STIGQter: STIG Summary:

IBM z/OS ACF2 Security Technical Implementation Guide

Version: 8

Release: 2

Benchmark Date: 23 Apr 2021

| Name | Title |
| --- | --- |
| SV-223419r533198_rule | IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation. |
| SV-223420r533198_rule | IBM z/OS must not use Expired Digital Certificates. |
| SV-223421r533198_rule | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority. |
| SV-223422r533198_rule | CA-ACF2 OPTS GSO record must be set to ABORT mode. |
| SV-223423r533198_rule | The number of ACF2 users granted the special privilege PPGM must be justified. |
| SV-223424r533198_rule | The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum. |
| SV-223425r533198_rule | The number of ACF2 users granted the special privilege CONSOLE must be justified. |
| SV-223426r533198_rule | The number of ACF2 users granted the special privilege ALLCMDS must be justified. |
| SV-223427r533198_rule | IBM z/OS system commands must be properly protected. |
| SV-223428r533198_rule | IBM z/OS Sensitive Utility Controls must be properly defined and protected. |
| SV-223429r533198_rule | CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS). |
| SV-223430r533198_rule | CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements. |
| SV-223431r533198_rule | CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. |
| SV-223432r533198_rule | CA-ACF2 must limit update and allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. |
| SV-223433r533198_rule | CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users. |
| SV-223434r533198_rule | CA-ACF2 must limit access to SYS(x).TRACE to system programmers only. |
| SV-223435r560937_rule | CA-ACF2 allocate access to system user catalogs must be properly protected. |
| SV-223436r533198_rule | ACF2 Classes required to properly security the z/OS UNIX environment must be ACTIVE. |
| SV-223437r533198_rule | Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified. |
| SV-223438r533198_rule | CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. |
| SV-223439r533198_rule | IBM z/OS must protect dynamic lists in accordance with proper security requirements. |
| SV-223440r533198_rule | IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected. |
| SV-223441r533198_rule | CA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel. |
| SV-223442r533198_rule | CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users. |
| SV-223443r560998_rule | CA-ACF2 access to the System Master Catalog must be properly protected. |
| SV-223444r533198_rule | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. |
| SV-223445r533198_rule | CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only. |
| SV-223446r533198_rule | CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only. |
| SV-223447r533198_rule | CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers. |
| SV-223448r533198_rule | CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only. |
| SV-223449r533198_rule | CA-ACF2 must limit Update and Allocate access to all APF-authorized libraries to system programmers only. |
| SV-223450r533198_rule | CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only. |
| SV-223451r533198_rule | CA-ACF2 must limit Update and Allocate access to LINKLIST libraries to system programmers only. |
| SV-223452r533198_rule | CA-ACF2 must limit update and allocate access to all system-level product installation libraries to system programmers only. |
| SV-223453r533198_rule | CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only. |
| SV-223454r533198_rule | CA-ACF2 Access to SYS1.LINKLIB must be properly protected. |
| SV-223455r533198_rule | CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. |
| SV-223456r533198_rule | CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use. |
| SV-223457r533198_rule | IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. |
| SV-223458r533198_rule | CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups. |
| SV-223459r533198_rule | ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users. |
| SV-223462r533198_rule | The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set. |
| SV-223463r533198_rule | IBM z/OS SYS1.PARMLIB must be properly protected. |
| SV-223464r533198_rule | CA-ACF2 must be installed, functional, and properly configured. |
| SV-223465r533198_rule | CA-ACF2 must limit update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. |
| SV-223466r533198_rule | CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only. |
| SV-223467r533198_rule | The EXITS GSO record value must specify the module names of site written ACF2 exit routines. |
| SV-223468r533198_rule | The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization. |
| SV-223469r533198_rule | IBM z/OS TSO GSO record values must be set to the values specified. |
| SV-223470r533198_rule | IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users. |
| SV-223471r533198_rule | IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute. |
| SV-223472r533198_rule | IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped. |
| SV-223473r533198_rule | IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO. |
| SV-223474r533198_rule | IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs. |
| SV-223475r695416_rule | CA-ACF2 RULEOPTS GSO record values must be set to the values specified. |
