| V-223649 | | IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only. | This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthoriz... |
| V-223666 | | IBM RACF access to the System Master Catalog must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223667 | | IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223668 | | IBM z/OS must protect dynamic lists in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223674 | | IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223675 | | IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223676 | | IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223677 | | IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223678 | | IBM RACF must limit write or greater access to all LPA libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223679 | | IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223682 | | IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223684 | | The IBM RACF System REXX IRRPWREX security data set must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223685 | | IBM RACF security data sets and/or databases must be properly protected. | The External Security Manager (ESM) database files contain all access control information for the operating system environment and system resources. U... |
| V-223687 | | IBM RACF must limit all system PROCLIB data sets to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223697 | | IBM z/OS SYS1.PARMLIB must be properly protected. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-223703 | | IBM RACF must define WARN = NO on all profiles. | Failure to restrict system access to authenticated users negatively impacts operating system security.... |
| V-223704 | | The IBM RACF PROTECTALL SETROPTS value specified must be properly set. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223729 | | NIST FIPS-validated cryptography must be used to protect passwords in the security database. | Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the num... |
| V-223760 | | IBM RACF must be installed and active on the system. | Enterprise environments make account management for operating systems challenging and complex. A manual process for account management functions adds ... |
| V-223777 | | IBM RACF must define UACC of NONE on all profiles. | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.... |
| V-223781 | | Unsupported system software must not be installed and/or active on the system. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223788 | | The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption. | This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at res... |
| V-223807 | | The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to th... |
| V-223810 | | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223837 | | IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use. | Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management ac... |
| V-223838 | | The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223856 | | IBM z/OS UID(0) must be properly assigned. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223646 | | Certificate Name Filtering must be implemented with appropriate authorization and documentation. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223647 | | Expired digital certificates must not be used. | The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that ... |
| V-223648 | | All digital certificates in use must have a valid path to a trusted certification authority (CA). | The origin of a certificate, or the CA, is crucial in determining if the certificate should be trusted. An approved CA establishes grounds for confide... |
| V-223652 | | IBM RACF emergency USERIDs must be properly defined. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-223653 | | IBM RACF SETROPTS LOGOPTIONS must be properly configured. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223654 | | IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223655 | | IBM z/OS system commands must be properly protected. | z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could resul... |
| V-223656 | | IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. | MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing... |
| V-223657 | | The IBM RACF FACILITY resource class must be active. | IBM provides the FACILITY Class for use in protecting a variety of features/functions/products both IBM and third-party. The FACILITY Class is not ded... |
| V-223658 | | The IBM RACF OPERCMDS resource class must be active. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223659 | | The IBM RACF MCS consoles resource class must be active. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223660 | | IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223661 | | IBM RACF started tasks defined with the trusted attribute must be justified. | Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks which could then obtain unaut... |
| V-223662 | | IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223663 | | IBM RACF DASD volume-level protection must be properly defined. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223664 | | IBM Sensitive Utility Controls must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223665 | | IBM RACF Global Access Checking must be restricted to appropriate classes and resources. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223669 | | IBM RACF allocate access to system user catalogs must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223670 | | IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223671 | | IBM RACF must limit access to SYS(x).TRACE to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223672 | | IBM RACF batch jobs must be properly secured. | Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for t... |
| V-223673 | | IBM RACF batch jobs must be protected with propagation control. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223680 | | IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223681 | | IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223683 | | IBM RACF access to SYS1.LINKLIB must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223686 | | IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223688 | | IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223689 | | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. | MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unauthorized personnel issuing... |
| V-223690 | | IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223691 | | The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223692 | | The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF). | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223693 | | The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF). | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223694 | | IBM RACF OPERAUDIT SETROPTS value must be set to OPERAUDIT. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-223695 | | The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-223699 | | The IBM RACF SETROPTS SAUDIT value must be specified. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-223700 | | The IBM RACF REALDSN SETROPTS value must be specified. | Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, sec... |
| V-223701 | | IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. | SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and r... |
| V-223702 | | IBM RACF SETROPTS RVARYPW values must be properly set. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of... |
| V-223705 | | The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223706 | | The IBM RACF RETPD SETROPTS value specified must be properly set. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223707 | | The IBM RACF TAPEDSN SETROPTS value specified must be properly set. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223708 | | The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223709 | | IBM RACF use of the AUDITOR privilege must be justified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223710 | | The IBM RACF database must be on a separate physical volume from its backup and recovery datasets. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223711 | | The IBM RACF database must be backed up on a scheduled basis. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223712 | | IBM z/OS Batch job user IDs must be properly defined. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223713 | | IBM RACF use of the RACF SPECIAL Attribute must be justified. | The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and servi... |
| V-223714 | | IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified. | This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occu... |
| V-223715 | | IBM z/OS must properly configure CONSOLxx members. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223716 | | IBM z/OS must properly protect MCS console userid(s). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223717 | | IBM RACF users must have the required default fields. | Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's pas... |
| V-223718 | | IBM interactive USERIDs defined to RACF must have the required fields completed. | Interactive users are considered to be users of CICS, IMS, TSO/E, NetView, or other products that support logging on at a terminal. Improper assignmen... |
| V-223719 | | IBM z/OS Started Tasks must be properly identified and defined to RACF. | Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure t... |
| V-223721 | | The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223722 | | IBM RACF user accounts must uniquely identify system users. | To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group ... |
| V-223723 | | The IBM RACF INACTIVE SETROPTS value must be set to 35 days. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-223724 | | IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-223725 | | IBM RACF exit ICHPWX01 must be installed and properly configured. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-223726 | | The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-223727 | | IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-223728 | | The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. HISTORY s... |
| V-223731 | | The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-223732 | | IBM RACF DASD Management USERIDs must be properly controlled. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223733 | | IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. | The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both su... |
| V-223734 | | IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. | MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets ... |
| V-223735 | | IBM z/OS data sets for the FTP server must be properly protected. | MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets ... |
| V-223736 | | IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-223737 | | IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223739 | | IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. | This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occu... |
| V-223740 | | The IBM z/OS TFTP server program must be properly protected. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223741 | | IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223742 | | The IBM z/OS FTP server daemon must be defined with proper security parameters. | The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and con... |
| V-223743 | | IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223744 | | IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. | To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or ... |
| V-223745 | | IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223746 | | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223747 | | IBM z/OS JES2 input sources must be properly controlled. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223748 | | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223749 | | IBM z/OS JES2 output devices must be properly controlled for classified systems. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223750 | | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223751 | | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223752 | | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223753 | | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223754 | | IBM z/OS JES2 system commands must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223755 | | IBM z/OS surrogate users must be controlled in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223756 | | IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223757 | | IBM z/OS must configure system wait times to protect resource availability based on site priorities. | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-223758 | | The IBM z/OS BPX.SMF resource must be properly configured. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223759 | | IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. | The TN3270 Telnet Server can provide audit data in the form of SMF records. The SMF data produced provides information about individual sessions. This... |
| V-223761 | | The IBM z/OS system administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-223762 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223763 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified. | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information ... |
| V-223764 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted. | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information ... |
| V-223765 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed. | When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or... |
| V-223766 | | The IBM z/OS system administrator (SA) must develop a process to notify information system security officers (ISSOs) of account enabling actions. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223767 | | IBM z/OS required SMF data record types must be collected. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223768 | | IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-223769 | | IBM z/OS must specify SMF data options to assure appropriate activation. | SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each o... |
| V-223770 | | IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocat... |
| V-223771 | | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-223772 | | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-223773 | | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). | It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit ... |
| V-223774 | | The IBM z/OS SNTP daemon (SNTPD) must be active. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-223775 | | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time, a particular e... |
| V-223776 | | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-223778 | | IBM z/OS PASSWORD data set and OS passwords must not be used. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223780 | | The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound conne... |
| V-223782 | | IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223783 | | IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223784 | | IBM z/OS must not have inaccessible APF libraries defined. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-223785 | | IBM z/OS inapplicable PPT entries must be invalidated. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-223786 | | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). | Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and v... |
| V-223792 | | The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-223793 | | The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-223794 | | The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223795 | | IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-223796 | | IBM z/OS must employ a session for users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223797 | | IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-223798 | | IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-223800 | | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-223801 | | IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements. | The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization'... |
| V-223803 | | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-223804 | | IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. | If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or fi... |
| V-223805 | | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-223806 | | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. | SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each o... |
| V-223809 | | The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223811 | | IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management. | Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will n... |
| V-223812 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured. | HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these o... |
| V-223813 | | The IBM z/OS Syslog daemon must be started at z/OS initialization. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223814 | | The IBM z/OS Syslog daemon must be properly defined and secured. | The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes... |
| V-223815 | | IBM z/OS DFSMS Program Resources must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223816 | | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223817 | | IBM z/OS DFSMS-related RACF classes must be active. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223818 | | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223819 | | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223820 | | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223821 | | IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, i... |
| V-223822 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured. | HFS directories and files of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product... |
| V-223823 | | IBM z/OS TCP/IP resources must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223824 | | The IBM RACF SERVAUTH resource class must be active for TCP/IP resources. | IBM provides the SERVAUTH class for use in protecting a variety of TCP/IP features/functions/products, both IBM and third-party. Failure to activate th... |
| V-223826 | | IBM z/OS data sets for the Base TCP/IP component must be properly protected. | MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to... |
| V-223827 | | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223831 | | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client. This algorithm is used to encrypt t... |
| V-223833 | | The IBM z/OS warning banner for the TN3270 Telnet server must contain the proper content of the Standard Mandatory DoD Notice and Consent Banner. | System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exi... |
| V-223834 | | IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223835 | | The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223836 | | IBM z/OS TSOAUTH resources must be restricted to authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223839 | | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223840 | | IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223842 | | IBM z/OS UNIX security parameters in etc/profile must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223843 | | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223844 | | IBM z/OS UNIX resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223845 | | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223846 | | IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223847 | | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223848 | | IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-223849 | | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223850 | | The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE. | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223851 | | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223852 | | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223853 | | IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223854 | | IBM z/OS UNIX HFS MapName files security parameters must be properly specified. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized tran... |
| V-223855 | | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223857 | | IBM z/OS UNIX groups must be defined with a unique GID. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223859 | | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223860 | | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223861 | | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223862 | | IBM z/OS UNIX user accounts must be properly defined. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223863 | | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223864 | | The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined. | The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server. Several of these parameters ... |
| V-223865 | | IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. | HFS directories and files of the z/OS UNIX Telnet Server provide the configuration and executable properties of this product. Failure to properly secu... |
| V-223866 | | The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. | A logon banner can be used to inform users about the environment during the initial logon. Logon banners are used to warn users against unauthorized e... |
| V-223867 | | IBM z/OS UNIX Telnet server Startup parameters must be properly specified. | The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell. During the initialization process, startup parameters... |
| V-223868 | | The IBM z/OS UNIX Telnet server warning banner must be properly specified. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223869 | | IBM z/OS System datasets used to support the VTAM network must be properly secured. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223870 | | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-230209 | | The IBM RACF System REXX IRRPHREX security data set must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-230210 | | IBM RACF exit ICHPWX11 for password phrases must be installed and properly configured. | Use of a complex password phrase helps to increase the time and resources required to compromise the password. Password phrase complexity, or strength... |
| V-235033 | | IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only. | The primary function of the LINKLIST is to serve as a single repository for commonly used system modules. Failure to ensure that the proper set of lib... |
| V-245536 | | The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-251107 | | IBM z/OS sensitive and critical system data sets must not exist on shared DASDs. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-252553 | | IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks w... |
| V-255935 | | IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255936 | | IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255937 | | IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP. | IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, datasets and other system function... |
| V-255938 | | IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF. | Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to ... |
| V-255939 | | IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected. | IBM Integrated Crypto Service Facility (ICSF) STC data sets have the ability to use privileged functions and/or have access to sensitive data. Failur... |
| V-257135 | | IBM Passtickets must be configured to be KeyEncrypted. | Passwords such as IBM Passtickets need to be protected at all times, and encryption is the standard method for protecting such passwords. If passwords... |
| V-272875 | | IBM z/OS FTP Control cards must be properly stored in a secure PDS file. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal ... |
| V-272877 | | IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-272879 | | IBM z/OS DFSMS control data sets must reside on separate storage volumes. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-275952 | | zOSMF resource class(es) must be active in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275953 | | The ICSF resource class(es) must be active in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275954 | | ICSF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275956 | | zOSMF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223650 | | IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only. | Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the op... |
| V-223787 | | IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized tran... |