IBM z/OS ACF2 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
CA-ACF2 defined user accounts must uniquely identify system users.
<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
CA-ACF2 userids found inactive for more than 35 days must be suspended.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...Rule Medium Severity -
SRG-OS-000266-GPOS-00101
<GroupDescription></GroupDescription>Group -
CA-ACF2 PWPHRASE GSO record must be properly defined.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity o...Rule Medium Severity -
SRG-OS-000266-GPOS-00101
<GroupDescription></GroupDescription>Group -
CA-ACF2 must enforce password complexity by requiring that at least one special character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity o...Rule Medium Severity -
SRG-OS-000069-GPOS-00037
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require at least one upper-case character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-OS-000071-GPOS-00039
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require at least one numeric character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-OS-000070-GPOS-00038
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require at least one lower-case character be used.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-OS-000072-GPOS-00040
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require the change of at least 50% of the total number of characters when passwords are changed.
<VulnDiscussion>If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of...Rule Medium Severity -
SRG-OS-000073-GPOS-00041
<GroupDescription></GroupDescription>Group -
ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are...Rule High Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to require 24 hours/1 day as the minimum password lifetime.
<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enfo...Rule Medium Severity -
SRG-OS-000077-GPOS-00045
<GroupDescription></GroupDescription>Group -
ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
SRG-OS-000079-GPOS-00047
<GroupDescription></GroupDescription>Group -
ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices.
<VulnDiscussion>To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback fr...Rule Medium Severity -
SRG-OS-000079-GPOS-00047
<GroupDescription></GroupDescription>Group -
ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices.
<VulnDiscussion>To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback fr...Rule Medium Severity -
SRG-OS-000079-GPOS-00047
<GroupDescription></GroupDescription>Group -
ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices.
<VulnDiscussion>To prevent the compromise of authentication information, such as passwords during the authentication process, the feedback fr...Rule Medium Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO.
<VulnDiscussion>The SECVOLS record defines the DASD and tape volumes for which CA-ACF2 provides volume-level protection. Information at rest ...Rule Medium Severity -
SRG-OS-000185-GPOS-00079
<GroupDescription></GroupDescription>Group -
ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.
<VulnDiscussion>The RESVOLS record defines DASD and mass storage volumes for which CA ACF2 is to provide protection at the data set name leve...Rule Medium Severity -
SRG-OS-000134-GPOS-00068
<GroupDescription></GroupDescription>Group -
ACF2 security data sets and/or databases must be properly protected.
<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform...Rule High Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.
<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of infor...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
<GroupDescription></GroupDescription>Group -
IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
<VulnDiscussion>Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS data sets for the FTP Server must be properly protected.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
<VulnDiscussion>MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properl...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...Rule Medium Severity -
SRG-OS-000228-GPOS-00088
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement.
<VulnDiscussion>The structure and content of error messages must be carefully considered by the organization and development team. The extent...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
<VulnDiscussion>Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.