CA IDMS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000080-DB-000063
<GroupDescription></GroupDescription>Group -
IDMS must protect against the use of numbered exits that change the userid to a shared id.
<VulnDiscussion>Non-repudiation of actions taken is required to maintain data integrity. Examples of particular actions taken by individuals ...Rule Low Severity -
SRG-APP-000080-DB-000063
<GroupDescription></GroupDescription>Group -
IDMS must protect against the use of web-based applications that use generic IDs.
<VulnDiscussion>Web-based applications that allow a generic ID can be a door into IDMS allowing unauthorized changes whose authors may not be...Rule Low Severity -
SRG-APP-000080-DB-000063
<GroupDescription></GroupDescription>Group -
IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.
<VulnDiscussion>IDMS web services provide a way for web-based applications to access an IDMS database. If not secured, the Web services inter...Rule Low Severity -
SRG-APP-000089-DB-000064
<GroupDescription></GroupDescription>Group -
IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.
<VulnDiscussion>Audit records provide a tool to help research events within IDMS. IDMS does not produce audit records, but when using externa...Rule High Severity -
SRG-APP-000089-DB-000064
<GroupDescription></GroupDescription>Group -
IDMS must use the ESM to generate auditable records for commands and utilities when DoD-defined auditable events occur.
<VulnDiscussion>Audit records provide a tool to help research events within IDMS. IDMS itself does not produce audit records but, when extern...Rule High Severity -
SRG-APP-000133-DB-000200
<GroupDescription></GroupDescription>Group -
Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.
<VulnDiscussion>If database objects like areas, schemas, and run units are not secured, they may be changed or deleted by unauthorized users....Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
<VulnDiscussion>The IDMS SYSGEN must be protected against unauthorized changes. Satisfies: SRG-APP-000133-DB-000362, SRG-APP-000378-DB-00036...Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
<VulnDiscussion>IDMS provides commands that can change memory, the attributes of programs, or tasks and are meant for use by the appropriate ...Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
Databases must be secured to protect from structural changes.
<VulnDiscussion>Database objects, like areas and run units, can be changed or deleted if not protected. Steps must be taken to secure these o...Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
<VulnDiscussion>IDMS has tasks that are used to perform necessary maintenance, but in the wrong hands could damage the integrity of the DBMS....Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
The online debugger which can change programs and storage in the CA IDMS address space must be secured.
<VulnDiscussion>If the DBMS were to allow any user to make changes to database structure or logic, then those changes might be implemented wi...Rule Medium Severity -
SRG-APP-000133-DB-000362
<GroupDescription></GroupDescription>Group -
CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.
<VulnDiscussion>Even when using an external security manager (ESM), IDMS system and user profiles which reside in an IDMS user catalog may be...Rule Medium Severity -
SRG-APP-000141-DB-000090
<GroupDescription></GroupDescription>Group -
The EMPDEMO databases, database objects, and applications must be removed.
<VulnDiscussion>Demonstration and sample database objects and applications present publicly known attack points for malicious users. These de...Rule Low Severity -
SRG-APP-000141-DB-000091
<GroupDescription></GroupDescription>Group -
Default demonstration and sample databases, database objects, and applications must be removed.
<VulnDiscussion>Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, pr...Rule Low Severity -
SRG-APP-000141-DB-000092
<GroupDescription></GroupDescription>Group -
IDMS components that cannot be uninstalled must be disabled.
<VulnDiscussion>DBMSs must adhere to the principles of least functionality by providing only essential capabilities. At installation, all CA ...Rule Low Severity -
SRG-APP-000142-DB-000094
<GroupDescription></GroupDescription>Group -
IDMS nodes, lines, and pterms must be protected from unauthorized use.
<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....Rule Medium Severity -
SRG-APP-000148-DB-000103
<GroupDescription></GroupDescription>Group -
The IDMS environment must require sign-on for users and restrict them to only authorized functions.
<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...Rule Medium Severity -
SRG-APP-000164-DB-000401
<GroupDescription></GroupDescription>Group -
DBMS authentication using passwords must be avoided.
<VulnDiscussion>Passwords that are easy to guess open a vulnerability allowing an unauthorized user to potentially gain access to the DBMS. I...Rule Medium Severity -
SRG-APP-000172-DB-000075
<GroupDescription></GroupDescription>Group -
Passwords sent through ODBC/JDBC must be encrypted.
<VulnDiscussion>Unencrypted passwords transmitted from ODBC and JDBC may be intercepted to prevent their being intercepted in a plain-text fo...Rule Low Severity -
SRG-APP-000180-DB-000115
<GroupDescription></GroupDescription>Group -
The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
<VulnDiscussion>Non-organizational users include all information system users other than organizational users, which include organizational e...Rule Medium Severity -
SRG-APP-000225-DB-000153
<GroupDescription></GroupDescription>Group -
IDMS executing in a local mode batch environment must be able to manually recover or restore database areas affected by failed transactions.
<VulnDiscussion>Local mode update jobs can either use local mode journaling or perform a backup of the database prior to executing the local ...Rule Low Severity -
SRG-APP-000233-DB-000124
<GroupDescription></GroupDescription>Group -
CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.
<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform...Rule Medium Severity -
SRG-APP-000243-DB-000373
<GroupDescription></GroupDescription>Group -
IDMS must prevent unauthorized and unintended information transfer via database buffers.
<VulnDiscussion>The purpose of this control is to prevent information, including encrypted representations of information, produced by the ac...Rule Medium Severity -
SRG-APP-000251-DB-000160
<GroupDescription></GroupDescription>Group -
IDMS must check the validity of all data input unless the organization says otherwise.
<VulnDiscussion>Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application ...Rule Medium Severity -
SRG-APP-000251-DB-000391
<GroupDescription></GroupDescription>Group -
CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.
<VulnDiscussion>The IDMS Common Facilities (BCF and OCF) can execute commands that can make updates to IDMS, and their use should be protecte...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.