| SV-223476r695413_rule | The CA-ACF2 GSO OPTS record value must be properly specified. |
| SV-223477r533198_rule | CA-ACF2 must prevent the use of dictionary words for passwords. |
| SV-223478r533198_rule | CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets. |
| SV-223479r533198_rule | CA-ACF2 database must be backed up on a scheduled basis. |
| SV-223480r533198_rule | ACF2 REFRESH attribute must be restricted to security administrators only. |
| SV-223481r695419_rule | ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records. |
| SV-223482r533198_rule | ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved. |
| SV-223483r533198_rule | ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped. |
| SV-223484r533198_rule | ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required. |
| SV-223485r533198_rule | ACF2 LOGONIDs assigned for started tasks must have the STC attribute specified in the associated LOGONID record. |
| SV-223486r533198_rule | ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified. |
| SV-223487r533198_rule | ACF2 BACKUP GSO record must be defined with a TIME value specifies greater than 00 unless the database is shared and backed up on another system. |
| SV-223488r533198_rule | ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used. |
| SV-223489r533198_rule | ACF2 MAINT GSO record value if specified must be restricted to production storage management user. |
| SV-223490r533198_rule | ACF2 LINKLST GSO record if specified must only contains trusted system data sets. |
| SV-223491r533198_rule | IBM z/OS must properly protect MCS console userid(s). |
| SV-223492r533198_rule | ACF2 BLPPGM GSO record must not be defined. |
| SV-223493r695420_rule | IBM z/OS UID(0) must be properly assigned. |
| SV-223494r533198_rule | IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. |
| SV-223495r533198_rule | IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. |
| SV-223496r533198_rule | ACF2 LOGONIDs must be defined with the required fields completed. |
| SV-223497r533198_rule | CA-ACF2 defined user accounts must uniquely identify system users. |
| SV-223498r533198_rule | CA-ACF2 userids found inactive for more than 35 days must be suspended. |
| SV-223499r695422_rule | CA-ACF2 PWPHRASE GSO record must be properly defined. |
| SV-223500r695424_rule | CA-ACF2 must enforce password complexity by requiring that at least one special character be used. |
| SV-223501r695426_rule | ACF2 PSWD GSO record value must be set to require at least one upper-case character be used. |
| SV-223502r695429_rule | ACF2 PSWD GSO record value must be set to require at least one numeric character be used. |
| SV-223503r695431_rule | ACF2 PSWD GSO record value must be set to require at least one lower-case character be used. |
| SV-223504r695433_rule | ACF2 PSWD GSO record value must be set to require the change of at least 50% of the total number of characters when passwords are changed. |
| SV-223505r695435_rule | ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database. |
| SV-223506r695437_rule | ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction. |
| SV-223507r695439_rule | ACF2 PSWD GSO record value must be set to require 24 hours/1 day as the minimum password lifetime. |
| SV-223508r695441_rule | ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more. |
| SV-223509r695443_rule | ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices. |
| SV-223510r533198_rule | ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices. |
| SV-223511r695445_rule | ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices. |
| SV-223512r695447_rule | ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO. |
| SV-223513r695449_rule | ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change. |
| SV-223514r533198_rule | ACF2 security data sets and/or databases must be properly protected. |
| SV-223515r533198_rule | ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets. |
| SV-223516r695451_rule | The operating system must enforce a minimum 8-character password length. |
| SV-223517r533198_rule | IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. |
| SV-223518r533198_rule | IBM z/OS data sets for the FTP Server must be properly protected. |
| SV-223519r533198_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured. |
| SV-223520r533198_rule | IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner. |
| SV-223521r533198_rule | IBM z/OS warning banner for the FTP Server must be properly specified. |
| SV-223522r533198_rule | IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement. |
| SV-223523r533198_rule | IBM z/OS FTP Control cards must be properly stored in a secure PDS file. |
| SV-223524r533198_rule | The IBM z/OS TFTP Server program must be properly protected. |
| SV-223525r533198_rule | IBM z/OS FTP Server daemon must be defined with proper security parameters. |
| SV-223526r533198_rule | IBM z/OS startup parameters for the FTP Server must be defined in the SYSTCPD and SYSFTPD DD statements for configuration files. |
| SV-223527r533198_rule | IBM z/OS FTP.DATA configuration for the FTP Server must have INACTIVE statement properly set. |
| SV-223528r533198_rule | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. |
| SV-223529r533198_rule | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. |
| SV-223530r533198_rule | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. |
| SV-223531r533198_rule | IBM z/OS JES2 system commands must be protected in accordance with security requirements. |
| SV-223532r533198_rule | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. |
| SV-223533r533198_rule | IBM z/OS JES2 output devices must be properly controlled for Classified Systems. |
| SV-223534r533198_rule | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. |
| SV-223535r533198_rule | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. |
| SV-223536r533198_rule | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. |
| SV-223537r533198_rule | The IBM z/OS BPX.SMF resource must be properly configured. |
| SV-223538r533198_rule | IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
| SV-223539r533198_rule | IBM z/OS Inapplicable PPT entries must be invalidated. |
| SV-223540r533198_rule | IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are removed. |
| SV-223541r533198_rule | IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are modified. |
| SV-223542r533198_rule | IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are deleted. |
| SV-223543r533198_rule | IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are created. |
| SV-223544r533198_rule | IBM z/OS Required SMF data record types must be collected. |
| SV-223545r533198_rule | IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch. |
| SV-223546r533198_rule | IBM z/OS must specify SMF data options to assure appropriate activation. |
| SV-223547r533198_rule | IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data. |
| SV-223548r533198_rule | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. |
| SV-223549r533198_rule | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. |
| SV-223550r533198_rule | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG). |
| SV-223551r533198_rule | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. |
| SV-223552r533198_rule | IBM z/OS SNTP daemon (SNTPD) must be active. |
| SV-223553r533198_rule | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. |
| SV-223554r533198_rule | IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing. |
| SV-223555r533198_rule | IBM z/OS system administrator must develop a process to notify ISSOs of account enabling actions. |
| SV-223556r533198_rule | IBM z/OS PASSWORD data set and OS passwords must not be used. |
| SV-223557r533198_rule | IBM z/OS must configure system waittimes to protect resource availability based on site priorities. |
| SV-223558r533198_rule | IBM z/OS Emergency LOGONIDs must be properly defined. |
| SV-223559r533198_rule | IBM z/OS DFSMS control data sets must reside on separate storage volumes. |
| SV-223560r533198_rule | IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. |
| SV-223561r533198_rule | Unsupported IBM z/OS system software must not be installed and/or active on the system. |
| SV-223562r533198_rule | IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries. |
| SV-223563r533198_rule | IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries. |
| SV-223564r533198_rule | IBM z/OS must not have inaccessible APF libraries defined. |
| SV-223565r533198_rule | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). |
| SV-223566r533198_rule | Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. |
| SV-223567r533198_rule | IBM z/OS must properly configure CONSOLxx members. |
| SV-223568r695454_rule | IBM z/OS must use SAF Key Rings for key management. |
| SV-223569r533198_rule | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption. |
| SV-223570r533198_rule | IBM z/OS sensitive and critical system data sets must not exist on shared DASD. |
| SV-223571r533198_rule | IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. |
| SV-223572r533198_rule | IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks. |
| SV-223573r533198_rule | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. |
| SV-223574r533198_rule | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. |
| SV-223575r533198_rule | IBM z/OS must employ a session manager that conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
| SV-223576r533198_rule | IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. |
| SV-223577r533198_rule | IBM z/OS System Administrator must develop a procedure to automatically remove or disable temporary user accounts after 72 hours. |
| SV-223578r533198_rule | IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours. |
| SV-223579r533198_rule | IBM z/OS system administrator must develop a procedure to notify system administrators and ISSOs of account enabling actions. |
| SV-223580r533198_rule | IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. |
| SV-223581r533198_rule | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. |
| SV-223582r533198_rule | IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. |
| SV-223583r533198_rule | IBM z/OS must employ a session manager configured for users to directly initiate a session lock for all connection types. |
| SV-223584r533198_rule | ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| SV-223585r533198_rule | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. |
| SV-223586r533198_rule | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. |
