
IBM z/OS RACF Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IBM RACF must define WARN = NO on all profiles.

    Failure to restrict system access to authenticated users negatively impacts operating system security.
    Rule High Severity
  • The IBM RACF PROTECTALL SETROPTS value specified must be properly set.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule High Severity
  • The IBM RACF RETPD SETROPTS value specified must be properly set.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
  • The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
  • The IBM RACF database must be on a separate physical volume from its backup and recovery datasets.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
  • IBM z/OS must properly protect MCS console userid(s).

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
    Rule Medium Severity
  • The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
  • The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.

    Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...
    Rule Medium Severity
  • IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.

    The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. Failure...
    Rule Medium Severity
  • IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
    Rule Medium Severity
  • The IBM z/OS TFTP server program must be properly protected.

    Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi...
    Rule Medium Severity
  • IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
  • IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.

    Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, an...
    Rule Medium Severity
  • IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS JESNEWS resources must be protected in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS JES2 system commands must be protected in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
  • The IBM z/OS BPX.SMF resource must be properly configured.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or after 72 hours.

    Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create a new a...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified.

    Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools includ...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted.

    Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools includ...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed.

    When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual operating system users or for identifying the operating system processes...
    Rule Medium Severity
  • The IBM z/OS system administrator (SA) must develop a process to notify information system security officers (ISSOs) of account enabling actions.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable an exis...
    Rule Medium Severity
  • IBM z/OS required SMF data record types must be collected.

    Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...
    Rule Medium Severity
  • IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...
    Rule Medium Severity
  • IBM z/OS must specify SMF data options to assure appropriate activation.

    SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the reco...
    Rule Medium Severity
  • IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data.

    In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of a...
    Rule Medium Severity
  • IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an ...
    Rule Medium Severity
  • IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).

    It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware ...
    Rule Medium Severity
  • The IBM z/OS SNTP daemon (SNTPD) must be active.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when cond...
    Rule Medium Severity
  • IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • IBM z/OS PASSWORD data set and OS passwords must not be used.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security ba...
    Rule Medium Severity
  • The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.

    Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD ...
    Rule Medium Severity
  • Unsupported system software must not be installed and/or active on the system.

    Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users wi...
    Rule High Severity
  • IBM z/OS inapplicable PPT entries must be invalidated.

    It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooke...
    Rule Medium Severity
  • The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.

    A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature ...
    Rule Medium Severity
  • IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.

    Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may...
    Rule Medium Severity
  • IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements.

    The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as neede...
    Rule Medium Severity
  • IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.

    If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible fo...
    Rule Medium Severity
  • IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.

    SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each of the ACPs. If the control options for the reco...
    Rule Medium Severity
  • The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.

    Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with...
    Rule Medium Severity
  • IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.

    HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product. Failure to properly secure these objects could lead to unauthorized access. This ...
    Rule Medium Severity
  • The IBM z/OS Syslog daemon must be properly defined and secured.

    The Syslog daemon, known as syslogd, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes. It is also possible to receive log messages f...
    Rule Medium Severity
  • IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS DFSMS-related RACF classes must be active.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be...
    Rule Medium Severity
  • IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...
    Rule Medium Severity
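The SETROPTS rules in the list above (WARN = NO on all profiles, PROTECTALL, RETPD, WHEN(PROGRAM), NOADSP and ERASE(ALL)) are all checked the same way in practice: capture the output of `SETROPTS LIST` and of `SEARCH CLASS(DATASET) WARNING` (repeated for other classes of interest), then compare it against the required values. The script below is an added example written for this page, not code from DISA or from the STIG itself. The sample command output it parses is constructed, and the line wording is an approximation of what those commands print on a real system; the required values it assumes (PROTECTALL(FAILURES), ERASE(ALL) active for all data sets, NOADSP, WHEN(PROGRAM) active, RETPD equal to a site-defined value, and no profiles in WARNING mode) are the author's reading of these rules, not text taken from the page, so adjust `REQUIRED_RETPD` and the patterns to your release and your site's documented settings.

```python
"""Offline check of captured RACF command output against the SETROPTS rules.

Added example; not DISA or IBM code. Sample output below is constructed and
the line wording approximates real SETROPTS LIST / SEARCH output (assumption).
Remediation, if a finding is raised (real RACF command syntax):
  SETROPTS PROTECTALL(FAILURES) ERASE(ALL) NOADSP WHEN(PROGRAM) RETPD(nnn)
  ALTDSD 'SYS1.**' GENERIC NOWARNING      (one per profile found in WARNING mode)
"""
import re

REQUIRED_RETPD = 0  # assumption: site-defined value; the page only says "properly set"

# Constructed sample of SETROPTS LIST output (not captured from a real LPAR).
SETROPTS_LIST_SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP FACILITY PROGRAM SURROGAT
SECURITY RETENTION PERIOD IN EFFECT IS  0 DAYS.
ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS:
  ERASE-ON-SCRATCH BY SECURITY LEVEL IS INACTIVE
  ERASE-ON-SCRATCH IS IN EFFECT FOR ALL DATA SETS
PROTECT-ALL IS ACTIVE, CURRENT OPTIONS:
  PROTECT-ALL WARNING OPTION IS IN EFFECT
ADSP IS IN EFFECT
"""

# Constructed sample of SEARCH CLASS(DATASET) WARNING output: one profile per
# line, generic profiles flagged with " (G)".
SEARCH_WARNING_SAMPLE = """\
SYS1.** (G)
PROD.PAYROLL.** (G)
"""


def parse_setropts(text):
    """Pull the option states this check needs out of SETROPTS LIST output."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ATTRIBUTES ="):
            opts["when_program"] = "WHEN(PROGRAM)" in line
        m = re.match(r"SECURITY RETENTION PERIOD IN EFFECT IS\s+(\d+) DAYS", line)
        if m:
            opts["retpd"] = int(m.group(1))
        m = re.match(r"PROTECT-ALL IS (ACTIVE|INACTIVE)", line)
        if m:
            opts["protectall_active"] = m.group(1) == "ACTIVE"
        if line.startswith("PROTECT-ALL FAILURE OPTION"):
            opts["protectall_mode"] = "FAILURES"
        elif line.startswith("PROTECT-ALL WARNING OPTION"):
            opts["protectall_mode"] = "WARNING"
        m = re.match(r"ERASE-ON-SCRATCH IS (ACTIVE|INACTIVE)", line)
        if m:
            opts["erase_active"] = m.group(1) == "ACTIVE"
        if "ERASE-ON-SCRATCH IS IN EFFECT FOR ALL DATA SETS" in line:
            opts["erase_all"] = True
        if line.startswith("ADSP IS"):
            opts["adsp"] = "NOT" not in line
    return opts


def parse_search_warning(text):
    """Return profile names from SEARCH ... WARNING output; empty if none."""
    profiles = []
    for raw in text.splitlines():
        line = raw.strip()
        # ICH31005I is the 'no entries meet search criteria' message.
        if not line or line.startswith("ICH31005I"):
            continue
        profiles.append(line.replace(" (G)", ""))
    return profiles


def evaluate(setropts_text, search_text, required_retpd=REQUIRED_RETPD):
    """Return a list of human-readable findings; an empty list means compliant."""
    o = parse_setropts(setropts_text)
    findings = []
    if not o.get("when_program"):
        findings.append("WHEN(PROGRAM) is not active")
    if not (o.get("protectall_active") and o.get("protectall_mode") == "FAILURES"):
        mode = o.get("protectall_mode", "INACTIVE") if o.get("protectall_active") else "INACTIVE"
        findings.append(f"PROTECTALL is {mode}; expected PROTECTALL(FAILURES)")
    if not (o.get("erase_active") and o.get("erase_all")):
        findings.append("ERASE(ALL) is not in effect")
    if o.get("adsp", True):
        findings.append("ADSP is active; expected NOADSP")
    if o.get("retpd") != required_retpd:
        findings.append(f"RETPD is {o.get('retpd')}; expected {required_retpd}")
    for profile in parse_search_warning(search_text):
        findings.append(f"profile {profile} is in WARNING mode; expected WARN=NO")
    return findings


if __name__ == "__main__":
    for finding in evaluate(SETROPTS_LIST_SAMPLE, SEARCH_WARNING_SAMPLE):
        print("FINDING:", finding)
```

Against the constructed sample the script reports four findings: PROTECTALL in WARNING rather than FAILURES mode, ADSP active, and two data set profiles still in WARNING mode; WHEN(PROGRAM), ERASE(ALL) and RETPD pass. Run `SEARCH CLASS(...) WARNING` for every class you care about and feed each result through `parse_search_warning`, since a profile in WARNING mode in any class grants access it would otherwise deny.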
