STIGQter STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS Configuration files for the TCP/IP stack must be properly specified.

DISA Rule

SV-224060r561402_rule

Vulnerability Number

V-224060

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

TSS0-TC-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the TCP/IP started task JCL to ensure the configuration file names are specified on the appropriate DD statements and parameter option.

During initialization the TCP/IP stack uses fixed search sequences to locate the PROFILE.TCPIP and TCPIP.DATA files. However, uncertainty is reduced and security auditing is enhanced by explicitly specifying the locations of the files. In the TCP/IP started task’s JCL, Data Definition (DD) statements can be used to specify the locations of the files. The PROFILE DD statement identifies the PROFILE.TCPIP file and the SYSTCPD DD statement identifies the TCPIP.DATA file.

The location of the TCPIP.DATA file can also be specified by coding the RESOLVER_CONFIG environment variable as a parameter of the ENVAR option in the TCP/IP started task’s JCL. In fact, the value of this variable is checked before the SYSTCPD DD statement by some processes. However, not all processes (e.g., TN3270 Telnet Server) will access the variable to get the file location. Therefore specifying the file location explicitly, both on a DD statement and through the RESOLVER_CONFIG environment variable, reduces ambiguity.

The systems programmer responsible for supporting ICS will ensure that the TCP/IP started task’s JCL specifies the PROFILE and SYSTCPD DD statements for the PROFILE.TCPIP and TCPIP.DATA configuration files and TCP/IP started task’s JCL includes the RESOLVER_CONFIG variable, set to the name of the file specified on the SYSTCPD DD statement.

Check Contents

Refer to the procedure libraries defined to JES2 and locate the TCPIP JCL member.

If the PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively this not a finding.

If the RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement this is not a finding.

Vulnerability Number

V-224060

Documentable

False

Rule Version

TSS0-TC-000050

Severity Override Guidance

Refer to the procedure libraries defined to JES2 and locate the TCPIP JCL member.

If the PROFILE and SYSTCPD DD statements specify the TCP/IP Profile and Data configuration files respectively this not a finding.

If the RESOLVER_CONFIG variable on the EXEC statement is set to the same file name specified on the SYSTCPD DD statement this is not a finding.

Check Content Reference

M

Target Key

4102

Comments