IBM z/OS ACF2 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000480-GPOS-00227
Group -
ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used.
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD ... (Rule, Low Severity)
SRG-OS-000368-GPOS-00154
Group -
SRG-OS-000368-GPOS-00154
Group -
ACF2 LINKLST GSO record if specified must only contain trusted system data sets.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi... (Rule, Medium Severity)
SRG-OS-000096-GPOS-00050
Group -
SRG-OS-000096-GPOS-00050
Group -
ACF2 BLPPGM GSO record must not be defined.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable... (Rule, Medium Severity)
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000104-GPOS-00051
Group -
IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule, Medium Severity)
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000104-GPOS-00051
Group -
ACF2 LOGONIDs must be defined with the required fields completed.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule, Medium Severity)
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000118-GPOS-00060
Group -
CA-ACF2 userids found inactive for more than 35 days must be suspended.
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts... (Rule, Medium Severity)
SRG-OS-000266-GPOS-00101
Group -
SRG-OS-000266-GPOS-00101
Group -
CA-ACF2 must enforce password complexity by requiring that at least one special character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ... (Rule, Medium Severity)
SRG-OS-000069-GPOS-00037
Group -
ACF2 PSWD GSO record value must be set to require at least one uppercase character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule, Medium Severity)
SRG-OS-000071-GPOS-00039
Group -
ACF2 PSWD GSO record value must be set to require at least one numeric character be used.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin... (Rule, Medium Severity)
SRG-OS-000070-GPOS-00038
Group -
SRG-OS-000072-GPOS-00040
Group -
SRG-OS-000073-GPOS-00041
Group -
ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c... (Rule, High Severity)
SRG-OS-000076-GPOS-00044
Group -
SRG-OS-000075-GPOS-00043
Group -
ACF2 PSWD GSO record value must be set to require 24 hours/one day as the minimum password lifetime.
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually... (Rule, Medium Severity)
SRG-OS-000077-GPOS-00045
Group -
ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user... (Rule, Medium Severity)
SRG-OS-000079-GPOS-00047
Group -
ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices.
To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system must not provide any information allowing an una... (Rule, Medium Severity)
SRG-OS-000079-GPOS-00047
Group -
ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices.
To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback from the operating system must not provide any information allowing an una... (Rule, Medium Severity)
SRG-OS-000079-GPOS-00047
Group -
SRG-OS-000185-GPOS-00079
Group -
SRG-OS-000185-GPOS-00079
Group -
ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.
The RESVOLS record defines DASD and mass storage volumes for which CA ACF2 is to provide protection at the data set name level. Information at rest refers to the state of information when it is loc... (Rule, Medium Severity)
SRG-OS-000134-GPOS-00068
Group -
SRG-OS-000138-GPOS-00069
Group -
ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non-VSAM data sets.
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ... (Rule, Medium Severity)
SRG-OS-000032-GPOS-00013
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in th... (Rule, Medium Severity)
SRG-OS-000023-GPOS-00006