Mainframe Product Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be co...
Rule, Medium Severity
The Mainframe Product must identify prohibited mobile code.
Decisions regarding the employment of mobile code within applications are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software...
Rule, Medium Severity
The Mainframe Product must block, quarantine, and/or alert system administrators when prohibited mobile code is identified.
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code ...
Rule, Medium Severity
The Mainframe Product must prevent the download of prohibited mobile code.
Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code ...
Rule, Medium Severity
The Mainframe Product must prevent the automatic execution of mobile code in, at a minimum, office applications, browsers, email clients, mobile code run-time environments, and mobile agent systems.
Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Preventing automatic execution of mobile code includes, for example, disabling...
Rule, Medium Severity
The Mainframe Product must separate user functionality (including user interface services) from information system management functionality.
Application management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access application management functionalit...
Rule, Medium Severity
In the event of application failure, Mainframe Products must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.
Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...
Rule, Medium Severity
The Mainframe Product must protect the confidentiality and integrity of all information at rest.
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices...
Rule, Medium Severity
The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled.
Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation...
Rule, Medium Severity
The Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages needs to be care...
Rule, Medium Severity
The Mainframe product must notify the system programmer and security administrator of failed security verification tests.
If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the...
Rule, Medium Severity
The Mainframe Product must notify system programmers and security administrators when accounts are created.
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...
Rule, Medium Severity
The Mainframe Product must notify system programmers and security administrators when accounts are modified.
When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notif...
Rule, Medium Severity
The Mainframe Product must notify system programmers and security administrators for account removal actions.
When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of a...
Rule, Medium Severity
The Mainframe Product must automatically terminate a user session after conditions, as defined in site security plan, are met or trigger events requiring session disconnect.
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....
Rule, Medium Severity
The Mainframe Product must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.
If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or no...
Rule, Medium Severity
The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in storage.
Without the association of security attributes to information, there is no basis for the application to make security related access-control decisions. Security attributes are abstractions represe...
Rule, Medium Severity
The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in process.
Without the association of security attributes to information, there is no basis for the application to make security related access-control decisions. Security attributes are abstractions represe...
Rule, Medium Severity
The Mainframe Product must notify system programmers and security administrators of account enabling actions.
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...
Rule, Medium Severity
The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
Rule, Medium Severity