Skip to content

IBM z/OS TSS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Access to the CA-TSS MODE resource class must be appropriate.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Data set masking characters must be properly defined to the CA-TSS security database.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • CA-TSS Emergency ACIDs must be properly limited and must audit all resource access.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • CA-TSS ACIDs must not have access to FAC(*ALL*).

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS ALL record must have appropriate access to Facility Matrix Tables.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS Sensitive Utility Controls must be properly defined and protected.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00229

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS Started tasks must be properly defined to CA-TSS.

    &lt;VulnDiscussion&gt;Started procedures have system generated job statements that do not contain the user, group, or password statements. To enabl...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS CANCEL Control Option must not be specified.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS HPBPW Control Option must be set to three days maximum.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS INSTDATA Control Option must be set to 0.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS OPTIONS Control Option must include option 4 at a minimum.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA-TSS TEMPDS Control Option must be set to YES.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The number of CA-TSS control ACIDs must be justified and properly assigned.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The number of CA-TSS ACIDs with MISC9 authority must be justified.

    &lt;VulnDiscussion&gt;Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the sys...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS LUUPDONCE Control Option value specified must be set to NO.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA-TSS RECOVER Control Option must be set to ON.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS must properly configure CONSOLxx members.

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule Medium Severity
  • SRG-OS-000096-GPOS-00050

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS must properly protect MCS console userid(s).

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS CPFRCVUND Control Option value specified must be set to NO.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Low Severity
  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule High Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules