IBM z/OS RACF Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-OS-000274-GPOS-00104
Group -
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000480-GPOS-00227
Group -
SRG-OS-000104-GPOS-00051
Group -
SRG-OS-000066-GPOS-00034
Group -
Expired digital certificates must not be used.
The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named ... (Rule, Medium Severity) -
SRG-OS-000066-GPOS-00034
Group -
All digital certificates in use must have a valid path to a trusted certification authority (CA).
The origin of a certificate, or the CA, is crucial in determining if the certificate should be trusted. An approved CA establishes grounds for confidence at both ends of communications sessions in ... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the... (Rule, High Severity) -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.
Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer d... (Rule, Low Severity) -
SRG-OS-000123-GPOS-00064
Group -
SRG-OS-000004-GPOS-00004
Group -
IBM RACF SETROPTS LOGOPTIONS must be properly configured.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM z/OS system commands must be properly protected.
z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive s... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
The IBM RACF FACILITY resource class must be active.
IBM provides the FACILITY class for use in protecting a variety of features/functions/products, both IBM and third-party. The FACILITY class is not dedicated to any one specific use and is intended ... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
The IBM RACF OPERCMDS resource class must be active.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
The IBM RACF MCS consoles resource class must be active.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM Sensitive Utility Controls must be properly defined and protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF access to the System Master Catalog must be properly protected.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, High Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM z/OS must protect dynamic lists in accordance with proper security requirements.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, High Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF must limit access to SYS(x).TRACE to system programmers only.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF batch jobs must be properly secured.
Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF... (Rule, Medium Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be... (Rule, High Severity) -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group -
SRG-OS-000080-GPOS-00048
Group