STIGQter: STIG Summary: z/OS RACF STIG

Version: 6

Release: 43

Benchmark Date: 24 Jan 2020

Name            Title
SV-7355r5_rule  DFSMS resources must be protected in accordance with the proper security requirements.
SV-34r3_rule    System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or be documented correctly.
SV-6409r8_rule  Dynamic lists must be protected in accordance with proper security requirements.
SV-7532r3_rule  CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
SV-7346r5_rule  Surrogate users must be controlled in accordance with proper security requirements.
SV-82r2_rule    A CMP (Change Management Process) is not being utilized on this system.
SV-83r2_rule    LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
SV-84r2_rule    Inaccessible APF libraries are defined.
SV-85r2_rule    Duplicated sensitive utilities and/or programs exist in APF libraries.
SV-86r4_rule    AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules' integrity must be available.
SV-90r2_rule    Inapplicable PPT entries have not been invalidated.
SV-100r2_rule   Non-existent or inaccessible LINKLIST libraries are defined.
SV-101r2_rule   Non-standard SMF data collection options are specified.
SV-102r5_rule   Required SMF data record types must be collected.
SV-103r2_rule   An automated process is not in place to collect and retain SMF data.
SV-104r2_rule   The ACP database is not on a separate physical volume from its backup and recovery data sets.
SV-105r2_rule   The ACP database is not backed up on a scheduled basis.
SV-106r2_rule   System DASD backups are not performed on a regularly scheduled basis.
SV-107r2_rule   The PASSWORD data set and OS passwords are utilized.
SV-108r2_rule   SYS1.PARMLIB is not limited to system programmers only.
SV-109r2_rule   Access to SYS1.LINKLIB is not properly protected.
SV-110r3_rule   Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
SV-111r4_rule   Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
SV-112r3_rule   Write or greater access to SYS1.LPALIB must be limited to system programmers only.
SV-113r2_rule   Update and allocate access to all APF-authorized libraries is not limited to system programmers only.
SV-114r3_rule   Write or greater access to all LPA libraries must be limited to system programmers only.
SV-115r3_rule   Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
SV-116r3_rule   Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
SV-117r2_rule   Update and allocate access to LINKLIST libraries is not limited to system programmers only.
SV-118r6_rule   The ACP security data sets and/or databases must be properly protected.
SV-119r4_rule   Access greater than Read to the System Master Catalog must be limited to system programmers only.
SV-120r2_rule   Update and allocate access to all system-level product installation libraries is not limited to system programmers only.
SV-121r2_rule   Update and allocate access to the JES2 system data sets (e.g., Spool, Checkpoint, and Initialization parameters) is not limited to system programmers only.
SV-122r3_rule   Write or greater access to SYS1.UADS must be limited to system programmers only, and read and update access must be limited to system programmer personnel and/or security personnel.
SV-123r2_rule   Update and allocate access to SMF collection files (i.e., SYS1.MANx) is not limited to system programmers and/or batch jobs that perform SMF dump processing.
SV-124r2_rule   Update and allocate access to data sets used to back up and/or dump SMF collection files is not limited to system programmers and/or batch jobs that perform SMF dump processing.
SV-125r2_rule   Access to SYSTEM DUMP data sets is not limited to system programmers only.
SV-126r2_rule   Update and allocate access to system backup files is not limited to system programmers and/or batch jobs that perform DASD backups.
SV-127r2_rule   Access to SYS(x).TRACE is not limited to system programmers only.
SV-128r2_rule   Access to system page data sets (i.e., PLPA, COMMON, and LOCALx) is not limited to system programmers.
SV-129r3_rule   Write or greater access to libraries containing EXIT modules must be limited to system programmers only.
SV-31711r5_rule Memory and privileged program dumps must be protected in accordance with proper security requirements.
SV-184r3_rule   LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
SV-234r3_rule   All system PROCLIB data sets must be limited to system programmers only.
SV-7528r2_rule  Sensitive CICS transactions are not protected in accordance with security requirements.
SV-254r2_rule   The Automatic Data Set Protection (ADSP) SETROPTS value is not set to NOADSP.
SV-255r2_rule   The AUDIT SETROPTS value is improperly set.
SV-256r3_rule   The CLASSACT SETROPTS value must be specified for the TEMPDSN class.
SV-257r2_rule   The CMDVIOL SETROPTS value is not set to CMDVIOL.
SV-258r2_rule   The EGN SETROPTS value is not set to EGN.
SV-259r4_rule   The ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
SV-260r2_rule   The GENCMD SETROPTS value is not enabled for ACTIVE classes.
SV-261r2_rule   The GENERIC SETROPTS value is not enabled for ACTIVE classes.
SV-262r2_rule   The TERMINAL SETROPTS value is not set to READ.
SV-263r3_rule   The PASSWORD(MINCHANGE) value must be specified as (1).
SV-264r2_rule   The INACTIVE SETROPTS value is not set to 35 days.
SV-265r2_rule   The GRPLIST SETROPTS value is not set to ACTIVE.
SV-266r2_rule   The INITSTATS SETROPTS value is not set to INITSTATS.
SV-267r2_rule   The JES(BATCHALLRACF) SETROPTS value is not set to JES(BATCHALLRACF).
SV-269r2_rule   The JES(XBMALLRACF) SETROPTS value is not set to JES(XBMALLRACF).
SV-270r2_rule   The OPERAUDIT SETROPTS value is not set to OPERAUDIT.
SV-271r2_rule   The PASSWORD(HISTORY) SETROPTS value is not set to 10.
SV-272r2_rule   The PASSWORD(INTERVAL) SETROPTS value is not set to 60 days.
SV-273r2_rule   The PASSWORD(REVOKE) SETROPTS value specified is not in accordance with security requirements.
