CA IDMS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IDMS must reveal security-related messages only to authorized users.

    Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
    Rule Medium Severity
  • SRG-APP-000267-DB-000163

    Group
  • Custom database code and associated application code must reveal detailed error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).

    Detailed error messages issued by custom or user-written code can possibly give too much detail to the users. This code should be examined to ensure that this does not happen.
    Rule Medium Severity
  • SRG-APP-000295-DB-000305

    Group
  • SRG-APP-000295-DB-000305

    Group
  • SRG-APP-000296-DB-000306

    Group
  • SRG-APP-000295-DB-000305

    Group
  • CA IDMS must automatically terminate an external run-unit after organization-defined conditions or trigger events of time waiting to issue a database request.

    Inactive sessions, such as a logged-on user who leaves their terminal, may give a bad actor access to the system.
    Rule Medium Severity
  • SRG-APP-000295-DB-000305

    Group
  • SRG-APP-000296-DB-000306

    Group
  • CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session initiated by the terminal user.

    If a user does not sign off a terminal after use, it can be used for illegitimate purposes. The IDMS RESOURCE TIMEOUT INTERVAL allows the organization to set a limit to the amount of time it can be...
    Rule Medium Severity
  • SRG-APP-000296-DB-000306

    Group
  • CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session by disconnecting or ending before an explicit logout.

    If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logouts may be explicit or implicit. Exam...
    Rule Medium Severity
  • IDMS must restrict the use of code that provides elevated privileges to specific instances.

    When a user has elevated privileges, they may be able to deliberately or inadvertently make alterations to the DBMS structure or data.
    Rule Medium Severity
  • SRG-APP-000296-DB-000306

    Group
  • CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a batch external request unit when the batch job abnormally terminates.

    IDMS must provide a facility by which an inactive user session may be terminated after a predetermined period of time.
    Rule Medium Severity
  • SRG-APP-000340-DB-000304

    Group
  • SRG-APP-000340-DB-000304

    Group
  • IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.

    Ensure that a subset of DCMT commands is secured so that only those with the appropriate authority are able to execute them. Access to these DCMT commands can allow a user to circumvent defined secu...
    Rule Medium Severity
  • SRG-APP-000340-DB-000304

    Group
  • IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.

    Unauthorized access to user profiles, dictionaries, and user catalogs provides the ability to damage the IDMS system.
    Rule Medium Severity
  • SRG-APP-000342-DB-000302

    Group
  • SRG-APP-000380-DB-000360

    Group
  • SRG-APP-000383-DB-000364

    Group
  • IDMS terminal and lines that are not secure must be disabled.

    Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.
    Rule Medium Severity
  • SRG-APP-000431-DB-000388

    Group
  • SRG-APP-000431-DB-000388

    Group
  • CA IDMS must protect system and user code and storage from corruption by user programs.

    Database management systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each process has a distinct address space so that ...
    Rule Medium Severity
  • SRG-APP-000431-DB-000388

    Group
  • SRG-APP-000441-DB-000378

    Group
  • The system storage used for data collection by the CA IDMS server must be protected.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • SRG-APP-000441-DB-000378

    Group
  • SRG-APP-000441-DB-000378

    Group
  • The storage used for data collection by CA IDMS web services must be protected.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • SRG-APP-000441-DB-000378

    Group
  • The storage used for data collection by CA IDMS Server and CA IDMS Web Services must be protected from online display and update.

    Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, an...
    Rule Medium Severity
  • SRG-APP-000447-DB-000393

    Group
  • IDMS must check for invalid data and behave in a predictable manner when encountered.

    A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information syst...
    Rule Medium Severity
  • SRG-APP-000456-DB-000390

    Group
  • Maintenance for security-related software updates for CA IDMS modules must be provided.

    When a problem is found in IDMS, corrective maintenance is published to correct the problem (including security-related problems). Published fixes should be applied to the IDMS system to correct an...
    Rule Medium Severity
  • SRG-APP-000001-DB-000031

    Group
  • SRG-APP-000266-DB-000162

    Group
  • The DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

    Any DBMS or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of er...
    Rule Medium Severity
  • SRG-APP-000428-DB-000386

    Group
  • SRG-APP-000313-DB-000309

    Group
  • The DBMS must associate organization-defined types of security labels having organization-defined security label values with information in process.

    Without the association of security labels to information, there is no basis for the DBMS to make security-related access-control decisions. Security labels are abstractions representing the basic...
    Rule Medium Severity
  • SRG-APP-000514-DB-000383

    Group
  • CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.

    Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards ...
    Rule Medium Severity
