
IBM z/OS TSS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000104-GPOS-00051
    Group
  • Interactive ACIDs defined to CA-TSS must have the required fields completed.
    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule (Low Severity)
  • SRG-OS-000104-GPOS-00051
    Group
  • CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced.
    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule (Medium Severity)
  • SRG-OS-000104-GPOS-00051
    Group
  • IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.
    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule (Medium Severity)
  • SRG-OS-000109-GPOS-00056
    Group
  • CA-TSS user accounts must uniquely identify system users.
    To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and...
    Rule (Medium Severity)
  • SRG-OS-000118-GPOS-00060
    Group
  • CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.
    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...
    Rule (Medium Severity)
  • SRG-OS-000118-GPOS-00060
    Group
  • The CA-TSS INACTIVE Control Option must be properly set.
    Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...
    Rule (Medium Severity)
  • SRG-OS-000138-GPOS-00069
    Group
  • The CA-TSS AUTOERASE Control Option must be set to ALL for all systems.
    Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of infor...
    Rule (Medium Severity)
  • SRG-OS-000184-GPOS-00078
    Group
  • CA-TSS DOWN Control Option values must be properly specified.
    Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized acces...
    Rule (Medium Severity)
  • SRG-OS-000370-GPOS-00155
    Group
  • The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.
    Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Usin...
    Rule (High Severity)
  • SRG-OS-000380-GPOS-00165
    Group
  • CA-TSS ACID creation must use the EXP option.
    Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an...
    Rule (Medium Severity)
  • SRG-OS-000326-GPOS-00126
    Group
  • The CA-TSS SUBACID Control Option must be set to U,8.
    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions....
    Rule (Medium Severity)
  • SRG-OS-000326-GPOS-00126
    Group
  • CA-TSS must use propagation control to eliminate ACID inheritance.
    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions....
    Rule (Medium Severity)
  • SRG-OS-000326-GPOS-00126
    Group
  • IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the scheduled production CA-TSS batch ACID.
    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions....
    Rule (Medium Severity)
  • SRG-OS-000327-GPOS-00127
    Group
  • CA-TSS ADMINBY Control Option must be set to ADMINBY.
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...
    Rule (Medium Severity)
  • SRG-OS-000327-GPOS-00127
    Group
  • CA-TSS LOG Control Option must be set to (SMF,INIT,SEC9,MSG).
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...
    Rule (Medium Severity)
  • SRG-OS-000327-GPOS-00127
    Group
  • CA-TSS MSCA ACID password changes must be documented in the change log.
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external enti...
    Rule (Medium Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
    Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering crypto...
    Rule (Medium Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • CA-TSS Default ACID must be properly defined.
    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule (Medium Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • The CA-TSS BYPASS attribute must be limited to trusted STCs only.
    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule (High Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • CA-TSS MSCA ACID must perform security administration only.
    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule (Medium Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • CA-TSS ACIDs granted the CONSOLE attribute must be justified.
    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule (High Severity)
  • SRG-OS-000324-GPOS-00125
    Group
  • CA-TSS ACIDs defined as security administrators must have the NOATS attribute.
    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule (Medium Severity)
  • SRG-OS-000329-GPOS-00128
    Group
  • The CA-TSS PTHRESH Control Option must be properly set.
    By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise...
    Rule (Medium Severity)
  • SRG-OS-000279-GPOS-00109
    Group
  • CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN).
    Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of ...
    Rule (Medium Severity)
  • SRG-OS-000023-GPOS-00006
    Group
  • IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DoD Notice and Consent Banner.
    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...
    Rule (Medium Severity)
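Several of the rules above pin a CA-TSS control option to a specific value (INACTIVE, AUTOERASE=ALL, SUBACID U,8, LOG (SMF,INIT,SEC9,MSG), VTHRESH (10,NOT,CAN), ADMINBY, and MODE=FAIL on every Facility). The following is an added example, not code from the STIG, from DISA, or from Broadcom/CA Top Secret: a Python checker that reads control options written in the KEYWORD(value) syntax of the TSS parameter file and reports deviations from the values named in the rule titles. It assumes one option per line with `*` in column 1 as a comment, the `FACILITY(name=SUBOPTION,...)` form for per-facility sub-options, and INACTIVE(35) as the value matching the 35-day rule. PTHRESH and DOWN are only "properly set" on this page (their required values sit in rule text that is truncated here), so they are checked for presence only; the PTHRESH > 0 floor and the sample PTHRESH/DOWN values in the constructed input are assumptions, not the STIG's numbers.

```python
"""Check CA-TSS control options against the values named in this STIG listing.

Added example, not code from the STIG page or from Broadcom/CA. Assumes the
KEYWORD(value) one-per-line syntax of the TSS parameter file ('*' in column 1
is a comment) and FACILITY(name=SUBOPT,SUBOPT(...),...) for facility sub-options.
"""
import re
from typing import Dict, List

# Values taken from the rule titles on the page. INACTIVE(35) follows the
# 35-day rule title (assumption); PTHRESH and DOWN are presence-only here.
REQUIRED: Dict[str, List[str]] = {
    "INACTIVE": ["35"],
    "AUTOERASE": ["ALL"],
    "SUBACID": ["U", "8"],
    "LOG": ["SMF", "INIT", "SEC9", "MSG"],
    "VTHRESH": ["10", "NOT", "CAN"],
}
PRESENCE_ONLY = ["ADMINBY", "PTHRESH", "DOWN"]

_OPT = re.compile(r"^([A-Z][A-Z0-9]*)(?:\((.*)\))?$")


def split_top_level(s: str, sep: str = ",") -> List[str]:
    """Split on `sep` only at parenthesis depth 0, so 'TSO=MODE(FAIL),ACTIVE'
    yields ['TSO=MODE(FAIL)', 'ACTIVE'] instead of breaking inside MODE(...)."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_options(text: str) -> Dict[str, List[List[str]]]:
    """Return {KEYWORD: [argument list per occurrence]}. Every occurrence is
    kept because FACILITY legitimately appears once per facility."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or raw.startswith("*"):
            continue
        m = _OPT.match(line.upper())
        if not m:
            raise ValueError(f"unparseable control option: {raw!r}")
        key, args = m.group(1), m.group(2) or ""
        opts.setdefault(key, []).append(split_top_level(args))
    return opts


def facility_modes(opts: Dict[str, List[List[str]]]) -> Dict[str, str]:
    """Map facility name -> MODE sub-option value ('' if MODE never appears)."""
    modes: Dict[str, str] = {}
    for args in opts.get("FACILITY", []):
        if not args or "=" not in args[0]:
            continue
        name, first = args[0].split("=", 1)
        modes.setdefault(name, "")
        for sub in [first] + args[1:]:
            if sub.startswith("MODE(") and sub.endswith(")"):
                modes[name] = sub[5:-1]
    return modes


def check(text: str) -> List[str]:
    """Return one finding string per deviation; an empty list means compliant."""
    opts = parse_options(text)
    findings: List[str] = []
    for key, want in REQUIRED.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} not set; required {key}({','.join(want)})")
        elif got[-1] != want:  # last occurrence wins, as later lines override
            findings.append(f"{key}({','.join(got[-1])}) set; required {key}({','.join(want)})")
    for key in PRESENCE_ONLY:
        if key not in opts:
            findings.append(f"{key} not set")
    pthresh = opts.get("PTHRESH")
    if pthresh and (not pthresh[-1] or not pthresh[-1][0].isdigit() or int(pthresh[-1][0]) == 0):
        findings.append("PTHRESH must be a positive count (assumed floor; STIG value not on this page)")
    for fac, mode in facility_modes(opts).items():
        if mode != "FAIL":
            findings.append(f"FACILITY({fac}) MODE is {mode or 'unspecified'}; required MODE(FAIL)")
    return findings


# Constructed sample (not from a real system); PTHRESH and DOWN values are
# illustrative assumptions. One finding is intended: BATCH left in WARN mode.
SAMPLE_PARMS = """\
* CA-TSS control options - CONSTRUCTED SAMPLE
INACTIVE(35)
AUTOERASE(ALL)
PTHRESH(3)
VTHRESH(10,NOT,CAN)
SUBACID(U,8)
LOG(SMF,INIT,SEC9,MSG)
ADMINBY
DOWN(BW,SB,SL,TR)
FACILITY(TSO=MODE(FAIL),ACTIVE)
FACILITY(BATCH=MODE(WARN))
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_PARMS) or ["no findings"]:
        print(finding)
```

Run it against an extract of the live parameter file, or against the option list you keep under change control, and treat every returned string as an open finding. A facility defined without any MODE sub-option is reported as "unspecified" rather than assumed compliant, since the rule requires MODE=FAIL to be stated explicitly.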
