IBM z/OS ACF2 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Group: SRG-OS-000063-GPOS-00032
Rule (High severity): IBM z/OS SYS1.PARMLIB must be properly protected.
Vulnerability discussion: To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-ap...

Group: SRG-OS-000364-GPOS-00151
Rule (High severity): CA-ACF2 must be installed, functional, and properly configured.
Vulnerability discussion: Failure to provide logical access restrictions associated with changes to system configuration may have significant effects o...

Group: SRG-OS-000080-GPOS-00048
Rule (Medium severity): CA-ACF2 must limit Write and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
Vulnerability discussion: To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...

Group: SRG-OS-000080-GPOS-00048
Rule (Low severity): CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
Vulnerability discussion: If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users.
Vulnerability discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A cru...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.
Vulnerability discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A cru...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
Vulnerability discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A cru...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): IBM z/OS LOGONIDs with the ACCTPRIV attribute must be restricted to the ISSO.
Vulnerability discussion: The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A cru...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): CA-ACF2 RULEOPTS GSO record values must be set to the values specified.
Vulnerability discussion: Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...

Rule (Medium severity): The ACF2 REFRESH attribute must be restricted to security administrators' LOGONIDs only.
Vulnerability discussion: Users with the REFRESH attribute have the ability to effect changes to ESM global system options. Unauthorized use could resu...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and that submit jobs on behalf of their users must have the JOBFROM attribute as required.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...

Rule (Medium severity): IBM z/OS Started Tasks must be properly identified and defined to ACF2.
Vulnerability discussion: Started procedures have system-generated job statements that do not contain the user, group, or password statements. To enabl...

Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): ACF2 emergency LOGONIDs with the REFRESH attribute must have the SUSPEND attribute specified.
Vulnerability discussion: Activity under unusual conditions can indicate hostile activity. For example, what is normal activity during business hours c...
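The LOGONID privilege rules above (READALL limited to auditors, SECURITY requiring RULEVLD and RSRCVLD, ACCTPRIV limited to the ISSO, REFRESH limited to security administrators, NON-CNCL only where specifically approved, and emergency REFRESH LOGONIDs carrying SUSPEND) are attribute-combination checks, so they can be audited mechanically once the LOGONID records have been pulled. The script below is an added example, not part of the STIG or of CA-ACF2; it takes a hypothetical dictionary of LOGONID to attribute keywords (in practice filled from an ACF `LIST` report, whose parsing is not shown) and the authorized-holder lists, which are assumptions, and reports each violation. The sample records are constructed.

```python
"""Audit ACF2 LOGONID privilege attributes against the STIG rules above.

Added example, not STIG or CA-ACF2 code. Input: LOGONID -> set of
attribute keywords (hypothetical; a real run would parse an ACF LIST
report into this shape) plus the lists of LOGONIDs authorized to hold
each privilege (also hypothetical).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Roles:
    """Authorized holders of each privilege (site-supplied, assumed here)."""
    auditors: Set[str] = field(default_factory=set)
    isso: Set[str] = field(default_factory=set)
    security_admins: Set[str] = field(default_factory=set)
    approved_noncncl: Set[str] = field(default_factory=set)
    emergency: Set[str] = field(default_factory=set)


def audit_logonids(lids: Dict[str, Set[str]], roles: Roles) -> List[str]:
    """Return one finding per rule violation, prefixed with the LOGONID."""
    findings: List[str] = []
    for lid, attrs in sorted(lids.items()):
        # READALL grants read to every data set; only auditors/authorized users.
        if "READALL" in attrs and lid not in roles.auditors:
            findings.append(f"{lid}: READALL held by a non-auditor")
        # A SECURITY LOGONID is exempt from rule and resource validation
        # unless RULEVLD and RSRCVLD force that validation to occur.
        if "SECURITY" in attrs:
            missing = {"RULEVLD", "RSRCVLD"} - attrs
            if missing:
                findings.append(
                    f"{lid}: SECURITY without {' '.join(sorted(missing))}")
        if "ACCTPRIV" in attrs and lid not in roles.isso:
            findings.append(f"{lid}: ACCTPRIV held by a non-ISSO LOGONID")
        if "REFRESH" in attrs:
            if lid in roles.emergency:
                # Emergency IDs may keep REFRESH only while SUSPEND is set.
                if "SUSPEND" not in attrs:
                    findings.append(
                        f"{lid}: emergency LOGONID with REFRESH but no SUSPEND")
            elif lid not in roles.security_admins:
                findings.append(
                    f"{lid}: REFRESH held by a non-security-administrator")
        if "NON-CNCL" in attrs and lid not in roles.approved_noncncl:
            findings.append(f"{lid}: NON-CNCL not on the approved list")
    return findings


# Constructed sample records; not taken from any real system.
SAMPLE_LIDS: Dict[str, Set[str]] = {
    "AUDIT01": {"AUDIT", "READALL"},
    "SECADM1": {"SECURITY", "RULEVLD", "RSRCVLD", "REFRESH"},
    "SECADM2": {"SECURITY", "REFRESH"},               # no RULEVLD/RSRCVLD
    "OPER01":  {"READALL"},                            # READALL outside audit
    "EMERG01": {"SECURITY", "RULEVLD", "RSRCVLD", "REFRESH", "SUSPEND"},
    "EMERG02": {"SECURITY", "RULEVLD", "RSRCVLD", "REFRESH"},  # not suspended
    "STCTASK": {"NON-CNCL", "STC"},
    "BACKUP1": {"NON-CNCL", "STC"},                    # NON-CNCL not approved
    "ACCT01":  {"ACCTPRIV"},
}
SAMPLE_ROLES = Roles(
    auditors={"AUDIT01"},
    isso={"ISSO01"},
    security_admins={"SECADM1", "SECADM2"},
    approved_noncncl={"STCTASK"},
    emergency={"EMERG01", "EMERG02"},
)

if __name__ == "__main__":
    for finding in audit_logonids(SAMPLE_LIDS, SAMPLE_ROLES):
        print(finding)
```

The checks are deliberately independent so that a LOGONID carrying several privileges produces one finding per broken rule; the output for the sample flags SECADM2, OPER01, EMERG02, BACKUP1 and ACCT01 and passes the rest.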
Group: SRG-OS-000480-GPOS-00227
Rule (Medium severity): The ACF2 BACKUP GSO record must be defined with a TIME value greater than 00 unless the database is shared and backed up on another system.
Vulnerability discussion: Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...

Group: SRG-OS-000480-GPOS-00227
Rule (Low severity): The ACF2 APPLDEF GSO record, if used, must have supporting documentation indicating the reason it was used.
Vulnerability discussion: Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It al...

Group: SRG-OS-000368-GPOS-00154
Rule (Medium severity): The ACF2 MAINT GSO record value, if specified, must be restricted to the production storage management user.
Vulnerability discussion: Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may pr...

Group: SRG-OS-000368-GPOS-00154
Rule (Medium severity): The ACF2 LINKLST GSO record, if specified, must contain only trusted system data sets.
Vulnerability discussion: Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may pr...

Group: SRG-OS-000096-GPOS-00050
Rule (Medium severity): IBM z/OS must properly protect MCS console userid(s).
Vulnerability discussion: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....

Group: SRG-OS-000096-GPOS-00050
Rule (Medium severity): The ACF2 BLPPGM GSO record must not be defined.
Vulnerability discussion: In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....

Group: SRG-OS-000104-GPOS-00051
Rule (High severity): IBM z/OS UID(0) must be properly assigned.
Vulnerability discussion: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...

Group: SRG-OS-000104-GPOS-00051
Rule (Medium severity): The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
Vulnerability discussion: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...

Group: SRG-OS-000104-GPOS-00051
Rule (Medium severity): The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
Vulnerability discussion: To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...