Skip to content

I - Mission Critical Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000104-GPOS-00051

    <GroupDescription></GroupDescription>
    Group
  • Certificate Name Filtering must be implemented with appropriate authorization and documentation.

    &lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to pre...
    Rule Medium Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • Expired digital certificates must not be used.

    &lt;VulnDiscussion&gt;The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided...
    Rule Medium Severity
  • SRG-OS-000066-GPOS-00034

    <GroupDescription></GroupDescription>
    Group
  • All digital certificates in use must have a valid path to a trusted Certification authority.

    &lt;VulnDiscussion&gt;The origin of a certificate, the Certificate Authority (i.e., CA), is crucial in determining if the certificate should be tru...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.

    &lt;VulnDiscussion&gt;This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate m...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.

    &lt;VulnDiscussion&gt;Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in...
    Rule Low Severity
  • SRG-OS-000123-GPOS-00064

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF emergency USERIDs must be properly defined.

    &lt;VulnDiscussion&gt;Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid acc...
    Rule Medium Severity
  • SRG-OS-000004-GPOS-00004

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF SETROPTS LOGOPTIONS must be properly configured.

    &lt;VulnDiscussion&gt;Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing ...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS system commands must be properly protected.

    &lt;VulnDiscussion&gt;z/OS system commands provide a method of controlling the operating environment. Failure to properly control access to z/OS sy...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.

    &lt;VulnDiscussion&gt;MCS consoles can be used to issue operator commands. Failure to properly control access to MCS consoles could result in unaut...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • The IBM RACF FACILITY resource class must be active.

    &lt;VulnDiscussion&gt;IBM Provides the FACILITY Class for use in protecting a variety of features/functions/products both IBM and third-party. The ...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • The IBM RACF OPERCMDS resource class must be active.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • The IBM RACF MCS consoles resource class must be active.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF started tasks defined with the trusted attribute must be justified.

    &lt;VulnDiscussion&gt;Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks whic...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF DASD volume-level protection must be properly defined.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM Sensitive Utility Controls must be properly defined and protected.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF Global Access Checking must be restricted to appropriate classes and resources.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF access to the System Master Catalog must be properly protected.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM z/OS must protect dynamic lists in accordance with proper security requirements.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule High Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF allocate access to system user catalogs must be properly protected.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity
  • SRG-OS-000080-GPOS-00048

    <GroupDescription></GroupDescription>
    Group
  • IBM RACF must limit access to SYS(x).TRACE to system programmers only.

    &lt;VulnDiscussion&gt;To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-ap...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules