
IBM z/OS TSS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000032-GPOS-00013

    Group
  • IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.

    SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the...
    Rule Medium Severity
  • SRG-OS-000228-GPOS-00088

    Group
  • The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...
    Rule Medium Severity
  • SRG-OS-000032-GPOS-00013

    Group
  • IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automate...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS TCP/IP resources must be properly protected.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS data sets for the Base TCP/IP component must be properly protected.

    MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBM's TCP/IP s...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • IBM z/OS Configuration files for the TCP/IP stack must be properly specified.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Medium Severity
  • SRG-OS-000297-GPOS-00115

    Group
  • IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automate...
    Rule Medium Severity
  • SRG-OS-000023-GPOS-00006

    Group
  • IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...
    Rule Medium Severity
  • SRG-OS-000392-GPOS-00172

    Group
  • IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified.

    Remote access services, such as those providing remote access to network devices and information systems, which lack automate...
    Rule Medium Severity
  • SRG-OS-000033-GPOS-00014

    Group
  • IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.

    Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.

    Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000163-GPOS-00072

    Group
  • IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.

    Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/I...
    Rule Medium Severity
  • SRG-OS-000228-GPOS-00088

    Group
  • The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified.

    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...
    Rule Medium Severity
  • SRG-OS-000425-GPOS-00189

    Group
  • IBM z/OS TELNETPARMS or TELNETGLOBALS must specify a SECUREPORT statement for systems requiring confidentiality and integrity.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for examp...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS TSOAUTH resources must be restricted to authorized users.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    Group
  • CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.

    Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule High Severity
  • SRG-OS-000480-GPOS-00227

    Group
  • IBM z/OS UNIX HFS MapName file security parameters must be properly specified.

    Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of d...
    Rule Medium Severity
  • SRG-OS-000047-GPOS-00023

    Group
  • IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).

    It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required....
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS BPX resource(s) must be protected in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS UNIX resources must be protected in accordance with security requirements.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    Group
  • IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.

    To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
