CA IDMS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.

    Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving info...
    Rule Low Severity
  • IDMS must use the ESM to generate auditable records for commands and utilities when DoD-defined auditable events occur.

    Audit records provide a tool to help research events within IDMS. IDMS itself does not produce audit records but, when external security is in place, records can be produced through the ESM. IDMS ...
    Rule High Severity
  • The IDMS environment must require sign-on for users and restrict them to only authorized functions.

    To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational use...
    Rule Medium Severity
  • CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.

    An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and...
    Rule Medium Severity
  • IDMS must check the validity of all data input unless the organization says otherwise.

    Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated applic...
    Rule Medium Severity
  • CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

    When dynamic SQL is necessary, the code should be written so that invalid input can be detected and the appropriate action taken.
    Rule Medium Severity
  • CA IDMS must automatically terminate a terminal session after organization-defined conditions or trigger events of terminal inactivity time.

    A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can ...
    Rule Medium Severity
  • CA IDMS must automatically terminate a batch external request unit after organization-defined conditions or trigger events after the batch program abnormally terminates.

    A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can ...
    Rule Medium Severity
  • CA IDMS must automatically terminate a task or session after organization-defined conditions or trigger events of time waiting to get a resource and/or time of inactivity.

    A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can ...
    Rule Medium Severity
  • CA IDMS CV must supply logout functionality to allow the user to implicitly terminate an external run-unit when a database request has not been made in an organizationally prescribed time frame.

    If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logout may be explicit or implicit. Examp...
    Rule Medium Severity
  • IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.

    In general, all functions within IDMS can be controlled; therefore, it is up to the IDMS system administrator to determine which functions or tasks are secured or require proper authorization. Any f...
    Rule Medium Severity
  • CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.

    The ability to add programs to be executed under IDMS can be a problem if malicious programs are added. CA IDMS must prevent installation of unauthorized programs and the ability to dynamically reg...
    Rule Medium Severity
  • CA IDMS must protect the system code and storage from corruption by user programs.

    Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that ...
    Rule Medium Severity
  • CA IDMS must prevent user code from issuing selected SVC privileged functions.

    If an SVC is used to facilitate interpartition communication for online applications executing under other DC systems, batch application programs, and programs executed under TP monitors other than...
    Rule Medium Severity
  • The cache table procedures and views used for performance enhancements for dynamic SQL must be protected.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • The DBMS must develop a procedure to limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

    Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (...
    Rule Medium Severity
  • CA IDMS must use pervasive encryption to cryptographically protect the confidentiality and integrity of all information at rest in accordance with data owner requirements.

    This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to ...
    Rule High Severity
  • SRG-APP-000133-DB-000362

    Group
  • All installation-delivered IDMS DEVELOPER-level tasks must be properly secured.

    Developer-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-AP...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • All installation-delivered IDMS DBADMIN-level tasks must be properly secured.

    DBA-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-0002...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • All installation-delivered IDMS DC-Administrator-level programs must be properly secured.

    DC Administrator-level programs that are not secured may allow unauthorized users to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-A...
    Rule Medium Severity
  • SRG-APP-000080-DB-000063

    Group
  • All installation-delivered IDMS DCADMIN-level tasks must be properly secured.

    If DC Administrator-level tasks are not secured, any user logged on to IDMS may use them to access and manipulate various resources within the DBMS. This can be mitigated using the proper entries i...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • IDMS must protect against the use of default userids.

    Default sign-ons can be used by individuals to perform adverse actions anonymously.
    Rule Low Severity
  • SRG-APP-000080-DB-000063

    Group
  • All installation-delivered IDMS User-level programs must be properly secured.

    If user-level programs are not secured, then unauthorized users may use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • All installation-delivered IDMS Developer-level Programs must be properly secured.

    Developer-level programs that are not secured may allow unauthorized users to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-000122
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • All installation-delivered IDMS Database-Administrator-level programs must be properly secured.

    DBA-level programs that are not secured may allow unauthorized users to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000211-DB-...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • SRG-APP-000001-DB-000031

    Group
  • For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.

    Multiple interactive sessions can provide a way to cause a DoS attack against IDMS if a user ID and password are compromised. Not allowing multiple sign-ons can mitigate the risk of malicious atta...
    Rule Medium Severity
  • SRG-APP-000023-DB-000001

    Group
  • IDMS must support the implementation of an external security manager (ESM) to handle account management and user accesses, etc.

    Internal security in a DBMS can be complex to implement and maintain with the increased possibility of no access or the wrong access to a needed resource. IDMS can be configured to use an ESM as th...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • IDMS must allow only authorized users to sign on to an IDMS CV.

    Unauthorized users signing on to IDMS can pose varying amounts of risk depending upon the security of the IDMS resources in an IDMS CV. Until the IDMS sign-on resource type (SGON) is secured, anyone...
    Rule High Severity
  • SRG-APP-000033-DB-000084

    Group
  • IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.

    Unless the DBMS is secured properly, there are innumerable ways that a system and its data can be compromised. The IDMS Security Resource Type Table (SRTT) is the basis for mitigating these problems.
    Rule High Severity
  • SRG-APP-000033-DB-000084

    Group
  • All installation-delivered IDMS USER-level tasks must be properly secured.

    User-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resources within the DBMS. Satisfies: SRG-APP-000033-DB-000084, SRG-APP-000...
    Rule Medium Severity
  • SRG-APP-000033-DB-000084

    Group
  • SRG-APP-000080-DB-000063

    Group
  • IDMS must protect against the use of numbered exits that change the userid to a shared id.

    Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (...
    Rule Low Severity
  • SRG-APP-000080-DB-000063

    Group
  • IDMS must protect against the use of web-based applications that use generic IDs.

    Web-based applications that allow a generic ID can be a door into IDMS, allowing unauthorized changes whose authors cannot be determined.
    Rule Low Severity
  • SRG-APP-000080-DB-000063

    Group
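The rule "CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack" describes a technique without showing it. The following is an added example, not code from the STIG or from CA IDMS: it places a string-concatenated dynamic SQL lookup beside a hardened version that whitelists each input field, reports why a value was rejected, and binds the value with a parameter marker. It runs against an in-memory SQLite table because that is available offline; the assumption is that any SQL engine with parameter markers (IDMS SQL included) separates values from statement text in the same way. The table, rows, field patterns, and the `SUSPICIOUS` token list are constructed for the example.

```python
"""Scanning input before dynamic SQL: vulnerable and hardened lookups side by side.

Added example. SQLite stands in for the target DBMS (assumption: any engine
with parameter markers behaves the same for the point being made).
"""
import re
import sqlite3

# Constructed sample data, not taken from any real system.
SAMPLE_ROWS = [
    (1, "ADAMS", "ACCOUNTING"),
    (2, "BAKER", "PAYROLL"),
    (3, "CLARK", "PAYROLL"),
]

# Whitelist patterns: the only forms each input field is allowed to take.
# (Hypothetical field rules chosen for the example.)
FIELD_PATTERNS = {
    "emp_id": re.compile(r"^[0-9]{1,9}$"),          # numeric key
    "dept": re.compile(r"^[A-Z][A-Z0-9_]{0,17}$"),  # short upper-case name
}

# Fragments that have no business in either field but are typical of SQL
# injection attempts. The whitelist already rejects such values; these are
# reported so the audit trail says *why* the request was refused.
SUSPICIOUS = ("'", '"', ";", "--", "/*", " OR ", " UNION ", "=")


def scan_input(field, value):
    """Return the list of reasons `value` is invalid for `field`.

    An empty list means the value passed. Anything else is a possible
    code injection attempt: the caller should reject it and record it.
    """
    reasons = []
    if not FIELD_PATTERNS[field].fullmatch(value):
        reasons.append("does not match allowed form for %s" % field)
    upper = value.upper()
    for token in SUSPICIOUS:
        if token in upper:
            reasons.append("contains suspicious token %r" % token.strip())
    return reasons


def open_sample_db():
    """Create the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emp (emp_id INTEGER, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, emp_id_text):
    """Concatenates the user's text into the statement, so the text is
    parsed as SQL: '1 OR 1=1' returns every row in the table."""
    sql = "SELECT emp_id, name, dept FROM emp WHERE emp_id = " + emp_id_text
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, emp_id_text):
    """Scan first, then bind with a parameter marker so the value can only
    ever be compared, never parsed as part of the statement."""
    reasons = scan_input("emp_id", emp_id_text)
    if reasons:
        # In a real application: write an audit record, then fail the request.
        raise ValueError("rejected emp_id %r: %s"
                         % (emp_id_text, "; ".join(reasons)))
    sql = "SELECT emp_id, name, dept FROM emp WHERE emp_id = ?"
    return conn.execute(sql, (int(emp_id_text),)).fetchall()


def demo():
    """Run both lookups over the same inputs and collect the outcomes."""
    conn = open_sample_db()
    results = {}
    for text in ("2", "1 OR 1=1"):
        results[("vulnerable", text)] = lookup_vulnerable(conn, text)
        try:
            results[("hardened", text)] = lookup_hardened(conn, text)
        except ValueError as exc:
            results[("hardened", text)] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The whitelist, not the `SUSPICIOUS` list, is the control: a blocklist alone can be evaded, whereas a value that fails the expected form is refused regardless of which payload it carries. The token scan exists only to make the audit record more useful to whoever reviews the rejected request.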