Skip to content

IBM z/OS ACF2 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • ACF2 REFRESH attribute must be restricted to security administrators' LOGON ID only.

    <VulnDiscussion>Users with the refresh attribute have the ability to effect changes to ESM global system options. Unauthorized use could resu...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records.

    &lt;VulnDiscussion&gt;Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.

    &lt;VulnDiscussion&gt;Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.

    &lt;VulnDiscussion&gt;Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required.

    &lt;VulnDiscussion&gt;Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...
    Rule Medium Severity
  • IBM z/OS Started Tasks must be properly identified and defined to ACF2.

    &lt;VulnDiscussion&gt;Started procedures have system generated job statements that do not contain the user, group, or password statements. To enabl...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules