Skip to content
Log In

IBM z/OS ACF2 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • CA-ACF2 must limit Write and allocate access to all system-level product installation libraries to system programmers only.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • CA-ACF2 Access to SYS1.LINKLIB must be properly protected.

    If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part ...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule High Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

    Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals ...
    Rule Medium Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule Medium Severity
    Show

  • SRG-OS-000329-GPOS-00128

    Group
    Show

  • The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.

    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
    Show

  • SRG-OS-000063-GPOS-00032

    Group
    Show

  • SRG-OS-000364-GPOS-00151

    Group
    Show

  • CA-ACF2 must be installed, functional, and properly configured.

    Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of the system. When dealing with access restrict...
    Rule High Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The EXITS GSO record value must specify the module names of site written ACF2 exit routines.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • IBM z/OS TSO GSO record values must be set to the values specified.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.

    The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure polic...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO.

    The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow control solution is the ability to configure polic...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • CA-ACF2 RULEOPTS GSO record values must be set to the values specified.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00225

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • CA-ACF2 database must be backed up on a scheduled basis.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.

    Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending o...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required.

    Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours can indicate hostile activity if it occurs during off hours. Depending o...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • IBM z/OS Started Tasks must be properly identified and defined to ACF2.

    Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that user...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules