IBM z/OS RACF Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule (Medium Severity): The IBM RACF database must be backed up on a scheduled basis.
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...

Group SRG-OS-000480-GPOS-00227
Rule (Medium Severity): IBM z/OS Batch job user IDs must be properly defined.
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...

Group SRG-OS-000480-GPOS-00227
Rule (Medium Severity): IBM RACF use of the RACF SPECIAL Attribute must be justified.
The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

Group SRG-OS-000480-GPOS-00227
Rule (Medium Severity): IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configuration...

Group SRG-OS-000096-GPOS-00050
Rule (Medium Severity): IBM z/OS must properly configure CONSOLxx members.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...

Group SRG-OS-000096-GPOS-00050

Group SRG-OS-000104-GPOS-00051
Rule (Medium Severity): IBM RACF users must have the required default fields.
Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate or phrasedate fields are completed. This ...

Group SRG-OS-000104-GPOS-00051
Rule (Medium Severity): IBM interactive USERIDs defined to RACF must have the required fields completed.
Interactive users are considered to be users of CICS, IMS, TSO/E, NetView, or other products that support logging on at a terminal. Improper assignments of attributes in the LOGONID record for inte...

Group SRG-OS-000104-GPOS-00051
Rule (Medium Severity): IBM z/OS Started Tasks must be properly identified and defined to RACF.
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that user...

Group SRG-OS-000104-GPOS-00051

Group SRG-OS-000104-GPOS-00051
Rule (Medium Severity): IBM RACF user accounts must uniquely identify system users.
To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...

Group SRG-OS-000118-GPOS-00060
Rule (Medium Severity): The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts...

Group SRG-OS-000069-GPOS-00037
Rule (Medium Severity): IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set.
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...

Group SRG-OS-000070-GPOS-00038
Rule (Medium Severity): IBM RACF exit ICHPWX01 must be installed and properly configured.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...

Group SRG-OS-000075-GPOS-00043
Rule (Medium Severity): The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually...

Group SRG-OS-000076-GPOS-00044
Rule (Medium Severity): IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force user...

Group SRG-OS-000077-GPOS-00045
Rule (Medium Severity): The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. HISTORY specifies the number of previous passwords that ...

Group SRG-OS-000073-GPOS-00041
Rule (High Severity): NIST FIPS-validated cryptography must be used to protect passwords in the security database.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be te...

Group SRG-OS-000138-GPOS-00069

Group SRG-OS-000080-GPOS-00048
Rule (Medium Severity): IBM RACF DASD Management USERIDs must be properly controlled.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...

Group SRG-OS-000032-GPOS-00013

Group SRG-OS-000080-GPOS-00048
Rule (Medium Severity): IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in th...

Group SRG-OS-000080-GPOS-00048
Rule (Medium Severity): IBM z/OS data sets for the FTP server must be properly protected.
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in th...

Group SRG-OS-000023-GPOS-00006

Group SRG-OS-000228-GPOS-00088
Rule (Medium Severity): IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement.
Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with...

Group SRG-OS-000480-GPOS-00227
Rule (Medium Severity): IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configuration...

Group SRG-OS-000368-GPOS-00154

Group SRG-OS-000096-GPOS-00050
Rule (Medium Severity): IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...

Group SRG-OS-000104-GPOS-00051