parameters, the corresponding resource in the JESINPUT resource class does not have to be defined.
NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.
NOTE 2: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report.
NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for RMT( in the report.
NOTE 4: RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for RDR( in the report.

Ensure the following items are in effect:
1) The JESINPUT resource class is active.
2) The resources listed above are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class.
3) UACC(NONE) is specified for all resources.
NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for UACC(READ); however, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources.

Examples:
setr classact(jesinput)
setr generic(jesinput)
rdef jesinput intrdr uacc(none) owner(admin) audit(failures(read) success(update)) data('Per SRR PDI ZJES0021')
pe intrdr cl(jesinput) id(<syspaudt>)
pe intrdr cl(jesinput) id(*) /* all users */

JES2 input sources must be properly controlled.
AC-3 - Medium - CCI-000213 - V-6920 - SV-74863r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0022
Vuln IDs
  • V-6920
Rule IDs
  • SV-74863r1_rule
JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Checks: C-160r3_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(JESINPUT)

Verify that the accesses for JESINPUT resources are restricted. If the following guidance is true, this is not a finding.

___ The RACF resources and/or generic equivalent are defined with a default access of NONE.
___ The RACF resources and/or generic equivalent identified below will be defined with access restricted to the appropriate personnel:
INTRDR
nodename
OFFn.*
OFFn.JR
OFFn.SR
Rnnnn.RDm
RDRnn
STCINRDR
TSUINRDR and/or TSOINRDR
NOTE: Use common sense during the analysis. For example, access to the offload input sources should be limited to systems personnel (e.g., operations staff).
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-16907r3_fix

Verify with the ISSO that access authorization for resources defined to the JESINPUT resource class is restricted to the appropriate personnel.

Grant read access to authorized users for each of the following input sources:
INTRDR
nodename
OFFn.*
OFFn.JR
OFFn.SR
Rnnnn.RDm
RDRnn
STCINRDR
TSUINRDR and/or TSOINRDR

The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all offload receivers are equivalent). The default access will be NONE except for sources that are permitted to submit jobs for all users. Those resources may be defined as either NONE or READ.

JES2 output devices are not controlled in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-6921 - SV-7327r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0031
Vuln IDs
  • V-6921
Rule IDs
  • SV-7327r2_rule
JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20613r1_chk

WRITER Resource Definitions

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(WRITER)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes
Refer to the following reports produced by the z/OS Data Collection:
- EXAM.RPT(SUBSYS)
- PARMLIB(JES2 parameters)

b) Review the following resources in the WRITER resource class:
JES2.** (backstop profile)
JES2.LOCAL.OFFn.* (spool offload transmitter)
JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter)
JES2.LOCAL.OFFn.JT (spool offload job transmitter)
JES2.LOCAL.PRTn (local printer)
JES2.LOCAL.PUNn (local punch)
JES2.NJE.nodename (NJE node)
JES2.RJE.Rnnnn.PRm (remote printer)
JES2.RJE.Rnnnn.PUm (remote punch)
NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.
NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters.
NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters.
NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters.
NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.
NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters.
NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.

c) Ensure the following items are in effect:
1) The WRITER resource class is active.
2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE).
3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE).
NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ); however, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations.

d) If all of the items mentioned in (c) are true, there is NO FINDING.

e) If any item mentioned in (c) is untrue, this is a FINDING.

Fix: F-18546r1_fix

WRITER Resource Definitions

Review the following resources in the WRITER resource class:
JES2.** (backstop profile)
JES2.LOCAL.OFFn.* (spool offload transmitter)
JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter)
JES2.LOCAL.OFFn.JT (spool offload job transmitter)
JES2.LOCAL.PRTn (local printer)
JES2.LOCAL.PUNn (local punch)
JES2.NJE.nodename (NJE node)
JES2.RJE.Rnnnn.PRm (remote printer)
JES2.RJE.Rnnnn.PUm (remote punch)
NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.
NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters.
NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters.
NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters.
NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.
NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters.
NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.

Ensure the following items are in effect:
1) The WRITER resource class is active.
2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE).
3) The other resources listed above are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE).
NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ); however, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations.

Examples:
setr classact(writer)
setr gencmd(writer) generic(writer)
setr raclist(writer)
RDEF WRITER JES2.** owner(admin) AUDIT(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.** owner(admin) AUDIT(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.OFF*.JT owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.OFF*.ST owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.PRT* owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.PUN* owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.NJE.** owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.RJE.** owner(admin) audit(ALL) UACC(NONE) -
  data('Reference SRR PDI ZJES0031')
pe JES2.** cl(writer) id(<syspaudt>)
pe JES2.LOCAL.** cl(writer) id(<syspaudt>)
pe JES2.LOCAL.OFF*.JT cl(writer) id(<syspaudt>)
pe JES2.LOCAL.OFF*.ST cl(writer) id(<syspaudt>)
pe JES2.LOCAL.PRT* cl(writer) id(<syspaudt>)
pe JES2.LOCAL.PUN* cl(writer) id(<syspaudt>)
pe JES2.NJE.** cl(writer) id(<syspaudt>)
pe JES2.RJE.** cl(writer) id(<syspaudt>)
setr racl(writer)
Ref

JES2 output devices must be properly controlled for Classified Systems.
AC-3 - Medium - CCI-000213 - V-6922 - SV-74871r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0032
Vuln IDs
  • V-6922
Rule IDs
  • SV-74871r1_rule
JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data on a classified system.
Checks: C-168r3_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- Classification of System
- SENSITVE.RPT(WRITER)

If the classification of the system is unclassified, this is not applicable.

Verify that the accesses for WRITER resources are restricted. If the following guidance is true, this is not a finding.

___ The RACF resources and/or generic equivalent are defined with a default access of NONE.
___ The RACF resources and/or generic equivalent identified below will be defined with access restricted to the operators and system programming personnel:
JES2.LOCAL.devicename
JES2.LOCAL.OFFn.*
JES2.LOCAL.OFFn.JT
JES2.LOCAL.OFFn.ST
JES2.LOCAL.PRTn
JES2.LOCAL.PUNn
JES2.NJE.nodename
JES2.RJE.devicename
NOTE: Common sense should prevail during the analysis. For example, access to the offload output destinations should be limited to only systems personnel (e.g., operations staff/system programmers) on a classified system.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-6626r3_fix

Verify with the ISSO that access authorization for resources defined to the WRITER resource class is restricted to the operators and system programmers on a classified system only.

Define resources in the ACP’s respective WRITER class for each of the following output destinations:
JES2.LOCAL.devicename
JES2.LOCAL.OFFn.*
JES2.LOCAL.OFFn.JT
JES2.LOCAL.OFFn.ST
JES2.LOCAL.PRTn
JES2.LOCAL.PUNn
JES2.NJE.nodename
JES2.RJE.devicename

The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all offload transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.

JESSPOOL resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6923 - SV-7332r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0041
Vuln IDs
  • V-6923
Rule IDs
  • SV-7332r2_rule
JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets. Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20614r1_chk

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(ZJES0041)

b) Ensure that the JESSPOOL resource class is active.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18547r1_fix

Ensure that the JESSPOOL resource class is active. Use the RACF command:
SETROPTS CLASSACT(JESSPOOL)
Note that you should also enable generics and optionally RACLIST this class in memory:
SETR GENERIC(JESSPOOL) GENCMD(JESSPOOL)
SETR RACLIST(JESSPOOL)

JESNEWS resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6924 - SV-7329r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0042
Vuln IDs
  • V-6924
Rule IDs
  • SV-7329r2_rule
JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets. Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-3323r1_chk

JESNEWS Access Controls

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(OPERCMDS)
Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(SUBSYS)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZJES0042)

b) Ensure the following items are in effect:
1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of NONE and all access is logged.
NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.
2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged.

c) If both of the items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18604r1_fix

JESNEWS Access Controls

Refer to "Protecting JESNEWS" in Chapter 7 of the JES2 Init & Tuning Guide.

a) Ensure the following items are in effect:
1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of NONE and all access is logged.
NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.
2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged.

Examples of setting up proper protection are shown here:
RDEF OPERCMDS JES2.UPDATE.JESNEWS UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('COMPLY WITH ZJES0042')
PERMIT JES2.UPDATE.JESNEWS CLASS(OPERCMDS) ID(<syspaudt>) ACCESS(CONTROL)

JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6925 - SV-7334r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0044
Vuln IDs
  • V-6925
Rule IDs
  • SV-7334r2_rule
JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets. Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20685r1_chk

Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- SENSITVE.RPT(JESSPOOL)
- RACFCMDS.RPT(JESSPOOL)
Refer to the following report produced by the z/OS Data Collection:
- PARMLIB(JES2 parameters)

Review the following resources defined to the JESSPOOL resource class:
localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE
localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.*.SYSLOG
NOTE: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example:
localnodeid.JES2.*.*.*.JESTRACE
localnodeid.+MASTER+.*.*.*.SYSLOG or localnodeid.+BYPASS+.*.*.*.SYSLOG
NOTE: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE.

Ensure that access authorization for the resources mentioned above is restricted to the following:
1) Userid(s) associated with external writer(s) can have complete access.
NOTE: An external writer is an STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00.
2) Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access.
3) Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource.

Fix: F-18605r1_fix

The IAO will ensure that access authorization for the JESTRACE and SYSLOG resources defined in the JESSPOOL resource class is restricted to the appropriate personnel.

Ensure the following resources are defined to the JESSPOOL resource class with a UACC(NONE):
localnodeid.JES2.$TRCLOG.taskid.*.JESTRACE
localnodeid.+MASTER+.SYSLOG.jobid.*.SYSLOG or localnodeid.+BYPASS+.SYSLOG.jobid.*.SYSLOG
NOTE: These resource profiles may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example:
localnodeid.JES2.$TRCLOG.*.**
localnodeid.+MASTER+.SYSLOG.*.** or localnodeid.+BYPASS+.SYSLOG.*.**
NOTE: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. Another method is to issue the JES2 command $D NODE,NAME,OWNNODE=YES to obtain the NAME of the OWNNODE.

Ensure that access authorization for the resources mentioned above is restricted to the following:
1) Userid(s) associated with external writer(s) can have complete access.
NOTE: An external writer is an STC that removes data sets from the JES spool. In this case, it is responsible for archiving the JESTRACE and SYSLOG data sets. The STC default name is XWTR and the external writer program is called IASXWR00.
2) Systems personnel and security administrators responsible for diagnosing JES2 and z/OS problems can have complete access.
3) Application Development and Application Support personnel responsible for diagnosing application problems can have READ access to the SYSLOG resource.

Examples:
RDEFINE JESSPOOL localnodeid.JES2.$TRCLOG.*.** audit(failures(read)) uacc(NONE) -
  data('Reference srr finding ZJES0044') owner(admin)
RDEFINE JESSPOOL localnodeid.+MASTER+.SYSLOG.*.** audit(failures(read)) uacc(NONE) -
  data('Reference srr finding ZJES0044') owner(admin)
or
RDEFINE JESSPOOL localnodeid.+BYPASS+.SYSLOG.*.** audit(failures(read)) uacc(NONE) -
  data('Reference srr finding ZJES0044') owner(admin)
PE localnodeid.JES2.$TRCLOG.*.** cl(jesspool) id(<syspaudt> <secaaudt>) acc(a)
PE localnodeid.+MASTER+.SYSLOG.*.** cl(jesspool) id(<syspaudt> <secaaudt>) acc(a)
PE localnodeid.+MASTER+.SYSLOG.*.** cl(jesspool) id(<appdpaudt> <appsaudt>) acc(r)
or
PE localnodeid.+BYPASS+.SYSLOG.*.** cl(jesspool) id(<syspaudt> <secaaudt>) acc(a)
PE localnodeid.+BYPASS+.SYSLOG.*.** cl(jesspool) id(<appdpaudt> <appsaudt>) acc(r)

JES2 spool resources will be controlled in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6926 - SV-7336r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0046
Vuln IDs
  • V-6926
Rule IDs
  • SV-7336r3_rule
JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets. Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-21657r3_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(JESSPOOL)

Verify that the accesses to the JESSPOOL resources are properly restricted. If the following guidance is true, this is not a finding.

Review the JESSPOOL report for resource permissions with the following naming convention. These profiles may be fully qualified, be specified as generic, or be specified with masking as indicated below:
localnodeid.userid.jobname.jobid.dsnumber.name
localnodeid: The name of the node on which the SYSIN or SYSOUT data set currently resides.
userid: The userid associated with the job. This is the userid RACF uses for validation purposes when the job runs.
jobname: The name that appears in the name field of the JOB statement.
jobid: The job number JES2 assigned to the job.
dsnumber: The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier.
name: The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).

All users have access to their own JESSPOOL resources.

The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (The localnodeid. resource includes all generic and/or masked permissions, for example localnodeid.**, localnodeid.*, etc.)

The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users when approved by the IAO. Access will be identified at the minimum access for the user to accomplish the user's function. UPDATE, CONTROL, and ALTER access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team members' jobs/processes.

CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, when approved by the IAO. All access will be logged.

Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, when approved by the IAO. Logging of access is not required.

Fix: F-19198r3_fix

The IAO will develop a plan of action to implement the required changes. Ensure the following items are in effect for JESSPOOL resources. The JESSPOOL may have more restrictive security at the direction of the IAO.

The JESSPOOL resources may be fully qualified, be specified as generic, or be specified with masking as indicated below:
localnodeid.userid.jobname.jobid.dsnumber.name
localnodeid: The name of the node on which the SYSIN or SYSOUT data set currently resides.
userid: The userid associated with the job. This is the userid used for validation purposes when the job runs.
jobname: The name that appears in the name field of the JOB statement.
jobid: The job number JES2 assigned to the job.
dsnumber: The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier.
name: The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).

By default a user has access only to that user’s own JESSPOOL resources. However, situations exist where a user legitimately requires access to jobs that run under another user’s userid. In particular, if a user routes SYSOUT to an external writer, the external writer should have access to that user’s SYSOUT.

The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (The localnodeid. resource includes all generic and/or masked permissions, for example localnodeid.**, localnodeid.*, etc.)
RDEF JESSPOOL localnodeid.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('PROTECT JESSPOOL AT HIGH LEVEL, REF ZJES0046')
PE localnodeid.** CL(JESSPOOL) ID(syspaudt) ACC(A)

The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users when approved by the IAO. Access will be identified at the minimum access for the user to accomplish the user's function, SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team members' jobs/processes. If frequent situations occur where users working on a common project require selective access to each other's jobs, then the installation may delegate to the individual users the authority to grant access, but only with the approval of the IAO.
RDEF JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name -
  UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) -
  DATA('PROTECT JESSPOOL, REF ZJES0046')
PE localnodeid.userid.jobname.jobid.dsnumber.name CL(JESSPOOL) ID(<users_or_groups>) ACC(R)

If IBM’s SDSF product is installed on the system, resources defined to the JESSPOOL resource class control functions related to jobs, output groups, and SYSIN/SYSOUT data sets on various SDSF panels.

CSSMTP will not be granted access to the high-level JESSPOOL resource (“node.” or “localnodeid.”). CSSMTP can have access to the specific approved JESSPOOL resources, minimally qualified to the node.userid., and all access will be logged. This ensures the system records who (userid) sent traffic to CSSMTP, when, and from what job/process.

Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, when approved by the IAO. Logging of access is not required.

The IAO will review JESSPOOL resource rules. If a rule has been determined not to have been used within the last 2 years, the rule shall be removed.
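As an added example (not from the STIG or from IBM), the following Python models the generic-profile matching that underlies the WRITER check (ZJES0031) and the JESSPOOL node-level rules above (ZJES0046), and audits constructed profile sets for the conditions those checks describe. The Profile class, the SYSPAUDT/OPERAUDT ids, and the NODEA and JES2.* sample data are all constructed, and the generic-matching rules are a simplified model of RACF's, not its full specification.

```python
"""Added example (not from the STIG or IBM): a small RACF generic-profile matcher
used to audit a constructed WRITER profile set against the ZJES0031 rules and a
JESSPOOL profile set against the ZJES0046 node-level rules."""
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str                                    # profile name, may be generic
    uacc: str = "NONE"                           # default access
    warning: bool = False                        # WARNING attribute (STIG wants NOWARNING)
    audit: str = "NONE"                          # simplified: NONE, FAILURES, SUCCESS, ALL
    permits: dict = field(default_factory=dict)  # access list: id -> access level


def generic_regex(name: str) -> re.Pattern:
    """Anchored regex for a general-resource generic profile name. Modelled rules
    (an assumption, not IBM's full specification): '%' = one character, '*' =
    zero or more characters within one qualifier, '**' = zero or more qualifiers."""
    pattern = ""
    for i, qual in enumerate(name.split(".")):
        if qual == "**":
            pattern += r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*"
        else:
            body = re.escape(qual).replace(r"\*", "[^.]*").replace("%", "[^.]")
            pattern += ("" if i == 0 else r"\.") + body
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def covering_profile(profiles, resource):
    """Profile RACF would apply: the match with the longest literal prefix before
    its first generic character (approximates RACF's most-specific rule)."""
    matches = [p for p in profiles if generic_regex(p.name).match(resource)]
    prefix = lambda p: len(re.split(r"[*%]", p.name, maxsplit=1)[0])
    return max(matches, key=lambda p: (prefix(p), -p.name.count("*")), default=None)


SENSITIVE = ("JES2.RJE.", "JES2.NJE.", "JES2.LOCAL.OFF")   # UACC(READ) never appropriate here

def check_writer(profiles, destinations, privileged):
    """ZJES0031: every JES2-defined destination is covered by a profile with
    UACC(NONE) (READ tolerated only outside RJE/NJE/offload), NOWARNING, and
    permits only to privileged ids."""
    findings = []
    for res in destinations:
        prof = covering_profile(profiles, res)
        if prof is None:
            findings.append(f"{res}: no WRITER profile covers it")
            continue
        if prof.uacc != "NONE" and (res.upper().startswith(SENSITIVE) or prof.uacc != "READ"):
            findings.append(f"{res}: {prof.name} has UACC({prof.uacc})")
        if prof.warning:
            findings.append(f"{res}: {prof.name} is in WARNING mode")
        findings += [f"{res}: {prof.name} permits {who} ACCESS({acc})"
                     for who, acc in prof.permits.items() if who not in privileged]
    return findings


def check_jesspool_node_level(profiles, localnodeid, privileged):
    """ZJES0046: a profile whose userid qualifier is entirely generic covers every
    user's spool under localnodeid, so it must be UACC(NONE) NOWARNING, log all
    access, and permit only system programmer/operator/automation ids."""
    findings = []
    for p in profiles:
        q = p.name.upper().split(".")
        if q[0] != localnodeid.upper() or len(q) < 2 or set(q[1]) - {"*", "%"}:
            continue                              # user-specific profile, not node level
        if p.uacc != "NONE" or p.warning:
            findings.append(f"{p.name}: must be UACC(NONE) NOWARNING")
        if p.audit != "ALL":
            findings.append(f"{p.name}: all access must be logged, found AUDIT({p.audit})")
        findings += [f"{p.name}: {who} ACCESS({acc}) is not a privileged id"
                     for who, acc in p.permits.items() if who not in privileged]
    return findings


# Constructed sample data in the STIG's naming conventions (not a real RACF report).
PRIVILEGED = {"SYSPAUDT", "OPERAUDT"}
WRITER = [
    Profile("JES2.**", audit="ALL", permits={"SYSPAUDT": "READ"}),           # backstop
    Profile("JES2.LOCAL.PRT*", uacc="READ", audit="ALL"),                    # printers open to all
    Profile("JES2.NJE.**", uacc="READ", warning=True),                       # weak: READ + WARNING
    Profile("JES2.RJE.**", permits={"SYSPAUDT": "READ", "USER42": "READ"}),  # over-permitted
]
DESTINATIONS = ["JES2.LOCAL.PRT1", "JES2.LOCAL.PUN1", "JES2.LOCAL.OFF1.JT",
                "JES2.NJE.NODEB", "JES2.RJE.R777.PR1"]
JESSPOOL = [
    Profile("NODEA.**", audit="ALL", permits={"SYSPAUDT": "ALTER", "OPERAUDT": "ALTER"}),
    Profile("NODEA.TEAM1*.**", audit="ALL", permits={"TEAM1GRP": "READ"}),  # IAO-approved sharing
    Profile("NODEA.*", audit="FAILURES", permits={"HELPDESK": "READ"}),     # masked node-level rule
]

if __name__ == "__main__":
    for f in check_writer(WRITER, DESTINATIONS, PRIVILEGED):
        print("WRITER:", f)                       # 3 findings: NJE (READ, WARNING), RJE (USER42)
    for f in check_jesspool_node_level(JESSPOOL, "NODEA", PRIVILEGED):
        print("JESSPOOL:", f)                     # 2 findings, both on NODEA.*
    job = "NODEA.TEAM1A.PAYROLL.JOB01234.D0000102.?"
    print(job, "->", covering_profile(JESSPOOL, job).name)   # NODEA.TEAM1*.**
```

The same two checks apply unchanged to the JESINPUT class by substituting that class's resource names (INTRDR, Rnnnn, OFFn.*, and so on) for the WRITER destinations.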

b
JES2 system commands are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6928 - SV-17410r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZJES0052
Vuln IDs
  • V-6928
Rule IDs
  • SV-17410r2_rule
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20875r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(OPERCMDS)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZJES0052)

b) If the JES2.** resource is defined to the OPERCMDS class with a default access of NONE and all access is logged, there is NO FINDING.

c) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING.

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

d) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING.

e) If either (b), (c), or (d) above is untrue for any JES2 system command resource, this is a FINDING.

Fix: F-18834r1_fix

Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL.

To control access to JES2 system commands, apply the following recommendations when implementing security:

1) Define the JES2.** resource in the OPERCMDS class with a default access of NONE and all access logged.

2) Define the JES2 system commands as specified in the "Controls on JES2 System Commands" table in the z/OS STIG Addendum so that access is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

3) Define the JES2 system commands with proper logging as specified in the "Controls on JES2 System Commands" table in the z/OS STIG Addendum.

Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here:

RDEF OPERCMDS JES2.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052')
RDEF OPERCMDS JES2.<command>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052')
PE JES2.<command>.** CL(OPERCMDS) ID(<syspaudt>) ACC(U)
SETR RACL(OPERCMDS) REF

b
SMS Program Resources must be properly defined and protected.
AC-3 - Medium - CCI-000213 - V-6933 - SV-7350r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZSMS0012
Vuln IDs
  • V-6933
Rule IDs
  • SV-7350r4_rule
DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.
Information Assurance Officer, Systems Programmer
Checks: C-20707r4_chk

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ZSMS0012)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZSMS0012)

Ensure that all SMS Program resources and/or generic equivalent are properly protected according to the requirements specified in the SMS Program Resources table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.

___ The RACF resources are defined with a default access of NONE.
___ The RACF resource access authorizations restrict access to the appropriate personnel.
___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-18737r2_fix

The IAO will work with the systems programmer to verify that the following are properly specified in the ACP.

(Note: The resource type, resources, and/or resource prefixes identified below are examples of a possible installation. The actual resource type, resources, and/or resource prefixes are determined when the product is actually installed on a system through the product's installation guide and can be site specific.)

Use the SMS Program Resources table in the z/OS STIG Addendum. This table lists the resources and access requirements for SMS Program Resources. Ensure the guidelines for the resource type, resources, and/or generic equivalent specified in the z/OS STIG Addendum are followed.

The RACF resources as designated in the above table are defined with a default access of NONE.
The RACF resource access authorizations restrict access to the appropriate personnel as designated in the above table.
The RACF resource rules for the resources designated in the above table specify UACC(NONE) and NOWARNING.

The following commands are provided as a sample for implementing resource controls:

RDEF PROGRAM ACBFUTO2 ADDMEM('SYS1.DSF.DGTLLIB'//NOPADCHK) -
  DATA('ADDED PER SRR PDI ZSMS0012 ') -
  AUDIT(FAILURE(READ)) UACC(NONE) OWNER(ADMIN)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(audtaudt)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(dasdaudt)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(secaaudt)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(syspaudt)
PERMIT ACBFUTO2 CLASS(PROGRAM) ID(tstcaudt)

b
DFSMS control data sets are not properly protected.
CP-9 - Medium - CCI-000549 - V-6936 - SV-7237r2_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000549
Version
ZSMS0022
Vuln IDs
  • V-6936
Rule IDs
  • SV-7237r2_rule
DFSMS control data sets provide the configuration and operational characteristics of the system-managed storage environment. Failure to properly protect these data sets may result in unauthorized access. This exposure could compromise the availability and integrity of some system services and customer data.
Information Assurance Officer, Systems Programmer
COTR-1, DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-3419r1_chk

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), to identify the fully qualified file names for the following SMS data sets:
- Active Control Data Set (ACDS)
- Communications Data Set (COMMDS)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZSMS0022)

b) If the COMMDS and ACDS SMS data sets identified in (a) above reside on different volumes, there is NO FINDING.

c) If the COMMDS and ACDS SMS data sets identified in (a) above are collocated on the same volume, this is a FINDING.

Fix: F-18936r1_fix

The systems programmer will see that the primary and backup SMS control data sets are allocated on separate volumes.

(1) The SMS control data sets are:
(a) Source Control Data Set (SCDS) - contains an SMS configuration, which defines a storage management policy.
(b) Active Control Data Set (ACDS) - contains a copy of the most recently activated configuration. All systems in an SMS complex use this configuration to manage storage.
(c) Communications Data Set (COMMDS) - contains the name of the ACDS containing the currently active storage management policy, the current utilization statistics for each system-managed volume, and other system information.

(2) The ACDS data set will reside on a different volume than the COMMDS data set. Allocate backup copies of the ACDS and COMMDS data sets on a different shared volume from the primary ACDS and COMMDS data sets.

b
SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.
CM-6 - Medium - CCI-000366 - V-6937 - SV-7238r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZSMS0032
Vuln IDs
  • V-6937
Rule IDs
  • SV-7238r2_rule
Configuration properties of DFSMS are specified in various members of the system parmlib concatenation (e.g., SYS1.PARMLIB). Statements within these PDS members provide the execution, operational, and configuration characteristics of the system-managed storage environment. Missing or inappropriate configuration values may result in undesirable operations and degraded security. This exposure could potentially compromise the availability and integrity of some system services and customer data.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-3369r1_chk

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(IGDSMSxx), for the following SMS parameter settings:

Parameter   Key
SMS         ACDS(ACDS data set name)
            COMMDS(COMMDS data set name)

b) If the required parameters are defined, there is NO FINDING.

c) If the required parameters are not defined, this is a FINDING.

Fix: F-18938r1_fix

The Systems programmer will review the DFSMS-related PDS members and statements specified in the system parmlib concatenation. Ensure these elements are configured as outlined below:

Parameter   Key
SMS         ACDS(ACDS data set name)
            COMMDS(COMMDS data set name)

b
DFSMS-related RACF classes are not active.
AC-3 - Medium - CCI-000213 - V-6943 - SV-7244r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZSMSR008
Vuln IDs
  • V-6943
Rule IDs
  • SV-7244r2_rule
DFSMS provides data, storage, program, and device management functions for the operating system. Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls. Failure to properly protect DFSMS resources may result in unauthorized access. This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20779r1_chk

CLASSACT Resources

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)

b) ACTIVE CLASSES lists the MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resource classes.

c) RACLIST CLASSES lists the MGMTCLAS and STORCLAS resource classes.

d) If (b) and (c) are true, there is NO FINDING.

e) If (b) or (c) is not true, this is a FINDING.

Fix: F-18739r1_fix

CLASSACT Resources

ACTIVE CLASSES lists the MGMTCLAS, STORCLAS, PROGRAM, and FACILITY resource classes. The classes can be activated with the command:

SETR CLASSACT(MGMTCLAS STORCLAS PROGRAM FACILITY)

RACLIST CLASSES lists the MGMTCLAS and STORCLAS resource classes. The classes can be RACLISTed with the command:

SETR RACL(MGMTCLAS STORCLAS)

b
z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
CM-6 - Medium - CCI-000366 - V-6944 - SV-7245r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSS0011
Vuln IDs
  • V-6944
Rule IDs
  • SV-7245r2_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-20975r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB)
- Refer to the IEASYSxx listing(s).

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZUSS0011)

NOTE: If the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM's Communication Server TCP/IP will not run.

b) If the parameter is specified as OMVS=xx or OMVS=(xx,xx,…) in the IEASYSxx member, there is NO FINDING.

c) If the parameter is not specified as OMVS=xx or OMVS=(xx,xx,…), this is a FINDING.

Fix: F-18942r1_fix

Review the settings in PARMLIB and /etc for z/OS UNIX security parameters and ensure that the values conform to the specifications below:

The parameter is specified as OMVS=xx or OMVS=(xx,xx,…) in the IEASYSxx member.

NOTE: If the OMVS statement is not specified, OMVS=DEFAULT is used. In minimum mode there is no access to permanent file systems or to the shell, and IBM's Communication Server TCP/IP will not run.

b
z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
CM-6 - Medium - CCI-000366 - V-6945 - SV-7246r3_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSS0012
Vuln IDs
  • V-6945
Rule IDs
  • SV-7246r3_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Systems Programmer
Checks: C-81567r2_chk

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following UNIX Parameter Keywords and Values:

Parameter Keyword   Value
SUPERUSER           BPXROOT
TTYGROUP            TTY
STEPLIBLIST         /etc/steplib
USERIDALIASTABLE    Will not be specified.
ROOT                SETUID will be specified
MOUNT               NOSETUID
                    SETUID (for Vendor-provided files)
                    SECURITY
STARTUP_PROC        OMVS

Automated Analysis requires Additional Analysis.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZUSS0012)

b) If the required parameter keywords and values are defined, there is NO FINDING.

c) If the required parameter keywords and values are not defined, this is a FINDING.

Fix: F-6714r2_fix

Review the settings in PARMLIB member BPXPRMxx for z/OS UNIX security parameters and ensure that the values conform to the specifications below:

Parameter Keyword   Value
SUPERUSER           BPXROOT
TTYGROUP            TTY
STEPLIBLIST         /etc/steplib
USERIDALIASTABLE    Will not be specified.
ROOT                SETUID will be specified
MOUNT               NOSETUID
                    SETUID (for Vendor-provided files)
                    SECURITY
STARTUP_PROC        OMVS

BPXPRMxx is the SYS1.PARMLIB member that contains the parameters that control the z/OS UNIX environment. BPXPRMxx controls the way features work and it establishes logical access to data by configuring the HFS environment.

The SUPERUSER parameter specifies the userid to be assigned to users when the su command is entered without a userid operand. The userid must be defined to the ACP as BPXROOT and have a UID of 0.

The TTYGROUP parameter specifies the group name assigned to pseudo terminals (PTYs) and remote terminals (RTYs). The group must be defined to the ACP with a unique GID and users must not be assigned to this group. This group name is used by some shell commands (e.g., talk and write) when writing to the PTY or RTY being used by another user. The name TTY must be used.

The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-id or set-group-id permission bit set. The use of STEPLIBLIST is at the site's discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.

The USERIDALIASTABLE parameter specifies the pathname of the HFS file that contains a list of userids and group names with their corresponding alias names. The alias table is intended primarily for use where mixed or lower case userids are used in the UNIX environment. Because the z/OS MVS components support only upper case userids, the USERIDALIASTABLE will not be used.

The ROOT parameter specifies data for the file system that is to be mounted as the root file system for z/OS UNIX. ROOT can have a number of sub-parameters; the FILESYSTEM and SETUID|NOSETUID sub-parameters have security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the root file system. As the highest point in the HFS hierarchy, this file system is critical to system operations. Therefore appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and individual systems programming personnel. The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF authorized and program-controlled extended attributes. For the root file system, SETUID must be specified for normal operations.

The MOUNT parameter specifies data for a file system that is to be mounted by z/OS UNIX. There are usually multiple MOUNT statements and each can have a number of sub-parameters. The FILESYSTEM, SETUID|NOSETUID, and SECURITY|NOSECURITY sub-parameters have significant security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the logical file system. Appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and to individual systems programming personnel.

The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF authorized and program-controlled extended attributes. SETUID may be specified for those file systems that contain only vendor-provided software or that have been documented to the IAO as requiring this support. Otherwise NOSETUID must be specified.

The SECURITY|NOSECURITY sub-parameter specifies whether security checks are performed. SECURITY must be specified unless a specific exception for the file system has been identified and documented to the IAO.

Regardless of IBM defaults, the values for SETUID|NOSETUID and SECURITY|NOSECURITY must be explicitly coded to protect against potential vendor changes and to simplify security reviews.

The STARTUP_PROC parameter specifies the name of the JCL procedure (PROC) that starts the z/OS UNIX component. This started task must be defined to the ACP. The name OMVS must be used.
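The keyword table above and the explanations of the ROOT and MOUNT sub-parameters can be turned into a mechanical pre-check of a BPXPRMxx member. The following is an added example written for this page, not code from the STIG or from IBM: it tokenizes a member (a simplified BPXPRMxx grammar that covers KEYWORD, KEYWORD(value) and the common ROOT/MOUNT sub-parameters, an assumption of the example), then reports each ZUSS0012 deviation as a FINDING, and reports SETUID or NOSECURITY on a MOUNT as a VERIFY item because the STIG allows those only with vendor-software or IAO documentation. The sample member is constructed for the example.

```python
import re

# Sub-parameters that belong to a ROOT or MOUNT statement rather than starting
# a new top-level statement. A subset that covers the common cases (an
# assumption of this example, not an exhaustive BPXPRMxx grammar).
FS_SUBPARMS = {
    "FILESYSTEM", "TYPE", "MODE", "MOUNTPOINT", "DDNAME", "PARM", "SYSNAME",
    "SETUID", "NOSETUID", "SECURITY", "NOSECURITY",
    "AUTOMOVE", "NOAUTOMOVE", "UNMOUNT", "TAG", "WAIT", "NOWAIT",
}

# One BPXPRMxx token: KEYWORD or KEYWORD(value), where value may be quoted.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\((?:'[^']*'|[^()'])*\))?")


def _split(token):
    """'KEYWORD(value)' -> ('KEYWORD', 'value'); bare 'KEYWORD' -> ('KEYWORD', None)."""
    m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)(?:\((.*)\))?$", token, re.S)
    key, val = m.group(1).upper(), m.group(2)
    if val is not None:
        val = val.strip().strip("'")
    return key, val


def parse_bpxprmxx(text):
    """Return (simple, filesystems): simple maps top-level keywords to values,
    filesystems is a list of dicts, one per ROOT/MOUNT statement."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # strip /* comments */
    simple, filesystems, current = {}, [], None
    for tok in TOKEN.findall(text):
        key, val = _split(tok)
        if key in ("ROOT", "MOUNT"):
            current = {"statement": key}
            filesystems.append(current)
        elif current is not None and key in FS_SUBPARMS:
            current[key] = val if val is not None else True
        else:
            current = None  # any other keyword ends the ROOT/MOUNT statement
            simple[key] = val if val is not None else True
    return simple, filesystems


def check_bpxprmxx(text):
    """Evaluate the ZUSS0012 keyword table. Returns a list of (level, message):
    'FINDING' for a missing/wrong required value, 'VERIFY' for a value the
    STIG permits only with documentation (SETUID or NOSECURITY on a MOUNT)."""
    simple, filesystems = parse_bpxprmxx(text)
    out = []
    for key, want in (("SUPERUSER", "BPXROOT"), ("TTYGROUP", "TTY"), ("STARTUP_PROC", "OMVS")):
        if simple.get(key) != want:
            out.append(("FINDING", f"{key} is {simple.get(key)!r}, required {want!r}"))
    if simple.get("STEPLIBLIST", "/etc/steplib") != "/etc/steplib":
        out.append(("FINDING", f"STEPLIBLIST is {simple['STEPLIBLIST']!r}, required '/etc/steplib'"))
    if "USERIDALIASTABLE" in simple:
        out.append(("FINDING", "USERIDALIASTABLE is specified; it must not be used"))
    for fs in filesystems:
        label = f"{fs['statement']} {fs.get('FILESYSTEM', '<no FILESYSTEM>')}"
        if fs["statement"] == "ROOT":
            if "SETUID" not in fs:
                out.append(("FINDING", f"{label}: SETUID must be specified for the root file system"))
            continue
        if "SETUID" not in fs and "NOSETUID" not in fs:
            out.append(("FINDING", f"{label}: SETUID|NOSETUID must be coded explicitly"))
        elif "SETUID" in fs:
            out.append(("VERIFY", f"{label}: SETUID requires vendor-software or IAO documentation"))
        if "SECURITY" not in fs and "NOSECURITY" not in fs:
            out.append(("FINDING", f"{label}: SECURITY|NOSECURITY must be coded explicitly"))
        elif "NOSECURITY" in fs:
            out.append(("VERIFY", f"{label}: NOSECURITY requires a documented exception"))
    return out


# Constructed sample member (not from any real system): root and /etc are
# compliant, /usr/lpp/vendor uses SETUID, and /tmp lets both security
# sub-parameters default.
SAMPLE_BPXPRM = """\
/* constructed BPXPRMxx sample */
SUPERUSER(BPXROOT)
TTYGROUP(TTY)
STEPLIBLIST('/etc/steplib')
STARTUP_PROC(OMVS)
ROOT   FILESYSTEM('OMVS.ROOT.HFS')   TYPE(HFS) MODE(RDWR) SETUID
MOUNT  FILESYSTEM('OMVS.ETC.HFS')    TYPE(HFS) MODE(RDWR)
       MOUNTPOINT('/etc') NOSETUID SECURITY
MOUNT  FILESYSTEM('VENDOR.PROD.HFS') TYPE(HFS) MODE(READ)
       MOUNTPOINT('/usr/lpp/vendor') SETUID SECURITY
MOUNT  FILESYSTEM('OMVS.TMP.HFS')    TYPE(HFS) MODE(RDWR)
       MOUNTPOINT('/tmp')
"""

if __name__ == "__main__":
    for level, msg in check_bpxprmxx(SAMPLE_BPXPRM):
        print(f"{level}: {msg}")
```

On the sample the /tmp mount produces two FINDING lines (neither SETUID|NOSETUID nor SECURITY|NOSECURITY coded) and the vendor mount one VERIFY line; a reviewer then only has to confirm the documentation for the VERIFY items.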

b
z/OS UNIX HFS MapName files security parameters are not properly specified.
CM-7 - Medium - CCI-001762 - V-6946 - SV-7247r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
ZUSS0013
Vuln IDs
  • V-6946
Rule IDs
  • SV-7247r2_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Systems Programmer
DCCS-1, DCCS-2
Checks: C-22296r1_chk

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry:

FILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD)

If the above entry is not found or is commented out in the BPXPRMxx member(s), this is NOT APPLICABLE.

b) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(EAUTOM)

NOTE: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is NOT APPLICABLE.

NOTE: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default.

c) If each MapName file specifies the "setuid No" and "security Yes" statements for each automounted directory, there is NO FINDING.

d) If there is any deviation from the required values, this is a FINDING.

Fix: F-18944r1_fix

Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and ensure that the values conform to the specifications below.

The /etc/auto.master HFS file (and the use of Automount) is optional.

The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default.

Each MapName file will specify the "setuid NO" and "security YES" statements for each automounted directory. If there is a deviation from the required values, documentation must exist for the deviation.

Security NO disables security checking for file access. Security NO is only allowed on test and development domains.

Setuid YES allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of setuid YES.

b
z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
CM-7 - Medium - CCI-000382 - V-6947 - SV-7248r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ZUSS0014
Vuln IDs
  • V-6947
Rule IDs
  • SV-7248r2_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Information Assurance Officer, Systems Programmer
DCCS-1, DCCS-2
Checks: C-22297r1_chk

a) Refer to the following reports produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(EINETD)
- USSCMDS.RPT(ESERV)

b) If all the services in the Restricted Network Services Table in the z/OS STIG Addendum are not found in or are commented out of the /etc/inetd.conf file, there is NO FINDING.

c) If any Restricted Network Services are specified, this is a FINDING.

Fix: F-6717r1_fix

Review the settings in the /etc/inetd.conf file and determine whether every entry in the file represents a service that is actually in use. Services that are not in use must be disabled to reduce potential security exposures. The following services must be disabled in /etc/inetd.conf unless justified and documented with the IAO:

RESTRICTED NETWORK SERVICES
Service      Port
Chargen      19
Daytime      13
Discard      9
Echo         7
Exec         512
finger       79
shell        514
time         37
login        513
smtp         25
timed        525
nameserver   42
systat       11
uucp         540
netstat      15
talk         517
qotd         17
tftp         69

/etc/inetd.conf

The /etc/inetd.conf file is used by the INETD daemon. It specifies how INETD is to handle service requests on network sockets. Specifically, there is one entry in inetd.conf for each service. Each service entry specifies several parameters. The login_name parameter is of special interest. It specifies the userid under which the forked daemon is to execute. This userid is defined to the ACP and it may require a UID(0) (i.e., superuser authority) value.
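The check in ZUSS0014 is a straightforward comparison of the active /etc/inetd.conf entries against the Restricted Network Services table. The following is an added example written for this page, not code from the STIG: it parses the classic inetd.conf layout (service, socket type, protocol, wait/nowait, login_name, server program, arguments; an assumption of the example), treats commented-out lines as disabled, and reports each active restricted service with its table port and the login_name it would run under, which is the field the text singles out because it may carry UID(0). The sample file is constructed for the example.

```python
# Restricted Network Services table from the STIG (service name -> port).
RESTRICTED_SERVICES = {
    "chargen": 19, "daytime": 13, "discard": 9, "echo": 7, "exec": 512,
    "finger": 79, "shell": 514, "time": 37, "login": 513, "smtp": 25,
    "timed": 525, "nameserver": 42, "systat": 11, "uucp": 540,
    "netstat": 15, "talk": 517, "qotd": 17, "tftp": 69,
}


def parse_inetd_conf(text):
    """Return (line_no, service, login_name, server_program) for each active entry.
    Layout assumed: service socket_type protocol wait/nowait login_name program [args].
    Blank lines and everything after '#' are ignored, so a commented-out
    service counts as disabled, which is what the STIG check accepts."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; inetd would reject it too
        program = fields[5] if len(fields) > 5 else ""
        entries.append((line_no, fields[0].lower(), fields[4], program))
    return entries


def find_restricted_services(text):
    """Return the active entries that appear in the Restricted Network Services
    table, as (line_no, service, port, login_name). An empty list means
    NO FINDING for this check; anything else is a FINDING unless documented."""
    hits = []
    for line_no, service, login_name, _program in parse_inetd_conf(text):
        if service in RESTRICTED_SERVICES:
            hits.append((line_no, service, RESTRICTED_SERVICES[service], login_name))
    return hits


# Constructed /etc/inetd.conf sample (not from any real system): the shell
# entry is commented out, login and echo are still active.
SAMPLE_INETD = """\
# constructed inetd.conf sample
otelnet stream tcp nowait OMVSKERN /usr/sbin/otelnetd otelnetd -l
#shell  stream tcp nowait OMVSKERN /usr/sbin/orshd    orshd -LV
login   stream tcp nowait OMVSKERN /usr/sbin/rlogind  rlogind -m
echo    stream tcp nowait OMVSKERN internal
"""

if __name__ == "__main__":
    for line_no, service, port, login_name in find_restricted_services(SAMPLE_INETD):
        print(f"line {line_no}: {service} (port {port}) active under {login_name}")
```

The same function can be pointed at USSCMDS.RPT(EINETD) output if that report reproduces the file verbatim; the service-name match is case-insensitive because the STIG table mixes "Chargen" and "finger" style capitalization.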

b
The VTAM USSTAB definitions are being used for unsecured terminals
CM-5 - Medium - CCI-001499 - V-6949 - SV-7250r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZVTM0011
Vuln IDs
  • V-6949
Rule IDs
  • SV-7250r2_rule
VTAM options and definitions are used to define VTAM operational capabilities. They must be strictly controlled. Unauthorized users could override or change start options or network definitions. Failure to properly control VTAM resources could potentially compromise the network operations.
Information Assurance Officer, Systems Programmer
DCCS-1, DCCS-2, IAAC-1
Checks: C-20987r1_chk

a) Have the IAO and VTAM Systems Programmer supply the following information:
- Documentation regarding terminal naming standards.
- Documentation of all procedures controlling terminal logons to the system.
- A complete list of all USS commands used by terminal users to log on to the system.
- Members and data set names containing USSTAB and LOGAPPL definitions of all terminals that can log on to the system (e.g., SYS1.VTAMLST).
- Members and data set names containing logon mode parameters.

b) If USSTAB definitions are only used for secure terminals (e.g., terminals that are locally attached to the host or connected to the host via secure leased lines), there is NO FINDING.

c) If USSTAB definitions are used for any unsecured terminals (e.g., dial up terminals or terminals attached to the Internet such as TN3270 or KNET 3270 emulation), this is a FINDING.

Fix: F-18967r1_fix

The Systems programmer and IAO will verify that USSTAB definitions are only used for secure terminals: only terminals that are locally attached to the host or connected to the host via secure leased lines and located in a secured area. Only authorized personnel may enter the area where secure terminals are located.

USSTAB or LOGAPPL definitions are used to control logon from secure terminals. These terminals can log on directly to any VTAM application (e.g., TSO, CICS, etc.) of their choice and bypass Session Manager services. Secure terminals are usually locally attached to the host or connected to the host via a private LAN without access to an external network.

b
The System datasets used to support the VTAM network are not properly secured.
AC-3 - Medium - CCI-000213 - V-6956 - SV-7359r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZVTM0018
Vuln IDs
  • V-6956
Rule IDs
  • SV-7359r2_rule
Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements. Failure to properly control VTAM datasets could potentially compromise the network operations.
Information Assurance Officer, Systems Programmer
Checks: C-26113r1_chk

a) Create a list of data set names containing all VTAM start options, configuration lists, network resource definitions, commands, procedures, exit routines, all SMP/E TLIBs, and all SMP/E DLIBs used for installation and in development/production VTAM environments.

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(VTAMRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZVTM0018)

b) Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements.

c) If (b) above is true, there is NO FINDING.

d) If (b) above is untrue, this is a FINDING.

Fix: F-18786r1_fix

Data Set Controls

Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff. These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements.

The following sample RACF commands show proper definitions/permissions for VTAM datasets (each PERMIT names the profile defined by the ADDSD just before it):

AD 'SYS1.VTAM*.**' UACC(NONE) OWNER(SYS1) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
  DATA('IBM VTAM DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAM*.**' ID(<syspaudt>) ACC(A)
AD 'SYS1.VTAMLIB.**' UACC(NONE) OWNER(SYS1) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
  DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAMLIB.**' ID(<syspaudt>) ACC(A)
AD 'SYS1.VTAM.SISTCLIB.**' UACC(NONE) OWNER(SYS1) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
  DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS1.VTAM.SISTCLIB.**' ID(<syspaudt>) ACC(A)
AD 'SYS3.VTAM.**' UACC(NONE) OWNER(SYS3) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
  DATA('VTAM CUSTOMIZED DS: REF SRR PDI ZVTM0018')
PE 'SYS3.VTAM.**' ID(<syspaudt>) ACC(A)
AD 'SYS3.VTAMLIB.**' UACC(NONE) OWNER(SYS3) -
  AUDIT(SUCCESS(UPDATE) FAILURES(READ)) -
  DATA('IBM VTAM APF DS PROFILE: REF SRR PDI ZVTM0018')
PE 'SYS3.VTAMLIB.**' ID(<syspaudt>) ACC(A)
SETR GENERIC(DATASET) REFRESH

c
WebSphere MQ channel security must be implemented in accordance with security requirements.
AC-17 - High - CCI-000068 - V-6958 - SV-7259r5_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ZWMQ0011
Vuln IDs
  • V-6958
Rule IDs
  • SV-7259r5_rule
WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.
Information Assurance Officer, Systems Programmer
Checks: C-19819r3_chk

Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Collect the following information for WebSphere MQ and MQSeries queue managers:
- If a WebSphere MQ queue manager communicates with an MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.
- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.

Automated Analysis requires Additional Analysis.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZWMQ0011)

If the communication lines are controlled by a VPN and are not available in the clear at any point outside the enclave, then this is acceptable and can override the requirement to use SSL. If this is true, this is not a finding.

If the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding.

___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value from the following list. (Note: Both ends of the channel must specify the same cipher specification.)
ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

___ Repeat the above step for each queue manager ssid identified.

Fix: F-18959r2_fix

The system programmer and the IAO will review the WebSphere MQ screen interface invoked by the REXX CSQOREXX, reviewing each channel's SSLCIPH setting. Display the channel properties and look for the "SSL Cipher Specification" value. Ensure that a FIPS 140-2 compliant value from the following list is shown:
ECDHE_ECDSA_AES_128_CBC_SHA256
ECDHE_ECDSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256

Note that both ends of the channel must specify the same cipher specification. Repeat these steps for each queue manager ssid identified.
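The check and fix text for ZWMQ0011 both reduce to one rule per channel: SSLCIPH must be set, it must be one of the listed FIPS 140-2 cipher specifications, and a channel carried only over a VPN is exempt. The following is an added example written for this page, not code from the STIG or from IBM: it parses channel attributes in the CHANNEL(name) ... SSLCIPH(value) form (a simplified rendering of DISPLAY CHANNEL output, an assumption of the example; it ignores any message prefixes that carry no parentheses), then returns a verdict per channel, taking an optional list of channels the site has documented as VPN-protected. The cipher names in the sample are constructed test data, including a deliberately non-approved one.

```python
import re

# FIPS 140-2 compliant SSLCIPH values listed in ZWMQ0011.
APPROVED_SSLCIPH = {
    "ECDHE_ECDSA_AES_128_CBC_SHA256", "ECDHE_ECDSA_AES_256_CBC_SHA384",
    "ECDHE_RSA_AES_128_CBC_SHA256", "ECDHE_RSA_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# One displayed attribute: NAME(value). Values never contain ')'.
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")


def parse_channels(text):
    """Return {channel_name: {attribute: value}}. A CHANNEL( ) attribute starts
    a new channel; its remaining attributes may wrap across lines."""
    channels, current = {}, None
    for attr, value in ATTR.findall(text):
        value = value.strip()
        if attr == "CHANNEL":
            current = channels.setdefault(value, {})
        elif current is not None:
            current[attr] = value
    return channels


def check_sslciph(text, vpn_channels=()):
    """Return {channel_name: verdict}. verdict is 'OK', 'VPN-EXEMPT' (the site
    documents the line as VPN-protected, which the STIG accepts instead of
    SSL), or a string starting with 'FINDING:'."""
    verdicts = {}
    for name, attrs in parse_channels(text).items():
        ciph = attrs.get("SSLCIPH", "")
        if name in vpn_channels:
            verdicts[name] = "VPN-EXEMPT"
        elif not ciph:
            verdicts[name] = "FINDING: SSLCIPH not set"
        elif ciph not in APPROVED_SSLCIPH:
            verdicts[name] = f"FINDING: SSLCIPH {ciph} is not in the approved list"
        else:
            verdicts[name] = "OK"
    return verdicts


# Constructed sample (not real DISPLAY CHANNEL output): one compliant sender,
# one receiver with no cipher, one with a non-approved cipher, and one whose
# line the site documents as VPN-protected.
SAMPLE_DISPLAY = """\
CHANNEL(TO.QM2)      CHLTYPE(SDR)  SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256)
CHANNEL(FROM.QM3)    CHLTYPE(RCVR) SSLCIPH( )
CHANNEL(TO.LEGACY)   CHLTYPE(SDR)
                     SSLCIPH(NULL_SHA)
CHANNEL(TO.VPN.PEER) CHLTYPE(SDR)  SSLCIPH( )
"""

if __name__ == "__main__":
    for name, verdict in check_sslciph(SAMPLE_DISPLAY, vpn_channels=("TO.VPN.PEER",)).items():
        print(f"{name}: {verdict}")
```

The VPN exemption is applied by name from a list the reviewer supplies, so it only takes effect for channels that the site has actually documented; run without that list, the same VPN channel shows as a finding, which is the right default when the documentation is missing.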

b
WebSphere MQ resource classes are not properly activated for security checking by the ACP.
AC-3 - Medium - CCI-000213 - V-6959 - SV-7534r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0049
Vuln IDs
  • V-6959
Rule IDs
  • SV-7534r2_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to ensure the classes have been made ACTIVE under RACF will prevent RACF from enforcing security rules. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-4642r1_chk

Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(ZWMQ0049)

Ensure the following WebSphere MQ resource classes are active:
GMQADMIN GMQNLIST GMQPROC GMQQUEUE
MQADMIN MQCMDS MQCONN MQNLIST MQPROC MQQUEUE

For V7.0.0 and above:
GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC
MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC

NOTE: If neither the MQADMIN nor the MXADMIN resource class is active, no security checking is performed.

Fix: F-6835r1_fix

The IAO will ensure that all WebSphere MQ resource classes are active and properly defined. Ensure the following WebSphere MQ resource classes are active:
GMQADMIN GMQNLIST GMQPROC GMQQUEUE
MQADMIN MQCMDS MQCONN MQNLIST MQPROC MQQUEUE

For V7.0.0 and above:
GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC
MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC

NOTE: If neither the MQADMIN nor the MXADMIN resource class is active, no security checking is performed.

The following sample contains the commands to activate the required classes:
SETR CLASSACT(MQADMIN MQCMDS MQCONN)
SETR CLASSACT(MQNLIST MQPROC MQQUEUE)
SETR CLASSACT(MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC)

c
WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
AC-3 - High - CCI-000213 - V-6960 - SV-7538r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ZWMQ0051
Vuln IDs
  • V-6960
Rule IDs
  • SV-7538r3_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-19837r2_chk

a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZWMQ0051)

b) Review the security switches reported in response to the DISPLAY SECURITY command in each ssid report. If all of the following switches specify ON, there is NO FINDING.
SUBSYSTEM
CONNECTION
COMMAND
CONTEXT
ALTERNATE USER
PROCESS
NAMELIST
QUEUE
COMMAND RESOURCES

c) If SUBSYSTEM specifies OFF, this is a FINDING with a severity of Category I.

d) If any of the other switches above specifies OFF (other than the exception in (e)), this is a FINDING. Downgrade the severity to Category II.

e) If the COMMAND RESOURCES security switch specifies OFF, there is NO FINDING.
NOTE: At the discretion of the IAO, the COMMAND RESOURCES security switch may be set OFF by defining ssid.NO.CMD.RESC.CHECKS in the MQADMIN resource class.

Fix: F-18807r1_fix

Switch profiles are special MQSeries/WebSphere MQ profiles that are used to turn security checking on or off for a type of resource. Due to the security exposure this creates, no profiles with the first two qualifiers of ssid.NO will be defined to the MQADMIN class, with one exception. Because (1) all sensitive MQSeries/WebSphere MQ commands are restricted to queue managers, channel initiators, and designated systems personnel, and (2) no command resource checking is performed on DISPLAY commands, at the discretion of the IAO an ssid.NO.CMD.RESC.CHECKS switch profile may be defined to the MQADMIN class.

1. Identify whether any switch profiles exist using the sample search command:
SR CLASS(MQADMIN) NOMASK FILTER(*.NO.**)

2. Use "RDEL MQADMIN <SwitchProfileName>" to remove each profile and follow up with:
SETR RACL(MQADMIN) REF

3. An additional refresh of an active WebSphere MQ queue manager may be required. A sample is shown below using the value QMD1 as the queue manager name. From the console:
>QMD1 REFRESH SECURITY(*)
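The check and fix above are mechanical enough to script. The following is an added example, not part of the STIG or of any IBM tool: it reads the DISPLAY SECURITY switch lines from an MQSRPT(ssid) report, rates them exactly as steps (c) through (e) do (SUBSYSTEM OFF is Category I, any other switch OFF is Category II, COMMAND RESOURCES OFF is the permitted exception), and emits the RDEL, SETR and REFRESH SECURITY commands from the fix for any switch profile that has to go. The sample report is constructed; the CSQH message IDs and the exact line layout are assumed, and the parser relies only on the "SWITCH: ON|OFF" and "'profile' found" fragments of each line.

```python
# Added example (not part of the STIG): rate the DISPLAY SECURITY switches of
# one queue manager the way ZWMQ0051 does, and build the fix commands for any
# switch profile that must be removed from MQADMIN.
import re

# The switches the check lists. All must be ON, except the documented exception.
REQUIRED_SWITCHES = (
    "SUBSYSTEM", "CONNECTION", "COMMAND", "CONTEXT", "ALTERNATE USER",
    "PROCESS", "NAMELIST", "QUEUE", "COMMAND RESOURCES",
)

# One switch per line: "<SWITCH>: ON|OFF, '<profile>' found|not found".
# Group 3 is only set when the switch profile was actually found.
_SWITCH = re.compile(
    r"\b([A-Z][A-Z ]*?):\s*(ON|OFF)\b(?:.*?'([^']+)'\s+found\b)?")

# Constructed sample (message IDs and layout assumed): everything ON except
# PROCESS and the permitted COMMAND RESOURCES exception.
SAMPLE_DISPLAY_SECURITY = """\
CSQH030I +QMD1 Security switches ...
CSQH032I +QMD1 SUBSYSTEM: ON, 'QMD1.NO.SUBSYS.SECURITY' not found
CSQH032I +QMD1 CONNECTION: ON, 'QMD1.NO.CONNECT.CHECKS' not found
CSQH032I +QMD1 COMMAND: ON, 'QMD1.NO.CMD.CHECKS' not found
CSQH032I +QMD1 CONTEXT: ON, 'QMD1.NO.CONTEXT.CHECKS' not found
CSQH032I +QMD1 ALTERNATE USER: ON, 'QMD1.NO.ALTERNATE.USER.CHECKS' not found
CSQH031I +QMD1 PROCESS: OFF, 'QMD1.NO.PROCESS.CHECKS' found
CSQH032I +QMD1 NAMELIST: ON, 'QMD1.NO.NLIST.CHECKS' not found
CSQH032I +QMD1 QUEUE: ON, 'QMD1.NO.QUEUE.CHECKS' not found
CSQH031I +QMD1 COMMAND RESOURCES: OFF, 'QMD1.NO.CMD.RESC.CHECKS' found
"""


def parse_switches(report):
    """Return {switch: (state, profile_found_or_None)} from DISPLAY SECURITY output."""
    switches = {}
    for line in report.splitlines():
        m = _SWITCH.search(line)
        if m:
            switches[m.group(1).strip()] = (m.group(2), m.group(3))
    return switches


def check_zwmq0051(report):
    """Return (severity, details); severity is None (no finding), 'CAT II' or 'CAT I'."""
    switches = parse_switches(report)
    cat1, cat2 = [], []
    for name in REQUIRED_SWITCHES:
        state = switches.get(name, ("not reported", None))[0]
        if state == "ON" or name == "COMMAND RESOURCES":
            continue  # COMMAND RESOURCES OFF is allowed at IAO discretion (step e)
        (cat1 if name == "SUBSYSTEM" else cat2).append(f"{name}: {state}")
    if cat1:
        return "CAT I", cat1 + cat2   # SUBSYSTEM OFF switches off all checking (step c)
    if cat2:
        return "CAT II", cat2         # any other switch OFF (step d)
    return None, []


def remediation(ssid, report):
    """RACF and MQ commands from the fix text that delete the switch profile
    behind each OFF switch; ssid.NO.CMD.RESC.CHECKS is deliberately kept."""
    cmds = [f"RDEL MQADMIN {profile}"
            for name, (state, profile) in parse_switches(report).items()
            if state == "OFF" and profile and name != "COMMAND RESOURCES"]
    if cmds:
        cmds += ["SETR RACL(MQADMIN) REF", f"{ssid} REFRESH SECURITY(*)"]
    return cmds
```

Run it over each MQSRPT(ssid) member in turn; the RDEL list it prints is the same set of profiles the SR CLASS(MQADMIN) FILTER(*.NO.**) search in step 1 would show, minus the permitted NO.CMD.RESC.CHECKS profile.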

b
z/OS UNIX security parameters in /etc/profile are not properly specified.
CM-6 - Medium - CCI-000366 - V-6961 - SV-7262r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSS0015
Vuln IDs
  • V-6961
Rule IDs
  • SV-7262r2_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2
Checks: C-3867r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(EPROF)

b) If the final or only instance of the umask command in /etc/profile is specified as "umask 077", there is NO FINDING.

c) If the LOGNAME variable is marked read-only (i.e., "readonly LOGNAME") in /etc/profile, there is NO FINDING.

d) If (b) or (c) above is untrue, this is a FINDING.

Fix: F-18946r1_fix

Verify that the umask command is executed with a value of 077 and that the LOGNAME variable is marked read-only in the /etc/profile file; exceptions must be documented with the IAO.

The /etc/profile file is the system-wide profile that is executed for each user's shell invocation. It provides a default environment for users by setting environment variables and executing commands. Although there are several variables and commands that can be included, those with notable security considerations are the STEPLIB variable and the umask command.

The STEPLIB variable should be assigned a value of none in /etc/profile unless a specific requirement for another value exists. The use of STEPLIB must be coordinated with the SYS1.PARMLIB(BPXPRMxx) STEPLIBLIST control, the /etc/steplib file, and the use of RTLS.

The umask command must be executed in /etc/profile with a value of 077. This sets the file-creation permission-code mask so that the file creator has full permissions and group members and other users have no permissions. Exceptions to this may occur during software installation when the installation process demands a more permissive value, during database access by users, and during administrative actions. All such requirements will be justified and documented with the IAO.
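The point of "final or only instance" in check (b) is that a later umask silently overrides an earlier one, so a compliant umask 077 near the top of /etc/profile is undone by a product-supplied umask 022 appended later. The following is an added example, not part of the STIG, that applies the check to the text of /etc/profile with exactly that rule, and separately reports the STEPLIB value the fix discusses. The two sample profiles are constructed; the helper names are the example's own.

```python
# Added example (not part of the STIG): apply the ZUSS0015 check to the text of
# /etc/profile. Only the two items the check names are findings; the STEPLIB
# value that the fix discusses is reported separately for review.
import re

_UMASK = re.compile(r"^\s*umask\s+([0-7]{3,4})\b")
_RO_LOGNAME = re.compile(r"^\s*readonly\s+(?:\S+\s+)*LOGNAME\b")
_STEPLIB = re.compile(r"^\s*(?:export\s+)?STEPLIB=(\S*)")


def _code(line):
    """Drop a trailing shell comment (sufficient for /etc/profile)."""
    return line.split("#", 1)[0]


def final_umask(profile):
    """Mode of the last umask command, or None. The last one wins at run time,
    which is why the check evaluates the final instance, not the first."""
    mode = None
    for line in profile.splitlines():
        m = _UMASK.match(_code(line))
        if m:
            mode = m.group(1)
    return mode


def logname_readonly(profile):
    """True if some line marks LOGNAME read-only (readonly LOGNAME [...])."""
    return any(_RO_LOGNAME.match(_code(l)) for l in profile.splitlines())


def steplib_value(profile):
    """Last STEPLIB assignment, or None; the fix expects 'none'."""
    value = None
    for line in profile.splitlines():
        m = _STEPLIB.match(_code(line))
        if m:
            value = m.group(1).strip("'\"")
    return value


def check_zuss0015(profile):
    """Return the list of findings; an empty list means NOT A FINDING."""
    findings = []
    mode = final_umask(profile)
    if mode is None:
        findings.append("no umask command in /etc/profile")
    elif int(mode, 8) != 0o077:          # accepts 077 and 0077
        findings.append(f"final umask is {mode}, not 077")
    if not logname_readonly(profile):
        findings.append("LOGNAME is not marked readonly")
    return findings


# Constructed samples: an /etc/profile that passes and one that fails both items.
GOOD_PROFILE = """\
# /etc/profile - constructed sample
export PATH=/bin:/usr/sbin
STEPLIB=none
export STEPLIB
umask 022   # product default, overridden below
umask 077
readonly LOGNAME
"""

BAD_PROFILE = """\
umask 077
umask 022   # the final instance is what the check evaluates
LOGNAME=$(logname)
STEPLIB=SYS1.LINKLIB
"""
```

The matcher only recognises octal umask arguments and top-level lines; a symbolic umask (u=rwx,g=,o=) or one inside a function or conditional block is reported as missing and needs a manual look, which is the conservative outcome.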

b
WebSphere MQ MQCONN Class (Connection) resource definitions must be protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6962 - SV-7541r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0052
Vuln IDs
  • V-6962
Rule IDs
  • SV-7541r3_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-4653r2_chk

a) Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(MQCONN)

b) Review the following connection resources defined to the MQCONN resource class:
Resource    Authorized Users
ssid.BATCH  TSO and batch job userids
ssid.CICS   CICS region userids
ssid.IMS    IMS region userids
ssid.CHIN   Channel initiator userids
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:
NOTE: If no resource profile is defined for a particular security check and a user issues a request that would involve making that check, MQSeries/WebSphere MQ denies access.
1) Resource profiles are defined with UACC(NONE).
2) Access authorization to these connections restricts access to the appropriate users as indicated in (b).
3) All access FAILUREs are logged.

d) If all of the items in (c) are true, there is NO FINDING.
e) If any item in (c) is untrue, this is a FINDING.

Fix: F-101677r1_fix

Review the following connection resources defined to the MQCONN resource class:
Resource    Authorized Users
ssid.BATCH  TSO and batch job userids
ssid.CICS   CICS region userids
ssid.IMS    IMS region userids
ssid.CHIN   Channel initiator userids
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:
NOTE: If no resource profile is defined for a particular security check and a user issues a request that would involve making that check, MQSeries/WebSphere MQ denies access.
1) Resource profiles are defined with UACC(NONE).
2) Access authorization to these connections restricts access to the appropriate users as indicated above.
3) All access FAILUREs are logged.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security. Note that the IMS and/or CICS profiles can be omitted if those products do not run on the target system.
/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQCONN ** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('MQCONN DENY-BY-DEFAULT PROFILE')
RDEF MQCONN <ssid>.BATCH UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052')
PE <ssid>.BATCH CL(MQCONN) ID(<applicableTSO&batchUsers>)
RDEF MQCONN <ssid>.CICS UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052')
PE <ssid>.CICS CL(MQCONN) ID(<CICSRegionUserids>)
RDEF MQCONN <ssid>.IMS UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052')
PE <ssid>.IMS CL(MQCONN) ID(<IMSRegionUserids>)
RDEF MQCONN <ssid>.CHIN UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0052')
PE <ssid>.CHIN CL(MQCONN) ID(<WebsphereMQCHINUsrids>)
SETR RACL(MQCONN) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:
>QMD1 REFRESH SECURITY(*)

b
z/OS UNIX security parameters in /etc/rc are not properly specified.
CM-6 - Medium - CCI-000366 - V-6963 - SV-7264r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSS0016
Vuln IDs
  • V-6963
Rule IDs
  • SV-7264r2_rule
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2
Checks: C-20981r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(ERC)

b) If none of the CHMOD commands in /etc/rc results in less restrictive access than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.
NOTE: The use of CHMOD commands in /etc/rc is required in most environments to comply with the required settings, especially for dynamic objects such as the /dev directory.
The following represents the hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

c) If none of the CHAUDIT commands in /etc/rc results in less auditing than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.
NOTE: The use of CHAUDIT commands in /etc/rc may not be necessary. If none are found, there is NO FINDING.
The possible audit bit settings are as follows:
f log failed access attempts
a log failed and successful access attempts
- no auditing

d) If the _BPX_JOBNAME variable is appropriately set (i.e., to match the daemon name) as each daemon (e.g., syslogd, inetd) is started in /etc/rc, there is NO FINDING.
NOTE: If _BPX_JOBNAME is not specified, the started address space will be named using an inherited value. This could result in reduced security in terms of operator command access.

e) If (b), (c), or (d) above is untrue, this is a FINDING.

Fix: F-18949r1_fix

Review the settings in /etc/rc. The /etc/rc file is the system initialization shell script. When z/OS UNIX kernel services start, /etc/rc is executed to set file permissions and ownership for dynamic system files and to perform other system startup functions such as starting daemons. There can be many commands in /etc/rc. Two specific guidelines must be followed:

1) No CHMOD or CHAUDIT command may result in less restrictive security than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS and SYSTEM FILE SECURITY SETTINGS tables in the z/OS STIG Addendum.

2) Immediately prior to each command that starts a daemon, the _BPX_JOBNAME variable must be set to match the daemon's name (e.g., inetd, syslogd). The use of _BPX_USERID is at the site's discretion, but is recommended.
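Two details of this check are easy to get wrong by eye: the permission hierarchy in (b) is not numeric order (3, -wx, ranks as less restrictive than 5, r-x, because write outranks read), and (d) requires _BPX_JOBNAME to be set on the daemon's own command line or on the line immediately before it, not somewhere earlier in the script. The following is an added example, not part of the STIG, that evaluates both rules over the text of /etc/rc. The REQUIRED_MODES table is a hypothetical stand-in for the Addendum tables, DAEMONS lists only the two daemons the check names, and the sample /etc/rc is constructed.

```python
# Added example (not part of the STIG): evaluate the CHMOD commands and daemon
# starts in /etc/rc as ZUSS0016 describes. REQUIRED_MODES holds placeholder
# values; the authoritative settings are the z/OS STIG Addendum tables.
import os
import re
import shlex

# Permission digits ordered from least to most restrictive, as the check lists them.
RESTRICTIVENESS = "76325410"

# HYPOTHETICAL required modes standing in for the Addendum tables.
REQUIRED_MODES = {"/dev": "755", "/dev/null": "666", "/etc": "755"}

# Daemons named in the check; extend with the site's own list (cron, ftpd, ...).
DAEMONS = ("inetd", "syslogd")


def mode_less_restrictive(actual, required):
    """Compare two numeric modes digit by digit (owner, group, other) with the
    check's ordering, so 3 (-wx) counts as less restrictive than 5 (r-x)."""
    rank = RESTRICTIVENESS.index
    return any(rank(a) < rank(r) for a, r in zip(actual[-3:], required[-3:]))


def _tokens(line):
    """Shell-split one /etc/rc line, dropping comments; unparseable lines are skipped."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:
        return []


def check_chmod(rc_text, required=REQUIRED_MODES):
    """Findings for every chmod in /etc/rc that loosens a path in the required table."""
    findings = []
    for line in rc_text.splitlines():
        tokens = _tokens(line)
        if not tokens or os.path.basename(tokens[0]) != "chmod":
            continue
        args = [t for t in tokens[1:] if not t.startswith("-")]   # drop -R and friends
        if len(args) < 2:
            continue
        mode, paths = args[0], args[1:]
        for path in paths:
            req = required.get(path)
            if req is None:
                continue
            if not re.fullmatch(r"[0-7]{3,4}", mode):
                findings.append(f"chmod {mode} {path}: symbolic mode, review manually")
            elif mode_less_restrictive(mode, req):
                findings.append(f"chmod {mode} {path}: less restrictive than required {req}")
    return findings


def _jobname(tokens):
    """_BPX_JOBNAME value from the leading assignments of a line, else None."""
    for t in tokens:
        if t == "export":
            continue
        if t.startswith("_BPX_JOBNAME="):
            return t.split("=", 1)[1]
        break          # first real command word: no more leading assignments
    return None


def check_daemons(rc_text, daemons=DAEMONS):
    """Each daemon start must carry, or be immediately preceded by a bare
    assignment/export line that sets, _BPX_JOBNAME equal to the daemon's name."""
    findings, prev_setting = [], None
    for line in rc_text.splitlines():
        tokens = _tokens(line)
        if not tokens:
            continue
        cmd = next((t for t in tokens if "=" not in t and t != "export"), "")
        name = os.path.basename(cmd)
        if name in daemons:
            jobname = _jobname(tokens) or prev_setting or ""
            if jobname.upper() != name.upper():
                findings.append(f"{name} started with _BPX_JOBNAME={jobname or '<unset>'}")
        # only a bare assignment/export line carries over to the next command
        prev_setting = _jobname(tokens) if cmd == "" else None
    return findings


# Constructed /etc/rc: one loosened directory and one daemon (cron) started
# without a job name.
SAMPLE_RC = """\
# /etc/rc - constructed sample
chmod 755 /dev
chmod 666 /dev/null
chmod -R 775 /etc
export _BPX_JOBNAME='SYSLOGD'
/usr/sbin/syslogd -f /etc/syslog.conf &
_BPX_JOBNAME='INETD' /usr/sbin/inetd /etc/inetd.conf &
/usr/sbin/cron &
"""
```

With the default DAEMONS the cron line in the sample is not examined; pass the site's full daemon list as the daemons argument so that every started address space is covered. CHAUDIT commands (check (c)) are not evaluated here because the required audit bits also live in the Addendum tables.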

b
WebSphere MQ dead letter and alias dead letter queues are not properly defined.
CM-7 - Medium - CCI-001762 - V-6964 - SV-7267r2_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
ZWMQ0053
Vuln IDs
  • V-6964
Rule IDs
  • SV-7267r2_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Systems Programmer
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-21013r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

b) Review the ssid report(s) and perform the following steps:
1) Find the DISPLAY QMGR DEADQ command to locate the start of the dead-letter queue information. Review the DEADQ parameter to obtain the name of the real dead-letter queue.
2) From the top of the report, find the QUEUE(dead-letter.queue.name) entry to locate the start of the real dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to the specified security requirements. The standard values are:
GET(ENABLED)
PUT(ENABLED)
NOTE: dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1.
3) From the top of the report, find the QUEUE(dead-letter.queue.name.PUT) entry to locate the start of the alias dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to those specified in the security requirements. The standard values are:
GET(DISABLED)
PUT(ENABLED)
NOTE 1: dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1.
NOTE 2: The TARGQ parameter value for the alias queue will be the real dead-letter queue name.
NOTE 3: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue must be coded to restrict unauthorized users and systems from reading the messages on the queue.

c) If all of the items in (b) are true, there is N0 FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18999r1_fix

The systems programmer responsible for supporting MQSeries/WebSphere MQ will ensure that the dead-letter queue and its alias are properly defined. The following scenario describes how to securely define a dead-letter queue:
(1) Define the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED).
(2) Give update authority for the dead-letter queue to CKTI (the MQSeries/WebSphere MQ-supplied CICS task initiator), channel initiators, and any automated application used for dead-letter queue maintenance.
(3) Define an alias queue that resolves to the real dead-letter queue, but give the alias queue the attributes PUT(ENABLED) and GET(DISABLED).
(4) To put a message on the dead-letter queue, an application uses the alias queue. The application does the following:
(a) Retrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN, and then issues an MQINQ to get the dead-letter queue name.
(b) Build the name of the alias queue by appending the characters ".PUT" to this name, in this case, ssid.DEAD.QUEUE.PUT.
(c) Open the alias queue, ssid.DEAD.QUEUE.PUT.
(d) Put the message on the real dead-letter queue by issuing an MQPUT against the alias queue.
(5) Give the userid associated with the application update authority to the alias, but no access to the real dead-letter queue.
NOTE: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the queue.

Undeliverable messages can be routed to a dead-letter queue. Two levels of access should be established for these queues. The first level allows applications, as well as some MQSeries/WebSphere MQ objects, to put messages to this queue. The second level restricts the ability to get messages from this queue and so protects sensitive data. This is accomplished by defining an alias queue that resolves to the real dead-letter queue, but defining the alias queue with the attributes PUT(ENABLED) and GET(DISABLED). The ability to get messages from the dead-letter queue will be restricted to message channel agents (MCAs), CKTI (the MQSeries/WebSphere MQ-supplied CICS task initiator), the channel initiator, and any automated application used for dead-letter queue maintenance.
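Both this check and the ZWMQ0011 channel check earlier on this page are read off the MQSC DISPLAY output captured in MQSRPT(ssid), and both reduce to "find the object, read a few NAME(value) attributes". The following is an added example, not part of the STIG or of IBM MQ: a small parser for that output feeding two functions, one that applies the SSLCIPH test of ZWMQ0011 (with the VPN exception as an explicit argument) and one that walks steps 1 to 3 of this check, including NOTE 3 when no .PUT alias exists. The sample report is constructed; its CSQM message IDs and line layout are assumed, and only the NAME(value) attribute syntax is relied on. RC4_SHA_US in the sample is a non-FIPS CipherSpec used to trigger a finding.

```python
# Added example (not part of the STIG): parse MQSC DISPLAY output from
# MQSRPT(ssid) and apply the ZWMQ0011 (SSLCIPH) and ZWMQ0053 (dead-letter
# queue) checks. Message IDs and layout in the sample are constructed.
import re

# FIPS 140-2 cipher specifications accepted by ZWMQ0011.
FIPS_SSLCIPH = frozenset({
    "ECDHE_ECDSA_AES_128_CBC_SHA256", "ECDHE_ECDSA_AES_256_CBC_SHA384",
    "ECDHE_RSA_AES_128_CBC_SHA256", "ECDHE_RSA_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
})

# MQSC attributes are written NAME(value); a blank value shows as NAME( ).
_ATTR = re.compile(r"\b([A-Z]+)\(([^)]*)\)")


def parse_objects(report):
    """Return {(kind, name): attrs}. A line carrying QMNAME(), QUEUE() or
    CHANNEL() starts a new object; the attribute lines that follow extend it."""
    objects, current = {}, None
    for line in report.splitlines():
        attrs = dict(_ATTR.findall(line))
        for kind in ("QMNAME", "QUEUE", "CHANNEL"):
            if kind in attrs:
                current = (kind, attrs[kind].strip())
                objects[current] = {}
                break
        if current is not None:
            objects[current].update(attrs)
    return objects


def check_zwmq0011(objects, vpn_channels=frozenset()):
    """SSLCIPH findings per channel. vpn_channels are the channels documented as
    never in the clear outside the enclave (the check's VPN exception)."""
    findings = []
    for (kind, name), attrs in objects.items():
        if kind != "CHANNEL" or name in vpn_channels:
            continue
        ciph = attrs.get("SSLCIPH", "").strip()
        if not ciph:
            findings.append(f"{name}: SSLCIPH not set, channel runs in the clear")
        elif ciph not in FIPS_SSLCIPH:
            findings.append(f"{name}: SSLCIPH({ciph}) is not on the FIPS 140-2 list")
    return findings


def check_zwmq0053(objects):
    """Steps 1-3 of the ZWMQ0053 check: DEADQ, the real queue's GET/PUT, and
    the .PUT alias resolving to it with GET(DISABLED) PUT(ENABLED)."""
    qmgr = next((a for (k, _), a in objects.items() if k == "QMNAME"), {})
    deadq = qmgr.get("DEADQ", "").strip()
    if not deadq:
        return ["no DEADQ defined for the queue manager"]
    findings = []
    real = objects.get(("QUEUE", deadq))
    if real is None:
        findings.append(f"{deadq}: dead-letter queue definition not found")
    elif (real.get("GET"), real.get("PUT")) != ("ENABLED", "ENABLED"):
        findings.append(f"{deadq}: real dead-letter queue must be GET(ENABLED) PUT(ENABLED)")
    alias = objects.get(("QUEUE", deadq + ".PUT"))
    if alias is None:   # NOTE 3: without an alias the MQQUEUE profile must restrict GET
        findings.append(f"{deadq}.PUT: no alias queue; review the MQQUEUE profile for {deadq}")
    else:
        if (alias.get("TARGQ") or alias.get("TARGET")) != deadq:
            findings.append(f"{deadq}.PUT: alias does not resolve to {deadq}")
        if (alias.get("GET"), alias.get("PUT")) != ("DISABLED", "ENABLED"):
            findings.append(f"{deadq}.PUT: alias must be GET(DISABLED) PUT(ENABLED)")
    return findings


# Constructed MQSRPT extract for queue manager QMD1 (message IDs assumed).
SAMPLE_REPORT = """\
CSQM409I +QMD1 QMNAME(QMD1) DEADQ(QMD1.DEAD.QUEUE) SSLKEYR(QMD1RING)
CSQM401I +QMD1 QUEUE(QMD1.DEAD.QUEUE) TYPE(QLOCAL) QSGDISP(QMGR)
GET(ENABLED) PUT(ENABLED) MAXDEPTH(999999999)
CSQM401I +QMD1 QUEUE(QMD1.DEAD.QUEUE.PUT) TYPE(QALIAS) QSGDISP(QMGR)
TARGQ(QMD1.DEAD.QUEUE) GET(DISABLED) PUT(ENABLED)
CSQM401I +QMD1 CHANNEL(TO.QMD2) CHLTYPE(SDR) QSGDISP(QMGR)
TRPTYPE(TCP) CONNAME(10.0.0.2)
SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA256) SSLCAUTH(REQUIRED)
CSQM401I +QMD1 CHANNEL(TO.LEGACY) CHLTYPE(SDR) QSGDISP(QMGR)
TRPTYPE(TCP) CONNAME(10.0.0.3) SSLCIPH( ) SSLCAUTH(REQUIRED)
CSQM401I +QMD1 CHANNEL(TO.VENDOR) CHLTYPE(RCVR) QSGDISP(QMGR)
SSLCIPH(RC4_SHA_US) SSLCAUTH(OPTIONAL)
"""
```

One report covers one queue manager, so the "both ends must specify the same cipher" requirement of ZWMQ0011 still has to be confirmed against the partner queue manager's report; a per-channel comparison of SSLCIPH values across the two reports is the natural next step.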

b
WebSphere MQ MQQUEUE (Queue) resource profiles defined to the MQQUEUE class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6965 - SV-7544r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0054
Vuln IDs
  • V-6965
Rule IDs
  • SV-7544r2_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-3332r1_chk

Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(MQQUEUE)

For all queues identified by the DISPLAY QUEUE(*) ALL command in MQSRPT(ssid): these queues are prefixed with ssid to identify the resources to be protected. Ensure these queue resources are defined to the MQQUEUE or GMQQUEUE resource class, and ensure the following items are in effect:
1) Resource profiles are defined with UACC(NONE).
2) For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.
3) For system queues (i.e., ssid.SYSTEM.queuename), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.
4) For the following system queues, ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, auditors, and users that require access to review message queues:
ssid.SYSTEM.COMMAND.INPUT
ssid.SYSTEM.COMMAND.REPLY
ssid.SYSTEM.CSQOREXX.*
5) For the system queues ssid.SYSTEM.CSQUTIL.*, ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, and auditors.
6) For the real dead-letter queue (to determine the queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.
7) For the alias dead-letter queue (to determine the queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

Fix: F-34066r1_fix

For all queues identified by the DISPLAY QUEUE(*) ALL command in MQSRPT(ssid): these queues are prefixed with ssid to identify the resources to be protected. Ensure these queue resources are defined to the MQQUEUE or GMQQUEUE resource class; if the following guidance is true, this is not a finding.
1) Resource profiles are defined with UACC(NONE).
2) For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ administrators (non-DECC datacenter users) can have up to ALTER access to the user message queues.
3) For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.
4) For the following system queues, ensure that UPDATE access is restricted to auditors and users that require access to review message queues:
ssid.SYSTEM.COMMAND.INPUT
ssid.SYSTEM.COMMAND.REPLY
ssid.SYSTEM.CSQOREXX.*
ssid.SYSTEM.CSQUTIL.*
5) For the real dead-letter queue (to determine the queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.
6) For the alias dead-letter queue (to determine the queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

Example (the PERMIT must name the same profile as its RDEFINE, including the trailing .**):
RDEF MQQUEUE <ssid>.SYSTEM.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0054')
PE <ssid>.SYSTEM.** CL(MQQUEUE) ID(<RestrictedUsersAsSpecifiedAbove>)
RDEF MQQUEUE <ssid>.<qname>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0054')
PE <ssid>.<qname>.** CL(MQQUEUE) ID(<AsSpecifiedAbove>)
RDEF MQQUEUE <ssid>.<RealDeadLetterQueue>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0054')
PE <ssid>.<RealDeadLetterQueue>.** CL(MQQUEUE) ID(<AsSpecifiedAbove>)
RDEF MQQUEUE <ssid>.<AliasDeadLetterQueue>.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURES(READ)) DATA('REQUIRED FOR ZWMQ0054')
PE <ssid>.<AliasDeadLetterQueue>.** CL(MQQUEUE) ID(<AsSpecifiedAbove>)
SETR RACL(MQQUEUE) REF

b
WebSphere MQ Process resource profiles defined in the MQPROC Class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6966 - SV-7546r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0055
Vuln IDs
  • V-6966
Rule IDs
  • SV-7546r2_rule
WebSphere MQ Process resources allow for the control of processes. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-4663r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(MQPROC)

b) For all process resources (i.e., ssid.processname) defined to the MQPROC or GMQPROC resource classes, ensure the following items are in effect:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
1) Resource profiles are defined with UACC(NONE).
2) Access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

c) If both of the items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18825r1_fix

Process security validates userids authorized to issue MQSeries/WebSphere MQ inquiries on process definitions. A process definition object defines an application that is started in response to a trigger event on a queue manager. Process security will be active, and all profiles ssid.processname will be defined to the MQPROC class. Restrict READ access to those userids requiring access to make process inquiries.

For all process resources (i.e., ssid.processname) defined to the MQPROC or GMQPROC resource classes, ensure the following items are in effect:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
1) Resource profiles are defined with UACC(NONE).
2) Access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security. Generic profiles such as these (names containing * or %) require SETROPTS GENERIC to be in effect for the class.
/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQPROC ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQPROC DENY-BY-DEFAULT PROFILE')
RDEF MQPROC <ssid>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED FOR ZWMQ0055')
PE <ssid>.** CL(MQPROC) ID(<ApplicableUsers>)
SETR RACL(MQPROC) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:
>QMD1 REFRESH SECURITY(*)

The following is a sample of the commands required to allow a group (GRP1) to inquire on processes beginning with the letter V on queue manager QM1:
RDEFINE MQPROC QM1.V* UACC(NONE) AUDIT(ALL(READ))
PERMIT QM1.V* CLASS(MQPROC) ID(GRP1) ACCESS(READ)

b
WebSphere MQ Namelist resource profiles defined in the MQNLIST Class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6967 - SV-7548r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0056
Vuln IDs
  • V-6967
Rule IDs
  • SV-7548r2_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility: Information Assurance Officer
Checks: C-4667r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- SENSITVE.RPT(MQNLIST)

b) For all namelist resources (i.e., ssid.namelist) defined to the MQNLIST or GMQNLIST resource classes, ensure the following items are in effect:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
1) Resource profiles are defined with UACC(NONE).
2) Access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

c) If both of the items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18827r1_fix

A namelist is an MQSeries/WebSphere MQ object that contains a list of queue names. Namelist security validates userids authorized to inquire on namelists. Namelist security will be active, and all profiles ssid.namelist will be defined to the MQNLIST or GMQNLIST class with UACC(NONE) specified. Restrict READ access to those userids requiring access to make namelist inquiries.

For all namelist resources (i.e., ssid.namelist) defined to the MQNLIST or GMQNLIST resource classes, ensure the following items are in effect:
NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
1) Resource profiles are defined with UACC(NONE).
2) Access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security.
/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQNLIST ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQNLIST DENY-BY-DEFAULT PROFILE')
RDEF MQNLIST <ssid>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED FOR ZWMQ0056')
PE <ssid>.** CL(MQNLIST) ID(<applicable>)
SETR RACL(MQNLIST) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:
>QMD1 REFRESH SECURITY(*)

b
BPX resources are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6968 - SV-7404r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0021
Vuln IDs
  • V-6968
Rule IDs
  • SV-7404r2_rule
z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges. Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.
Responsibility: Information Assurance Officer, Systems Programmer
Checks: C-20791r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(FACILITY)
Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0021)

b) Review the following items for the FACILITY resource class:
1) The RACF rules for the BPX.** resource specify a default access of NONE.
2) There is no RACF user access to the BPX.** resource.
3) There is no RACF rule for BPX.SAFFASTPATH defined.
4) The RACF rules for each of the BPX resources listed in the General Facility Class BPX Resources Table in the z/OS STIG Addendum specify a default access of NONE.
5) The RACF rules for each of the BPX resources listed in the General Facility Class BPX Resources Table in the z/OS STIG Addendum restrict access to appropriate system tasks or systems programming personnel.

c) If any item in (b) is untrue, this is a FINDING.
d) If all items in (b) are true, this is NOT A FINDING.

Fix: F-18751r1_fix

There are a number of resources available under z/OS UNIX that must be secured in order to preserve system integrity while allowing effective application and user access. All of these resources might not be used in every configuration, but several of them have critical impacts. The default access for each of these resources must be no access. A generic resource (e.g., BPX.**) must also be set to a default access of none to cover future additions.

Because they convey especially powerful privileges, the settings for BPX.DAEMON, BPX.SAFFASTPATH, BPX.SERVER, and BPX.SUPERUSER require special attention. Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel userid, z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). As noted above, the BPX.SAFFASTPATH definition can cause successful security checks not to be audited. Because auditing of all accesses is required for some system files, BPX.SAFFASTPATH must not be used. Access to BPX.SERVER must be restricted to system software processes that act as servers under z/OS UNIX (e.g., web servers). Access to BPX.SUPERUSER must be restricted to Security Administrators and individual systems programming personnel. It is not appropriate for all systems programming personnel, only for those with responsibilities for components or products that use z/OS UNIX and that require superuser capability for maintenance.

1) The RACF rules for the BPX.** resource specify a default access of NONE.
2) There is no RACF user access to the BPX.** resource.
3) There is no RACF rule for BPX.SAFFASTPATH defined.
4) The RACF rules for each of the BPX resources listed in the "General Facility Class BPX Resources" table in the z/OS STIG Addendum specify a UACC value of NONE.
5) The RACF rules for each of the BPX resources listed in the "General Facility Class BPX Resources" table in the z/OS STIG Addendum restrict access to appropriate system tasks or systems programming personnel as specified.

The following sample commands are provided to implement this requirement (a trailing "-" is the TSO command continuation character):

rdef facility bpx.** uacc(none) owner(admin) audit(all(read)) -
  data('see zuss0021')
rdef facility bpx.daemon uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.daemon cl(facility) id(<authorized_users>)
rdef facility bpx.debug uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.debug cl(facility) id(<authorized_users>)
rdef facility bpx.fileattr.apf uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.fileattr.apf cl(facility) id(<authorized_users>)
rdef facility bpx.fileattr.progctl uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.fileattr.progctl cl(facility) id(<authorized_users>)
rdef facility bpx.jobname uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.jobname cl(facility) id(<authorized_users>)
rdef facility bpx.server uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.server cl(facility) id(<authorized_users>)
rdef facility bpx.smf uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.smf cl(facility) id(<authorized_users>)
rdef facility bpx.stor.swap uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.stor.swap cl(facility) id(<authorized_users>)
rdef facility bpx.superuser uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.superuser cl(facility) id(<authorized_users>)
rdef facility bpx.wlmserver uacc(none) owner(admin) -
  audit(all(read)) data('see zuss0021')
pe bpx.wlmserver cl(facility) id(<authorized_users>)

b
WebSphere MQ Alternate User resources defined to MQADMIN resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6969 - SV-7550r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0057
Vuln IDs
  • V-6969
Rule IDs
  • SV-7550r2_rule
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility
Information Assurance Officer
Checks: C-4670r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(MQADMIN)

b) For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternateuserid) defined to the MQADMIN resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

c) If both of the items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18828r1_fix

Alternate userid security allows access to be requested under another userid. Alternate userid security will be active, and all profiles ssid.ALTERNATE.USER.alternateuserid will be defined to the MQADMIN class with UACC(NONE) specified. Restrict update access to those userids requiring access to alternate userids.

For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternateuserid) defined to the MQADMIN resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security.

/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQADMIN ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT PROFILE')
RDEF MQADMIN <ssid>.ALTERNATE.USER.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT for ALT USER PROFILE')

The following is a sample of the commands required to allow the payroll server (PAYSRV1) to specify alternate userids starting with the characters PS on queue manager QMD1:

RDEFINE MQADMIN QMD1.ALTERNATE.USER.PS* UACC(NONE) AUDIT(ALL)
PERMIT QMD1.ALTERNATE.USER.PS* CLASS(MQADMIN) ID(PAYSRV1) ACCESS(UPDATE)
SETR RACL(MQADMIN) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:

>QMD1 REFRESH SECURITY(*)

c
z/OS UNIX resources must be protected in accordance with security requirements.
AC-3 - High - CCI-000213 - V-6970 - SV-19746r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ZUSS0022
Vuln IDs
  • V-6970
Rule IDs
  • SV-19746r3_rule
z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges. Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.
Responsibility
Information Assurance Officer, Systems Programmer
Checks: C-18025r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SURROGAT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0022)

b) If the RACF rules for all BPX.SRV.user SURROGAT resources specify a default access of NONE, there is NO FINDING.
c) If the RACF rules for all BPX.SRV.user SURROGAT resources restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX, there is NO FINDING.
d) If (b) or (c) above is untrue, this is a FINDING.

Fix: F-19170r1_fix

SURROGAT class BPX resources are used in conjunction with server applications that are performing tasks on behalf of client users that may not supply an authenticator to the server. This can be the case when clients are otherwise validated or when the requested service is performed from userids representing groups. The default access for each BPX.SRV.userid resource must be no access. Access can be permitted only to system software processes that act as servers under z/OS UNIX (e.g., web servers).

1) RACF rules for all BPX.SRV.user SURROGAT resources must specify a default access of NONE. A sample is provided here:

RDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))

2) RACF rules for all BPX.SRV.user SURROGAT resources must restrict access to system software processes (e.g., web servers) that act as servers under z/OS UNIX.

RDEF SURROGAT BPX.SRV.user UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))
PE BPX.SRV.user CL(SURROGAT) ID(<server>)

b
WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6971 - SV-7552r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0058
Vuln IDs
  • V-6971
Rule IDs
  • SV-7552r2_rule
Context security validates whether a userid has authority to pass or set identity and/or origin data for a message. Context security will be active to avoid security exposure. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility
Information Assurance Officer
Checks: C-4673r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- SENSITVE.RPT(MQADMIN)

b) For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

c) If both of the items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18830r1_fix

Context security validates whether a userid has authority to pass or set identity and/or origin data for a message. Context security will be active, and all profiles ssid.CONTEXT will be defined to the MQADMIN class with UACC(NONE) specified, where ssid is the queue manager name. Read access is required when the PASS option is specified for an MQOPEN or MQPUT1. Update or control access is required when the SET or OUTPUT option is specified.

For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security.

/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQADMIN ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN DENY-BY-DEFAULT PROFILE')
RDEF MQADMIN <ssid>.CONTEXT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN PROFILE REQUIRED FOR CONTEXT SECURITY')

The following is a sample of the commands required to allow a systems programming group (SYS1) to offload and reload messages for queue manager QMD1:

PERMIT QMD1.CONTEXT CLASS(MQADMIN) ID(SYS1) ACCESS(CONTROL)

The following refresh is required for RACLISTed classes:

SETR RACL(MQADMIN) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:

>QMD1 REFRESH SECURITY(*)

c
z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
AC-3 - High - CCI-000213 - V-6972 - SV-19748r3_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ZUSS0023
Vuln IDs
  • V-6972
Rule IDs
  • SV-19748r3_rule
z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges. Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.
Responsibility
Information Assurance Officer, Systems Programmer
Checks: C-21277r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(UNIXPRIV)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0023)

b) Review the following items for the UNIXPRIV resource class:
1) The RACF rules for the SUPERUSER resource specify a default access of NONE.
2) There are no RACF rules that allow access to the SUPERUSER resource.
3) There is no RACF rule for CHOWN.UNRESTRICTED defined.
4) The RACF rules for each of the SUPERUSER resources listed in the UNIXPRIV CLASS RESOURCES Table in the z/OS STIG Addendum specify a default access of NONE.
5) The RACF rules for each of the SUPERUSER resources listed in the UNIXPRIV CLASS RESOURCES Table in the z/OS STIG Addendum restrict access to appropriate system tasks or systems programming personnel.

c) If any item in (b) is untrue, this is a FINDING.
d) If all items in (b) are true, this is NOT A FINDING.

Fix: F-19187r1_fix

Ensure that all SUPERUSER resources for the UNIXPRIV resource class are restricted to appropriate system tasks and/or system programming personnel.

1) The RACF rules for the SUPERUSER resource specify a default access of NONE.
2) There are no RACF rules that allow access to the SUPERUSER resource.
3) There is no RACF rule for CHOWN.UNRESTRICTED defined.
4) The RACF rules for each of the SUPERUSER resources listed in the UNIXPRIV CLASS RESOURCES Table in the z/OS STIG Addendum specify a default access of NONE.
5) The RACF rules for each of the SUPERUSER resources listed in the UNIXPRIV CLASS RESOURCES Table in the z/OS STIG Addendum restrict access to appropriate system tasks or systems programming personnel.

Sample Commands:

RDEF UNIXPRIV SUPERUSER.** UACC(NONE) OWNER(ADMIN) DATA('REFERENCE ZUSS0023') AUDIT(ALL(READ))
/* do not permit any users/groups to this resource */
SR CLASS(UNIXPRIV) MASK(CHOWN.UNRESTRICTED)
/* delete if found */
PE SUPERUSER.FILESYS.** CL(UNIXPRIV) ID(<SYSPAUDT>)
/* where SUPERUSER.FILESYS.** represents one of the resources listed in the UNIXPRIV CLASS RESOURCES table in the Addendum */

b
WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6973 - SV-7554r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0059
Vuln IDs
  • V-6973
Rule IDs
  • SV-7554r2_rule
WebSphere MQ resources allow for the control of commands. Failure to properly protect WebSphere MQ Command resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Responsibility
Information Assurance Officer
Checks: C-20874r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(MQCMDS)

b) For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to the appropriate personnel as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.
3) All command access is logged as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.

c) If all of the items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

Fix: F-18831r1_fix

Command security validates userids authorized to issue MQSeries / WebSphere MQ commands. Command security will be active.

For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to the appropriate personnel as designated in the table entitled "WebSphere MQ Command Security Controls" in the z/OS STIG Addendum.
3) All command access is logged as designated in the table entitled "WebSphere MQ Command Security Controls" in the z/OS STIG Addendum.

A set of sample commands is provided below to implement the minimum profiles necessary for proper security.

/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILE DEFINITIONS */
RDEF MQCMDS ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS DENY-BY-DEFAULT PROFILE')
RDEF MQCMDS <ssid>.<CmdName>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS Required See ZWMQ0059')
PE <ssid>.<CmdName>.** CL(MQCMDS) ID(<authorizeduser>) ACC(C)
SETR RACL(MQCMDS) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:

>QMD1 REFRESH SECURITY(*)

b
z/OS UNIX MVS data sets or HFS objects are not properly protected.
AC-3 - Medium - CCI-000213 - V-6974 - SV-7277r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0031
Vuln IDs
  • V-6974
Rule IDs
  • SV-7277r2_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Information Assurance Officer, Systems Programmer
IA Controls
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20982r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- PARMLIB(BPXPRMxx)

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(HFSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0031)

b) If the ACP data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN), there is NO FINDING.
c) If the ACP data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update and/or allocate access to systems programming personnel, there is NO FINDING.
d) If (b) or (c) above is untrue, this is a FINDING.

Fix: F-18950r1_fix

Review the access authorizations defined in the ACP for the MVS data sets that contain operating system components and for the MVS data sets that contain HFS file systems, and ensure that they conform to the specifications below. Review the UNIX permission bits on the HFS directories and files and ensure that they conform to the specifications below:

- The ACP data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update access to the z/OS UNIX kernel (i.e., OMVS or OMVSKERN).
- The ACP data set rules for the data sets referenced in the ROOT and the MOUNT statements in BPXPRMxx restrict update and/or allocate access to systems programming personnel.

The ROOT parameter specifies data for the file system that is to be mounted as the root file system for z/OS UNIX. ROOT can have a number of sub-parameters; the FILESYSTEM and SETUID|NOSETUID sub-parameters have security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the root file system. As the highest point in the HFS hierarchy, this file system is critical to system operations. Therefore appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and individual systems programming personnel. The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF-authorized and program-controlled extended attributes. For the root file system, SETUID must be specified for normal operations.

The MOUNT parameter specifies data for a file system that is to be mounted by z/OS UNIX. There are usually multiple MOUNT statements and each can have a number of sub-parameters. The FILESYSTEM, SETUID|NOSETUID, and SECURITY|NOSECURITY sub-parameters have significant security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the logical file system. Appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and to individual systems programming personnel. The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF-authorized and program-controlled extended attributes. SETUID may be specified for those file systems that contain only vendor-provided software or that have been documented to the IAO as requiring this support. Otherwise NOSETUID must be specified. The SECURITY|NOSECURITY sub-parameter specifies whether security checks are performed. SECURITY must be specified unless a specific exception for the file system has been identified and documented to the IAO. Regardless of IBM defaults, the values for SETUID|NOSETUID and SECURITY|NOSECURITY must be explicitly coded to protect against potential vendor changes and to simplify security reviews.

Security rules must be defined to prevent unauthorized changes to the z/OS UNIX components in MVS data sets. Because z/OS UNIX is integrated with the z/OS base control program, many of the z/OS UNIX components reside in data sets that are protected by security definitions specified elsewhere. The data set names (or masks) unique to z/OS UNIX that may require additional definitions are listed in this section. Data sets in conventional MVS formats (e.g., PDS) and those in HFS format are listed. There is also a note on security for user MVS data sets in HFS format.

The following HFS format data sets are unique to z/OS UNIX and require security definitions:

MVS DATA SETS CONTAINING HFS DATA
DATA SET NAME/MASK    MAINTENANCE TYPE
SYS1.OE.ROOT          Target
SYS3.OE.ETCFILES      Target

These data sets should have all access restricted to systems programming personnel and to the z/OS UNIX kernel userid OMVS.
The site may choose different names for these data sets, but the access restrictions must be maintained. There may be additional data sets that contain system HFS data. Any data set that specifies a file system that is at the root level (e.g., /tmp, /u) must also have all access restricted to systems programming personnel and to the z/OS UNIX kernel userid. Depending on the number of users defined in a given z/OS UNIX image, there may be a need to define individual MVS data sets to hold their personal HFS format data. These data sets must be protected in accordance with the existing security guidelines for user data. However, there is a need for special additions to those rules. The z/OS UNIX kernel userid OMVS must have update access to all user HFS data sets. Also, users must not have update access to the MVS data sets so that HFS permission controls cannot be altered outside of the z/OS UNIX environment.

b
WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-6975 - SV-7556r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWMQ0060
Vuln IDs
  • V-6975
Rule IDs
  • SV-7556r2_rule
RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL is a powerful option that can cause the bypassing of all security checks. RESLEVEL security will not be implemented.
Responsibility
Information Assurance Officer
Checks: C-4679r1_chk

a) Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(MQADMIN)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZWMQ0060)

b) Ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to the MQADMIN resource class with a UACC(NONE).
2) Access authorization to these RESLEVEL resources restricts all access. No users or groups must be specified in the access list.

c) If both of the items in (b) are true, there is NO FINDING.
d) If either item in (b) is untrue, this is a FINDING.

Fix: F-18832r1_fix

RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL security will not be implemented due to the following exposures and limitations:

(1) RESLEVEL is a powerful option that can cause the bypassing of all security checks.
(2) Security audit records are not created when the RESLEVEL profile is utilized.
(3) If the WARNING option is specified on a RESLEVEL profile, no warning messages are produced.

To protect against any profile in the MQADMIN class, such as ssid.**, resolving to a RESLEVEL profile, a ssid.RESLEVEL profile will be defined for each queue manager with UACC(NONE) specified and no users or groups specified in the access list.

Ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) A RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to the MQADMIN resource class with a UACC(NONE).
2) Access authorization to these RESLEVEL resources restricts all access. No users or groups must be specified in the access list.

A set of sample commands is provided below to implement the profile necessary for proper security.

RDEF MQADMIN <ssid>.RESLEVEL UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQADMIN PROFILE REQUIRED BY ZWMQ0060')
SETR RACL(MQADMIN) REF

Note that an additional WebSphere MQ refresh may be required for active queue managers. This is done from the console; the example is for a queue manager named QMD1:

>QMD1 REFRESH SECURITY(*)
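The deny-by-default conditions stated in ZUSS0021 (FACILITY BPX.**), ZUSS0023 (UNIXPRIV SUPERUSER.**) and this entry (MQADMIN ssid.RESLEVEL) share one shape: a backstop profile with UACC(NONE) and an empty access list, a resource that must not exist at all, and specific profiles that may carry permits but never a blanket "* READ". The Python below encodes those conditions as checks over a simplified inventory of RACF profiles. It is an added example, not part of the STIG and not DISA or IBM tooling; the Profile record layout, the IDs and the queue manager name in the sample inventories are constructed assumptions and are not the format of SENSITVE.RPT or RLIST output.

```python
# Added example (not part of the STIG or of any DISA/IBM tooling): evaluate a
# simplified inventory of RACF general-resource profiles against the
# deny-by-default conditions stated in ZUSS0021 (FACILITY BPX.*),
# ZUSS0023 (UNIXPRIV SUPERUSER.*) and ZWMQ0060 (MQADMIN ssid.RESLEVEL).
# The Profile records are a constructed shape, not the SENSITVE.RPT or
# RLIST layout; a site would populate them from its own extract.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Profile:
    """One general-resource profile: class, name, UACC and access list (ID -> access)."""
    cls: str
    name: str
    uacc: str = "NONE"
    access: Dict[str, str] = field(default_factory=dict)


def find_profile(profiles: List[Profile], cls: str, name: str) -> Optional[Profile]:
    return next((p for p in profiles if p.cls == cls and p.name == name), None)


def deny_by_default(p: Profile, rule: str, permits_allowed: bool) -> List[str]:
    """UACC must be NONE.  A backstop profile (BPX.**, SUPERUSER.**, ssid.RESLEVEL)
    must carry no permits at all; a specific profile may carry permits, but a
    blanket ID(*) entry with any access is the '* READ' warning sign the STIG names."""
    out = []
    if p.uacc.upper() != "NONE":
        out.append(f"{rule}: {p.cls} {p.name} has UACC({p.uacc}); must be UACC(NONE)")
    if not permits_allowed and p.access:
        out.append(f"{rule}: {p.cls} {p.name} has an access list {sorted(p.access)}; must have none")
    elif p.access.get("*", "NONE").upper() != "NONE":
        out.append(f"{rule}: {p.cls} {p.name} grants {p.access['*']} to ID(*)")
    return out


def check_backstop(profiles, cls, backstop, forbidden, prefix, rule) -> List[str]:
    """Shared logic for ZUSS0021 and ZUSS0023: the generic backstop profile
    exists with UACC(NONE) and no permits, the forbidden resource is not
    defined, and every other profile under the prefix is UACC(NONE)."""
    out = []
    top = find_profile(profiles, cls, backstop)
    if top is None:
        out.append(f"{rule}: {cls} {backstop} is not defined")
    else:
        out += deny_by_default(top, rule, permits_allowed=False)
    if find_profile(profiles, cls, forbidden) is not None:
        out.append(f"{rule}: {cls} {forbidden} is defined; it must not exist")
    for p in profiles:
        if p.cls == cls and p.name.startswith(prefix) and p.name not in (backstop, forbidden):
            out += deny_by_default(p, rule, permits_allowed=True)
    return out


def check_zuss0021(profiles: List[Profile]) -> List[str]:
    return check_backstop(profiles, "FACILITY", "BPX.**", "BPX.SAFFASTPATH", "BPX.", "ZUSS0021")


def check_zuss0023(profiles: List[Profile]) -> List[str]:
    return check_backstop(profiles, "UNIXPRIV", "SUPERUSER.**", "CHOWN.UNRESTRICTED",
                          "SUPERUSER.", "ZUSS0023")


def check_zwmq0060(profiles: List[Profile], queue_managers: List[str]) -> List[str]:
    """Every queue manager needs its own ssid.RESLEVEL profile with UACC(NONE)
    and an empty access list, so no broader MQADMIN profile can resolve to it."""
    out = []
    for ssid in queue_managers:
        p = find_profile(profiles, "MQADMIN", f"{ssid}.RESLEVEL")
        if p is None:
            out.append(f"ZWMQ0060: MQADMIN {ssid}.RESLEVEL is not defined")
        else:
            out += deny_by_default(p, "ZWMQ0060", permits_allowed=False)
    return out


def audit(profiles: List[Profile], queue_managers: List[str]) -> List[str]:
    return check_zuss0021(profiles) + check_zuss0023(profiles) + check_zwmq0060(profiles, queue_managers)


# Constructed sample inventories (IDs and the queue manager name are illustrative).
COMPLIANT = [
    Profile("FACILITY", "BPX.**"),
    Profile("FACILITY", "BPX.SUPERUSER", access={"SYSPROG": "READ"}),
    Profile("UNIXPRIV", "SUPERUSER.**"),
    Profile("UNIXPRIV", "SUPERUSER.FILESYS.**", access={"SYSPAUDT": "READ"}),
    Profile("MQADMIN", "QMD1.RESLEVEL"),
]
NONCOMPLIANT = [
    Profile("FACILITY", "BPX.**", uacc="READ"),                       # UACC must be NONE
    Profile("FACILITY", "BPX.SAFFASTPATH"),                           # must not be defined
    Profile("FACILITY", "BPX.DAEMON", access={"*": "READ"}),          # blanket permit
    Profile("UNIXPRIV", "SUPERUSER.**", access={"SYSPROG": "READ"}),  # permits on backstop
    Profile("UNIXPRIV", "CHOWN.UNRESTRICTED"),                        # must be deleted
]                                                                     # and no QMD1.RESLEVEL

if __name__ == "__main__":
    for line in audit(NONCOMPLIANT, ["QMD1"]):
        print(line)
```

Item 5 of ZUSS0021 and ZUSS0023 (permits restricted to appropriate tasks or personnel) cannot be decided mechanically; the code only surfaces the ID(*) case the STIG itself flags, and the remaining permits still need a reviewer with the site's role definitions.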

b
z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected
AC-3 - Medium - CCI-000213 - V-6976 - SV-7279r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0032
Vuln IDs
  • V-6976
Rule IDs
  • SV-7279r2_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Information Assurance Officer, Systems Programmer
IA Controls
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20983r1_chk

a) Refer to the following report produced by the ACP Data Collection:
- SENSITVE.RPT(USSRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0032)

b) If the ACP data set rules for each of the data sets listed in the MVS DATA SETS WITH z/OS UNIX COMPONENTS Table in the z/OS STIG Addendum restrict UPDATE and ALLOCATE access to systems programming personnel, there is NO FINDING.
c) If (b) above is untrue, this is a FINDING.

Fix: F-18951r1_fix

Verify that the ACP data set rules for each of the data sets listed in the specified table in the z/OS STIG Addendum under MVS DATA SETS WITH z/OS UNIX COMPONENTS restrict UPDATE and ALLOCATE access to systems programming personnel. The data sets designated as distribution data sets should have all access restricted to systems programming personnel. TSO/E users who also use z/OS UNIX should have read access to the SYS1.SBPX* data sets. Read access for all users to the remaining target data sets is at the site’s discretion. All other access must be restricted to systems programming personnel.

b
z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected
AC-3 - Medium - CCI-000213 - V-6977 - SV-7280r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0033
Vuln IDs
  • V-6977
Rule IDs
  • SV-7280r2_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Information Assurance Officer, Systems Programmer
IA Controls
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-3926r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(STLLRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ZUSS0033)

___ The ACP data set rules for libraries specified in the STEPLIBLIST file allow inappropriate access.
___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not restrict UPDATE and/or ALTER/ALLOCATE access to only systems programming personnel.
___ The ACP data set rules for libraries specified in the STEPLIBLIST file do not specify that all (i.e., failures and successes) UPDATE and/or ALTER/ALLOCATE access will be logged.

b) If all of the above are untrue, there is NO FINDING.
c) If any of the above is true, this is a FINDING.

Fix: F-18952r1_fix

Verify with the IAO that update and allocate access to libraries listed in /etc/steplib is limited to systems programmers only. The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-ID or set-group-ID permission bit set. The use of STEPLIBLIST is at the site's discretion, but if used, the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged, and only systems programming personnel will be authorized to update the data sets.

b
z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
AC-3 - Medium - CCI-000213 - V-6978 - SV-7281r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0034
Vuln IDs
  • V-6978
Rule IDs
  • SV-7281r3_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Systems Programmer, Information Assurance Officer
IA Controls
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-3927r3_chk

Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(SDPERM)

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ZUSS0034)

The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM DIRECTORY SECURITY SETTINGS Table in the z/OS STIG Addendum. If the guidance is true, this is not a finding.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-6740r3_fix

The IAO, with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on each HFS directory listed in the SYSTEM DIRECTORY SECURITY SETTINGS table in the z/OS STIG Addendum and verify that they are equal to or more restrictive than the specified settings.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 0755 /
chaudit w=sf,rx+f /
chmod 0755 /bin
chaudit rwx=f /bin

b
z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.
AC-3 - Medium - CCI-000213 - V-6979 - SV-7282r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0035
Vuln IDs
  • V-6979
Rule IDs
  • SV-7282r3_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Systems Programmer, Information Assurance Officer
IA Controls
DCCS-1, DCCS-2, DCSL-1, ECCD-1, ECCD-2
Checks: C-3928r3_chk

Refer to the following reports produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(SFPERM)
- USSCMDS.RPT(EAUTOM)

Refer to the following report produced by the IBM Communications Server Data Collection:
- PDI(ZUSS0035)

The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum. If the guidance is true, this is not a finding.

NOTE: Some of the files listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum are not used in every configuration. Absence of any of the files is not considered a finding.

NOTE: The names of the MapName files are site-defined. Refer to the listing in the EAUTOM report.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

Fix: F-6741r2_fix

The IAO, with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS files listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum.

There are a number of files that must be secured to protect system functions in z/OS UNIX. Where not otherwise specified, these files must receive a permission setting of 744 or 774. The 774 setting may be used at the site’s discretion to help to reduce the need for assignment of superuser privileges. The table identifies permission bit and audit bit settings that are required for these specific files. More restrictive permission settings may be used at the site’s discretion or as specific environments dictate.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1755 /bin/sh
chaudit w=sf,rx+f /bin/sh
chmod 0740 /dev/console
chaudit rwx=f /dev/console
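The "equal or more restrictive" comparison that ZUSS0034 and ZUSS0035 ask the reviewer to make, written out as a small checker. This is an added example, not part of the STIG or of DISA's collection tooling; it assumes the Addendum tables can be written as path to (octal mode, r/w/x audit bits), treats more audit logging as more restrictive, and uses constructed sample tables rather than the real Addendum entries.

```python
"""Checker for the STIG permission-bit and audit-bit hierarchy (ZUSS0034/ZUSS0035).

Added example, not part of the STIG or of DISA's collection tooling. The
required table and the observed settings below are constructed samples, not
the real SYSTEM DIRECTORY/FILE SECURITY SETTINGS tables from the Addendum.
"""

# STIG ordering of one octal permission digit, least restrictive first. It is
# not numeric order: the STIG ranks write ('w') as less restrictive than read
# ('r'), so 3 (-wx) is less restrictive than 5 (r-x).
PERM_ORDER = [7, 6, 3, 2, 5, 4, 1, 0]
PERM_RANK = {digit: rank for rank, digit in enumerate(PERM_ORDER)}

# Audit bit values from the STIG: '-' no auditing, 'f' failures only,
# 'a' failures and successes. This example treats more logging as more
# restrictive (an assumption, not STIG text).
AUDIT_RANK = {"-": 0, "f": 1, "a": 2}


def split_mode(mode):
    """Split an octal mode such as '0755' or '1755' into
    (special_digit, [owner, group, other]); a 3-digit mode gets special 0."""
    if not mode.isdigit() or len(mode) not in (3, 4):
        raise ValueError(f"bad octal mode: {mode!r}")
    digits = [int(c) for c in mode.zfill(4)]
    return digits[0], digits[1:]


def perm_digit_ok(observed, required):
    """True when the observed digit is equal to or more restrictive than the
    required digit under the STIG hierarchy."""
    return PERM_RANK[observed] >= PERM_RANK[required]


def audit_ok(observed, required):
    """Compare three audit characters (r, w, x positions, e.g. 'faf'); every
    observed position must log at least as much as required."""
    if len(observed) != 3 or len(required) != 3:
        raise ValueError("audit bits must be three characters such as 'faf'")
    return all(AUDIT_RANK[o] >= AUDIT_RANK[r]
               for o, r in zip(observed, required))


def check_entry(path, obs_mode, obs_audit, req_mode, req_audit):
    """Return finding strings for one path (empty list means compliant)."""
    findings = []
    obs_special, obs_perm = split_mode(obs_mode)
    req_special, req_perm = split_mode(req_mode)
    # The setuid/setgid/sticky digit must match the table exactly.
    if obs_special != req_special:
        findings.append(f"{path}: special bits {obs_special} differ from required {req_special}")
    for who, o, r in zip(("owner", "group", "other"), obs_perm, req_perm):
        if not perm_digit_ok(o, r):
            findings.append(f"{path}: {who} permission {o} is less restrictive than required {r}")
    if not audit_ok(obs_audit, req_audit):
        findings.append(f"{path}: audit bits {obs_audit} are weaker than required {req_audit}")
    return findings


def check_system(required, observed):
    """Check every path in the required table against the observed settings.
    Paths missing from the observed data are reported for manual review,
    because ZUSS0035 says absence of some listed files is not a finding."""
    findings = []
    for path, (req_mode, req_audit) in required.items():
        if path not in observed:
            findings.append(f"{path}: not present (verify whether this file is used)")
            continue
        obs_mode, obs_audit = observed[path]
        findings.extend(check_entry(path, obs_mode, obs_audit, req_mode, req_audit))
    return findings


# Constructed sample table in the shape of the Addendum tables:
# path -> (octal mode, audit bits in r/w/x order). 'faf' corresponds to the
# STIG's sample 'chaudit w=sf,rx+f'; 'fff' corresponds to 'chaudit rwx=f'.
REQUIRED = {
    "/": ("0755", "faf"),
    "/bin": ("0755", "fff"),
    "/bin/sh": ("1755", "faf"),
    "/dev/console": ("0740", "fff"),
}

# Constructed observed settings, as a site's collection might show them.
OBSERVED = {
    "/": ("0755", "faf"),             # exact match: compliant
    "/bin": ("0775", "fff"),          # group write added: finding
    "/bin/sh": ("1755", "fff"),       # write audited for failures only: finding
    "/etc/steplib": ("0744", "fff"),  # not in the table: ignored
}

if __name__ == "__main__":
    for line in check_system(REQUIRED, OBSERVED):
        print(line)
```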

b
WebSphere MQ channel security is not implemented in accordance with security requirements.
SC-23 - Medium - CCI-002470 - V-6980 - SV-7283r2_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
ZWMQ0012
Vuln IDs
  • V-6980
Rule IDs
  • SV-7283r2_rule
WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-21005r1_chk

a) Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which release of WebSphere MQ is in use, review the ssid reports for message CSQU000I.

Collect the following information for each WebSphere MQ queue manager:
- If a WebSphere MQ queue manager communicates with an MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.
- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.

b) Review the ssid report(s) and perform the following steps:
1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, i.e., SSLKEYR(sslkeyring-id).
3) Issue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator’s userid and sslkeyring-id is obtained from the above action:
LIST ssidCHIN PROFILE(CERTDATA, KEYRING)
The output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following:
OU=PKI.OU=DoD.O=U.S. Government.C=US
OU=ECA.O=U.S. Government.C=US
4) Repeat these steps for each queue manager ssid identified.

c) If all of the items in (b) above are true, there is NO FINDING.

d) If any of the items in (b) above are untrue, this is a FINDING.

Fix: F-18968r1_fix

Refer to the following report produced by the z/OS Data Collection:
- MQSRPT(ssid)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.
2) Verify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified, i.e., SSLKEYR(sslkeyring-id).
3) Issue the following RACF commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator’s userid and sslkeyring-id is obtained from the above action:
RACDCERT ID(ssidCHIN) LISTRING(sslkeyring-id)
NOTE: The sslkeyring-id is case sensitive.
The output will contain columns for Certificate Label Name and Cert Owner. Find the Cert Owner of ID(ssidCHIN). Use the Certificate Label Name for ID(ssidCHIN) in the following command:
RACDCERT ID(ssidCHIN) LIST(LABEL(‘Certificate Label Name’))
NOTE: The Certificate Label Name is case sensitive.
Review the Issuer’s Name field in the resulting output for any of the following:
OU=PKI.OU=DoD.O=U.S. Government.C=US
OU=ECA.O=U.S. Government.C=US
4) Repeat these steps for each queue manager ssid identified.

To implement the requirements stated above, the following two items are provided to assist with (1) technical "how to" information and (2) a DISA point of contact for obtaining SSL certificates for CSD WebSphere MQ channels:
1. Review the information available on setting up SSL, Keyrings, and Digital Certificates in the RACF Security Administrator's Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory).
2. For information on obtaining an SSL certificate in the DISA CSD environment, send an email inquiry to [email protected].

b
z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.
AC-3 - Medium - CCI-000213 - V-6981 - SV-7284r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0036
Vuln IDs
  • V-6981
Rule IDs
  • SV-7284r2_rule
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Responsibility
Systems Programmer
IA Controls
DCCS-1, DCCS-2, DCSL-1, ECCD-1, ECCD-2
Checks: C-3929r1_chk

a) Refer to the following report produced by the UNIX System Services Data Collection:
- USSCMDS.RPT(OWDIR)

b) If there are no directories that have the other write permission bit set on without the sticky bit set on, there is NO FINDING.
NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”.

c) If all directories that have the other write permission bit set on do not contain any files with the setuid bit set on, there is NO FINDING.
NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”.

d) If all directories that have the other write permission bit set on do not contain any files with the setgid bit set on, there is NO FINDING.
NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.

e) If (b), (c), or (d) above is untrue, this is a FINDING.

Fix: F-18958r1_fix

The systems programmer will verify the following:

b) There are no directories that have the other write permission bit set on without the sticky bit set on.
NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”.

c) All directories that have the other write permission bit set on do not contain any files with the setuid bit set on.
NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”.

d) All directories that have the other write permission bit set on do not contain any files with the setgid bit set on.
NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.
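Checks (b), (c) and (d) above, implemented over a symbolic-mode listing of the kind the STIG quotes. This is an added example, not part of the STIG or of DISA's OWDIR report tooling; the listing it runs on is constructed, and it only decodes the 10-character mode string and path, not a full `ls -l` line.

```python
"""Checker for ZUSS0036: directories with the 'other' write bit set must carry
the sticky bit and must not contain setuid or setgid files.

Added example, not part of the STIG or of DISA's collection tooling. The
listing below is constructed in the symbolic form the STIG quotes
('drwxrwxrwt', '-rwsrwxrwx'); it is not a real OWDIR report.
"""
import posixpath


def parse_symbolic(mode):
    """Decode a 10-character symbolic mode string.

    Position 0 is the type ('d' directory, '-' regular file). Positions 1-9
    are rwx for owner, group and other. The execute slots carry the special
    bits: 's'/'S' in owner-execute = setuid, 's'/'S' in group-execute =
    setgid, 't'/'T' in other-execute = sticky. Upper case means the special
    bit is on while the underlying execute bit is off.
    """
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    return {
        "is_dir": mode[0] == "d",
        "other_write": mode[8] == "w",
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "sticky": mode[9] in "tT",
    }


def find_findings(listing):
    """listing: iterable of (symbolic_mode, absolute_path).

    Returns (check, path) tuples where check is 'b' (other-writable directory
    without the sticky bit), 'c' (setuid file in an other-writable directory)
    or 'd' (setgid file in an other-writable directory), matching the letters
    of the STIG check text. Only files whose immediate parent directory is
    other-writable are examined, as the STIG describes.
    """
    entries = {path: parse_symbolic(mode) for mode, path in listing}
    other_writable_dirs = {p for p, e in entries.items()
                           if e["is_dir"] and e["other_write"]}
    findings = []
    # (b): every other-writable directory needs the sticky bit, so that only
    # a file's owner can remove or rename it there.
    for d in sorted(other_writable_dirs):
        if not entries[d]["sticky"]:
            findings.append(("b", d))
    # (c) and (d): privileged executables inside an other-writable directory.
    for path in sorted(entries):
        e = entries[path]
        if e["is_dir"] or posixpath.dirname(path) not in other_writable_dirs:
            continue
        if e["setuid"]:
            findings.append(("c", path))
        if e["setgid"]:
            findings.append(("d", path))
    return findings


# Constructed listing; the comments give the expected result for each line.
LISTING = [
    ("drwxr-xr-x", "/"),
    ("drwxrwxrwt", "/tmp"),             # other-writable with sticky bit: ok
    ("-rwsr-xr-x", "/tmp/helper"),      # setuid file in /tmp: (c)
    ("drwxrwxrwx", "/u/shared"),        # other-writable, no sticky bit: (b)
    ("-rwxrwsrwx", "/u/shared/tool"),   # setgid file in /u/shared: (d)
    ("-rw-rw-rw-", "/u/shared/notes"),  # ordinary file: no finding
    ("drwxrwxr-x", "/u/group"),         # group-writable only: no finding
    ("-rwsr-xr-x", "/bin/su"),          # setuid, but /bin is not other-writable
]

if __name__ == "__main__":
    for check, path in find_findings(LISTING):
        print(f"check ({check}): {path}")
```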

b
Attributes of z/OS UNIX user accounts are not defined properly
IA-2 - Medium - CCI-000764 - V-6985 - SV-7288r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0041
Vuln IDs
  • V-6985
Rule IDs
  • SV-7288r2_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Systems Programmer
IA Controls
DCCS-1, DCCS-2
Checks: C-3618r1_chk

Refer to the following report produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(OMVSGRP)
RACF - RACFCMDS.RPT(LISTGRP)
TSS - TSSCMDS.RPT(OMVSUSER)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZUSS0041)

NOTE: A site can choose to have both an OMVSGRP group and an STCOMVS group or combine the groups under one of these names.

Ensure that the OMVSGRP and/or STCOMVS groups are defined and have a unique GID in the range of 1-99.

Fix: F-18960r1_fix

The Systems Programmer will ensure that the OMVSGRP group and/or the STCOMVS group are each defined to the security database with a unique GID in the range of 1-99. OMVSGRP is the name suggested by IBM for all the required userids. STCOMVS is the standard name used at some sites for the userids that are associated with z/OS UNIX started tasks and daemons. These groups can be combined at the site’s discretion.

b
Each z/OS UNIX group is not defined with a unique GID.
IA-2 - Medium - CCI-000764 - V-6986 - SV-7289r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0042
Vuln IDs
  • V-6986
Rule IDs
  • SV-7289r2_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-4644r1_chk

Refer to the following report produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(OMVSGRP)
RACF - RACFCMDS.RPT(LISTGRP)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZUSS0042)

For ACF2 and RACF, ensure that each GID is unique to a specific group. For TSS this is Not Applicable.

Fix: F-18961r1_fix

The systems programmer will verify that each group has a unique GID number.

b
The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
IA-2 - Medium - CCI-000764 - V-6987 - SV-7290r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0043
Vuln IDs
  • V-6987
Rule IDs
  • SV-7290r2_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer, Systems Programmer
IA Controls
DCCS-1, DCCS-2
Checks: C-3932r1_chk

a) Refer to the following reports produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(OMVSUSER)
- ACF2CMDS.RPT(LOGONIDS)
RACF - RACFCMDS.RPT(LISTUSER)
TSS - TSSCMDS.RPT(@ACIDS)

b) If OMVS is defined as follows, there is NO FINDING:
1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
2) Default group specified as OMVSGRP or STCOMVS
3) UID(0)
4) HOME directory specified as “/”
5) Shell program specified as “/bin/sh”

c) If OMVS is not defined as specified in (b) above, this is a FINDING.

Fix: F-18962r1_fix

The systems programmer will verify that OMVS is defined as specified below:
1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
2) Default group specified as OMVSGRP or STCOMVS
3) UID(0)
4) HOME directory specified as “/”
5) Shell program specified as “/bin/sh”

b
The user account for the z/OS UNIX SUPERUSER userid must be properly defined.
IA-2 - Medium - CCI-000764 - V-6988 - SV-87465r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0044
Vuln IDs
  • V-6988
Rule IDs
  • SV-87465r1_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer, Systems Programmer
Checks: C-72947r4_chk

Refer to system PARMLIB member BPXPRMxx (xx is determined by the OMVS entry in IEASYS00). Determine the user ID identified by the SUPERUSER parameter (BPXROOT is the default).

From a command input screen enter:
LISTUSER (superuser userid) TSO CICS OMVS

Alternately:
- RACFCMDS.RPT(LISTUSER)

If the SUPERUSER userid is defined as follows, this is not a finding:
- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”

Fix: F-79253r3_fix

Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below:
- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”

b
The user account for the z/OS UNIX (RMFGAT) must be properly defined.
IA-2 - Medium - CCI-000764 - V-6989 - SV-87475r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0045
Vuln IDs
  • V-6989
Rule IDs
  • SV-87475r1_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer, Systems Programmer
Checks: C-72955r2_chk

RMFGAT is the userid for the Resource Measurement Facility (RMF) Monitor III Gatherer. If RMFGAT is not defined, this is not applicable.

From a command input screen enter:
LISTUSER (RMFGAT) OMVS

Alternately:
Refer to the following reports produced by the ACP Data Collection:
- RACFCMDS.RPT(LISTUSER)

If RMFGAT is defined as follows, this is not a finding:
- Default group specified as OMVSGRP or STCOMVS
- A unique, non-zero UID
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”

Fix: F-79261r2_fix

Define the RMFGAT user account as specified below:
- Default group specified as OMVSGRP or STCOMVS
- A unique, non-zero UID
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”

c
UID(0) must be properly assigned.
IA-2 - High - CCI-000764 - V-6991 - SV-7294r3_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
ZUSS0046
Vuln IDs
  • V-6991
Rule IDs
  • SV-7294r3_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer, Systems Programmer
Checks: C-20023r2_chk

a) Refer to the following report produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(OMVSUSER)
RACF - RACFCMDS.RPT(LISTUSER)
TSS - TSSCMDS.RPT(OMVSUSER)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the z/OS Data Collection:
- PDI(ZUSS0046)

b) If UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, there is NO FINDING.

c) If UID(0) is assigned to security administrators who create or maintain user account definitions, and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, there is NO FINDING.

NOTE: The assignment of UID(0) confers full-time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.

d) If UID(0) is assigned to non-systems or non-maintenance accounts, this is a FINDING.

Fix: F-18965r1_fix

The systems programmer will verify that UID(0) is defined as specified below:

UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons.

UID(0) is assigned to security administrators who create or maintain user account definitions, and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components.

NOTE: The assignment of UID(0) confers full-time superuser privileges; this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.

b
z/OS UNIX user accounts are not properly defined.
IA-2 - Medium - CCI-000764 - V-6992 - SV-7295r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0047
Vuln IDs
  • V-6992
Rule IDs
  • SV-7295r2_rule
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer, Systems Programmer
IA Controls
DCCS-1, DCCS-2
Checks: C-20986r1_chk

a) Refer to the following report produced by the ACP Data Collection:
ACF2 - ACF2CMDS.RPT(OMVSUSER)
RACF - RACFCMDS.RPT(LISTUSER)
TSS - TSSCMDS.RPT(OMVSUSER)

NOTE: This check only applies to users of z/OS UNIX (i.e., users with an OMVS profile defined).

b) If each user account is defined as follows, there is NO FINDING:
1) A unique UID number (except for UID(0) users)
2) A unique HOME directory (except for UID(0) and other system task accounts)
3) Shell program specified as “/bin/sh”, “/bin/tcsh”, “/bin/echo”, or “/bin/false”

NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

c) If any user account is not defined as specified in (b) above, this is a FINDING.

Fix: F-18966r1_fix

The systems programmer will verify that each user account is defined as specified below:

NOTE: This check only applies to users of z/OS UNIX (i.e., users with an OMVS profile defined).

1) A unique UID number (except for UID(0) users)
2) A unique HOME directory (except for UID(0) and other system task accounts)
3) Shell program specified as “/bin/sh”, “/bin/tcsh”, “/bin/echo”, or “/bin/false”

NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).
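The account attribute checks from ZUSS0043 through ZUSS0047 (kernel and SUPERUSER userids, UID(0) assignment, and per-user UID, HOME and shell rules), gathered into one script as an added example. It is not the STIG's own tooling or DISA's collection code; the records are constructed summaries of LISTUSER output, and the 'tso' and 'system_account' flags are assumptions this example uses to stand in for the reviewer's judgement about interactive access and account role.

```python
"""Account-attribute checks for z/OS UNIX users (ZUSS0043 through ZUSS0047).

Added example, not the STIG's or DISA's own tooling. Each record is a
constructed summary of what a RACF LISTUSER ... TSO OMVS display shows. The
flags 'tso' (the user has a TSO segment, i.e. interactive access) and
'system_account' (system task, daemon, security administrator or dedicated
SMP/E maintenance account, the roles the STIG allows to hold UID(0)) are
assumptions made for this example.
"""

ALLOWED_SHELLS = {"/bin/sh", "/bin/tcsh", "/bin/echo", "/bin/false"}
OMVS_GROUPS = {"OMVSGRP", "STCOMVS"}

# Constructed sample accounts (not from a real system).
RECORDS = [
    {"userid": "OMVS", "uid": 0, "home": "/", "program": "/bin/sh",
     "dfltgrp": "OMVSGRP", "tso": False, "system_account": True},
    {"userid": "BPXROOT", "uid": 0, "home": "/", "program": "/bin/sh",
     "dfltgrp": "STCOMVS", "tso": False, "system_account": True},
    {"userid": "SYSLOGD", "uid": 0, "home": "/", "program": "/bin/sh",
     "dfltgrp": "STCOMVS", "tso": False, "system_account": True},
    {"userid": "JDOE", "uid": 1001, "home": "/u/jdoe", "program": "/bin/sh",
     "dfltgrp": "USERS", "tso": True, "system_account": False},
    {"userid": "JSMITH", "uid": 1001, "home": "/u/jdoe", "program": "/bin/ksh",
     "dfltgrp": "USERS", "tso": True, "system_account": False},
    {"userid": "ADMIN2", "uid": 0, "home": "/u/admin2", "program": "/bin/sh",
     "dfltgrp": "USERS", "tso": True, "system_account": False},
    {"userid": "BATCH1", "uid": 2001, "home": "", "program": "/bin/false",
     "dfltgrp": "USERS", "tso": False, "system_account": False},
]


def check_kernel_account(rec):
    """ZUSS0043/ZUSS0044: the OMVS kernel userid and the BPXPRMxx SUPERUSER
    userid must have no interactive access, default group OMVSGRP or
    STCOMVS, UID(0), HOME '/' and shell program '/bin/sh'."""
    u, f = rec["userid"], []
    if rec["tso"]:
        f.append(f"{u}: has interactive (TSO) access")
    if rec["dfltgrp"] not in OMVS_GROUPS:
        f.append(f"{u}: default group {rec['dfltgrp']} is not OMVSGRP or STCOMVS")
    if rec["uid"] != 0:
        f.append(f"{u}: UID is {rec['uid']}, expected 0")
    if rec["home"] != "/":
        f.append(f"{u}: HOME is {rec['home']!r}, expected '/'")
    if rec["program"] != "/bin/sh":
        f.append(f"{u}: PROGRAM is {rec['program']!r}, expected '/bin/sh'")
    return f


def check_users(records):
    """ZUSS0046 and ZUSS0047 over every account that has an OMVS segment."""
    f, uid_owner, home_owner = [], {}, {}
    for rec in records:
        u, uid, home, prog = rec["userid"], rec["uid"], rec["home"], rec["program"]
        # ZUSS0046: UID(0) only for system tasks, daemons, security
        # administrators and dedicated maintenance accounts.
        if uid == 0 and not rec["system_account"]:
            f.append(f"{u}: UID(0) assigned to a non-system account")
        # ZUSS0047 (1): UID unique, except that UID(0) may be shared.
        if uid != 0:
            if uid in uid_owner:
                f.append(f"{u}: UID {uid} duplicates {uid_owner[uid]}")
            else:
                uid_owner[uid] = u
        # ZUSS0047 (2): HOME must be set (not defaulted) and unique, except
        # for UID(0) and other system task accounts.
        if not home:
            f.append(f"{u}: HOME directory not specified (would default)")
        elif uid != 0 and not rec["system_account"]:
            if home in home_owner:
                f.append(f"{u}: HOME {home} duplicates {home_owner[home]}")
            else:
                home_owner[home] = u
        # ZUSS0047 (3): shell program must be one of the listed values.
        if prog not in ALLOWED_SHELLS:
            f.append(f"{u}: PROGRAM {prog!r} is not an allowed shell")
    return f


if __name__ == "__main__":
    by_id = {r["userid"]: r for r in RECORDS}
    # ZUSS0043 covers the kernel userid OMVS; ZUSS0044 covers the BPXPRMxx
    # SUPERUSER userid, assumed here to be the default BPXROOT.
    for userid in ("OMVS", "BPXROOT"):
        for line in check_kernel_account(by_id[userid]):
            print(line)
    for line in check_users(RECORDS):
        print(line)
```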

b
The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.
CM-6 - Medium - CCI-000366 - V-6997 - SV-7300r4_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSSR050
Vuln IDs
  • V-6997
Rule IDs
  • SV-7300r4_rule
The RACF FACILITY class BPX.UNIQUE.USER profile contains the userid or the userid/group ID of the default profiles to be used for a user without a z/OS UNIX profile (i.e., OMVS segment). On a classified system, user access will not be determined by default.
Responsibility
Information Assurance Officer
Checks: C-3865r3_chk

If the system is not classified, this is not applicable.

From a command input screen enter:
RLIST FACILITY (BPX.UNIQUE.USER) ALL
Examine APPLICATION DATA for a userid.

Alternately:
Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(FACILITY)
- System Classification

Automated Analysis:
Refer to the following report produced by the RACF Data Collection:
- PDI(ZUSSR050)

If the system is classified and no userid is defined in the Application Data field of the BPX.UNIQUE.USER resource in the FACILITY report, this is not a finding.

Fix: F-6718r2_fix

If the system is classified, a userid should not be defined in the application data field of the FACILITY report. The sample commands below show the security parameters required for the default user:
AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -
  OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) -
  DATA('DEFAULT OMVSUSERID ADDED WITH SOER5')
RDEF FACILITY BPX.UNIQUE.USER APPLDATA() -
  DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN)
SETR RACLIST(FACILITY) REFRESH

b
The RACF Classes required to properly secure the z/OS UNIX environment are not ACTIVE.
AC-3 - Medium - CCI-000213 - V-6998 - SV-7301r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSSR060
Vuln IDs
  • V-6998
Rule IDs
  • SV-7301r2_rule
The FACILITY, SURROGAT, and UNIXPRIV classes support profiles used to secure the z/OS UNIX (OMVS) environment. Without these classes being in an ACTIVE status, system integrity can be compromised.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-3862r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(ZUSSR060)

b) If the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING.

c) If (b) above is untrue, this is a FINDING.

Fix: F-18778r1_fix

UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users.

SURROGAT class profiles are only needed if there are servers (e.g., web server) running in the z/OS UNIX environment that must be able to act with the security context of a client and that client does not supply a password or other authenticator for the ACP.

FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment.

Ensure that the required classes are active. Develop a plan of action and activate with the RACF commands:
SETR CLASSACT(FACILITY SURROGAT UNIXPRIV)
SETR GENERIC(FACILITY SURROGAT UNIXPRIV)
SETR GENCMD(FACILITY SURROGAT UNIXPRIV)
SETR RACL(FACILITY SURROGAT UNIXPRIV)

b
RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.
CM-6 - Medium - CCI-000366 - V-6999 - SV-7302r2_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZUSSR070
Vuln IDs
  • V-6999
Rule IDs
  • SV-7302r2_rule
RACF provides the ability to load certain class profiles into memory for better performance through the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented. By not following vendor recommendations, unpredictable results could occur that compromise the integrity of the z/OS system.
Responsibility
Information Assurance Officer
IA Controls
DCCS-1, DCCS-2
Checks: C-3858r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(ZUSSR070)

b) If the SETR RACLIST CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING.

c) If (b) above is untrue, this is a FINDING.

Fix: F-18779r1_fix

RACF provides the ability to load certain class profiles into memory for better performance through the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented.

UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users.

SURROGAT class profiles are only needed if there are servers (e.g., web server) running in the z/OS UNIX environment that must be able to act with the security context of a client and that client does not supply a password or other authenticator for the ACP.

FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment.

Ensure that the required classes are RACLISTed. Develop a plan of action and RACLIST with the RACF command:
SETR RACL(FACILITY SURROGAT UNIXPRIV)

b
Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.
IA-2 - Medium - CCI-000764 - V-7050 - SV-7940r5_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZUSS0048
Vuln IDs
  • V-7050
Rule IDs
  • SV-7940r5_rule
RACF userids that use z/OS UNIX must be properly configured. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Responsibility
Information Assurance Officer
Checks: C-5461r5_chk

If this is a classified system, this is not applicable.

From a command input screen enter:
RLIST FACILITY (BPX.UNIQUE.USER) ALL
Examine APPLICATION DATA for the userid.
Enter:
LISTUSER (<userid>)

Alternately:
Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(FACILITY)
- RACFCMDS.RPT(LISTUSER)

Note: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is not applicable.

If the user account used for OMVS account modeling is defined as follows, this is not a finding:
- A non-writable HOME directory
- Shell program specified as “/bin/echo” or “/bin/false”

Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Fix: F-75869r3_fix

Use of the OMVS default UID will not be allowed on any classified system. This is not an issue when using BPX.UNIQUE.USER.

Define the user id used for OMVS account modeling with a non-0 UID, a non-writable home directory such as the root directory "/", and a non-executable, but existing, binary file, "/bin/false" or "/bin/echo", as the shell program:
AG OEDFLTG SUPGROUP(ADMIN) OWNER(ADMIN) OMVS(GID(777777))
AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -
  OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) -
  DATA('DEFAULT OMVSUSERID ADDED WITH SOER5')
RDEF FACILITY BPX.DEFAULT.USER APPLDATA('OEDFLTU/OEDFLTG') -
  DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN)
SETR RACLIST(FACILITY) REFRESH

b
CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
IA-2 - Medium - CCI-000764 - V-7119 - SV-7536r3_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ZCIC0041
Vuln IDs
  • V-7119
Rule IDs
  • SV-7536r3_rule
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. An improperly defined or controlled CICS default userid may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Information Assurance Officer
Checks: C-25317r3_chk

a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CICSPROC)

Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- SENSITVE.RPT(TCICSTRN)
- SENSITVE.RPT(GCICSTRN)

NOTE: If a CICS region is using a site-defined transaction resource class pair, execute a RACF RLIST command against these resource classes.

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Ensure the following items are in effect for the CICS default userid (i.e., DFLTUSER=default userid):
1) Not granted the RACF OPERATIONS attribute.
2) No access to interactive on-line facilities (e.g., TSO) other than CICS.
3) TIMEOUT parameter in the CICS segment is set to 15 minutes.
4) A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM. The IAM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
5) Restricted from accessing all data sets and resources with the following exceptions:
(a) Non-restricted CICS transactions (e.g., CESF, CESN, 'good morning' transaction, etc.)
(b) If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO)

NOTE: Execute the JCL in CNTL(IRRUT100) using the CICS default userid as SYSIN input. This report lists all occurrences of this userid within the RACF database, including data set and resource access lists.

c) If all items in (b) are true, this is not a finding.
d) If any item in (b) is untrue, this is a finding.

Fix: F-20566r1_fix

Ensure the following items are in effect for the CICS default userid (i.e., DFLTUSER=default userid):

1) Not granted the RACF OPERATIONS attribute.
a) Issue a RACF LU (Listuser) command on the CICS default userid.
b) The OPERATIONS attribute can be removed via the RACF command:
ALU <cicsdefaultuser> NOOPERATIONS

2) No access to interactive on-line facilities (e.g., TSO) other than CICS.
a) Use the RACF ALU (Altuser) command to remove attributes such as TSO. Example:
ALU <cicsdefaultuser> NOTSO

3) TIMEOUT parameter in the CICS segment is set to 15 minutes.

4) A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM. The IAM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
a) Use the RACF LU (ListUser) command to display the CICS segment. An example is shown here:
LU <cicsdefaultuser> CICS
b) Use the RACF ALU command to set the 15 minute timeout value. An example is shown here:
ALU <cicsdefaultuser> CICS(TIMEOUT(15))

5) Restricted from accessing all data sets and resources with the following exceptions:
a) Delete the CICS default user from dataset access lists via the command:
PE '<dataset profile name>' ID(<cicsdefaultuser>) DEL
(a) Non-restricted CICS transactions (e.g., CESF, CESN, 'good morning' transaction, etc.)
(b) If applicable, resources necessary to operate in an intersystem communication (ISC) environment (i.e., LU6.1, LU6.2, and MRO)

NOTE: Execute the JCL in CNTL(IRRUT100) using the CICS default userid as SYSIN input. This report lists all occurrences of this userid within the RACF database, including data set and resource access lists.

c) If all items in (b) are true, there is NO FINDING.
d) If any item in (b) is untrue, this is a FINDING.

b
CICS logonid(s) must have time-out limit set to 15 minutes.
AC-11 - Medium - CCI-000057 - V-7120 - SV-7540r3_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
ZCIC0042
Vuln IDs
  • V-7120
Rule IDs
  • SV-7540r3_rule
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment. This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data. RACF provides the PROPCNTL class to prevent userids such as the CICS region userid from being propagated/used by unauthorized userids.
Information Assurance Officer
Checks: C-25320r1_chk

a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

NOTE: Any userid that does not have a TIMEOUT parameter specified will obtain its TIMEOUT parameter from the default value set in ZCIC0041. Any userid that specifies a TIMEOUT parameter must meet the requirements specified below.

b) Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.

c) If (b) is true for each CICS region and/or CICS user, there is NO FINDING.

NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, there is NO FINDING.
1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
2) A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM. The IAM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
3) The IAM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
(a) The time-out exception cannot exceed 60 minutes.
(b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
(c) The requirement must be revalidated on an annual basis.

d) If the CICS time-out limit is not specified for 15 minutes of inactivity, and the previously mentioned exceptions do not apply, this is a FINDING.

Fix: F-18481r1_fix

Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.

Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.

Examples: Use the RACF ALtUser command to assign the required value:
ALU <cics user> CICS(TIMEOUT(15))

b
z/OS system commands must be properly protected.
AC-3 - Medium - CCI-000213 - V-7482 - SV-7919r4_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00282
Vuln IDs
  • V-7482
Rule IDs
  • SV-7919r4_rule
z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-75043r1_chk

From a command input screen enter:
RLIST OPERCMDS * ALL

Alternately:
Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(ACP00282)
- SENSITVE.RPT(OPERCMDS) (Alternate report)

Automated Analysis:
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00282)

The MVS.** resource is defined to the OPERCMDS class with a default access of NONE and all (i.e., failures and successes) access logged.

Access to z/OS system commands defined in the table entitled Required Controls on z/OS System Commands, in the z/OS STIG Addendum, is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.
NOTE: The (MVS.SEND) Command will not be a finding if used by all.

All access (i.e., failures and successes) to specific z/OS system commands is logged as indicated in the table entitled Required Controls on z/OS System Commands, in the z/OS STIG Addendum.

If any of the above is untrue for any z/OS system command resource, this is a FINDING.
If all of the above are true, there is NO FINDING.

Fix: F-6838r2_fix

z/OS system commands provide control over z/OS functions and can compromise security if misused. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the z/OS system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when all less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL.

Apply the following recommendations when implementing security:

The MVS.** resource is defined to the OPERCMDS class with an access of NONE and all (i.e., failures and successes) access logged.

Access to z/OS system commands defined in the "Required Controls on z/OS System Commands" table in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.
NOTE: The (MVS.SEND) Command will not be a finding if used by all.

All access (i.e., failures and successes) to specific z/OS system commands is logged as indicated in the table entitled "Required Controls on z/OS System Commands" in the z/OS STIG Addendum.

A sample set of commands to define and permit access to system command resources is shown here:
RDEF OPERCMDS MVS.** UACC(NONE) OWNER(<syspaudt>) AUDIT(ALL(READ)) DATA('set up deny-by-default profile per srr pdi acp00282')

Then, in accordance with the referenced table, use the following template to define profiles for each command:
RDEF OPERCMDS <systemcommandprofile> UACC(NONE) OWNER(<syspaudt>) AUDIT(ALL(READ))
PERMIT <systemcommandprofile> CLASS(OPERCMDS) ID(<groupname>) ACCESS(<accesslevel>)

b
CONSOLxx members must be properly configured.
CM-7 - Medium - CCI-000382 - V-7485 - SV-7923r4_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ACP00291
Vuln IDs
  • V-7485
Rule IDs
  • SV-7923r4_rule
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Systems Programmer
Checks: C-5237r2_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(ACP00291)

Review each CONSOLxx parmlib member. If the following guidance is true, this is not a finding.

____ The "DEFAULT" statement for each CONSOLxx member specifies "LOGON(REQUIRED)" or "LOGON(AUTO)".
____ The "CONSOLE" statement for each console assigns a unique name using the "NAME" parameter.
____ The "CONSOLE" statement for each console specifies "AUTH(INFO)". Exceptions: the "AUTH" parameter is not valid for consoles defined with "UNIT(PRT)", and specifying "AUTH(MASTER)" is permissible for the system console.

Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.

Fix: F-3247r2_fix

Ensure that the "DEFAULT" statement specifies "LOGON(REQUIRED)" so that all operators are required to log on prior to entering z/OS system commands. At the discretion of the ISSO, "LOGON(AUTO)" may be used. If "LOGON(AUTO)" is used, ensure that the console userids are defined with minimal access. See ACP00292.

Ensure that each "CONSOLE" statement specifies an explicit console NAME and that "AUTH(INFO)" is specified; this also includes extended MCS consoles. "AUTH(MASTER)" may be specified for the system console.

Note: The site should be able to determine the system consoles. However, it is imperative that the site adhere to the "DEFAULT" statement requirement.
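The three ACP00291 checks above (DEFAULT LOGON value, unique console NAME, AUTH(INFO) with the UNIT(PRT) and system-console exceptions) applied to a CONSOLxx member offline. This is an added example, not part of the STIG or of IBM's tooling; the CONSOLxx sample is constructed, the parser assumes each statement starts in column 1 with its keyword and that blank-indented lines continue the previous statement, and the set of system console names (SYSC) is a hypothetical site value.

```python
import re

# Constructed sample CONSOLxx member (not from the STIG page). Assumes each
# statement starts in column 1 with its keyword and that any line starting
# with blanks continues the previous statement (comments are /* ... */).
SAMPLE_CONSOLXX = """\
/* constructed sample CONSOLxx for demonstration only */
DEFAULT LOGON(REQUIRED) ROUTCODE(ALL)
CONSOLE DEVNUM(SYSCONS) NAME(SYSC) AUTH(MASTER)
CONSOLE DEVNUM(0A10) NAME(MMD041) UNIT(3270-X)
        AUTH(INFO) ROUTCODE(ALL)
CONSOLE DEVNUM(0A20) NAME(PRT1) UNIT(PRT)
CONSOLE DEVNUM(0A30) NAME(OPS1) AUTH(ALL)
CONSOLE DEVNUM(0A40) NAME(MMD041) AUTH(INFO)
CONSOLE DEVNUM(0A50) AUTH(INFO)
"""

STATEMENT_KEYWORDS = ("DEFAULT", "CONSOLE", "INIT", "HARDCOPY")
PARAM_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")


def parse_consolxx(text):
    """Return a list of (statement keyword, {PARAM: value}) in member order."""
    stmts = []
    for raw in text.splitlines():
        line = re.sub(r"/\*.*?\*/", " ", raw).rstrip()
        if not line.strip():
            continue
        first = line.split()[0].upper()
        if not raw[:1].isspace() and first in STATEMENT_KEYWORDS:
            stmts.append((first, {}))
        elif not stmts:
            continue  # stray text before the first statement
        keyword, params = stmts[-1]
        body = line.strip()
        if body.upper().startswith(keyword):
            body = body[len(keyword):]
        for name, value in PARAM_RE.findall(body.upper()):
            params[name] = value.replace(" ", "")
    return stmts


def check_consolxx(text, system_consoles=("SYSC",)):
    """Apply the three ACP00291 checks; an empty list means 'not a finding'."""
    findings = []
    stmts = parse_consolxx(text)
    defaults = [p for s, p in stmts if s == "DEFAULT"]
    logon = defaults[0].get("LOGON") if defaults else None
    if logon not in ("REQUIRED", "AUTO"):
        findings.append(
            "DEFAULT statement must specify LOGON(REQUIRED) or LOGON(AUTO); "
            "found %s" % logon)
    seen = {}  # console NAME -> DEVNUM of first use, for the uniqueness check
    for idx, (stmt, p) in enumerate(stmts):
        if stmt != "CONSOLE":
            continue
        name = p.get("NAME")
        label = name or "console #%d (DEVNUM %s)" % (idx, p.get("DEVNUM", "?"))
        if not name:
            findings.append("%s: CONSOLE statement has no NAME parameter" % label)
        elif name in seen:
            findings.append("%s: NAME is not unique (also used by DEVNUM %s)"
                            % (label, seen[name]))
        else:
            seen[name] = p.get("DEVNUM", "?")
        if p.get("UNIT") == "PRT":
            continue  # AUTH is not valid for printer consoles
        auth = p.get("AUTH")
        if auth == "INFO":
            continue
        if auth == "MASTER" and name in system_consoles:
            continue  # AUTH(MASTER) is permissible for the system console
        findings.append("%s: AUTH(INFO) required, found AUTH(%s)" % (label, auth))
    return findings


if __name__ == "__main__":
    for finding in check_consolxx(SAMPLE_CONSOLXX):
        print("FINDING:", finding)
```

Run against the sample it reports OPS1 (AUTH(ALL)), the duplicate MMD041 name, and the unnamed console at DEVNUM 0A50; the printer console and the AUTH(MASTER) system console pass under the stated exceptions.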

b
MCS console userid(s) will be properly protected.
CM-7 - Medium - CCI-000382 - V-7486 - SV-7925r3_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ACP00292
Vuln IDs
  • V-7486
Rule IDs
  • SV-7925r3_rule
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20011r2_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB)

Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- RACFCMDS.RPT(LISTUSER)
- RACFCMDS.RPT(LISTGRP)
- SENSITVE.RPT(OPERCMDS)
- RACFCMDS.RPT(DATASET)

Verify that the MCS console userids are properly restricted. If the following guidance is true, this is not a finding.

____ Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
____ Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
____ Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.).
____ Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.
____ Each console userid has the RACF default group that is an appropriate console group profile.

NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.

NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.

Fix: F-18157r2_fix

The IAO will ensure that all consoles identified in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) are defined to the ACP.

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.

Each console defined in the currently active CONSOLxx parmlib member in EXAM.RPT(PARMLIB) is associated with a valid RACF userid.
Each console userid has no special privileges and/or attributes (e.g., SPECIAL, OPERATIONS, etc.).
Each console userid has no accesses to interactive on-line facilities (e.g., TSO, CICS, etc.).
Each console userid will be restricted from accessing all data sets and resources except MVS.MCSOPER.consolename in the OPERCMDS resource class and consolename in the CONSOLE resource class.
Each console userid has the RACF default group that is an appropriate console group profile.

NOTE: If LOGON(AUTO) is specified in the currently active CONSOLxx parmlib member, additional access may be required. Permissions for the console userids and/or console group may be given with access READ to MVS.CONTROL, MVS.DISPLAY, MVS.MONITOR, and MVS.STOPMN OPERCMDS resource.

NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF console userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.

Examples:
AG consautolog SUPGROUP(<syspaudt>) OWNER(<syspaudt>) -
 DATA('group for console userids for autolog processing')
AG consnoautolog SUPGROUP(<syspaudt>) OWNER(<syspaudt>) -
 DATA('group for console userids for no autolog processing')
AU consname NAME('CONSOLE USERID FOR consname') NOPASSWORD NOOIDCARD -
 DFLTGRP(consautolog) OWNER(consautolog) -
 DATA('ADDED TO SUPPORT THE CHANGE TO LOGON(AUTO) IN CONSOLXX')
PERMIT MVS.CONTROL.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.DISPLAY.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.MONITOR.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT MVS.STOPMN.** CL(OPERCMDS) ID(consautolog) ACCESS(READ)
PERMIT consname CL(CONSOLE) ID(consname)

b
MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
AC-3 - Medium - CCI-000213 - V-7487 - SV-7928r3_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00293
Vuln IDs
  • V-7487
Rule IDs
  • SV-7928r3_rule
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-20012r1_chk

Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(CONSOLE)

Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(CONSOLE)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00293)

Ensure the following items are in effect for all MCS consoles identified in the EXAM.RPT(CONSOLE):
1) Each console is defined to RACF with a corresponding profile in the CONSOLE resource class.
2) Each CONSOLE profile is defined with UACC(NONE).
3) The userid associated with each console has READ access to the corresponding resource defined in the CONSOLE resource class.
4) Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel.

Fix: F-28348r2_fix

The IAO must ensure that all MCS consoles are defined to the CONSOLE resource class and READ access is limited to operators and system programmers.

Review the MCS console resources defined to z/OS and the ACP, and ensure they conform to those outlined below.

Each console defined in the CONSOLxx parmlib member is defined to RACF with a corresponding profile in the CONSOLE resource class. See the IBM z/OS OPERATIONS AND PLANNING guide for further information.

Each CONSOLE profile is defined with UACC(NONE).

A sample command file to accomplish items #1 and #2 is shown here:
RDEF CONSOLE MMDMST UACC(NONE) OWNER(syspaudt)
RDEF CONSOLE MMD041 UACC(NONE) OWNER(syspaudt)
RDEF CONSOLE MMDSCN UACC(NONE) OWNER(syspaudt)
RDEF CONSOLE ** UACC(NONE) OWNER(syspaudt) DATA('** represents all consoles not specifically defined')

Do not permit any user or group access to the ** profile. If a new console is added to the CONSOLxx member, it will be covered by this profile and a subsequent error will display in the log, which will allow identification of the undefined console.

The userid associated with each console will have READ access to the corresponding resource defined in the CONSOLE resource class. A sample command file to accomplish this is shown here. Note that the actual console groupid and userids are defined as part of ACP00292.
PE MMDMST CL(CONSOLE) ID(mmdmst)
PE MMDSCN CL(CONSOLE) ID(mmdscn)
PE MMD041 CL(CONSOLE) ID(mmd041)

Access authorization for CONSOLE resources restricts READ access to operations and system programming personnel. A sample command file showing a permission of READ access for sysprogs and operators is shown here:
PE MMDMST CL(CONSOLE) ID(syspaudt operaudt)
PE MMDSCN CL(CONSOLE) ID(syspaudt operaudt)
PE MMD041 CL(CONSOLE) ID(syspaudt operaudt)

b
Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.
AC-3 - Medium - CCI-000213 - V-7488 - SV-7931r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ACP00294
Vuln IDs
  • V-7488
Rule IDs
  • SV-7931r2_rule
MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
Checks: C-5415r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- SENSITVE.RPT(OPERCMDS)
- SENSITVE.RPT(TSOAUTH)

b) If the CONSOLE privilege is not defined to the TSOAUTH resource class, there is NO FINDING.

c) At the discretion of the IAO, users may be allowed to issue z/OS system commands from a TSO session. With this in mind, ensure the following items are in effect for users granted the CONSOLE resource in the TSOAUTH resource class:
1) Userids are restricted to the INFO level on the AUTH parameter specified in the OPERPARM segment of their userid.
2) Userids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class.
3) Userids and/or group IDs are restricted to READ access to the CONSOLE resource defined in the TSOAUTH resource class.

d) If all of the above in (c) are true, there is NO FINDING.
e) If any of the above in (c) are untrue, this is a FINDING.

Fix: F-18194r1_fix

Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.

Ensure the following items are in effect for all MCS consoles:
1. Define a profile protecting the use of the CONSOLE command within TSO. A sample command to accomplish this is shown here:
RDEF TSOAUTH CONSOLE UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ))
2. Permit only authorized users. A sample command to accomplish this is shown here:
PE CONSOLE CL(TSOAUTH) ID(<syspaudt>)
3. Set up the OPERPARM segment in the corresponding user-class entry. A sample command to accomplish this is shown here:
ALU <authorizeduser> OPERPARM(AUTH(INFO))
4. Userids are restricted to READ access to the MVS.MCSOPER.userid resource defined in the OPERCMDS resource class. A sample command to accomplish this is shown here using the GLOBAL class:
RDEF GLOBAL OPERCMDS ADDMEM(MVS.MCSOPER.&RACUID/READ) OWNER(ADMIN)

b
FACILITY resource class is inactive.
AC-3 - Medium - CCI-000213 - V-7490 - SV-7935r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0244
Vuln IDs
  • V-7490
Rule IDs
  • SV-7935r2_rule
IBM provides the FACILITY Class for use in protecting a variety of features/functions/products, both IBM and third party. The FACILITY Class is not dedicated to any one specific use and is intended as a multi-purpose RACF Class. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17346r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0244)

b) If the FACILITY resource class is active, there is NO FINDING.
c) If the FACILITY resource class is not active, this is a FINDING.

Fix: F-428r1_fix

The IAO will ensure that the FACILITY resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes.
(1) The FACILITY Class is activated with the command SETR CLASSACT(FACILITY).
(2) Generic profiles and commands should also be enabled with the command SETR GENERIC(FACILITY) GENCMD(FACILITY).
(3) IBM recommends RACLISTing the FACILITY Class, which is accomplished with the command SETR RACL(FACILITY).

b
MCS consoles are not active.
AC-3 - Medium - CCI-000213 - V-7491 - SV-7936r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0248
Vuln IDs
  • V-7491
Rule IDs
  • SV-7936r2_rule
(RACF0248: CAT II) MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-22316r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0248)

b) If the CONSOLE resource class is active, there is NO FINDING.
c) If the CONSOLE resource class is not active, this is a FINDING.

Fix: F-408r1_fix

The IAO will ensure that the CONSOLE resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes.
(1) The CONSOLE Class is activated with the command SETR CLASSACT(CONSOLE).
(2) Generic profiles and commands should also be enabled with the command SETR GENERIC(CONSOLE) GENCMD(CONSOLE).
(3) IBM recommends RACLISTing the CONSOLE Class, which is accomplished with the command SETR RACL(CONSOLE).

Refer to ACP00292, ACP00293, ACP00294 for information on content of the CONSOLE class.

b
The OPERCMDS resource class is not active.
AC-3 - Medium - CCI-000213 - V-7492 - SV-7937r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0246
Vuln IDs
  • V-7492
Rule IDs
  • SV-7937r2_rule
z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Information Assurance Officer
DCCS-1, DCCS-2
Checks: C-17993r1_chk

a) Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0246)

b) If the OPERCMDS resource class is active, there is NO FINDING.
c) If the OPERCMDS resource class is not active, this is a FINDING.

Fix: F-16638r1_fix

The IAO will ensure that the OPERCMDS class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes.
(1) The OPERCMDS Class is activated with the command SETR CLASSACT(OPERCMDS).
(2) Generic profiles and commands should also be enabled with the command SETR GENERIC(OPERCMDS) GENCMD(OPERCMDS).
(3) IBM recommends RACLISTing the OPERCMDS Class, which is accomplished with the command SETR RACL(OPERCMDS).

Refer to ACP00282 for information on content of the OPERCMDS class.

b
CICS system data sets are not properly protected.
CM-5 - Medium - CCI-001499 - V-7516 - SV-7978r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZCIC0010
Vuln IDs
  • V-7516
Rule IDs
  • SV-7978r2_rule
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
Information Assurance Officer
DCCS-1, DCCS-2, ECCD-1, ECCD-2
Checks: C-20140r1_chk

a) Refer to the following report produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(CICSRPT)

Since it is possible to have multiple CICS regions running on an LPAR, it is recommended that you go into the z/OS STIG Addendum and fill out all the information in the "CICS System Programmers Worksheet" for each CICS region running on your LPAR. It is recommended that you save this information for any other CICS vulnerabilities that will require it.

b) WRITE and/or ALLOCATE access to CICS system data sets is restricted to systems programming personnel.

c) If (b) is true, there is NO FINDING.
d) If (b) is untrue, this is a FINDING.

Fix: F-18244r1_fix

Review the access authorizations for CICS system data sets for each region. Ensure they conform to the specifications below:

A CICS environment may include several data set types required for operation. Typically they are CICS product libraries, which are usually included in the STEPLIB concatenation but may be found in DD DFHRPL; CICS system data sets that can be identified with DFH DD statements; other product system data sets; and application program libraries.

Restrict alter and update access to CICS program libraries and all system data sets to systems programmers only. Other access must be documented and approved by the IAO.

The site may determine access to application data sets included in the DD DFHRPL and CICS region startup JCL according to need.

Ensure that procedures are established, documented, and followed that prevent the introduction of unauthorized or untested application programs into production application systems.

c
Unsupported system software is installed and active on the system.
CM-7 - High - CCI-001764 - V-7545 - SV-8016r3_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001764
Version
AAMV0012
Vuln IDs
  • V-7545
Rule IDs
  • SV-8016r3_rule
When a vendor drops support of System Software, they no longer maintain security vulnerability patches to the software. Without vulnerability patches, it is impossible to verify that the system does not contain code which could violate the integrity of the operating system environment.
Checks: C-5997r2_chk

This check applies to all products that meet the following criteria:
- Uses authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries.
- Requires access to system datasets or sensitive information, or requires special or privileged authority to run.

For the products in the above category, refer to the Vendor's support lifecycle information for current versions and releases. This information should be added to the Vulnerability Questions within the SRRAUDIT Dialog Management document for supported software products.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0012)

If the software products currently running on the reviewed system are at a version greater than or equal to the products listed in the vendor's Support Lifecycle information, this is not a finding.

Fix: F-23123r2_fix

For all products that meet the following criteria: - Use authorized and restricted z/OS interfaces by utilizing Authorized Program Facility (APF) authorized modules or libraries. - Require access to system data sets or sensitive information, or require special or privileged authority to run. The ISSO will ensure that unsupported system software for the products in the above category is removed or upgraded prior to the vendor dropping support. Authorized software that is no longer supported is a CAT I vulnerability. The customer and site will be given 6 months to mitigate the risk, come up with a supported solution, or obtain a formal letter approving the risk/software.

b
Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.
CM-8 - Medium - CCI-000409 - V-7546 - SV-8019r3_rule
RMF Control
CM-8
Severity
Medium
CCI
CCI-000409
Version
AAMV0014
Vuln IDs
  • V-7546
Rule IDs
  • SV-8019r3_rule
Vendors' code may contain vulnerabilities that may be exploited to cause denial of service or to violate the integrity of the system or its data. Most vendors develop patches to correct these vulnerabilities. When vendors' products become unsupported, the creation of these patches ceases, leaving the system exposed to any future vulnerabilities not patched. Without a documented migration plan established to monitor system software versions and releases, unsupported software may be allowed to run on the system.
Information Assurance Officer, Security Manager
Checks: C-6030r2_chk

Refer to Vulnerability Questions within the SRRAUDIT Dialog Management document. Check with the systems programmer to make sure that a documented migration plan exists to monitor system software product versions and releases for end-of-life/non-support dates. Verify that the procedure notifies management to start procedures to upgrade to supported versions of the products, or to remove them, before that date. Automated Analysis: Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0014) If documented procedures exist to monitor system software products for the dates they will become unsupported and to notify management to upgrade to supported versions of the products, this is not a finding. Note: If product support is provided through an outside group or the site, verify that they have a process to notify the site of unsupported software.

Fix: F-17321r3_fix

The ISSO/ISSM will verify that a process is documented and followed for unsupported software.

b
FTP / Telnet unencrypted transmissions require an Acknowledgement of Risk Letter (AORL)
AC-6 - Medium - CCI-000041 - V-8271 - SV-8757r2_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-000041
Version
IFTP0100
Vuln IDs
  • V-8271
Rule IDs
  • SV-8757r2_rule
In addition to the data transmission being in the clear, the user credentials are also passed in the clear, which violates control IAIA-1. As mitigation for this vulnerability, special consideration must be given to account maintenance and the types of user privileges associated with these accounts. Interception of the above information could result in the compromise of the operating system environment, ACP, and customer data. Information being passed in the clear can violate system and data integrity.
Information Assurance Officer
DCCS-1, DCCS-2, EBRU-1, ECCT-1, ECCT-2
Checks: C-20020r1_chk

a) Provide a list of all FTP user IDs defined to the ACP database, including the function and purpose of each FTP user ID. b) Refer to the above list. c) Ensure that an Acknowledgement of Risk Letter exists for all user IDs utilizing unencrypted communications. d) If (c) is true, there is NO FINDING. e) If (c) is untrue, this is a FINDING.

Fix: F-12415r1_fix

Ensure that an Acknowledgement of Risk Letter exist for all userids utilizing unencrypted communications.

c
Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.
SI-1 - High - CCI-001220 - V-15209 - SV-15984r2_rule
RMF Control
SI-1
Severity
High
CCI
CCI-001220
Version
AAMV0018
Vuln IDs
  • V-15209
Rule IDs
  • SV-15984r2_rule
Vendors' code may contain vulnerabilities that may be exploited to cause denial of service or to violate the integrity of the system or data on the system. Most vendors develop patches to correct these vulnerabilities. These patches must be applied and documented.
Information Assurance Officer
DCAR-1, DCCS-1, DCCS-2
Checks: C-20499r1_chk

a) Refer to Vulnerability Questions within the SRRAUDIT Dialog Management document. Check with the Information Assurance Officer to make sure that documented procedures exist for security related software patches to be scheduled, applied and documented. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0018) b) If documented procedures exist to monitor, apply and document software patches, there is NO FINDING. c) If documented procedures do not exist to monitor, apply and document software patches, this is a FINDING.

Fix: F-16967r1_fix

The IAO will ensure that all security related software patches are scheduled to be applied and documented. System Programmers and IAOs should regularly check OS vendor web sites for information on new security patches that are applicable to their site. All applicable security patches will be scheduled to be applied to the system. A security patch is deemed applicable if the product is installed, even if it is not used or is disabled. FSO does not test or approve patches or service packs. It is the site’s responsibility to test vendor patches within their test environment.

b
Batch job user Ids must be properly defined.
AC-9 - Medium - CCI-000052 - V-17839 - SV-19114r3_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000052
Version
RACF0595
Vuln IDs
  • V-17839
Rule IDs
  • SV-19114r3_rule
Batch jobs are submitted to the operating system under their own USERID, which identifies the batch job to the system for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with every batch job. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without an associated USERID, a batch job's access to system resources will be limited.
Information Assurance Officer
Checks: C-19366r3_chk

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., a scheduler or other source) and each of the associated user IDs. From a command input screen enter: LISTUSER (each identified batch job user ID). Alternately, refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) The following USERID record fields/attributes must be specified: NAME, PROTECTED. No USERID may have the LAST-ACCESS field set to UNKNOWN. If both of the above are true, this is not a finding. If either of the USERID record fields/attributes (NAME and/or PROTECTED) is blank, or the LAST-ACCESS field is set to UNKNOWN, this is a finding.

Fix: F-17759r2_fix

Ensure the following: Associated USERIDs exist for all batch jobs, and documentation authorizing access to system resources is maintained and implemented. Set up the user IDs with the RACF PROTECTED attribute; a PROTECTED user ID has no password or password phrase, so it cannot be used to log on with a password and cannot be revoked by repeated invalid password attempts. A sample RACF command to accomplish this is shown here: ALU <execution-userid> NOPASSWORD NOOIDCARD
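The three LISTUSER fields the check names (NAME, PROTECTED, LAST-ACCESS) can be verified mechanically. The following is an added example, not part of the STIG or of the RACF Data Collection reports: it parses LISTUSER output into per-user records, applies the check's three criteria, and emits the ALU command from the fix above for each ID that lacks PROTECTED. The sample LISTUSER output is constructed, the user IDs SCHDJOB1 and SCHDJOB2 are hypothetical, and treating NAME=UNKNOWN as a blank name is an assumption.

```python
"""Check RACF LISTUSER output for batch-job user IDs against RACF0595.

Added example, not part of the STIG. The sample LISTUSER output is
constructed; the field layout follows the standard LISTUSER display.
Assumption: a user defined without a NAME is displayed as NAME=UNKNOWN.
"""
import re

# Constructed sample: one compliant scheduler ID, one non-compliant ID.
SAMPLE_LISTUSER = """\
USER=SCHDJOB1 NAME=BATCH SCHEDULER      OWNER=SYSADM   CREATED=18.045
 DEFAULT-GROUP=BATCH    PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=19.266/02:00:11
 CLASS AUTHORIZATIONS=NONE
USER=SCHDJOB2 NAME=UNKNOWN              OWNER=SYSADM   CREATED=18.045
 DEFAULT-GROUP=BATCH    PASSDATE=18.045 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=UNKNOWN
 CLASS AUTHORIZATIONS=NONE
"""

# NAME is padded with blanks up to the OWNER= field, hence the non-greedy match.
_USER_RE = re.compile(r"^USER=(\S+)\s+NAME=(.*?)\s+OWNER=", re.MULTILINE)
_ATTR_RE = re.compile(r"^\s*ATTRIBUTES=(.*)$", re.MULTILINE)
_LAST_RE = re.compile(r"^\s*LAST-ACCESS=(\S+)", re.MULTILINE)


def split_user_records(listuser_text):
    """Yield (userid, record_text) for each USER= block in the output."""
    starts = [m.start() for m in _USER_RE.finditer(listuser_text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(listuser_text)
        record = listuser_text[start:end]
        yield _USER_RE.match(record).group(1), record


def check_batch_userids(listuser_text):
    """Return {userid: [finding, ...]}; an empty list means the ID is compliant."""
    results = {}
    for userid, record in split_user_records(listuser_text):
        findings = []
        name = _USER_RE.match(record).group(2).strip()
        if not name or name == "UNKNOWN":
            findings.append("NAME is blank")
        attr_match = _ATTR_RE.search(record)
        attributes = attr_match.group(1).split() if attr_match else []
        if "PROTECTED" not in attributes:
            findings.append("PROTECTED attribute not set")
        last_match = _LAST_RE.search(record)
        if not last_match or last_match.group(1) == "UNKNOWN":
            findings.append("LAST-ACCESS is UNKNOWN (ID has never been used)")
        results[userid] = findings
    return results


def remediation_commands(results):
    """RACF commands from the STIG fix text for IDs that lack PROTECTED."""
    return [
        f"ALU {userid} NOPASSWORD NOOIDCARD"
        for userid, findings in results.items()
        if "PROTECTED attribute not set" in findings
    ]


if __name__ == "__main__":
    report = check_batch_userids(SAMPLE_LISTUSER)
    for userid, findings in report.items():
        status = "not a finding" if not findings else "FINDING: " + "; ".join(findings)
        print(f"{userid}: {status}")
    for cmd in remediation_commands(report):
        print(cmd)
```

Feed it the RACFCMDS.RPT(LISTUSER) report or captured LISTUSER output for the scheduler IDs; the LAST-ACCESS=UNKNOWN case is reported separately because it points to an ID that was defined but never used, which the fix cannot repair with ALU.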

b
z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
CM-2 - Medium - CCI-000294 - V-23837 - SV-28773r3_rule
RMF Control
CM-2
Severity
Medium
CCI
CCI-000294
Version
ACP00340
Vuln IDs
  • V-23837
Rule IDs
  • SV-28773r3_rule
A product that generates reports validating changes to, additions to, or removals from APF and LPA libraries, as well as changes to SYS1.PARMLIB PDS members, should be run against system libraries to provide a baseline analysis that allows monitoring of changes to these libraries. Failure to monitor and review these reports on a regular basis and to validate any changes could threaten the integrity and availability of the operating system environment and compromise the confidentiality of customer data.
Information Assurance Officer, Systems Programmer
DCCS-1, DCCS-2, DCPR-1, DCSL-1, ECAT-1, ECAT-2
Checks: C-29206r2_chk

Note: For DISA sites the product used to generate these reports is CA-Auditor. z/OS Baseline Reporting: the review period is based upon a 10% random selection of z/OS domains at the given site by the IAO. The schedule shall not be published or known; z/OS domains shall be randomly selected each week. a) The z/OS Baseline reports (as identified by report/function CS212C (Updates to SYS1.PARMLIB), CS221C (APF library statistics) and CS243C (LPA library statistics)) shall be reviewed and validated with the appropriate system programming staff on a weekly schedule, or as required based on INFOCON Level requirements. Note: Sites that do not utilize CA-Auditor should review the z/OS STIG Addendum for samples of the CA-Auditor reports to identify the information to collect. The INFOCON Level requirements can be found in STRATEGIC COMMAND DIRECTIVE (SD) 527-1. b) Such reports shall be compared with known and authorized changes to the specific z/OS domain. Any anomalies found shall be documented as a potential incident and investigated, with written documentation as proof that such review was completed. c) If the baseline reports are being reviewed and samples of the baseline reports exist, there is NO FINDING. d) If the baseline reports are not being reviewed or samples of the reports do not exist, this is a FINDING.

Fix: F-27588r2_fix

Validate the results of the z/OS Baseline reports with the appropriate system programming staff. For sites that have CA-Auditor, minimally the following functional reports shall be validated: CS212C, CS221C and CS243C. Compliance consists of the appropriate system programming staff reviewing the specific baseline reports and affirming that the changes are legitimate. Any identified exception or anomaly shall be reported, researched and documented. Such documentation shall be made available for auditor reviews. The baseline reports should be created as GDGs and saved for at least a year. See the z/OS Addendum under ACP00340 for additional instructions and a sample of the CA-Auditor reports that should be run at sites that utilize CA-Auditor.

b
z/OS USS Software owning Shared accounts do not meet strict security and creation restrictions.
AC-3 - Medium - CCI-000213 - V-28603 - SV-36387r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZUSS0080
Vuln IDs
  • V-28603
Rule IDs
  • SV-36387r2_rule
Shared accounts by nature are a violation of proper audit trail and proper user authentication. If not properly controlled, they could cause system corruption without an audit trail tracing session activity to an individual user's identity.
Information Assurance Officer, Information Assurance Manager
ECAR-1, ECAR-2, ECAR-3, IAGA-1
Checks: C-35840r1_chk

“z/OS USS Software Owning Shared Accounts” may be created for the installation and upgrade of z/OS mainframe products that require the use of USS (UNIX System Services), as long as all IA requirements are met. Within this vulnerability they are referred to either by the full name or abbreviated as “shared accounts”. Rules and requirements for z/OS USS Software Owning Shared Accounts: 1) Shall include a statement from the responsible SA requesting the “shared account”, stating specific justification for the z/OS USS Software Owning shared account. The responsible SA shall be responsible for maintaining all documentation concerning the account (usage, control, annual review, etc.) and shall provide it upon request by IA staff or auditors. 2) A separate “z/OS USS Software Owning shared account” user ID will be created for each application and/or product that requires USS, for separation of duties in product support. This “shared account” shall be used for the sole purpose of file/directory ownership based upon the UID assigned to the “shared account”. 3) The “shared accounts” shall only be used within/for USS (UNIX System Services). The “shared account” user IDs shall have no special privileges, shall not be granted access to interactive on-line facilities or the batch facility, and shall not be granted access to data sets and resources outside of the USS environment. 4) The “shared account” user IDs shall adhere to the same complex password syntax rules and shall be assigned a non-expiring complex password or be set up as PROTECTED under RACF. 5) Authorized user(s) shall only access the “shared account” via the USS su command with surrogate authority (su -s userid) and shall not utilize any password. When the ACP IAO creates the account with a complex password, that password shall not be written down or shared with others.
6) The responsible, documented z/OS system programmer shall be granted specific, limited and temporary access based upon submitted security service requests identifying the project, the duration required and the justification for accessing the “shared account” via the su command on a specific z/OS domain (for example, initial software installation or upgrade of specific vendor software). 7) The responsible individual z/OS system programmer shall be granted temporary access to the specific BPX.SRV.userid resource (“userid” being the single “shared account” requested) in the SURROGAT class, with full logging of the permission to BPX.SRV.userid, for the specific period of time required to perform the functional requirements via the su command and appropriate usage of the “shared account”. 8) Standard procedure for all updates within USS directories/files shall be performed based upon the direct authority granted to the z/OS system programmer's individual user ID. Shared accounts shall only be utilized for initial software installation or vendor software upgrades. If all the above requirements are not met for the z/OS USS Software Owning shared account, this is a finding.

Fix: F-31080r1_fix

To create a shared account follow the instructions below. “Shared accounts” will be created for the installation and upgrade of z/OS mainframe products that require the use of USS (UNIX System Services). Rules and requirements for z/OS USS Software Owning Shared Accounts: 1) Shall include a statement from the responsible SA requesting the “shared account”, stating specific justification for the z/OS USS Software Owning shared account. The responsible SA shall be responsible for maintaining all documentation concerning the account (usage, control, annual review, etc.) and shall provide it upon request by IA staff or auditors. 2) A separate “z/OS USS Software Owning shared account” user ID will be created for each application and/or product that requires USS, for separation of duties in product support. This “shared account” shall be used for the sole purpose of file/directory software ownership based upon the UID assigned to the “shared account”. 3) The “shared accounts” shall only be used within/for USS (UNIX System Services). The “shared account” user IDs shall have no special privileges, shall not be granted access to interactive on-line facilities or the batch facility, and shall not be granted access to data sets and resources outside of the USS environment. 4) The “shared account” user IDs shall adhere to the same complex password syntax rules and shall be assigned a non-expiring complex password or be set up as PROTECTED under RACF. 5) Authorized user(s) shall only access the “shared account” via the USS su command with surrogate authority (su -s userid) and shall not utilize any password. When the ACP IAO creates the account with a complex password, that password shall not be written down or shared with others.
6) The responsible, documented z/OS system programmer shall be granted specific, limited and temporary access based upon submitted security service requests identifying the project, the duration required and the justification for accessing the “shared account” via the su command on a specific z/OS domain (for example, initial software installation or upgrade of specific vendor software). 7) The responsible individual z/OS system programmer shall be granted temporary access to the specific BPX.SRV.userid resource (“userid” being the single “shared account” requested) in the SURROGAT class, with full logging of the permission to BPX.SRV.userid, for the specific period of time required to perform the functional requirements via the su command and appropriate usage of the “shared account”. 8) Standard procedure for all updates within USS directories/files shall be performed based upon the direct authority granted to the z/OS system programmer's individual user ID. Shared accounts shall only be utilized for initial software installation or vendor software upgrades. To share HFS or zFS files associated with this shared account:
  • Associate the directory or file with an ACP group that has been assigned a z/OS UNIX group identifier (GID), give the ACP group the appropriate group permissions, and connect the users to this ACP group.
  • With z/OS Version 1 Release 3 or later, you can use access control lists (ACLs) to control access to files and directories by individual UIDs and GIDs. With ACLs you can give more than one group permissions for directories or files, so you do not need to ensure that all your file owners connect to the same ACP group.
NOTE: If using HFSSEC for TSS or ACF2 you will not be able to use ACLs to control access to your files. Both CA-ACF2 and CA-TSS provide a feature to control all HFS/zFS files and directories directly within the ACP using the HFSSEC resource class.
HFSSEC provides full control, auditing and review capability within the native ACP software and requires less interaction in setting up appropriate access controls over the vast USS environment. With appropriate HFSSEC controls in place, access controls are performed by the ACP and not via USS UID/GID controls. Using HFSSEC, all controls are at the user ID level and ACLs cannot be used to control access.

b
IEASYMUP resource will be protected in accordance with proper security requirements.
AC-6 - Medium - CCI-002234 - V-29532 - SV-38886r5_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002234
Version
ACP00350
Vuln IDs
  • V-29532
Rule IDs
  • SV-38886r5_rule
Failure to properly control access to the IEASYMUP resource could result in unauthorized personnel modifying sensitive z/OS system symbols. This exposure may threaten the integrity and availability of the operating system environment.
Information Assurance Officer
Checks: C-39208r4_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(FACILITY) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00350) Verify that the accesses for IEASYMUP resources and/or generic equivalent are properly restricted. If the following guidance is true, this is not a finding. ___ The RACF resources are defined with a default access of NONE. ___ The RACF resource access authorizations restrict UPDATE and/or greater access to DASD administrators, Tape Library personnel, and system programming personnel. ___ The RACF resource logging requirements are specified. ___ The RACF resource access authorizations are defined with UACC(NONE) and NOWARNING.

Fix: F-31250r4_fix

The IAO will ensure that the system-level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the system-level symbolic resources is limited to systems programmers, DASD administrators, and/or tape library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit UPDATE and/or greater access to the IEASYMUP resources to the above personnel. The following commands are provided as a sample for implementing resource controls:

rdef facility ieasymup.* uacc(none) owner(admin) -
   audit(all(read)) -
   data('protected per acp00350')
rdef facility ieasymup.symbolname uacc(none) owner(admin) -
   audit(all(read)) -
   data('protected per acp00350')
pe ieasymup.symbolname cl(facility) id(<dasdaudt>) acc(u)
pe ieasymup.symbolname cl(facility) id(<syspaudt>) acc(u)
pe ieasymup.symbolname cl(facility) id(<tapeaudt>) acc(u)

b
FTP Control cards will be properly stored in a secure PDS file.
IA-5 - Medium - CCI-000202 - V-29952 - SV-39518r2_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000202
Version
IFTP0110
Vuln IDs
  • V-29952
Rule IDs
  • SV-39518r2_rule
FTP control cards carry unencrypted information such as user IDs, passwords and remote IP addresses. Without a requirement to store this information separately from the JCL and in-stream JCL, anyone with access to the JCL libraries can read it, which is a security exposure.
Information Assurance Officer, Information Assurance Manager
IAIA-1, IAIA-2
Checks: C-39205r1_chk

Provide a list of the locations of all FTP control cards within a given application/AIS, ensuring no FTP control cards are within in-stream JCL, JCL libraries or any open-access data sets. The list shall indicate which application uses each PDS and the access requirements for those PDSs (who, and what level of access). Lists/spreadsheets used to document the meeting of this requirement shall be maintained by the responsible Application/AIS team, available upon request, and not maintained by the DISA mainframe IAO. Refer to the above list. Access to FTP scripts and/or data files located on host system(s) that contain an FTP user ID and/or password will be restricted to those individuals responsible for the application connectivity who have a legitimate requirement to know the user ID and password on the remote system. FTP control cards within in-stream JCL, within JCL libraries or in open-access libraries/data sets are a finding. Anyone having READ or greater access to the FTP control cards who is not listed within the spreadsheet by user ID is a finding.

Fix: F-34304r1_fix

Create a list or spreadsheet of the locations where FTP control cards are stored, who should have access to those libraries and which applications the FTP control cards are for. Add Columns for all people permitted access to the secured PDS. Make sure that the FTP control Cards for each FTP are stored in a secure PDS and that they are not placed in the JCL libraries or in the in-stream JCL for each FTP.
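As an added example (not part of the STIG), the following scans JCL for batch FTP steps and reports where their control cards live: in-stream (a finding), in a PDS on the documented approved list (not a finding), or in any other library (a finding). The JCL, the approved-list contents and the library names are constructed; the assumption that the batch FTP client is invoked as PGM=FTP and reads its commands from the INPUT DD matches the z/OS FTP client defaults, and the scanner does not handle JCL continuation lines or PROC expansion.

```python
"""Locate FTP control cards in JCL and flag in-stream or unapproved locations (IFTP0110).

Added example, not part of the STIG. The JCL below is constructed. It assumes
the z/OS batch FTP client (EXEC PGM=FTP) reads its commands from the INPUT DD
and that the approved secured PDS list comes from the application team's
spreadsheet described in the check.
"""
import re

# Constructed approved list of secured control-card PDSs (hypothetical names).
APPROVED_CONTROL_PDS = {"SYS3.FTP.CNTL"}

# Constructed sample JCL: in-stream control cards, an approved PDS member,
# a member in an unapproved library, and a non-FTP step with in-stream SYSIN.
SAMPLE_JCL = """\
//FTPJOB1  JOB (ACCT),'FTP PULL',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=FTP,PARM='(EXIT'
//SYSPRINT DD SYSOUT=*
//OUTPUT   DD SYSOUT=*
//INPUT    DD *
192.0.2.10
ftpuser
S3cret!Pw
get remote.file 'SYS3.LOCAL.FILE' (replace
quit
/*
//FTPJOB2  JOB (ACCT),'FTP PUSH',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=FTP,PARM='(EXIT'
//SYSPRINT DD SYSOUT=*
//INPUT    DD DSN=SYS3.FTP.CNTL(REMOTE1),DISP=SHR
//FTPJOB3  JOB (ACCT),'FTP PUSH',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=FTP,PARM='(EXIT'
//INPUT    DD DSN=SYS3.OPEN.JCL(FTPIN),DISP=SHR
//STEP2    EXEC PGM=IEBGENER
//SYSIN    DD *
  GENERATE MAXFLDS=1
/*
"""

_JOB_RE = re.compile(r"^//(\S+)\s+JOB\b")
_EXEC_RE = re.compile(r"^//(\S+)\s+EXEC\s+(.*)$")
_DD_RE = re.compile(r"^//(\S*)\s+DD\s+(.*)$")
_DSN_RE = re.compile(r"DSN=([A-Z0-9@#$.]+)(?:\(([A-Z0-9@#$]+)\))?", re.IGNORECASE)


def scan_jcl(jcl_text, approved_pds=APPROVED_CONTROL_PDS):
    """Return [(job, step, finding), ...] for every FTP step whose control cards
    are in-stream or in a library not on the approved list."""
    findings = []
    job = step = None
    in_ftp_step = in_stream = False
    for line in jcl_text.splitlines():
        if in_stream:
            # In-stream data ends at the /* delimiter or the next JCL statement.
            if line.startswith("/*") or line.startswith("//"):
                in_stream = False
            else:
                continue  # never echo the data itself: it may hold a password
        if line.startswith("//*"):
            continue  # JCL comment
        if m := _JOB_RE.match(line):
            job, step, in_ftp_step = m.group(1), None, False
            continue
        if m := _EXEC_RE.match(line):
            step = m.group(1)
            in_ftp_step = re.search(r"\bPGM=FTP\b", m.group(2), re.IGNORECASE) is not None
            continue
        if m := _DD_RE.match(line):
            ddname, operands = m.group(1), m.group(2)
            if operands.startswith(("*", "DATA")):
                in_stream = True
                if in_ftp_step and ddname == "INPUT":
                    findings.append((job, step, "FTP control cards in in-stream JCL"))
            elif in_ftp_step and ddname == "INPUT":
                dsn = _DSN_RE.search(operands)
                if dsn and dsn.group(1).upper() not in approved_pds:
                    findings.append((job, step,
                                     f"FTP control cards in unapproved library {dsn.group(1).upper()}"))
    return findings


if __name__ == "__main__":
    for job, step, finding in scan_jcl(SAMPLE_JCL):
        print(f"{job}/{step}: {finding}")
```

Run it over the members of each JCL library in scope; the second argument is the set of PDS names from the spreadsheet, so a library that is later approved drops out of the findings without a code change.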

b
Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF)
CM-6 - Medium - CCI-000366 - V-31561 - SV-41848r5_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ZWMQ0014
Vuln IDs
  • V-31561
Rule IDs
  • SV-41848r5_rule
IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks the ACP whether there is a user ID associated with that certificate and uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity, IBM WebSphere MQ will set the channel user ID to that default.
Checks: C-40336r11_chk

Validate that the list of all production WebSphere MQ remotes exists and contains approved Certificate Name Filters and associated user IDs. If the filter(s) are defined, accurate and approved per vulnerability ICER0030, and the associated user ID(s) are granted only need-to-know permissions and authority to resources and commands, this is not a finding. If there is no Certificate Name Filter for WebSphere MQ remotes, this is a finding. Note: A missing or improper CNF for an SSL channel results in message CSQX632I, as in the following example: CSQX632I csect-name SSL certificate has no associated user ID, remote channel channel-name - channel initiator user ID used

Fix: F-3836r4_fix

The responsible MQ system programmer(s) shall create and maintain a spreadsheet listing all production WebSphere MQ remotes and their associated individual user IDs with corresponding valid Certificate Name Filters (CNFs). This documentation will be reviewed and validated annually by the responsible MQ system programmer(s) and forwarded for approval by the ISSM. The ISSO will define the associated user IDs and the CNFs, and grant minimal need-to-know access by permitting only the required resources and commands for each user ID in the ACP. See the IBM WebSphere MQ Security manual for details on defining CNFs for WebSphere MQ. Generic access, such as resource permission at the ssid (queue manager) level of the MQ resource hierarchy, shall not be granted.

b
Sensitive and critical system data sets exist on shared DASD.
AC-21 - Medium - CCI-000099 - V-33795 - SV-44220r3_rule
RMF Control
AC-21
Severity
Medium
CCI
CCI-000099
Version
AAMV0500
Vuln IDs
  • V-33795
Rule IDs
  • SV-44220r3_rule
Any time a sensitive or critical system data set is allocated on a shared DASD device, it is critical to validate that it is properly protected on every additional system that shares that device. Without proper review and adequate restrictions on access to these data sets on all systems sharing them, the integrity and availability of the operating system, ACP, and customer data can be compromised.
Information Assurance Officer, Systems Programmer
DCCS-2, DCSL-1, ECAN-1, ECCD-1, ECCD-2
Checks: C-41843r8_chk

Check the HMC, VM, and z/OS documentation on how to validate and determine whether DASD volume(s) are shared. Note: In VM, issue the command QUERY DASD SYSTEM; this display shows shared volume(s) and indicates the number of systems sharing each volume. Validate that all machines that require access to these shared volume(s) have the volume(s) mounted. Obtain a map or VTOC listing of the shared volume(s). Check whether the shared volume(s) contain any critical or sensitive data sets. Identify shared and critical or sensitive data sets on the system being audited. These data sets can be APF, LINKLIST, LPA, catalogs, etc., as well as product data sets. If all of the critical or sensitive data sets identified on shared volume(s) are protected and justified to be on shared volume(s), this is not a finding. Critical or sensitive data sets on shared volume(s) that are not justified and not protected on every system that can access them are possible security breaches.

Fix: F-6827r4_fix

The system programming and system configuration personnel will review the list of shared DASD. Validate that the identified volumes of shared DASD are still valid within the HMC, VM and z/OS. If the shared volume(s) are valid and the systems having access to these shared volume(s) are valid, map the disk/VTOC listing to obtain the data sets on the shared volume(s). From this list obtain a list of the sensitive and critical system data sets found on the shared volume(s). Ensure that the data sets are justified to be shared on the system and to reside on the shared volume(s). The IAO will review all access requirements to validate that sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume(s). Protect the data set(s) whether or not they are used on the systems that have the shared volume(s) available to them.

b
RACF exit ICHPWX01 must be installed and properly configured.
IA-5 - Medium - CCI-000192 - V-59477 - SV-73907r3_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
RACF0462
Vuln IDs
  • V-59477
Rule IDs
  • SV-73907r3_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. Use of a complex password helps to increase the time and resources required to compromise the password. The RACF exit ICHPWX01 will allow for additional checks not available in RACF SETROPTS whenever a user selects a new password. Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.
Checks: C-60267r3_chk

From a system console screen issue the following modify command:

F AXR,IRRPWREX LIST

Automated Analysis: Refer to the following report produced by the RACF Data Collection: - PDI(RACF0462)

Review the results of the modify command. If the following options are listed, this is not a finding.

The number of required character types is 4 (assures that at least 1 upper case, 1 lower case, 1 number, and 1 special character is used in the password)
The user's name cannot be contained in the password
Only 3 consecutive characters of the user's name are allowed
The minimum word length checked is 8
The user ID cannot be contained in the password
Only 3 consecutive characters of the user ID are allowed
Only 3 unchanged positions of the current password are allowed
These positions need to be consecutive to cause a failure
This check is not case sensitive
No more than 0 pairs of repeating characters are allowed
This check is not case sensitive
A minimum list of 33 restricted prefix strings is being checked:
APPL APR AUG ASDF BASIC CADAM DEC DEMO FEB FOCUS GAME IBM JAN JUL JUN LOG MAR MAY NET NEW NOV OCT PASS ROS SEP SIGN SYS TEST TSO VALID VTAM XXX 1234

If the modify command fails or returns the following message in the system log, this is a finding.

IRX0406E REXX exec load file REXXLIB does not contain exec member IRRPWREX.

Fix: F-64889r3_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: For z/OS release 1.12 through z/OS release 2.1 APARs OA43998 and OA43999 must be applied. Install exit IRRPWREX according to instructions in z/OS Security Server RACF System Programmer's Guide. Note: RACF exit ICHPWX01 is coded to call a System REXX named IRRPWREX, so the name cannot be changed without a corresponding change to ICHPWX01. System REXX requires that this exec (IRRPWREX) reside in the REXXLIB concatenation. Update parameters in IRRPWREX according to table Parameters for RACF IRRPWREX in the z/OS STIG Addendum.
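To make the listed options concrete, the following added example implements the rules as the check states them. It is not IBM's IRRPWREX exec and not part of the STIG: the real exit is a System REXX that RACF calls during password change, while this is a stand-alone model of the same rules for testing candidate passwords or proposed parameter values before they go into the exit. The "minimum word length checked" option is not modelled; treating any non-alphanumeric character as "special" and skipping single-character name words (initials) are assumptions.

```python
"""Password-quality rules from the RACF0462 check, modelled in Python.

Added example, not IBM's IRRPWREX and not part of the STIG. Rules modelled:
4 character types; no run of more than 3 consecutive characters of the user
ID or of any word of the user's name (so a user ID or name word of 3 or fewer
characters fails only if contained whole); at most 3 consecutive unchanged
positions against the current password; no repeated character pairs; and the
33 restricted prefixes. All comparisons are case-insensitive, as the check
states. Assumptions: "special" = not a letter or digit; single-character name
words (initials) are skipped; the minimum-word-length option is not modelled.
"""

RESTRICTED_PREFIXES = (
    "APPL", "APR", "AUG", "ASDF", "BASIC", "CADAM", "DEC", "DEMO", "FEB",
    "FOCUS", "GAME", "IBM", "JAN", "JUL", "JUN", "LOG", "MAR", "MAY", "NET",
    "NEW", "NOV", "OCT", "PASS", "ROS", "SEP", "SIGN", "SYS", "TEST", "TSO",
    "VALID", "VTAM", "XXX", "1234",
)
REQUIRED_TYPES = 4
MAX_CONSECUTIVE_FROM_ID = 3    # 4 or more consecutive chars of ID/name fail
MAX_UNCHANGED_POSITIONS = 3    # 4 or more consecutive unchanged positions fail
MAX_REPEATING_PAIRS = 0


def character_types(password):
    """Count how many of upper, lower, digit, special are present."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def shares_run_with(password, source, max_allowed):
    """True if password contains more than max_allowed consecutive chars of source."""
    pw, src = password.upper(), source.upper()
    window = max_allowed + 1
    if len(src) < window:          # too short for a window: fail only if contained whole
        return bool(src) and src in pw
    return any(src[i:i + window] in pw for i in range(len(src) - window + 1))


def longest_unchanged_run(new_pw, old_pw):
    """Longest run of consecutive positions where new and old agree (case-insensitive)."""
    longest = current = 0
    for a, b in zip(new_pw.upper(), old_pw.upper()):
        current = current + 1 if a == b else 0
        longest = max(longest, current)
    return longest


def repeating_pairs(password):
    """Count adjacent identical characters, ignoring case."""
    pw = password.upper()
    return sum(1 for i in range(len(pw) - 1) if pw[i] == pw[i + 1])


def evaluate_password(new_pw, userid, name, old_pw=None):
    """Return the failed rule codes; an empty list means the password passes.

    old_pw is only known when the user changes their own password, so the
    UNCHANGED rule is skipped when it is None (as for an administrator reset).
    """
    failures = []
    if character_types(new_pw) < REQUIRED_TYPES:
        failures.append("TYPES")
    if shares_run_with(new_pw, userid, MAX_CONSECUTIVE_FROM_ID):
        failures.append("USERID")
    name_words = [w for w in name.split() if len(w) > 1]
    if name.upper().replace(" ", "") in new_pw.upper() or any(
        shares_run_with(new_pw, w, MAX_CONSECUTIVE_FROM_ID) for w in name_words
    ):
        failures.append("NAME")
    if old_pw is not None and longest_unchanged_run(new_pw, old_pw) > MAX_UNCHANGED_POSITIONS:
        failures.append("UNCHANGED")
    if repeating_pairs(new_pw) > MAX_REPEATING_PAIRS:
        failures.append("REPEAT")
    if new_pw.upper().startswith(RESTRICTED_PREFIXES):
        failures.append("PREFIX")
    return failures


if __name__ == "__main__":
    for pw, old in (("Tr0ub4d!r", None), ("Jsmith#2024", None), ("Winter!2019", "Winter!2018")):
        print(pw, evaluate_password(pw, "JSMITH", "JOHN SMITH", old_pw=old) or "passes")
```

Minimum length and the RACF syntax rules are enforced separately by SETROPTS PASSWORD(RULEn), which is why the model does not check length; a password that passes here can still be rejected by those rules.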

c
The RACF System REXX IRRPWREX security data set must be properly protected.
AC-3 - High - CCI-000213 - V-64803 - SV-79293r1_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
RACF0465
Vuln IDs
  • V-64803
Rule IDs
  • SV-79293r1_rule
The RACF System REXX named IRRPWREX contains sensitive access control and password information for the operating system environment and system resources. Unauthorized access could result in the compromise of passwords, the operating system environment, ACP (Access Control Program), and customer data.
Information Assurance Manager
Checks: C-65479r1_chk

Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(RACFREXX) Alternate source: Refer to the z/OS System REXX REXXLIB concatenation defined in the AXRxx member of SYS1.PARMLIB for the data set that contains the password exit REXX named IRRPWREX and for the defined AXRUSER. Automated Analysis: Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(RACF0465) Verify that the data set that contains IRRPWREX is properly restricted. If the following guidance is true, this is not a finding. ___ RACF data set access authorizations restrict READ to AXRUSER, z/OS systems programming personnel, security personnel, and auditors. ___ RACF data set access authorizations restrict UPDATE to security personnel using a documented change management procedure that provides a mechanism for granting access and revoking it after use. ___ All (i.e., failures and successes) data set access authorities (i.e., READ, UPDATE, and CONTROL) are logged. ___ RACF data set access authorizations specify UACC(NONE) and NOWARNING.

Fix: F-70735r1_fix

Ensure that READ access is restricted to security administrators, systems programmers, and auditors. Ensure that there is a procedure documented with the ISSM that defines a change management process providing a mechanism for granting UPDATE access to security administrators on an exception basis. The process should contain procedures to revoke access when the documented update is completed. Ensure that all failures and successes of data set access authorities for the RACF data set that contains the password exit are logged.
Examples:
ad 'sys3.racf.rexxlib.**' uacc(none) owner(sys3) -
  audit(all(read))
permit 'sys3.racf.rexxlib.**' id(<syspaudt> <secaaudt> <audtaudt> AXRUSER) acc(r)
permit 'sys3.racf.rexxlib.**' id(<secaaudt>) acc(u)

c
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
SC-13 - High - CCI-002450 - V-65649 - SV-80139r1_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
RACF0467
Vuln IDs
  • V-65649
Rule IDs
  • SV-80139r1_rule
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Checks: C-67757r2_chk

From the ISPF Command Shell enter: SETRopts List
Alternately: Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis: Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0467)
If the following is specified under "PASSWORD PROCESSING OPTIONS": "THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES", this is not a finding.

Fix: F-73269r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below:
For z/OS release 1.12 through z/OS release 2.1, APARs OA43998 and OA43999 must be applied. Set the password algorithm option to KDFAES. Sample syntax to activate:
SETRopts PASSWORD(ALGORITHM(KDFAES))

b
All digital certificates in use must have a valid path to a trusted Certification authority.
SC-23 - Medium - CCI-002470 - V-69223 - SV-83837r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-002470
Version
ICERR010
Vuln IDs
  • V-69223
Rule IDs
  • SV-83837r1_rule
The origin of a certificate, the Certificate Authority (i.e., CA), is crucial in determining if the certificate should be trusted. An approved CA establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.
Checks: C-70021r1_chk

NOTE: The procedures in this checklist item presume the domain being reviewed is running all releases of z/OS and uses the ACP as the certificate store. If the domain being reviewed is not a production system and is only used for test and development, this Self-Signed Certificates review can be skipped.
Refer to the following report produced by the ACF2 Data Collection Checklist:
RACFCMDS.RPT(CERTRPT)
If no certificate information is found, there is NO FINDING.
NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.
If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI's Root Certification Authority, there is no finding. Reference the IASE website for complete information as to which certificates are acceptable (http://iase.disa.mil/pki-pke/interoperability/).
Examples of an acceptable DoD CA are:
DoD PKI Class 3 Root CA
DoD PKI Med Root CA

Fix: F-75777r1_fix

Remove or replace certificates whose issuer's distinguished name does not lead to a DoD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI's Root Certification Authority.

b
Expired Digital Certificates must not be used.
Medium - V-69225 - SV-83841r1_rule
RMF Control
Severity
Medium
CCI
Version
ICERR020
Vuln IDs
  • V-69225
Rule IDs
  • SV-83841r1_rule
The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certificates are periodically refreshed. This is in accordance with DoD requirements. Expired certificates must not be in use.
Checks: C-70023r1_chk

NOTE: The procedures in this checklist item presume the domain being reviewed is running all releases of z/OS and uses the ACP as the certificate store. If the domain being reviewed is not a production system and is only used for test and development, this expired certificate review can be skipped.
Refer to the following report produced by the ACF2 Data Collection Checklist:
RACFCMDS.RPT(CERTRPT)
If no certificate information is found, there is no finding.
NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.
Check the expiration date for each certificate with a status of TRUST. If the expiration date has passed, this is a finding.

Fix: F-75779r1_fix

If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or to re-key the certificate. If it is an expired CA certificate, remove it.

b
Certificate Name Filtering must be implemented with appropriate authorization and documentation.
Medium - V-69227 - SV-83847r1_rule
RMF Control
Severity
Medium
CCI
Version
ICERR030
Vuln IDs
  • V-69227
Rule IDs
  • SV-83847r1_rule
Certificate name filtering is a facility that allows multiple certificates to be mapped to a single ACP userid. Rather than matching a certificate stored in the ACP to determine the userid, criteria rules are used. Depending on the filter criteria, a large number of client certificates could be mapped to a single userid. Failure to properly control the use of certificate name filtering could result in the loss of individual identity and accountability.
Checks: C-70025r1_chk

Currently the RACDCERT command does not support a generic userid value of ID(*) LISTMAP to list all the certificate name filters defined to RACF. However, the following commands can be issued to determine whether certificate name filtering may be implemented. If certificate name filtering is in use, collect documentation describing each active filter rule and written approval from the ISSM to use the rule.
Issue the SETROPTS LIST command. If the DIGTNMAP resource class is active, RACF is ready to process any certificate name filters with a Status of TRUST. The DIGTNMAP resource class should not be active unless certificate name filtering is desired. If the DIGTNMAP resource class is not active, there is NO FINDING.
Certificate name filters are stored as profiles in the DIGTNMAP resource class. The RLIST command is not intended for use with profiles in the DIGTNMAP resource class. However, it can be used to determine if any profiles are defined. (NOTE: The information will not be displayed in a format suitable for easily interpreting the filter.)
RLIST DIGTNMAP *
If there is nothing to list in the DIGTNMAP resource class, there is NO FINDING. If profile information is displayed, one or more certificate name filters are defined to RACF. Under the NAME heading of each profile listing is the userid the filter is being mapped to. Issue the following command to list the certificate name filter associated with each userid:
RACDCERT ID(profile name userid) LISTMAP
NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status.
If the DIGTNMAP resource class is active and certificate name filters have a Status of TRUST, certificate name filtering is in use. If certificate name filtering is in use and the filtering rules have been documented and approved by the ISSM, there is NO FINDING. If certificate name filtering is in use and the filtering rules have not been documented and approved by the ISSM, this is a FINDING.

Fix: F-75781r1_fix

Ensure any certificate name filtering rules in use are documented and approved by the ISSM.

c
The SSH daemon must be configured to only use the SSHv2 protocol.
High - V-69229 - SV-83851r1_rule
RMF Control
Severity
High
CCI
Version
ZSSH0010
Vuln IDs
  • V-69229
Rule IDs
  • SV-83851r1_rule
SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
Checks: C-70035r1_chk

Locate the SSH daemon configuration file. It may be found in the /etc/ssh/ directory. Alternately: From the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools. Select option 1 - Work with Processes. If the SSH daemon is not active, there is no finding.
Examine the SSH daemon configuration file. If the statements "Protocol 2,1" or "Protocol 1" are defined on a line without a leading comment, this is a finding.

Fix: F-75791r1_fix

Edit the sshd_config file and set the "Protocol" setting to "2".

c
The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
High - V-69231 - SV-83853r1_rule
RMF Control
Severity
High
CCI
Version
ZSSH0020
Vuln IDs
  • V-69231
Rule IDs
  • SV-83853r1_rule
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Checks: C-70037r1_chk

Locate the SSH daemon configuration file. It may be found in the /etc/ssh/ directory. Alternately: From the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools. Select option 1 - Work with Processes. If the SSH daemon is not active, there is no finding.
Examine the SSH daemon configuration file, sshd_config. If there are no Ciphers lines, or the cipher list contains any cipher not starting with "3des" or "aes", this is a finding. If the MACs line is not configured to "hmac-sha1" or greater, this is a finding.
Examine the z/OS-specific sshd server system-wide configuration file, zos_sshd_config. If any of the following is untrue, this is a finding.
FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

Fix: F-75861r1_fix

Edit the SSH daemon configuration and remove any ciphers not starting with "3des" or "aes". If necessary, add a "Ciphers" line using FIPS 140-2 compliant algorithms. Configure message authentication with a MACs setting of "hmac-sha1" or greater.
Edit the z/OS-specific sshd server system-wide configuration file as follows:
FIPSMODE=YES
CiphersSource=ICSF
MACsSource=ICSF

b
The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
Medium - V-69233 - SV-83855r1_rule
RMF Control
Severity
Medium
CCI
Version
ZSSH0030
Vuln IDs
  • V-69233
Rule IDs
  • SV-83855r1_rule
Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
Checks: C-70107r2_chk

Locate the SSH daemon configuration file. It may be found in the /etc/ssh/ directory. Alternately: From the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools. Select option 1 - Work with Processes. If the SSH daemon is not active, there is no finding.
Examine the SSH daemon configuration file. If the Banner statement is missing or configured to none, this is a finding. Ensure that the contents of the file specified on the Banner statement contain a logon banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. If there is any deviation, this is a finding.
STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Fix: F-75863r1_fix

Configure the Banner statement to point to a file that contains the Department of Defense (DoD) logon banner. Ensure that the contents of the file specified on the Banner statement contain a logon banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer.
STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

b
SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
Medium - V-69235 - SV-83857r1_rule
RMF Control
Severity
Medium
CCI
Version
ZSSH0040
Vuln IDs
  • V-69235
Rule IDs
  • SV-83857r1_rule
SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.
Checks: C-70109r1_chk

Locate the SSH daemon configuration file. It may be found in the /etc/ssh/ directory. Alternately: From the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools. Select option 1 - Work with Processes. If the SSH daemon is not active, there is no finding.
Examine the SSH daemon configuration file. If ServerSMF is not coded as ServerSMF TYPE119_U83, or is commented out, this is a finding.

Fix: F-75865r2_fix

Configure the SERVERSMF statement in the SSH Daemon configuration file to TYPE119_U83.

b
The SSH daemon must be configured to use SAF keyrings for key storage.
Medium - V-69237 - SV-83859r1_rule
RMF Control
Severity
Medium
CCI
Version
ZSSH0050
Vuln IDs
  • V-69237
Rule IDs
  • SV-83859r1_rule
The use of SAF Key Rings for key storage enforces organizational access control policies and assures the protection of cryptographic keys in storage.
Checks: C-70111r1_chk

Locate the SSH daemon configuration file. It may be found in the /etc/ssh/ directory. Alternately: From the UNIX System Services ISPF Shell, navigate to the ribbon and select Tools. Select option 1 - Work with Processes. If the SSH daemon is not active, there is no finding.
Examine the file. Ensure the following are either not coded or commented out:
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
Locate the z/OS-specific sshd server system-wide configuration file, zos_sshd_config. It may be found in the /etc/ssh/ directory. Ensure that a HostKeyRingLabel line is coded and not commented out.
If either of the above is not true, this is a finding.

Fix: F-75867r1_fix

Configure the SSH daemon configuration file so that the following HostKey statements are either not coded or commented out:
#HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
Configure zos_sshd_config with the HostKeyRingLabel statement. Example:
HostKeyRingLabel="SSHDAEM/SSHDring my label"
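The five SSH checks above (ZSSH0010 through ZSSH0050) can be applied mechanically to a copy of sshd_config and zos_sshd_config. The script below is an added example, not part of the STIG or of IBM's OpenSSH for z/OS tooling; its sample configurations are constructed, and it interprets "hmac-sha1 or greater" as accepting only hmac-sha1 and hmac-sha2 MAC names, which is an assumption.

```python
# Added example (not STIG or IBM code): audit sshd_config / zos_sshd_config
# against ZSSH0010-ZSSH0050. Assumption: "hmac-sha1 or greater" means only
# hmac-sha1* and hmac-sha2-* MAC names are acceptable.
import re
from typing import Dict, List, Tuple

BANNER_TITLE = "STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER"


def parse_config(text: str) -> Dict[str, List[str]]:
    """Active (uncommented) keyword -> values, for 'Key value' and 'Key=value' lines."""
    active: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not in effect
        m = re.match(r"^(\w+)\s*[=\s]\s*(.*)$", line)
        if m:
            active.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return active


def _list(cfg: Dict[str, List[str]], key: str) -> List[str]:
    """Split comma-separated values of a keyword into lower-cased names."""
    return [x.strip().lower() for v in cfg.get(key, []) for x in v.split(",")]


def audit_sshd(sshd_config: str, zos_sshd_config: str,
               banner_text: str = "") -> List[Tuple[str, str]]:
    """Return (rule id, description) per finding; an empty list means compliant."""
    cfg, zcfg = parse_config(sshd_config), parse_config(zos_sshd_config)
    f: List[Tuple[str, str]] = []
    # ZSSH0010: an uncommented Protocol line naming version 1 is a finding.
    for val in cfg.get("protocol", []):
        if "1" in [v.strip() for v in val.split(",")]:
            f.append(("ZSSH0010", f"SSHv1 enabled: Protocol {val}"))
    # ZSSH0020: Ciphers line required, 3des*/aes* only; MACs hmac-sha1 or greater;
    # zos_sshd_config must route ciphers and MACs through ICSF in FIPS mode.
    ciphers, macs = _list(cfg, "ciphers"), _list(cfg, "macs")
    bad = [c for c in ciphers if not c.startswith(("3des", "aes"))]
    if not ciphers or bad:
        f.append(("ZSSH0020", "Ciphers missing or non-FIPS: " + ",".join(bad)))
    if not macs or any(not m.startswith(("hmac-sha1", "hmac-sha2")) for m in macs):
        f.append(("ZSSH0020", "MACs not hmac-sha1 or greater: " + ",".join(macs)))
    for key, want in (("fipsmode", "YES"), ("cipherssource", "ICSF"), ("macssource", "ICSF")):
        got = [v.upper() for v in zcfg.get(key, [])]
        if got != [want]:
            f.append(("ZSSH0020", f"{key}={got or 'unset'}, expected {want}"))
    # ZSSH0030: Banner must name a file whose content is the mandatory DoD banner.
    banner = cfg.get("banner", [])
    if not banner or banner[0].lower() == "none":
        f.append(("ZSSH0030", "Banner statement missing or none"))
    elif banner_text and not banner_text.lstrip().startswith(BANNER_TITLE):
        f.append(("ZSSH0030", "banner file does not start with the mandatory banner"))
    # ZSSH0040: ServerSMF TYPE119_U83 must be coded and not commented out.
    if [v.upper() for v in cfg.get("serversmf", [])] != ["TYPE119_U83"]:
        f.append(("ZSSH0040", "ServerSMF TYPE119_U83 not in effect"))
    # ZSSH0050: no file-based HostKey lines; HostKeyRingLabel coded in zos_sshd_config.
    if cfg.get("hostkey"):
        f.append(("ZSSH0050", "file-based HostKey statements are active"))
    if not zcfg.get("hostkeyringlabel"):
        f.append(("ZSSH0050", "HostKeyRingLabel not coded in zos_sshd_config"))
    return f


# Constructed sample configurations, not taken from any real system.
WEAK_SSHD = """Protocol 2,1
Ciphers aes256-ctr,arcfour
MACs hmac-md5,hmac-sha1
Banner none
#ServerSMF TYPE119_U83
HostKey /etc/ssh/ssh_host_rsa_key
"""
WEAK_ZOS = 'FIPSMODE=NO\nCiphersSource=OpenSSL\n#HostKeyRingLabel="SSHDAEM/SSHDring my label"\n'
HARDENED_SSHD = """Protocol 2
Ciphers aes256-ctr,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-sha1
Banner /etc/ssh/banner
ServerSMF TYPE119_U83
#HostKey /etc/ssh/ssh_host_rsa_key
"""
HARDENED_ZOS = ('FIPSMODE=YES\nCiphersSource=ICSF\nMACsSource=ICSF\n'
                'HostKeyRingLabel="SSHDAEM/SSHDring my label"\n')

if __name__ == "__main__":
    for rule, why in audit_sshd(WEAK_SSHD, WEAK_ZOS):
        print(rule, why)
```

Pass the contents of the file named on the Banner statement as banner_text to have the ZSSH0030 content check applied as well.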

a
The SETROPTS LOGOPTIONS must be properly configured.
Low - V-71203 - SV-85827r1_rule
RMF Control
Severity
Low
CCI
Version
RACF0540
Vuln IDs
  • V-71203
Rule IDs
  • SV-85827r1_rule
Audit records are central to after-the-fact investigations of security incidents. Every effort should be taken to collect as much information as productively feasible for these investigative processes. The SETROPTS LOGOPTIONS option serves as a default auditing requirement. Auditing ‘Failures’ as a minimum will assure a base level of information is available for investigations.
Checks: C-71929r1_chk

From the ISPF Command Shell enter: SETRopts List
Alternately: Refer to the following report produced by the RACF Data Collection:
RACFCMDS.RPT(SETROPTS)
Automated Analysis: Refer to the following report produced by the RACF Data Collection:
PDI(RACF0540)
If the following options are specified at a minimum, this is not a finding.
LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the "ACTIVE" class as a minimum>
LOGOPTIONS "NEVER" CLASSES = NONE

Fix: F-77877r1_fix

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below. Ensure that the following LOGOPTIONS are specified:
LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the "ACTIVE" class as a minimum>
LOGOPTIONS "NEVER" CLASSES = NONE
The other LOGOPTIONS may be site determined.

c
Libraries included in the system REXXLIB concatenation must be properly protected.
AC-3 - High - CCI-000213 - V-71223 - SV-85847r1_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
ACP00062
Vuln IDs
  • V-71223
Rule IDs
  • SV-85847r1_rule
The libraries included in the system REXXLIB concatenation can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
Checks: C-71933r2_chk

Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(REXXRPT)
Automated Analysis: Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ACP00062)
The ACP data set rules for libraries in the REXXLIB concatenation restrict inappropriate (e.g., GLOBAL read) access.
The ACP data set rules for libraries in the REXXLIB concatenation restrict WRITE or greater access to only z/OS systems programming personnel.
The ACP data set rules for libraries in the REXXLIB concatenation restrict READ access to the following:
- Appropriate Started Tasks
- Auditors
- The user-id defined in PARMLIB member AXR00 AXRUSER(user-id)
The ACP data set rules for libraries in the REXXLIB concatenation specify that all (i.e., failures and successes) WRITE or greater access will be logged.
If all of the above are true, this is not a finding. If any of the above is not true, this is a finding.

Fix: F-77881r1_fix

Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. Ensure that WRITE or greater access to libraries included in the system REXXLIB concatenation is limited to system programmers only. Ensure READ access is allowed only to appropriate Started Tasks and Auditors. Ensure UPDATE and/or ALTER access (i.e., successes and failures) is logged.

b
The RACF SERVAUTH resource class must be active for TCP/IP resources.
AC-3 - Medium - CCI-000213 - V-75057 - SV-89737r2_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ITCPR052
Vuln IDs
  • V-75057
Rule IDs
  • SV-89737r2_rule
IBM Provides the SERVAUTH Class for use in protecting a variety of TCP/IP features/functions/products both IBM and third-party. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.
Checks: C-75103r2_chk

From a command input screen enter: SETROPTS LIST
Alternately, refer to the following reports produced by the RACF Data Collection:
RACFCMDS.RPT(SETROPTS)
DSMON.RPT(RACCDT) - Alternate list of active resource classes
Automated Analysis: Refer to the following report produced by the RACF Data Collection:
- PDI(ITCPR052)
If there are TCP/IP resources defined and the SERVAUTH resource class is not active, this is a finding.

Fix: F-81935r1_fix

Ensure that the SERVAUTH resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:
The RACF command SETR LIST will show the status of RACF controls, including a list of ACTIVE classes. The SERVAUTH class is activated with the command:
SETR CLASSACT(SERVAUTH)
Generic profiles and commands should also be enabled with the command:
SETR GENERIC(SERVAUTH) GENCMD(SERVAUTH)

b
RACF Global Access Checking must be restricted to appropriate classes and resources.
AC-3 - Medium - CCI-000213 - V-75059 - SV-89739r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RACF0780
Vuln IDs
  • V-75059
Rule IDs
  • SV-89739r1_rule
RACF Global Access Checking can be used to improve the performance of RACF authorization checking for selected resources. The global access checking table is maintained in storage and is checked early in the RACF authorization checking sequence. If an entry in the global access checking table allows the requested access to a resource, RACF performs no further authorization checking. This can eliminate the need for I/O to the RACF database to retrieve a resource profile, which can result in substantial performance improvements. However, if an entry in the global access checking table allows a requested access to a resource, no auditing is done for the request. Capture of audit data ensures a historical record of individual user accountability. This accountability is basic for forensic purposes.
Checks: C-75101r1_chk

From a command input screen enter: RL Global *
Alternately this can be viewed by following these steps: Refer to the following report produced by the RACF Data Collection:
- DSMON.RPT(RACGAC) - Examine the Global Access Checking entries.
If Global * is specified in SETROPTS, this is a finding.
The following entries may be allowed with the approval of the ISSM:
- DATASET class - ALTER access level to &RACUID.** (allows users all access to their own data sets)
- OPERCMDS class - READ access to MVS.MCSOPER.&RACUID (allows users access to the console for their jobs)
- JESJOBS class - ALTER access to CANCEL.*.*.&RACUID (allows users to cancel their own jobs)
- JESJOBS class - ALTER access to SUBMIT.*.*.&RACUID (allows users to submit their own jobs)
The ISSM may allow other classes to be included after evaluation with the system programmer. If any other members are included for Global Access Checking, this is a finding. If written approval by the ISSM is not provided, this is a finding.

Fix: F-81933r1_fix

Ensure that Global Access Checking is appropriately administered. Evaluate the impact associated with implementation of the control option. Develop approval documentation and a plan of action to implement the control option as specified in the example below:
RALT GLOBAL class-name ADDMEM(resource-name/access-level)