IBM z/OS ACF2 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when cond... (Rule, Medium Severity)
IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and recording of the operating system environment, A... (Rule, Medium Severity)
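The SMF rule above is about who can read, write or allocate SYS1.MANx. As an added example (it is not part of the STIG, of ACF2, or of any IBM or Broadcom tooling), the Python below parses a constructed ACF2 access-rule set for the SYS1 key and lists every UID mask granted READ, WRITE or ALLOC to the SMF collection data sets that is not on an approved list. It assumes the rule-entry form `dsnmask UID(uidmask) READ(x) WRITE(x) ALLOC(x) EXEC(x)` with x = A (allow), L (allow and log) or P (prevent), keyword abbreviations R/W/A/E, an omitted access type defaulting to P, an omitted UID applying to everyone, and `-` matching any run of characters while `*` matches one; the rule text, data-set names and the approved UID SMFDUMP are all constructed. The caveat it makes visible: an entry with WRITE(L) still permits the write and merely logs it, so it is a finding, not a control.

```python
"""List who can touch the SMF collection files under an ACF2 access rule set.

Added example, not part of the STIG or of ACF2 itself.  Assumptions:
  * Rule entries use the form  dsnmask UID(uidmask) READ(x) WRITE(x) ALLOC(x) EXEC(x)
    with x = A (allow), L (allow and log) or P (prevent); keywords may be
    abbreviated R/W/A/E; an access type not named defaults to P; an entry
    without UID applies to every user.
  * In both data-set and UID masks '-' matches any run of characters and
    '*' exactly one; the $KEY card supplies the high-level qualifier.
  * The rule text, data-set names and approved list below are constructed.
"""
import re
from typing import Dict, List, Tuple

_ACCESS = {"read": "read", "r": "read", "write": "write", "w": "write",
           "alloc": "alloc", "a": "alloc", "exec": "exec", "e": "exec"}
_KEYWORD = re.compile(r"^(\w+)\((.*)\)$")


def mask_to_regex(mask: str) -> "re.Pattern":
    """ACF2-style mask to anchored regex ('-' any run, '*' one character)."""
    body = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.compile(f"^{body}$")


def parse_rule_set(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return ($KEY value, entries); each entry holds dsn, uid and the four access values."""
    key, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$"):                      # control card
            m = re.match(r"\$KEY\((\S+)\)", line, re.I)
            if m:
                key = m.group(1).upper()
            continue
        parts = line.split()
        entry = {"dsn": parts[0].upper(), "uid": "-",   # assumed defaults: everyone, prevent
                 "read": "P", "write": "P", "alloc": "P", "exec": "P"}
        for tok in parts[1:]:
            m = _KEYWORD.match(tok)
            if not m:
                continue
            k, v = m.group(1).lower(), m.group(2).upper()
            if k == "uid":
                entry["uid"] = v
            elif k in _ACCESS:
                entry[_ACCESS[k]] = v[:1]
        entries.append(entry)
    return key, entries


def who_can(key, entries, dsn, access) -> List[Tuple[str, str]]:
    """UID masks whose entry covers dsn and grants access (A or L; L still permits)."""
    hits = []
    for e in entries:
        if mask_to_regex(f"{key}.{e['dsn']}").match(dsn) and e[access] in ("A", "L"):
            hits.append((e["uid"], e[access]))
    return hits


def audit_smf(rule_text, smf_datasets, approved_uids) -> List[Tuple[str, str, str, str]]:
    """(dataset, ACCESS, uidmask, A|L) for every grant to a UID mask not on the approved list."""
    key, entries = parse_rule_set(rule_text)
    findings = []
    for dsn in smf_datasets:
        for access in ("read", "write", "alloc"):
            for uid, how in who_can(key, entries, dsn.upper(), access):
                if uid not in approved_uids:
                    findings.append((dsn, access.upper(), uid, how))
    return findings


# Constructed sample rule set: the SYSPROG- and catch-all entries are the findings.
SAMPLE_RULES = """\
$KEY(SYS1)
MAN-    UID(SMFDUMP)  READ(A) WRITE(A) ALLOC(A) EXEC(A)
MAN-    UID(SYSPROG-) READ(L) WRITE(L)
MAN-    UID(-)        READ(A)
PARMLIB UID(-)        READ(A)
"""
SMF_DATASETS = ["SYS1.MAN1", "SYS1.MAN2"]
APPROVED = {"SMFDUMP"}

if __name__ == "__main__":
    for dsn, access, uid, how in audit_smf(SAMPLE_RULES, SMF_DATASETS, APPROVED):
        note = " (logged, but still permitted)" if how == "L" else ""
        print(f"{dsn}: {access} granted to UID mask {uid!r}{note}")
```

Run against the real rule set by pasting the decompiled SYS1 rule text in place of the sample and the site's SMF dump UIDs in place of APPROVED; EXEC is deliberately left out of the audit because SMF collection files are never executed.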
IBM z/OS must configure system wait times to protect resource availability based on site priorities.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an exis... (Rule, Medium Severity)
Unsupported IBM z/OS system software must not be installed and/or active on the system.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi... (Rule, High Severity)
IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries.
Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi... (Rule, Medium Severity)
IBM z/OS must not have inaccessible APF libraries defined.
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke... (Rule, Medium Severity)
Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of t... (Rule, Medium Severity)
The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This co... (Rule, High Severity)
IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary... (Rule, Medium Severity)
IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ... (Rule, Medium Severity)
The IBM z/OS system administrator (SA) must develop a procedure to automatically remove or disable temporary user accounts after 72 hours.
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al... (Rule, Medium Severity)
The IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible fo... (Rule, Medium Severity)
IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man... (Rule, Medium Severity)
IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner.
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with... (Rule, Medium Severity)
IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable... (Rule, High Severity)
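The three SSH daemon rules above (SMF recording, DoD banner, SSHv2 only) are all decided by a handful of keywords in the daemon's configuration files. As an added example (not part of the STIG or of IBM's OpenSSH port), the Python below parses constructed copies of sshd_config and zos_sshd_config and grades each rule. It applies OpenSSH's own semantics, which is where manual reviews go wrong: keywords are case-insensitive, the first value seen for a keyword wins (a later "Protocol 2" does not undo an earlier "Protocol 2,1"), and settings under a Match line are conditional rather than global. The SMF keyword and value, ServerSMF TYPE119_U83 in zos_sshd_config, are as I recall them from the z/OS OpenSSH documentation and should be confirmed for the installed release; the configuration text is constructed sample data.

```python
"""Audit z/OS OpenSSH daemon settings for the three SSH rules above.

Added example, not part of the STIG or of IBM's OpenSSH.  Assumptions:
  * sshd_config follows OpenSSH semantics: keywords are case-insensitive,
    a line whose first non-blank character is '#' is a comment, keyword and
    value are separated by blanks or '=', the FIRST value seen for a keyword
    wins, and lines after a 'Match' line are conditional (not global).
  * z/OS-specific settings live in zos_sshd_config and SMF recording is
    switched on with 'ServerSMF TYPE119_U83' (keyword and value as recalled
    from the z/OS OpenSSH documentation; confirm for your release).
  * All configuration text below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value per keyword: first occurrence wins, Match blocks skipped."""
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True                      # everything below is conditional
            continue
        if not in_match:
            effective.setdefault(key, val)       # first value wins
    return effective


def audit(sshd_cfg: str, zos_cfg: str) -> List[Tuple[str, str, str]]:
    """Return (rule, status, detail) with status PASS, FAIL or REVIEW."""
    s, z = parse_sshd_config(sshd_cfg), parse_sshd_config(zos_cfg)
    out = []
    proto = s.get("protocol")
    if proto is None:
        out.append(("SSHv2 only", "REVIEW",
                    "Protocol not set: OpenSSH 7.0+ speaks only SSHv2, but older "
                    "ported builds may still default to 2,1; confirm the installed release"))
    elif "1" in [p.strip() for p in proto.split(",")]:
        out.append(("SSHv2 only", "FAIL", f"Protocol {proto} still offers SSHv1"))
    else:
        out.append(("SSHv2 only", "PASS", f"Protocol {proto}"))
    banner = s.get("banner")
    if banner is None or banner.lower() == "none":
        out.append(("DoD logon banner", "FAIL", "no Banner shown before authentication"))
    else:
        out.append(("DoD logon banner", "PASS",
                    f"Banner {banner} (still compare the file text with the approved notice)"))
    smf = z.get("serversmf")
    if smf is not None and smf.upper() == "TYPE119_U83":
        out.append(("SMF recording", "PASS", f"ServerSMF {smf}"))
    else:
        out.append(("SMF recording", "FAIL", f"ServerSMF is {smf!r}, expected TYPE119_U83"))
    return out


# Constructed weak configuration: the later Protocol line and the Match-scoped
# Banner look like fixes but are not the effective global values.
WEAK_SSHD = """\
# constructed sample
Port 22
Protocol 2,1
Protocol 2
#Banner /etc/ssh/banner
Match User batchsvc
    Banner /etc/ssh/banner
"""
WEAK_ZOS = "# constructed sample: SMF keyword absent\n"

# Constructed hardened configuration.
HARDENED_SSHD = "Port 22\nProtocol 2\nBanner /etc/ssh/banner\n"
HARDENED_ZOS = "ServerSMF TYPE119_U83\n"

if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_SSHD, WEAK_ZOS)),
                       ("hardened", (HARDENED_SSHD, HARDENED_ZOS))):
        for rule, status, detail in audit(*cfg):
            print(f"{label:8} {status:6} {rule}: {detail}")
```

The banner check only confirms that a Banner file is configured; whether its text is the approved DoD notice still has to be read from the file itself.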
IBM z/OS Syslog daemon must be properly defined and secured.
The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. It is also possible to receive log messages f... (Rule, Medium Severity)
IBM z/OS DFSMS Program Resources must be properly defined and protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS DFSMS resource class(es) must be defined to the GSO SAFDEF record in accordance with security requirements.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS TCP/IP resources must be properly protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS data sets for the Base TCP/IP component must be properly protected.
MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP system product. Failure to properly secure these data sets may lead to un... (Rule, Medium Severity)
IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule, Medium Severity)
IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addres... (Rule, Medium Severity)
IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information s... (Rule, Medium Severity)
IBM z/OS TSOAUTH resources must be restricted to authorized users.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS UNIX security parameters in /etc/profile must be properly specified.
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system.... (Rule, Medium Severity)
IBM z/OS UNIX resources must be protected in accordance with security requirements.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, an... (Rule, Medium Severity)
IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part ... (Rule, Medium Severity)
IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of t... (Rule, Medium Severity)
IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable... (Rule, Medium Severity)
IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule, Medium Severity)
IBM z/OS UNIX user accounts must be properly defined.
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user... (Rule, Medium Severity)
IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS UNIX Telnet Server warning banner must be properly specified.
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with... (Rule, Medium Severity)
IBM z/OS System data sets used to support the VTAM network must be properly secured.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity)
IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poisoned cache, the packets could have been intercep... (Rule, Medium Severity)
IBM z/OS must enforce a minimum eight character password length.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene... (Rule, Medium Severity)
IBM Integrated Crypto Service Facility (ICSF) Started Task name must be properly identified/defined to the system ACP.
IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, data sets and other system functions. By defining the started task as a userid to ... (Rule, Medium Severity)