STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for ACF2 STIG, Version: 6, Release: 6, Benchmark Date: 24 Apr 2020

IBM CICS Transaction Server SPI command resources must be properly defined and protected.

DISA Rule

SV-43206r4_rule

Vulnerability Number

V-17982

Group Title

ZB000021

Rule Version

ZCICA021

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that access to the IBM CICS Transaction Server SPI command resources defined in the IBM CICS-RACF Security Guide is in accordance with the access outlined in the site security plan. Use the CICS SPI Resources table in the z/OS STIG Addendum as a guide.

These tables list the resources and access requirements for IBM CICS Transaction Server; ensure the following guidelines are followed:

The ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of PREVENT.

The ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.

The following commands are provided as a sample for implementing resource controls:

$KEY(ASSOCIATION) TYPE(XCD)
- UID(CICSAUDT) SERVICE(READ) ALLOW
- UID(CICUAUDT) SERVICE(READ) ALLOW
- UID(SYSCAUDT) SERVICE(READ) ALLOW
- UID(*) PREVENT

Check Contents

Refer to the following report produced by the ACF2 Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(XCMD)
- ACF2CMDS.RPT(RESOURCE) – Alternate report

Automated Analysis:
Refer to the following report produced by the ACF2 Data Collection Checklist:
- PDI (ZCIC0021)

Ensure that all IBM CICS Transaction Server SPI command resources defined in the IBM CICS-RACF Security Guide are properly protected according to the requirements specified in the site security plan. Use the CICS SPI Resources table in the z/OS STIG Addendum as a guide. If the following guidance is true, this is not a finding.

The ACF2 resources and/or generic equivalent as designated in the above table are defined with a default access of PREVENT.

The ACF2 resource access authorizations restrict access to the appropriate personnel as designated in the above table.
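
The two conditions above can be tested mechanically against rule-set text. The following Python script is an added example, not part of the STIG or of any DISA tooling; it assumes rule sets written in the form of the sample under Fix Recommendation, and the EXAMPLE1 key, APPLUSER UID and AUTHORIZED table are constructed stand-ins for site data.

```python
import re

# Constructed input in the rule-set form of the sample above. EXAMPLE1 and
# APPLUSER are made-up names; that rule set is deliberately non-compliant.
SAMPLE = """\
$KEY(ASSOCIATION) TYPE(XCD)
 - UID(CICSAUDT) SERVICE(READ) ALLOW
 - UID(*) PREVENT
$KEY(EXAMPLE1) TYPE(XCD)
 - UID(CICSAUDT) SERVICE(READ) ALLOW
 - UID(APPLUSER) SERVICE(READ,UPDATE) ALLOW
"""

# Assumption: stands in for the site's table of authorized UIDs and services.
AUTHORIZED = {"ASSOCIATION": {"CICSAUDT": {"READ"}},
              "EXAMPLE1": {"CICSAUDT": {"READ"}}}

KEY_RE = re.compile(r"^\$KEY\(([^)]+)\)", re.I)
ENTRY_RE = re.compile(
    r"^-?\s*UID\(([^)]+)\)(?:\s+SERVICE\(([^)]*)\))?\s+(ALLOW|PREVENT)\b", re.I)


def parse_rule_sets(text):
    """Return {key: [(uid, services, action), ...]} for each $KEY rule set."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = rules.setdefault(m.group(1).upper(), [])
        elif current is not None and (m := ENTRY_RE.match(line)):
            services = {s.strip().upper()
                        for s in (m.group(2) or "").split(",") if s.strip()}
            current.append((m.group(1).upper(), services, m.group(3).upper()))
    return rules


def findings(text, authorized):
    """List deviations from the two conditions stated in the check text."""
    out = []
    for key, entries in parse_rule_sets(text).items():
        if not any(u == "*" and a == "PREVENT" for u, _, a in entries):
            out.append(f"{key}: no default UID(*) PREVENT entry")
        for uid, services, action in entries:
            allowed = authorized.get(key, {}).get(uid)
            # An ALLOW with no SERVICE list is reported for manual review.
            if action == "ALLOW" and (
                    allowed is None or not services or services - allowed):
                out.append(f"{key}: UID({uid}) ALLOW is outside the site table")
    return out
```

An empty list from `findings(SAMPLE, AUTHORIZED)` corresponds to "not a finding"; with the constructed input it reports both problems in EXAMPLE1.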

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

2018

Comments