| Checked | Name | Title |
|---|
| ☐ | SV-223871r561402_rule | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). |
| ☐ | SV-223872r561402_rule | Expired IBM z/OS digital certificates must not be used. |
| ☐ | SV-223873r561402_rule | IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation. |
| ☐ | SV-223874r561402_rule | CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties. |
| ☐ | SV-223875r561402_rule | The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited. |
| ☐ | SV-223876r561402_rule | CA-TSS MODE Control Option must be set to FAIL. |
| ☐ | SV-223877r561402_rule | The CA-TSS NPWRTHRESH Control Option must be properly set. |
| ☐ | SV-223878r561402_rule | The CA-TSS NPPTHRESH Control Option must be properly set. |
| ☐ | SV-223879r561402_rule | The CA-TSS PTHRESH Control Option must be set to 2. |
| ☐ | SV-223880r561402_rule | The CA-TSS NPPTHRESH Control Option must be properly set. |
| ☐ | SV-223881r561402_rule | IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. |
| ☐ | SV-223882r561402_rule | IBM z/OS SYS1.PARMLIB must be properly protected. |
| ☐ | SV-223883r695461_rule | IBM z/OS for PKI-based authentication must use the ESM to store keys. |
| ☐ | SV-223885r561402_rule | The CA-TSS NEWPHRASE and PPSCHAR Control Options must be properly set. |
| ☐ | SV-223886r561402_rule | The CA-TSS NEWPW control options must be properly set. |
| ☐ | SV-223887r561402_rule | IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database. |
| ☐ | SV-223888r561402_rule | The CA-TSS PWEXP Control Option must be set to 60. |
| ☐ | SV-223889r561402_rule | The CA-TSS PPEXP Control Option must be properly set. |
| ☐ | SV-223890r561402_rule | The CA-TSS PWHIST Control Option must be set to 10 or greater. |
| ☐ | SV-223891r561402_rule | The CA-TSS PPHIST Control Option must be properly set. |
| ☐ | SV-223892r561402_rule | The IBM z/OS operating system must enforce a minimum eight-character password length. |
| ☐ | SV-223893r561402_rule | CA-TSS access to SYS1.LINKLIB must be properly protected. |
| ☐ | SV-223894r561402_rule | CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only. |
| ☐ | SV-223895r561402_rule | CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only. |
| ☐ | SV-223896r561402_rule | CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only. |
| ☐ | SV-223897r561402_rule | CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only. |
| ☐ | SV-223898r561402_rule | IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. |
| ☐ | SV-223899r561402_rule | CA-TSS must limit Write or greater access to all LPA libraries to system programmers only. |
| ☐ | SV-223900r561402_rule | CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only. |
| ☐ | SV-223901r561402_rule | CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only. |
| ☐ | SV-223902r561402_rule | CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only. |
| ☐ | SV-223903r561402_rule | CA-TSS security data sets and/or databases must be properly protected. |
| ☐ | SV-223904r695470_rule | CA-TSS must limit access to the System Master Catalog to appropriate authorized users. |
| ☐ | SV-223905r695473_rule | CA-TSS allocate access to system user catalogs must be limited to system programmers only. |
| ☐ | SV-223906r561402_rule | CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only. |
| ☐ | SV-223907r561402_rule | CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. |
| ☐ | SV-223908r561402_rule | CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel. |
| ☐ | SV-223909r561402_rule | CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. |
| ☐ | SV-223910r561402_rule | CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only. |
| ☐ | SV-223911r561402_rule | CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups. |
| ☐ | SV-223912r561402_rule | CA-TSS must limit access to SYS(x).TRACE to system programmers only. |
| ☐ | SV-223913r561402_rule | CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only. |
| ☐ | SV-223914r561402_rule | CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only. |
| ☐ | SV-223915r561402_rule | CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users. |
| ☐ | SV-223916r561402_rule | CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements. |
| ☐ | SV-223917r561402_rule | IBM z/OS must protect dynamic lists in accordance with proper security requirements. |
| ☐ | SV-223918r561402_rule | IBM z/OS system commands must be properly protected. |
