Mainframe Product Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • The Mainframe Product must protect audit information from any type of unauthorized read access.

    If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult if not impossible to achieve. In ad...
    Rule Medium Severity
  • The Mainframe Product must protect audit information from unauthorized modification.

    If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audi...
    Rule Medium Severity
  • The Mainframe Product must protect audit tools from unauthorized access.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • The Mainframe Product must protect audit tools from unauthorized deletion.

    Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...
    Rule Medium Severity
  • The Mainframe Product must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.

    Changes to any software components can have significant effects on the overall security of the application. Verifying software components have been digitally signed using a certificate that is reco...
    Rule Medium Severity
  • The Mainframe Product must limit privileges to change the Mainframe Product installation datasets to system programmers and authorized users in accordance with applicable access control policies.

    If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a ...
    Rule Medium Severity
  • The Mainframe Product must limit privileges to change Mainframe Product user datasets to authorized individuals.

    If the application were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a ...
    Rule Medium Severity
  • The Mainframe Product must be configured to disable non-essential capabilities.

    It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and...
    Rule Medium Severity
  • The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational use...
    Rule Medium Severity
  • The Mainframe Product must use multifactor authentication for network access to non-privileged accounts.

    To assure accountability and prevent unauthenticated access, non-privileged users must use multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authent...
    Rule Medium Severity
  • The Mainframe Product must use multifactor authentication for local access to privileged accounts.

    To ensure accountability and prevent unauthenticated access, privileged users must use multifactor authentication to prevent potential misuse and compromise of the system. Multifactor authenticat...
    Rule Medium Severity
  • The Mainframe Product must use multifactor authentication for local access to nonprivileged accounts.

    To ensure accountability, prevent unauthenticated access, and prevent misuse of the system, nonprivileged users must use multifactor authentication for local access. Multifactor authentication is...
    Rule Medium Severity
  • The Mainframe Product must enforce a minimum 15-character password length.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
    Rule Medium Severity
  • The Mainframe Product must enforce password complexity by requiring that at least one lowercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • The Mainframe Product must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • The Mainframe Product must transmit only cryptographically protected passwords.

    Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily co...
    Rule Medium Severity
  • The Mainframe Product must enforce 24 hours/1 day as the minimum password lifetime.

    Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. Restricting this setting limits the user's ability to...
    Rule Medium Severity
  • The Mainframe Product must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked; therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and p...
    Rule Medium Severity
  • The Mainframe Product, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule Medium Severity
  • The Mainframe Product must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

    To prevent the compromise of authentication information such as passwords during the authentication process, the feedback from the information system must not provide any information that would all...
    Rule Medium Severity
  • The Mainframe Product must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be co...
    Rule Medium Severity
  • The Mainframe Product must identify prohibited mobile code.

    Decisions regarding the employment of mobile code within applications are based on the potential for the code to cause damage to the system if used maliciously. Mobile code is defined as software...
    Rule Medium Severity
  • The Mainframe Product must block, quarantine, and/or alert system administrators when prohibited mobile code is identified.

    Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code ...
    Rule Medium Severity
  • The Mainframe Product must prevent the download of prohibited mobile code.

    Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the system if used maliciously. Mobile code ...
    Rule Medium Severity
  • The Mainframe Product must prevent the automatic execution of mobile code in, at a minimum, office applications, browsers, email clients, mobile code run-time environments, and mobile agent systems.

    Mobile code can cause damage to the system. It can execute without explicit action from, or notification to, a user. Preventing automatic execution of mobile code includes, for example, disabling...
    Rule Medium Severity
  • The Mainframe Product must separate user functionality (including user interface services) from information system management functionality.

    Application management functionality includes functions necessary for administration and requires privileged user access. Allowing non-privileged users to access application management functionalit...
    Rule Medium Severity
  • In the event of application failure, Mainframe Products must preserve any information necessary to determine the cause of failure and any information necessary to return to operations with the least disruption to mission processes.

    Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, i...
    Rule Medium Severity
  • The Mainframe Product must protect the confidentiality and integrity of all information at rest.

    Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive) within an organizational information system. Mobile devices...
    Rule Medium Severity
  • The Mainframe Product must be configured such that emergency accounts are never automatically removed or disabled.

    Emergency accounts are administrator accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation...
    Rule Medium Severity
  • The Mainframe Product must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

    Any application providing too much information in error messages risks compromising the data and security of the application and system. The structure and content of error messages needs to be care...
    Rule Medium Severity
  • The Mainframe product must notify the system programmer and security administrator of failed security verification tests.

    If personnel are not notified of failed security verification tests, they will not be able to take corrective action and the unsecure condition(s) will remain. Security function is defined as the...
    Rule Medium Severity
  • The Mainframe Product must notify system programmers and security administrators when accounts are created.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...
    Rule Medium Severity
  • The Mainframe Product must notify system programmers and security administrators when accounts are modified.

    When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notif...
    Rule Medium Severity
  • The Mainframe Product must notify system programmers and security administrators for account removal actions.

    When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of a...
    Rule Medium Severity
  • The Mainframe Product must automatically terminate a user session after conditions, as defined in site security plan, are met or trigger events requiring session disconnect.

    Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i....
    Rule Medium Severity
  • The Mainframe Product must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions.

    If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Users need to be aware of whether or no...
    Rule Medium Severity
  • The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in storage.

    Without the association of security attributes to information, there is no basis for the application to make security related access-control decisions. Security attributes are abstractions represe...
    Rule Medium Severity
  • The Mainframe Product must associate types of security attributes having security attribute values as defined in site security plan with information in process.

    Without the association of security attributes to information, there is no basis for the application to make security related access-control decisions. Security attributes are abstractions represe...
    Rule Medium Severity
  • The Mainframe Product must notify system programmers and security administrators of account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of re-establishing access. One way to accomplish this is for the attacker to simply ...
    Rule Medium Severity
  • The Mainframe Product must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileg...
    Rule Medium Severity
  • The Mainframe Product must audit the execution of privileged functions.

    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and...
    Rule Medium Severity
  • The mainframe product must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.

    In order to ensure applications have a sufficient storage capacity in which to write the audit logs, applications need to be able to allocate audit record storage capacity. The task of allocating...
    Rule Medium Severity
  • The Mainframe Product must provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.

    If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion.
    Rule Medium Severity
  • The Mainframe Product must provide an audit reduction capability that supports on-demand audit review and analysis.

    The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident...
    Rule Medium Severity
  • The Mainframe Product must provide a report generation capability that supports on-demand audit review and analysis.

    The report generation capability must support on-demand review and analysis in order to facilitate the organization's ability to generate incident reports as needed to better handle larger-scale or...
    Rule Medium Severity
  • The Mainframe Product must provide a report generation capability that supports after-the-fact investigations of security incidents.

    If the report generation capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identif...
    Rule Medium Severity
  • The Mainframe Product must provide an audit reduction capability that does not alter original content or time ordering of audit records.

    If the audit reduction capability alters the content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for forensic analysis...
    Rule Medium Severity
  • The Mainframe Product must provide a report generation capability that does not alter original content or time ordering of audit records.

    If the audit report generation capability alters the original content or time ordering of audit records, the integrity of the audit records is compromised, and the records are no longer usable for ...
    Rule Medium Severity
  • The Mainframe Product must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.

    Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can h...
    Rule Medium Severity
  • The Mainframe Product must audit the enforcement actions used to restrict access associated with changes to the application.

    Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available...
    Rule Medium Severity