| SV-223587r533198_rule | IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner. |
| SV-223588r533198_rule | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. |
| SV-223589r533198_rule | IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. |
| SV-223590r533198_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. |
| SV-223591r533198_rule | IBM z/OS Syslog daemon must be started at z/OS initialization. |
| SV-223592r533198_rule | IBM z/OS Syslog daemon must be properly defined and secured. |
| SV-223593r533198_rule | IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements. |
| SV-223594r533198_rule | IBM z/OS DFSMS Program Resources must be properly defined and protected. |
| SV-223595r533198_rule | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. |
| SV-223596r533198_rule | IBM z/OS DFMSM resource class(es)must be defined to the GSO SAFDEF record in accordance with security requirements. |
| SV-223597r533198_rule | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. |
| SV-223598r533198_rule | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. |
| SV-223599r533198_rule | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. |
| SV-223600r533198_rule | IBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. |
| SV-223601r533198_rule | IBM z/OS TCP/IP resources must be properly protected. |
| SV-223602r533198_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. |
| SV-223603r533198_rule | IBM z/OS data sets for the Base TCP/IP component must be properly protected. |
| SV-223604r533198_rule | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. |
| SV-223605r533198_rule | IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements. |
| SV-223606r533198_rule | IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack. |
| SV-223607r533198_rule | IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. |
| SV-223608r533198_rule | IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds. |
| SV-223609r533198_rule | IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. |
| SV-223610r533198_rule | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. |
| SV-223611r533198_rule | IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. |
| SV-223612r533198_rule | IBM z/OS warning banner for the TN3270 Telnet Server must be properly specified. |
| SV-223613r533198_rule | IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified. |
| SV-223614r533198_rule | IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet Server must have INACTIVE statement properly specified. |
| SV-223615r533198_rule | IBM z/OS TSOAUTH resources must be restricted to authorized users. |
| SV-223616r533198_rule | IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines. |
| SV-223617r533198_rule | IBM z/OS UNIX security parameters in etc/profile must be properly specified. |
| SV-223618r533198_rule | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. |
| SV-223619r561301_rule | IBM z/OS UNIX resources must be protected in accordance with security requirements. |
| SV-223620r533198_rule | IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined. |
| SV-223621r533198_rule | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. |
| SV-223622r533198_rule | IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. |
| SV-223623r533198_rule | IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. |
| SV-223624r533198_rule | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. |
| SV-223625r533198_rule | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. |
| SV-223626r533198_rule | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. |
| SV-223627r533198_rule | IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. |
| SV-223628r533198_rule | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected or specified. |
| SV-223629r533198_rule | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. |
| SV-223630r533198_rule | IBM z/OS UNIX HFS MapName files security parameters must be properly specified. |
| SV-223631r533198_rule | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. |
| SV-223632r533198_rule | IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation. |
| SV-223633r695457_rule | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. |
| SV-223634r533198_rule | IBM z/OS user account for the z/OS UNIX SUPERSUSER userid must be properly defined. |
| SV-223635r533198_rule | IBM z/OS UNIX user accounts must be properly defined. |
| SV-223636r533198_rule | IBM z/OS UNIX groups must be defined with a unique GID. |
| SV-223637r533198_rule | IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. |
| SV-223638r533198_rule | IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. |
| SV-223639r533198_rule | IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly. |
| SV-223640r533198_rule | IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. |
| SV-223641r560914_rule | IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. |
| SV-223642r533198_rule | IBM z/OS UNIX Telnet Server warning banner must be properly specified. |
| SV-223643r533198_rule | IBM z/OS UNIX Telnet Server Startup parameters must be properly specified to display the banner. |
| SV-223644r533198_rule | IBM z/OS System data sets used to support the VTAM network must be properly secured. |
| SV-223645r533198_rule | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. |