| V-223422 | | CA-ACF2 OPTS GSO record must be set to ABORT mode. | Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potentia... |
| V-223439 | | IBM z/OS must protect dynamic lists in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223440 | | IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223441 | | CA-ACF2 must limit Write or greater access to SYS1.UADS to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223442 | | CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223443 | | CA-ACF2 access to the System Master Catalog must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223445 | | CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223446 | | CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223447 | | CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223448 | | CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223449 | | CA-ACF2 must limit Write and Allocate access to all APF-authorized libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223450 | | CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223453 | | CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223456 | | CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223463 | | IBM z/OS SYS1.PARMLIB must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223464 | | CA-ACF2 must be installed, functional, and properly configured. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of... |
| V-223493 | | IBM z/OS UID(0) must be properly assigned. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223505 | | ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-223514 | | ACF2 security data sets and/or databases must be properly protected. | An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Sec... |
| V-223561 | | Unsupported IBM z/OS system software must not be installed and/or active on the system. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223569 | | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo... |
| V-223588 | | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223589 | | IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-223616 | | IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223419 | | IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223420 | | IBM z/OS must not use Expired Digital Certificates. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-223421 | | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-223423 | | The number of ACF2 users granted the special privilege PPGM must be justified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223426 | | The number of ACF2 users granted the special privilege ALLCMDS must be justified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223427 | | IBM z/OS system commands must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223428 | | IBM z/OS Sensitive Utility Controls must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223429 | | CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS). | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223430 | | CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223431 | | CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223433 | | CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223434 | | CA-ACF2 must limit access to SYS(x).TRACE to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223435 | | CA-ACF2 allocate access to system user catalogs must be properly protected. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223436 | | ACF2 Classes required to properly secure the z/OS UNIX environment must be ACTIVE. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223437 | | Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223438 | | CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223444 | | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223451 | | CA-ACF2 must limit Write and Allocate access to LINKLIST libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223452 | | CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223454 | | CA-ACF2 Access to SYS1.LINKLIB must be properly protected. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-223455 | | CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223457 | | IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. | Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management ac... |
| V-223458 | | CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223459 | | ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223462 | | The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-223465 | | CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223467 | | The EXITS GSO record value must specify the module names of site written ACF2 exit routines. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223468 | | The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223469 | | IBM z/OS TSO GSO record values must be set to the values specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223470 | | IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223471 | | IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223472 | | IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223473 | | IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223474 | | IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223475 | | CA-ACF2 RULEOPTS GSO record values must be set to the values specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223476 | | The CA-ACF2 GSO OPTS record value must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223477 | | CA-ACF2 must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-223478 | | CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223479 | | CA-ACF2 database must be backed up on a scheduled basis. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223480 | | ACF2 REFRESH attribute must be restricted to security administrators' LOGON ID only. | Users with the refresh attribute have the ability to effect changes to ESM global system options. Unauthorized use could result in the compromise of t... |
| V-223481 | | ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223482 | | ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223483 | | ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223484 | | ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223485 | | IBM z/OS Started Tasks must be properly identified and defined to ACF2. | Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure t... |
| V-223486 | | ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223487 | | ACF2 BACKUP GSO record must be defined with a TIME value specifies greater than 00 unless the database is shared and backed up on another system. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223489 | | ACF2 MAINT GSO record value if specified must be restricted to production storage management user. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223490 | | ACF2 LINKLST GSO record if specified must only contain trusted system data sets. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223491 | | IBM z/OS must properly protect MCS console userid(s). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223492 | | ACF2 BLPPGM GSO record must not be defined. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223494 | | IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223495 | | IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223496 | | ACF2 LOGONIDs must be defined with the required fields completed. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223497 | | CA-ACF2 defined user accounts must uniquely identify system users. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223498 | | CA-ACF2 userids found inactive for more than 35 days must be suspended. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-223499 | | CA-ACF2 PWPHRASE GSO record must be properly defined. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-223500 | | CA-ACF2 must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-223501 | | ACF2 PSWD GSO record value must be set to require at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-223502 | | ACF2 PSWD GSO record value must be set to require at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-223503 | | ACF2 PSWD GSO record value must be set to require at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-223504 | | ACF2 PSWD GSO record value must be set to require the change of at least 50 percent of the total number of characters when passwords are changed. | If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by i... |
| V-223506 | | ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-223507 | | ACF2 PSWD GSO record value must be set to require 24 hours/one day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-223508 | | ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-223509 | | ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system m... |
| V-223510 | | ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system m... |
| V-223511 | | ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices. | To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system m... |
| V-223512 | | ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO. | The SECVOLS record defines the DASD and tape volumes for which CA-ACF2 provides volume-level protection. Information at rest refers to the state of in... |
| V-223513 | | ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change. | The RESVOLS record defines DASD and mass storage volumes for which CA ACF2 is to provide protection at the data set name level. Information at rest re... |
| V-223515 | | ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-223517 | | IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In... |
| V-223518 | | IBM z/OS data sets for the FTP Server must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223519 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured. | MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets ... |
| V-223520 | | IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-223522 | | IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement. | The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information... |
| V-223523 | | IBM z/OS FTP Control cards must be properly stored in a secure PDS file. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223524 | | The IBM z/OS TFTP Server program must be properly protected. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223525 | | IBM z/OS FTP Server daemon must be defined with proper security parameters. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223526 | | IBM z/OS startup parameters for the FTP Server must be defined in the SYSTCPD and SYSFTPD DD statements for configuration files. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223527 | | IBM z/OS FTP.DATA configuration for the FTP Server must have INACTIVE statement properly set. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223528 | | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223529 | | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223530 | | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223531 | | IBM z/OS JES2 system commands must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223532 | | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223533 | | IBM z/OS JES2 output devices must be properly controlled for Classified Systems. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223534 | | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223535 | | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223536 | | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223537 | | The IBM z/OS BPX.SMF resource must be properly configured. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223539 | | IBM z/OS Inapplicable PPT entries must be invalidated. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-223540 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed. | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users o... |
