Mainframe Product Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000345
Group -
The Mainframe Product must automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...Rule Medium Severity -
SRG-APP-000357
Group -
SRG-APP-000358
Group -
The Mainframe Product must off-load audit records onto a different system or media than the system being audited.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.Rule Medium Severity -
SRG-APP-000359
Group -
SRG-APP-000360
Group -
The Mainframe Product must provide an immediate real-time alert to the operations staff, system programmers, and/or security administrators, at a minimum, of all audit failure events requiring real-time alerts.
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impe...Rule Medium Severity -
SRG-APP-000364
Group -
SRG-APP-000365
Group -
The Mainframe Product must provide an audit reduction capability that supports after-the-fact investigations of security incidents.
If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify ...Rule Medium Severity -
SRG-APP-000366
Group -
SRG-APP-000367
Group -
The Mainframe Product must provide a report generation capability that supports on-demand reporting requirements.
The report generation capability must support on-demand reporting in order to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or more comp...Rule Medium Severity -
SRG-APP-000368
Group -
SRG-APP-000369
Group -
SRG-APP-000370
Group -
SRG-APP-000378
Group -
The Mainframe product must prohibit user installation of software without explicit privileged status.
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escal...Rule Medium Severity -
SRG-APP-000379
Group -
SRG-APP-000380
Group -
The Mainframe Product must enforce access restrictions associated with changes to application configuration.
Failure to provide logical access restrictions associated with changes to application configuration may have significant effects on the overall security of the system. When dealing with access re...Rule Medium Severity -
SRG-APP-000381
Group -
SRG-APP-000391
Group -
SRG-APP-000392
Group -
SRG-APP-000400
Group -
The Mainframe Product must prohibit the use of cached authenticators after one hour.
If cached authentication information is out of date, the validity of the authentication information may be questionable.Rule Medium Severity -
SRG-APP-000402
Group -
SRG-APP-000403
Group -
SRG-APP-000404
Group -
SRG-APP-000405
Group -
The Mainframe Product must conform to Federal Identity, Credential, and Access Management (FICAM)-issued profiles.
Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 and OpenID 2.0. This requirement addresses open i...Rule Medium Severity -
SRG-APP-000409
Group -
SRG-APP-000411
Group -
Mainframe Products must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
Privileged access contains control and configuration information which is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms to pr...Rule Medium Severity -
SRG-APP-000412
Group -
SRG-APP-000413
Group -
Mainframe Products must verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions.
If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Remote connections must be disco...Rule Medium Severity -
SRG-APP-000414
Group -
SRG-APP-000428
Group -
The Mainframe Product must implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities.
Applications handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a ...Rule High Severity -
SRG-APP-000429
Group -
SRG-APP-000431
Group -
The Mainframe Product must maintain a separate execution domain for each executing process.
Applications can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that communication b...Rule Medium Severity -
SRG-APP-000447
Group -
The Mainframe Product must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, wh...Rule Medium Severity -
SRG-APP-000450
Group -
SRG-APP-000454
Group -
SRG-APP-000456
Group -
SRG-APP-000472
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.