| ☐ | SV-223919r561402_rule | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. |
| ☐ | SV-223920r561402_rule | CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. |
| ☐ | SV-223921r561402_rule | IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned. |
| ☐ | SV-223922r561402_rule | CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER). |
| ☐ | SV-223923r561402_rule | Access to the CA-TSS MODE resource class must be appropriate. |
| ☐ | SV-223924r561402_rule | Data set masking characters must be properly defined to the CA-TSS security database. |
| ☐ | SV-223925r561402_rule | CA-TSS Emergency ACIDs must be properly limited and must audit all resource access. |
| ☐ | SV-223926r561402_rule | CA-TSS ACIDs must not have access to FAC(*ALL*). |
| ☐ | SV-223927r561402_rule | The CA-TSS ALL record must have appropriate access to Facility Matrix Tables. |
| ☐ | SV-223928r561402_rule | Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database. |
| ☐ | SV-223929r561402_rule | IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties. |
| ☐ | SV-223930r561402_rule | IBM z/OS Sensitive Utility Controls must be properly defined and protected. |
| ☐ | SV-223931r561402_rule | IBM z/OS Started tasks must be properly defined to CA-TSS. |
| ☐ | SV-223932r561402_rule | The CA-TSS CANCEL Control Option must not be specified. |
| ☐ | SV-223933r561402_rule | The CA-TSS HPBPW Control Option must be set to three days maximum. |
| ☐ | SV-223934r561402_rule | The CA-TSS INSTDATA Control Option must be set to 0. |
| ☐ | SV-223935r561402_rule | The CA-TSS OPTIONS Control Option must include option 4 at a minimum. |
| ☐ | SV-223936r561402_rule | CA-TSS TEMPDS Control Option must be set to YES. |
| ☐ | SV-223937r561402_rule | The number of CA-TSS control ACIDs must be justified and properly assigned. |
| ☐ | SV-223938r561402_rule | The number of CA-TSS ACIDs with MISC9 authority must be justified. |
| ☐ | SV-223939r561402_rule | The CA-TSS LUUPDONCE Control Option value specified must be set to NO. |
| ☐ | SV-223940r561402_rule | The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO. |
| ☐ | SV-223941r561402_rule | CA-TSS RECOVER Control Option must be set to ON. |
| ☐ | SV-223942r561402_rule | IBM z/OS must properly configure CONSOLxx members. |
| ☐ | SV-223943r561402_rule | IBM z/OS must properly protect MCS console userid(s). |
| ☐ | SV-223944r561402_rule | The CA-TSS CPFRCVUND Control Option value specified must be set to NO. |
| ☐ | SV-223945r561402_rule | The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL. |
| ☐ | SV-223946r561402_rule | CA-TSS User ACIDs and Control ACIDs must have the NAME field completed. |
| ☐ | SV-223947r561402_rule | The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type. |
| ☐ | SV-223948r561402_rule | Interactive ACIDs defined to CA-TSS must have the required fields completed. |
| ☐ | SV-223949r561402_rule | Started tasks must be properly defined to CA-TSS. |
| ☐ | SV-223950r561402_rule | CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced. |
| ☐ | SV-223951r561402_rule | IBM z/OS DASD management ACIDs must be properly defined to CA-TSS. |
| ☐ | SV-223952r561402_rule | CA-TSS user accounts must uniquely identify system users. |
| ☐ | SV-223953r561402_rule | CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days. |
| ☐ | SV-223954r561402_rule | The CA-TSS INACTIVE Control Option must be properly set. |
| ☐ | SV-223955r561402_rule | The CA-TSS AUTOERASE Control Option must be set to ALL for all systems. |
| ☐ | SV-223956r561402_rule | CA-TSS DOWN Control Option values must be properly specified. |
| ☐ | SV-223957r561402_rule | The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL. |
| ☐ | SV-223958r561402_rule | CA-TSS ACID creation must use the EXP option. |
| ☐ | SV-223959r561402_rule | The CA-TSS SUBACID Control Option must not be set to U,8. |
| ☐ | SV-223960r561402_rule | CA-TSS must use propagation control to eliminate ACID inheritance. |
| ☐ | SV-223961r561402_rule | IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID. |
| ☐ | SV-223962r561402_rule | CA-TSS ADMINBY Control Option must be set to ADMINBY. |
| ☐ | SV-223963r561402_rule | CA-TSS LOG Control Option must be set to (SMF,INIT, SEC9, MSG). |
| ☐ | SV-223964r561402_rule | CA-TSS MSCA ACID password changes must be documented in the change log. |
| ☐ | SV-223965r561402_rule | The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. |
| ☐ | SV-223966r561402_rule | CA-TSS Default ACID must be properly defined. |
| ☐ | SV-223967r561402_rule | The CA-TSS BYPASS attribute must be limited to trusted STCs only. |
| ☐ | SV-223968r561402_rule | CA-TSS MSCA ACID must perform security administration only. |
| ☐ | SV-223969r561402_rule | CA-TSS ACIDs granted the CONSOLE attribute must be justified. |
| ☐ | SV-223970r561402_rule | CA-TSS ACIDs defined as security administrators must have the NOATS attribute. |
| ☐ | SV-223971r561402_rule | The CA-TSS PTHRESH Control Option must be properly set. |
| ☐ | SV-223972r561402_rule | CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN). |
| ☐ | SV-223973r561402_rule | IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223974r561402_rule | IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events. |
| ☐ | SV-223975r561402_rule | CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. |
| ☐ | SV-223976r561402_rule | IBM z/OS data sets for the FTP server must be properly protected. |
| ☐ | SV-223977r561402_rule | IBM z/OS FTP Control cards must be properly stored in a secure PDS file. |
| ☐ | SV-223978r561402_rule | IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. |
| ☐ | SV-223979r561402_rule | The IBM z/OS FTP server daemon must be defined with proper security parameters. |
| ☐ | SV-223980r561402_rule | IBM z/OS FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. |
| ☐ | SV-223981r561402_rule | IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. |
| ☐ | SV-223982r561402_rule | IBM z/OS FTP.DATA configuration statements for the FTP server must specify the Standard Mandatory DoD Notice and Consent Banner statement. |
| ☐ | SV-223983r561402_rule | The IBM z/OS warning banner for the FTP server must be properly specified. |
| ☐ | SV-223984r561402_rule | The IBM z/OS TFTP server program must be properly protected. |
| ☐ | SV-223985r561402_rule | IBM z/OS JES2.** resource must be properly protected in the CA-TSS database. |
| ☐ | SV-223986r561402_rule | IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements. |
| ☐ | SV-223987r561402_rule | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. |
| ☐ | SV-223988r561402_rule | IBM z/OS JES2 input sources must be properly controlled. |
| ☐ | SV-223989r561402_rule | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. |
| ☐ | SV-223990r561402_rule | IBM z/OS JES2 output devices must be properly controlled for classified systems. |
| ☐ | SV-223991r561402_rule | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. |
| ☐ | SV-223992r561402_rule | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. |
| ☐ | SV-223993r561402_rule | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. |
| ☐ | SV-223994r561402_rule | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. |
| ☐ | SV-223995r561402_rule | IBM z/OS JES2 system commands must be protected in accordance with security requirements. |
| ☐ | SV-223996r561402_rule | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. |
| ☐ | SV-223997r561402_rule | Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. |
| ☐ | SV-223998r561402_rule | IBM z/OS required SMF data record types must be collected. |
| ☐ | SV-223999r561402_rule | IBM z/OS Session manager must properly configure wait time limits. |
| ☐ | SV-224000r561402_rule | The IBM z/OS BPX.SMF resource must be properly configured. |
| ☐ | SV-224001r561402_rule | IBM z/OS must specify SMF data options to ensure appropriate activation. |
| ☐ | SV-224002r561402_rule | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. |
| ☐ | SV-224003r561402_rule | IBM z/OS PASSWORD data set and OS passwords must not be used. |
| ☐ | SV-224004r561402_rule | The CA-TSS database must be on a separate physical volume from its backup and recovery data sets. |
| ☐ | SV-224005r561402_rule | The CA-TSS database must be backed up on a scheduled basis. |
| ☐ | SV-224006r561402_rule | The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems. |
| ☐ | SV-224007r561402_rule | IBM z/OS must not have Inaccessible APF libraries defined. |
| ☐ | SV-224008r561402_rule | IBM z/OS inapplicable PPT entries must be invalidated. |
| ☐ | SV-224009r561402_rule | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). |
| ☐ | SV-224010r561402_rule | IBM z/OS sensitive and critical system data sets must not exist on shared DASD. |
| ☐ | SV-224011r561402_rule | The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. |
| ☐ | SV-224012r561402_rule | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption. |