| V-223541 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223542 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted. | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users o... |
| V-223543 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223544 | | IBM z/OS Required SMF data record types must be collected. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In... |
| V-223545 | | IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223546 | | IBM z/OS must specify SMF data options to assure appropriate activation. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In... |
| V-223547 | | IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocat... |
| V-223548 | | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-223549 | | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-223550 | | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG). | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-223551 | | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time, a particular e... |
| V-223552 | | IBM z/OS SNTP daemon (SNTPD) must be active. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time, a particular e... |
| V-223553 | | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time, a particular e... |
| V-223554 | | IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing. | SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and r... |
| V-223556 | | IBM z/OS PASSWORD data set and OS passwords must not be used. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223557 | | IBM z/OS must configure system waittimes to protect resource availability based on site priorities. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223558 | | IBM z/OS Emergency LOGONIDs must be properly defined. | Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activ... |
| V-223560 | | IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-223562 | | IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223563 | | IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223564 | | IBM z/OS must not have inaccessible APF libraries defined. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-223565 | | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). | Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and v... |
| V-223566 | | Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized tran... |
| V-223567 | | IBM z/OS must properly configure CONSOLxx members. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223568 | | IBM z/OS must use ICSF or SAF Key Rings for key management. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-223570 | | IBM z/OS sensitive and critical system data sets must not exist on shared DASD. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-223571 | | IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-223572 | | IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-223573 | | IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223574 | | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-223575 | | IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223576 | | IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223577 | | The IBM z/OS system administrator (SA) must develop a procedure to automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-223578 | | IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-223579 | | IBM z/OS system administrator must develop a procedure to notify system administrators (SAs) and information system security officers (ISSOs) of account enabling actions. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223581 | | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-223582 | | IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. | If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or fi... |
| V-223583 | | IBM z/OS must employ a session manager configured for users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223584 | | ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-223585 | | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-223586 | | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223587 | | IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223590 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. | HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these o... |
| V-223591 | | IBM z/OS Syslog daemon must be started at z/OS initialization. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223592 | | IBM z/OS Syslog daemon must be properly defined and secured. | The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes... |
| V-223593 | | IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223594 | | IBM z/OS DFSMS Program Resources must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223595 | | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223596 | | IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223597 | | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223598 | | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223599 | | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223600 | | IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, i... |
| V-223601 | | IBM z/OS TCP/IP resources must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223602 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223603 | | IBM z/OS data sets for the Base TCP/IP component must be properly protected. | MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to... |
| V-223604 | | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223605 | | IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223608 | | IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-223609 | | IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks w... |
| V-223610 | | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-223611 | | IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. | A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn use... |
| V-223613 | | IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223615 | | IBM z/OS TSOAUTH resources must be restricted to authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223617 | | IBM z/OS UNIX security parameters in etc/profile must be properly specified. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-223618 | | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223619 | | IBM z/OS UNIX resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223620 | | IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223621 | | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223622 | | IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-223623 | | IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223624 | | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-223625 | | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223626 | | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223629 | | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223630 | | IBM z/OS UNIX HFS MapName files security parameters must be properly specified. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized tran... |
| V-223631 | | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-223632 | | IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223633 | | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223634 | | IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223635 | | IBM z/OS UNIX user accounts must be properly defined. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223636 | | IBM z/OS UNIX groups must be defined with a unique GID. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223637 | | IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223638 | | IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223639 | | IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223640 | | IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223641 | | IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. | A logon banner can be used to inform users about the environment during the initial logon. In the DISA environment, logon banners are used to warn use... |
| V-223642 | | IBM z/OS UNIX Telnet Server warning banner must be properly specified. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223643 | | IBM z/OS UNIX Telnet Server Startup parameters must be properly specified to display the banner. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223644 | | IBM z/OS System data sets used to support the VTAM network must be properly secured. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223645 | | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-245535 | | IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-252547 | | IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks w... |
| V-252705 | | IBM z/OS must enforce a minimum eight character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-255895 | | IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. | This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occu... |
| V-255932 | | IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255933 | | IBM Integrated Crypto Service Facility (ICSF) install data sets must be properly protected. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255934 | | IBM Integrated Crypto Service Facility (ICSF) Started Task name must be properly identified / defined to the system ACP. | IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, datasets and other system function... |
| V-255945 | | IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected. | IBM Integrated Crypto Service Facility (ICSF) STC data sets have the ability to use privileged functions and/or have access to sensitive data. Failur... |
| V-272873 | | IBM z/OS DFSMS control data sets must reside on separate storage volumes. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-272874 | | IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275949 | | zOSMF resource class(es) must be defined to the ACF2 GSO CLASMAP record in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275951 | | ICSF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275964 | | zOSMF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275965 | | ICSF resource class(es) must be defined to the ACF2 GSO CLASMAP record in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223424 | | The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223425 | | The number of ACF2 users granted the special privilege CONSOLE must be justified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223466 | | CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-223488 | | ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |