IBM z/OS RACF Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.
<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...Rule Medium Severity -
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
IBM RACF user accounts must uniquely identify system users.
<VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and...Rule Medium Severity -
SRG-OS-000118-GPOS-00060
<GroupDescription></GroupDescription>Group -
The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potenti...Rule Medium Severity -
SRG-OS-000069-GPOS-00037
<GroupDescription></GroupDescription>Group -
IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set.
<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is comprom...Rule Medium Severity -
SRG-OS-000070-GPOS-00038
<GroupDescription></GroupDescription>Group -
IBM RACF exit ICHPWX01 must be installed and properly configured.
<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, ...Rule Medium Severity -
SRG-OS-000075-GPOS-00043
<GroupDescription></GroupDescription>Group -
The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.
<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enfo...Rule Medium Severity -
SRG-OS-000076-GPOS-00044
<GroupDescription></GroupDescription>Group -
IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.
<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the ...Rule Medium Severity -
The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to five or more.
<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute...Rule Medium Severity -
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
<VulnDiscussion>Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the pass...Rule High Severity -
SRG-OS-000138-GPOS-00069
<GroupDescription></GroupDescription>Group -
The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of infor...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM RACF DASD Management USERIDs must be properly controlled.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
<GroupDescription></GroupDescription>Group -
IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
<VulnDiscussion>The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transactio...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
<VulnDiscussion>MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properl...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and se...Rule Medium Severity -
SRG-OS-000228-GPOS-00088
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement.
<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system en...Rule Medium Severity -
SRG-OS-000480-GPOS-00227
<GroupDescription></GroupDescription>Group -
IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
<VulnDiscussion>This requirement is intended to cover both traditional interactive logons to information systems and general accesses to info...Rule Medium Severity -
SRG-OS-000368-GPOS-00154
<GroupDescription></GroupDescription>Group -
The IBM z/OS TFTP server program must be properly protected.
<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may pr...Rule Medium Severity -
SRG-OS-000096-GPOS-00050
<GroupDescription></GroupDescription>Group -
IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....Rule Medium Severity -
SRG-OS-000104-GPOS-00051
<GroupDescription></GroupDescription>Group -
The IBM z/OS FTP server daemon must be defined with proper security parameters.
<VulnDiscussion>The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure t...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.
<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take c...Rule Medium Severity -
SRG-OS-000163-GPOS-00072
<GroupDescription></GroupDescription>Group -
IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.
<VulnDiscussion>To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.
<VulnDiscussion>Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforceme...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS JES2 input sources must be properly controlled.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity -
SRG-OS-000080-GPOS-00048
<GroupDescription></GroupDescription>Group -
IBM z/OS JES2 output devices must be properly controlled for classified systems.
<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.