CA IDMS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule (Medium Severity): Custom database code and associated application code must reveal detailed error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
Vulnerability discussion: Detailed error messages issued by custom or user-written code can possibly give too much detail to the users. This code shoul...

Group: SRG-APP-000295-DB-000305

Rule (Medium Severity): All installation-delivered IDMS DC-Administrator-level programs must be properly secured.
Vulnerability discussion: DC Administrator-level programs that are not secured may allow unauthorized users to use them to access and manipulate variou...

Group: SRG-APP-000080-DB-000063

Rule (Low Severity): IDMS must protect against the use of default userids.
Vulnerability discussion: Default sign-ons can be used by individuals to perform adverse actions anonymously.

Group: SRG-APP-000080-DB-000063

Rule (Medium Severity): CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
Vulnerability discussion: When the use of dynamic SQL is necessary, the code should be written so that the invalid data can be found and the appropriat...

Group: SRG-APP-000266-DB-000162

Rule (Medium Severity): IDMS must suppress security-related messages so that no information is returned that can be exploited.
Vulnerability discussion: Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be config...

Group: SRG-APP-000266-DB-000162

Rule (Medium Severity): Custom database code and associated application code must not contain information beyond what is needed for troubleshooting.
Vulnerability discussion: Error codes issued by custom code could provide more information than needed for problem resolution and should be vetted to m...

Group: SRG-APP-000267-DB-000163

Rule (Medium Severity): IDMS must reveal security-related messages only to authorized users.
Vulnerability discussion: Error messages issued to non-privileged users may have contents that should be considered confidential. IDMS should be config...

Group: SRG-APP-000267-DB-000163

Rule (Medium Severity): CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.
Vulnerability discussion: The ability to add programs to be executed under IDMS can be a problem if malicious programs are added. CA IDMS must prevent ...

Group: SRG-APP-000383-DB-000364

Rule (Medium Severity): IDMS terminals and lines that are not secure must be disabled.
Vulnerability discussion: Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.

Group: SRG-APP-000431-DB-000388

Rule (Medium Severity): All installation-delivered IDMS Developer-level programs must be properly secured.
Vulnerability discussion: Developer-level programs that are not secured may allow unauthorized users to access and manipulate various resources within ...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.
Vulnerability discussion: Unauthorized access to user profiles, dictionaries, and user catalogs provides the ability to damage the IDMS system.

Group: SRG-APP-000342-DB-000302

Rule (Medium Severity): IDMS must restrict the use of code that provides elevated privileges to specific instances.
Vulnerability discussion: When a user has elevated privileges, they may be able to deliberately or inadvertently make alterations to the DBMS structure...

Group: SRG-APP-000380-DB-000360

Rule (Medium Severity): All installation-delivered IDMS DEVELOPER-level tasks must be properly secured.
Vulnerability discussion: Developer-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): All installation-delivered IDMS DBADMIN-level tasks must be properly secured.
Vulnerability discussion: DBA-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various resou...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): All installation-delivered IDMS Database-Administrator-level programs must be properly secured.
Vulnerability discussion: DBA-level programs that are not secured may allow unauthorized users to use them to access and manipulate various resources w...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): All installation-delivered IDMS DCADMIN-level tasks must be properly secured.
Vulnerability discussion: If DC Administrator-level tasks are not secured, any user logged on to IDMS may use them to access and manipulate various res...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): All installation-delivered IDMS User-level programs must be properly secured.
Vulnerability discussion: If user-level programs are not secured, then unauthorized users may use them to access and manipulate various resources withi...

Group: SRG-APP-000033-DB-000084

Rule (Medium Severity): CA IDMS must limit use of the IDMS server used in issuing dynamic statements from client applications to circumstances determined by the organization.
Vulnerability discussion: Server tasks can execute dynamic SQL code and should be protected.

Group: SRG-APP-000251-DB-000392

Group: SRG-APP-000033-DB-000084

Group: SRG-APP-000296-DB-000306

Group: SRG-APP-000340-DB-000304

Rule (Medium Severity): All installation-delivered IDMS USER-level tasks must be properly secured.
Vulnerability discussion: User-level tasks that are not secured may allow anyone who signs on to IDMS to use them to access and manipulate various reso...

Group: SRG-APP-000033-DB-000084

Group: SRG-APP-000001-DB-000031

Rule (Medium Severity): For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.
Vulnerability discussion: Multiple interactive sessions can provide a way to cause a DoS attack against IDMS if a user ID and password were compromised...

Group: SRG-APP-000023-DB-000001

Rule (Medium Severity): IDMS must support the implementation of an external security manager (ESM) to handle account management, user accesses, etc.
Vulnerability discussion: Internal security in a DBMS can be complex to implement and maintain with the increased possibility of no access or the wrong...

Group: SRG-APP-000033-DB-000084

Rule (High Severity): IDMS must allow only authorized users to sign on to an IDMS CV.
Vulnerability discussion: Unauthorized users signing on to IDMS can pose varying amounts of risk depending upon the security of the IDMS resources in a...

Group: SRG-APP-000033-DB-000084

Rule (High Severity): IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.
Vulnerability discussion: Unless the DBMS is secured properly, there are innumerable ways that a system and its data can be compromised. The IDMS SRTT ...

Rule (Low Severity): IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.
Vulnerability discussion: Non-repudiation of actions taken is required in order to maintain data integrity. Examples of particular actions taken by ind...