STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.

DISA Rule

SV-223419r533198_rule

Vulnerability Number

V-223419

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

ACF2-CE-000010

Severity

CAT II

CCI(s)

CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

Fix Recommendation

Define any Certificate Name Filtering rules when required with documentation and approval by the ISSM.

Check Contents

If Certificate Name Filtering is in use, collect documentation describing each active filter rule and written approval from the ISSM to use the rule.

Issue the following ACF2 commands to list the certificate name filters defined to ACF2:
SET CONTROL(GSO)
SHOW CERTMAP

If no CERTMAP FILTERING TABLES are present, this not a finding.

NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status.

If CERTMAP FILTERING TABLES are present and certificate name filters have a Status of TRUST, certificate name filtering is in use.

If Certificate Name Filtering is in use and filtering rules have been documented and approved by the ISSM, this is not a finding.

If Certificate Name Filtering is in use and filtering rules have not been documented and approved by the ISSM, this is a finding.

IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments