STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for ACF2 STIG Version: 6 Release: 6 Benchmark Date: 24 Apr 2020:

Sensitive CICS transactions are not protected in accordance with the proper security requirements.

DISA Rule

SV-7189r4_rule

Vulnerability Number

V-6894

Group Title

ZCICA024

Rule Version

ZCICA024

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

The Systems Programmer and IAO will ensure the ACF2/CICS parameter SAFELIST are coded with the values specified below.

Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

Ensure the following items are in effect for entries specified in the SAFELIST parameter:

1) Transactions are uniquely identified.
2) Transactions are not masked.
3) Sensitive transactions are not included.

NOTE: For information on transactions that are eligible for exemption from security checking refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.

Check Contents

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

c) Ensure the following items are in effect for entries specified in the SAFELIST parameter:

1) Transactions are uniquely identified.
2) Transactions are not masked.
3) Sensitive transactions are not included.

NOTE: For information on transactions that are eligible for exemption from security checking refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.
d) If the items in (c) are true for all entries specified in the SAFELIST parameter for each CICS region, there is no finding.

e) If any item in (c) is untrue for any entry specified in the SAFELIST parameter, this is a finding.

Vulnerability Number

V-6894

Documentable

False

Rule Version

ZCICA024

Severity Override Guidance

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

c) Ensure the following items are in effect for entries specified in the SAFELIST parameter:

1) Transactions are uniquely identified.
2) Transactions are not masked.
3) Sensitive transactions are not included.

NOTE: For information on transactions that are eligible for exemption from security checking refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.
d) If the items in (c) are true for all entries specified in the SAFELIST parameter for each CICS region, there is no finding.

e) If any item in (c) is untrue for any entry specified in the SAFELIST parameter, this is a finding.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

198

Comments