IBM z/OS TSS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000480-GPOS-00227

    Group
  • SRG-OS-000096-GPOS-00050

    Group
  • IBM z/OS must properly configure CONSOLxx members.

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    Group
  • IBM z/OS must properly protect MCS console userid(s).

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • The CA-TSS CPFRCVUND Control Option value specified must be set to NO.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • SRG-OS-000104-GPOS-00051

    Group
  • CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Low Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule High Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • SRG-OS-000104-GPOS-00051

    Group
  • SRG-OS-000104-GPOS-00051

    Group
  • IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
  • SRG-OS-000109-GPOS-00056

    Group
  • CA-TSS user accounts must uniquely identify system users.

    To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...
    Rule Medium Severity
  • SRG-OS-000118-GPOS-00060

    Group
  • CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.

    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts...
    Rule Medium Severity
  • SRG-OS-000118-GPOS-00060

    Group
  • SRG-OS-000138-GPOS-00069

    Group
  • The CA-TSS AUTOERASE Control Option must be set to ALL for all systems.

    Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...
    Rule Medium Severity
  • SRG-OS-000184-GPOS-00078

    Group
  • CA-TSS DOWN Control Option values must be properly specified.

    Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Operating systems that fail suddenly and with no ...
    Rule Medium Severity
  • SRG-OS-000370-GPOS-00155

    Group
  • The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.

    Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of pote...
    Rule High Severity
  • SRG-OS-000380-GPOS-00165

    Group
  • SRG-OS-000326-GPOS-00126

    Group
  • The CA-TSS SUBACID Control Option must be set to U,8.

    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level...
    Rule Medium Severity
  • SRG-OS-000326-GPOS-00126

    Group
  • SRG-OS-000326-GPOS-00126

    Group
  • IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID.

    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level...
    Rule Medium Severity
  • SRG-OS-000327-GPOS-00127

    Group
  • CA-TSS ADMINBY Control Option must be set to ADMINBY.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • SRG-OS-000327-GPOS-00127

    Group
  • CA-TSS LOG Control Option must be set to (SMF,INIT, SEC9, MSG).

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • SRG-OS-000327-GPOS-00127

    Group
  • CA-TSS MSCA ACID password changes must be documented in the change log.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

    Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals ...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • CA-TSS Default ACID must be properly defined.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • SRG-OS-000324-GPOS-00125

    Group
  • CA-TSS ACIDs granted the CONSOLE attribute must be justified.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule High Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • CA-TSS ACIDs defined as security administrators must have the NOATS attribute.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule Medium Severity
  • SRG-OS-000279-GPOS-00109

    Group