| ☐ | SV-224013r561402_rule | The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are created. |
| ☐ | SV-224014r561402_rule | The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are modified. |
| ☐ | SV-224015r561402_rule | The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are deleted. |
| ☐ | SV-224016r561402_rule | The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are removed. |
| ☐ | SV-224017r561402_rule | Unsupported IBM z/OS system software must not be installed and/or active on the system. |
| ☐ | SV-224018r561402_rule | IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. |
| ☐ | SV-224019r561402_rule | IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. |
| ☐ | SV-224020r561402_rule | CA-TSS must be installed and properly configured. |
| ☐ | SV-224021r561402_rule | IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data. |
| ☐ | SV-224022r561402_rule | IBM z/OS System Administrators must develop an automated process to collect and retain SMF data. |
| ☐ | SV-224023r561402_rule | The IBM z/OS SNTP daemon (SNTPD) must be active. |
| ☐ | SV-224024r561402_rule | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. |
| ☐ | SV-224025r561402_rule | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. |
| ☐ | SV-224026r561402_rule | The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces. |
| ☐ | SV-224027r561402_rule | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption for classified systems. |
| ☐ | SV-224028r561402_rule | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption. |
| ☐ | SV-224029r561402_rule | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. |
| ☐ | SV-224030r561402_rule | The IBM z/OS System Administrator must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions. |
| ☐ | SV-224031r561402_rule | IBM z/OS must configure system wait times to protect resource availability based on site priorities. |
| ☐ | SV-224032r561402_rule | IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image. |
| ☐ | SV-224033r561402_rule | IBM z/OS must employ a session manager to initiate a session lock after a 15-minute period of inactivity for all connection types. |
| ☐ | SV-224034r561402_rule | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. |
| ☐ | SV-224035r561402_rule | IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. |
| ☐ | SV-224036r561402_rule | IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. |
| ☐ | SV-224037r561402_rule | IBM z/OS system administrator must develop a procedure to notify System Administrators and ISSOs of account enabling actions. |
| ☐ | SV-224038r561402_rule | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. |
| ☐ | SV-224039r561402_rule | IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. |
| ☐ | SV-224040r561402_rule | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. |
| ☐ | SV-224041r561402_rule | IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. |
| ☐ | SV-224042r561402_rule | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. |
| ☐ | SV-224043r561402_rule | IBM z/OS must employ a session manager for users to directly initiate a session lock for all connection types. |
| ☐ | SV-224044r561402_rule | The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. |
| ☐ | SV-224045r561402_rule | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. |
| ☐ | SV-224046r561402_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. |
| ☐ | SV-224047r561402_rule | The IBM z/OS Syslog daemon must not be started at z/OS initialization. |
| ☐ | SV-224048r561402_rule | The IBM z/OS Syslog daemon must be properly defined and secured. |
| ☐ | SV-224049r561402_rule | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. |
| ☐ | SV-224050r561402_rule | IBM z/OS DFSMS Program Resources must be properly defined and protected. |
| ☐ | SV-224051r561402_rule | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. |
| ☐ | SV-224052r561402_rule | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. |
| ☐ | SV-224053r561402_rule | IBM z/OS DFSMS control data sets must be properly protected. |
| ☐ | SV-224054r561402_rule | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. |
| ☐ | SV-224055r561402_rule | The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-224056r561402_rule | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded. |
| ☐ | SV-224057r561402_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. |
| ☐ | SV-224058r561402_rule | IBM z/OS TCP/IP resources must be properly protected. |
