Skip to content
Log In

CA IDMS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.

    IDMS web services provide a way for web-based applications to access an IDMS database. If not secured, the Web services interface could be used to reveal or change sensitive data.
    Rule Low Severity
    Show

  • SRG-APP-000089-DB-000064

    Group
    Show

  • IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.

    Audit records provide a tool to help research events within IDMS. IDMS does not produce audit records, but when using external security, records can be produced through the ESM. IDMS relies on the...
    Rule High Severity
    Show

  • SRG-APP-000089-DB-000064

    Group
    Show

  • SRG-APP-000133-DB-000200

    Group
    Show

  • Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.

    If database objects like areas, schemas, and run units are not secured, they may be changed or deleted by unauthorized users.
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.

    The IDMS SYSGEN must be protected against unauthorized changes. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000378-DB-000365
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.

    IDMS provides commands that can change memory, the attributes of programs, or tasks and are meant for use by the appropriate administrators. These commands must be protected from use by the wrong p...
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • Databases must be secured to protect from structural changes.

    Database objects, like areas and run units, can be changed or deleted if not protected. Steps must be taken to secure these objects via the external security manager (ESM). Satisfies: SRG-APP-0001...
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).

    IDMS has tasks that are used to perform necessary maintenance, but in the wrong hands could damage the integrity of the DBMS. Tasks that can change database structure must be protected. Satisfies:...
    Rule Medium Severity
    Show

  • SRG-APP-000133-DB-000362

    Group
    Show

  • The online debugger which can change programs and storage in the CA IDMS address space must be secured.

    If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of ...
    Rule Medium Severity
    Show

  • CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.

    Even when using an external security manager (ESM), IDMS system and user profiles which reside in an IDMS user catalog may be assigned to users or groups. The ability to administer user and system ...
    Rule Medium Severity
    Show

  • SRG-APP-000141-DB-000090

    Group
    Show

  • The EMPDEMO databases, database objects, and applications must be removed.

    Demonstration and sample database objects and applications present publicly known attack points for malicious users. These demonstration and sample objects are meant to provide simple examples of c...
    Rule Low Severity
    Show

  • SRG-APP-000141-DB-000091

    Group
    Show

  • Default demonstration and sample databases, database objects, and applications must be removed.

    Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizatio...
    Rule Low Severity
    Show

  • SRG-APP-000141-DB-000092

    Group
    Show

  • IDMS components that cannot be uninstalled must be disabled.

    DBMSs must adhere to the principles of least functionality by providing only essential capabilities. At installation, all CA IDMS products are installed but can be disabled (i.e., forced to fail if...
    Rule Low Severity
    Show

  • SRG-APP-000142-DB-000094

    Group
    Show

  • IDMS nodes, lines, and pterms must be protected from unauthorized use.

    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable...
    Rule Medium Severity
    Show

  • SRG-APP-000148-DB-000103

    Group
    Show

  • SRG-APP-000164-DB-000401

    Group
    Show

  • DBMS authentication using passwords must be avoided.

    Passwords that are easy to guess open a vulnerability allowing an unauthorized user to potentially gain access to the DBMS. IDMS uses the External Security Manager (ESM) to enforce complexity and l...
    Rule Medium Severity
    Show

  • SRG-APP-000172-DB-000075

    Group
    Show

  • Passwords sent through ODBC/JDBC must be encrypted.

    Unencrypted passwords transmitted from ODBC and JDBC may be intercepted to prevent their being intercepted in a plain-text format.
    Rule Low Severity
    Show

  • SRG-APP-000180-DB-000115

    Group
    Show

  • The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

    Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status...
    Rule Medium Severity
    Show

  • SRG-APP-000225-DB-000153

    Group
    Show

  • IDMS executing in a local mode batch environment must be able to manually recover or restore database areas affected by failed transactions.

    Local mode update jobs can either use local mode journaling or perform a backup of the database prior to executing the local mode updates. Local mode journaling could be completed if the database ...
    Rule Low Severity
    Show

  • SRG-APP-000233-DB-000124

    Group
    Show

  • CA IDMS must limit use of IDMS server used in issuing dynamic statements from client applications circumstances determined by the organization.

    Server tasks can execute dynamic SQL code and should be protected.
    Rule Medium Severity
    Show

  • SRG-APP-000243-DB-000373

    Group
    Show

  • IDMS must prevent unauthorized and unintended information transfer via database buffers.

    The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf...
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000160

    Group
    Show

  • SRG-APP-000251-DB-000391

    Group
    Show

  • CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.

    The IDMS Common Facilities (BCF and OCF) can execute commands that can make updates to IDMS, and their use should be protected.
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000391

    Group
    Show

  • CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.

    Dynamic SQL statements are compiled at runtime and, if manipulated by an unauthorized user, can produce an innumerable array of undesired results. These statements should not be used casually.
    Rule Medium Severity
    Show

  • SRG-APP-000251-DB-000391

    Group
    Show

  • SRG-APP-000251-DB-000392

    Group
    Show

  • SRG-APP-000266-DB-000162

    Group
    Show

  • IDMS must suppress security-related messages so that no information is returned that can be exploited.

    Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be configured so that these messages are not issued to those users.
    Rule Medium Severity
    Show

  • SRG-APP-000266-DB-000162

    Group
    Show

  • Custom database code and associated application code must not contain information beyond what is needed for troubleshooting.

    Error codes issued by custom code could provide more information than needed for problem resolution and should be vetted to make sure this does not occur.
    Rule Medium Severity
    Show

  • SRG-APP-000267-DB-000163

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules