Mainframe Product Security Requirements Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
- Rule (Medium Severity): The Mainframe Product must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
  Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards appr...
- Group: SRG-APP-000705
- Rule (Medium Severity): The Mainframe Product must disable accounts when the accounts are no longer associated to a user.
  Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
- Group: SRG-APP-000745
- Rule (Medium Severity): The Mainframe Product must implement the capability to centrally review and analyze audit records from multiple components within the system.
  Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products.
- Group: SRG-APP-000795
- Rule (Medium Severity): The Mainframe Product must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit log...
- Group: SRG-APP-000820
- Rule (Medium Severity): The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
  The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...
- Group: SRG-APP-000825
- Rule (Medium Severity): The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
  The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multifactor authentication is to reduce the likelihoo...
- Group: SRG-APP-000830
- Group: SRG-APP-000835
- Rule (Medium Severity): The Mainframe Product must, for password-based authentication, update the list of passwords on an organization-defined frequency.
  Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...
- Group: SRG-APP-000840
- Group: SRG-APP-000845
- Rule (Medium Severity): The Mainframe Product must, for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
  Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...
- Group: SRG-APP-000855
- Rule (Medium Severity): The Mainframe Product must, for password-based authentication, require immediate selection of a new password upon account recovery.
  Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...
- Group: SRG-APP-000860
- Rule (Medium Severity): The Mainframe Product must, for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters.
  Password-based authentication applies to passwords regardless of whether they are used in single-factor or multifactor authentication. Long passwords or passphrases are preferable over shorter pass...
- Group: SRG-APP-000865
- Group: SRG-APP-000875
- Rule (Medium Severity): The Mainframe Product must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.
  Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lis...
- Group: SRG-APP-000880
- Group: SRG-APP-000910
- Rule (Medium Severity): The Mainframe Product must include only approved trust anchors in trust stores or certificate stores managed by the organization.
  Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-...
- Group: SRG-APP-000915
- Rule (Medium Severity): The Mainframe Product must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
  A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.
- Group: SRG-APP-000920
- Group: SRG-APP-000925
- Rule (Medium Severity): The Mainframe Product must compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source.
  Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.
- Rule (Medium Severity): The Mainframe Product must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
  A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the tempora...
- Rule (Medium Severity): The Mainframe Product must initiate a session lock after a 15-minute period of inactivity.
  A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the tempora...
- Rule (Medium Severity): The Mainframe Product must provide the capability for users to directly initiate a session lock.
  A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not want to log out because of the temporar...
- Rule (Medium Severity): The Mainframe Product must use an external security manager for all account management functions.
  Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comp...
- Rule (Medium Severity): The Mainframe Product must automatically remove or disable temporary user accounts after 72 hours.
  If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of al...
- Rule (Medium Severity): The Mainframe Product must automatically audit account creation.
  Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simpl...
- Rule (Medium Severity): The Mainframe Product must automatically audit account disabling actions.
  When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual application users or for identifying the application processes themselves. In or...
- Rule (Medium Severity): The Mainframe Product must automatically audit account removal actions.
  When application accounts are removed, user accessibility is affected. Accounts are used for identifying individual application users or for identifying the application processes themselves. In ord...
- Rule (Medium Severity): The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.
  A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If information flow is not enforced based on approved authorizations, ...
- Rule (Medium Severity): For Mainframe Products providing audit record aggregation, the Mainframe Product must compile audit records from mainframe components into a system-wide audit trail that is time-correlated with a tolerance for the relationship between time stamps of individual records in the audit trail in accordance with the site security plan.
  Without the ability to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. ...
- Rule (Medium Severity): The Mainframe Product must provide audit record generation capability for DoD-defined auditable events within all application components.
  Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit r...
- Rule (Medium Severity): The Mainframe Product must generate audit records when successful/unsuccessful attempts to access privileges occur.
  Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...
- Rule (Medium Severity): The Mainframe Product must produce audit records containing information to establish what type of events occurred.
  Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. Audit r...
- Rule (Medium Severity): The Mainframe Product must produce audit records containing information to establish the source of the events.
  Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In addition to logging where events occur with...
- Rule (Medium Severity): The Mainframe Product must produce audit records containing information to establish the outcome of the events.
  Without information about the outcome of events, security personnel cannot make an accurate assessment as to whether an attack was successful or if changes were made to the security state of the sy...
- Rule (Medium Severity): The Mainframe Product must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users.
  Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. Organizations consider limiting the additional audit information to only ...
- Rule (Medium Severity): The Mainframe Product must provide the capability to centrally review and analyze audit records from multiple components within the system.
  Successful incident response and auditing relies on timely, accurate system information and analysis in order to allow the organization to identify and respond to potential incidents in a proficien...
- Rule (Medium Severity): The Mainframe Product must prevent the execution of prohibited mobile code.
  Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code ...