| ☐ | SV-224059r561402_rule | IBM z/OS data sets for the Base TCP/IP component must be properly protected. |
| ☐ | SV-224060r561402_rule | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. |
| ☐ | SV-224061r561402_rule | IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. |
| ☐ | SV-224062r561402_rule | IBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. |
| ☐ | SV-224063r561402_rule | The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. |
| ☐ | SV-224064r561402_rule | The IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG Statement for each TCP/IP stack. |
| ☐ | SV-224065r561402_rule | IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-224066r561402_rule | IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified. |
| ☐ | SV-224067r561402_rule | IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. |
| ☐ | SV-224068r561402_rule | IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. |
| ☐ | SV-224069r561402_rule | IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. |
| ☐ | SV-224070r561402_rule | The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified. |
| ☐ | SV-224071r561402_rule | IBM z/OS TELNETPARMS or TELNETGLOBALS must specify a SECUREPORT statement for systems requiring confidentiality and integrity. |
| ☐ | SV-224072r561402_rule | IBM Z/OS TSOAUTH resources must be restricted to authorized users. |
| ☐ | SV-224073r561402_rule | CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use. |
| ☐ | SV-224074r561402_rule | IBM z/OS UNIX HFS MapName file security parameters must be properly specified. |
| ☐ | SV-224075r561402_rule | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). |
| ☐ | SV-224076r695474_rule | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. |
| ☐ | SV-224077r695477_rule | IBM z/OS UNIX resources must be protected in accordance with security requirements. |
| ☐ | SV-224078r561402_rule | IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines. |
| ☐ | SV-224079r561402_rule | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. |
| ☐ | SV-224080r561402_rule | IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. |
| ☐ | SV-224081r561402_rule | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. |
| ☐ | SV-224082r561402_rule | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. |
| ☐ | SV-224083r561402_rule | IBM z/OS UNIX system file security settings must be properly protected or specified. |
| ☐ | SV-224084r561402_rule | IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined. |
| ☐ | SV-224085r561402_rule | The CA-TSS HFSSEC resource class must be defined with DEFPROT. |
| ☐ | SV-224086r561402_rule | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. |
| ☐ | SV-224087r561402_rule | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. |
| ☐ | SV-224088r561402_rule | IBM z/OS UNIX security parameters in etc/profile must be properly specified. |
| ☐ | SV-224089r561402_rule | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. |
| ☐ | SV-224090r561402_rule | IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems. |
| ☐ | SV-224091r561402_rule | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. |
| ☐ | SV-224092r561402_rule | IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. |
| ☐ | SV-224093r561402_rule | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. |
| ☐ | SV-224094r561402_rule | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. |
| ☐ | SV-224095r561402_rule | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. |
| ☐ | SV-224096r561402_rule | IBM z/OS UID(0) must be properly assigned. |
| ☐ | SV-224097r561402_rule | IBM z/OS UNIX user accounts must be properly defined. |
| ☐ | SV-224098r561402_rule | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. |
| ☐ | SV-224099r695479_rule | The IBM z/OS UNIX Telnet server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-224100r561402_rule | The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined. |
| ☐ | SV-224101r561402_rule | IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected. |
| ☐ | SV-224102r561402_rule | The IBM z/OS UNIX Telnet server Startup parameters must be properly specified. |
| ☐ | SV-224103r561402_rule | The IBM z/OS UNIX Telnet server warning banner must be properly specified. |
| ☐ | SV-224104r561402_rule | IBM z/OS System data sets used to support the VTAM network must be properly secured. |
| ☐ | SV-224105r561402_rule | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. |
STIGQter: STIG Summary: