STIGQter STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for ACF2 STIG Version: 6 Release: 6 Benchmark Date: 24 Apr 2020:

CICS logonid(s) must be configured with proper timeout and signon limits.

DISA Rule

SV-7524r4_rule

Vulnerability Number

V-7120

Group Title

ZCIC0042

Rule Version

ZCIC0042

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.
Ensure that all LIDs authorized to access a CICS facility restrict MULTSIGN to test and development use.

Examples:
SET LID
LIST CICS
CHANGE CICS IDLE(15)

Check Contents

a) Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(LOGONIDS)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Note: Any logonid that does not have an IDLE value specified will obtain its IDLE value from the default value set in ZCIC0041. Any logonid that specifies an IDLE value must meet the requirements specified below.

b) For all logonids with the CICS attribute that have IDLE(15) specified this is not a finding.

NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, this is not a finding.

If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
The ISSM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:

The time-out exception cannot exceed 60 minutes.
A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). The requirement must be revalidated on an annual basis.


c) If the MULTSIGN option in the logonid record field is restricted to test or development use, this is not a finding.

Vulnerability Number

V-7120

Documentable

True

Rule Version

ZCIC0042

Severity Override Guidance

a) Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(LOGONIDS)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

Note: Any logonid that does not have an IDLE value specified will obtain its IDLE value from the default value set in ZCIC0041. Any logonid that specifies an IDLE value must meet the requirements specified below.

b) For all logonids with the CICS attribute that have IDLE(15) specified this is not a finding.

NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, this is not a finding.

If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
A system's default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the ISSM. The ISSM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
The ISSM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:

The time-out exception cannot exceed 60 minutes.
A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.). The requirement must be revalidated on an annual basis.


c) If the MULTSIGN option in the logonid record field is restricted to test or development use, this is not a finding.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

198

Comments