SV-274r4_rule   The PASSWORD(RULEn) SETROPTS value(s) must be properly set.
SV-275r2_rule   The PASSWORD(WARNING) SETROPTS value is improperly set.
SV-276r3_rule   The PROTECTALL SETROPTS value specified must be properly set.
SV-277r2_rule   The REALDSN SETROPTS value specified is improperly set.
SV-278r2_rule   The RETPD SETROPTS value specified is improperly set.
SV-279r4_rule   The SETROPTS RVARYPW values must be properly set.
SV-280r2_rule   The SAUDIT SETROPTS value specified is improperly set.
SV-282r2_rule   The TAPEDSN SETROPTS value specified is improperly set.
SV-283r2_rule   The WHEN(PROGRAM) SETROPTS value specified is not active.
SV-284r2_rule   RACF users do not have the required default fields.
SV-285r6_rule   Interactive USERIDs defined to RACF must have the required fields completed.
SV-286r2_rule   RACF batch jobs are improperly secured.
SV-287r2_rule   RACF batch jobs are not protected with propagation control.
SV-288r2_rule   Started tasks are not properly identified to RACF.
SV-289r2_rule   Started tasks are improperly defined to RACF.
SV-290r4_rule   DASD Management USERIDs must be properly controlled.
SV-291r2_rule   There are started tasks defined to RACF with the trusted attribute that are not justified.
SV-292r2_rule   Emergency USERIDs must be properly defined.
SV-293r3_rule   The use of the RACF SPECIAL attribute is not justified.
SV-294r3_rule   Assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
SV-295r3_rule   The use of the RACF AUDITOR privilege must be justified.
SV-296r2_rule   The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.
SV-297r4_rule   TSOAUTH resources must be restricted to authorized users.
SV-298r5_rule   DASD volume level protection must be properly defined.
SV-299r3_rule   Sensitive utility controls will be properly defined and protected.
SV-301r2_rule   External RACF classes are not active for CICS transaction checking.
SV-7530r3_rule  CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
SV-3215r2_rule  Configuration files for the TCP/IP stack are not properly specified.
SV-3216r4_rule  TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.
SV-3217r2_rule  PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
SV-3218r4_rule  The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
SV-7083r5_rule  TCP/IP resources must be properly protected.
SV-7087r3_rule  Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
SV-3221r2_rule  MVS data sets for the Base TCP/IP component are not properly protected.
SV-3222r3_rule  PROFILE.TCPIP configuration statements for the TN3270 Telnet Server must be properly specified.
SV-3223r4_rule  VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
SV-3224r2_rule  The warning banner for the TN3270 Telnet Server is not specified or is not properly specified.
SV-3226r3_rule  SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
SV-3227r3_rule  SMF recording options for the TN3270 Telnet Server must be properly specified.
SV-3229r2_rule  The startup user account for the z/OS UNIX Telnet Server is not defined properly.
SV-3230r2_rule  Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
SV-3231r3_rule  The warning banner for the z/OS UNIX Telnet Server must be properly specified.
SV-3232r3_rule  HFS objects for the z/OS UNIX Telnet Server will be properly protected.
SV-13259r2_rule The FTP Server daemon is not defined with proper security parameters.
SV-3234r2_rule  The startup parameters for the FTP Server include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon's started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
SV-3235r2_rule  FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
SV-3236r3_rule  User exits for the FTP Server must not be used without proper approval and documentation.
SV-3237r3_rule  The warning banner for the FTP Server must be specified properly.
SV-3238r4_rule  SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
SV-3239r3_rule  The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
SV-3240r2_rule  MVS data sets for the FTP Server are not properly protected.
SV-6924r2_rule  The TFTP Server program is not properly protected.
SV-3242r2_rule  The Syslog daemon is not started at z/OS initialization.
SV-7079r3_rule  The Syslog daemon must be properly defined and secured.
SV-3244r3_rule  The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
SV-3331r3_rule  The ACP audit logs must be reviewed on a regular basis.
SV-3716r2_rule  User accounts defined to the ACP do not uniquely identify system users.
SV-7357r3_rule  DFSMS control data sets must be protected in accordance with security requirements.
SV-3896r2_rule  SYS(x).PARMLIB(IEFSSNxx) SMS configuration parameter settings are not properly specified.
SV-3897r2_rule  MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
SV-3898r2_rule  HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
SV-7265r2_rule  The CBIND resource class for the WebSphere Application Server is not configured in accordance with security requirements.
SV-3900r3_rule  Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
SV-3901r2_rule  The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
SV-3903r2_rule  User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
SV-7526r2_rule  WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
SV-3905r2_rule  WebSphere MQ: all update and alter access to MQSeries/WebSphere MQ product and system data sets is not properly restricted.
SV-4850r3_rule  Allocate access to system user catalogs must be limited to system programmers only.
SV-5605r2_rule  Non-existent or inaccessible Link Pack Area (LPA) libraries are defined.
SV-5627r4_rule  The hosts identified by the NSINTERADDR statement must be properly protected.
SV-7193r2_rule  CICS regions are improperly protected to prevent unauthorized propagation of the region userid.
SV-7195r2_rule  All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed.
SV-7196r2_rule  Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
SV-7197r2_rule  A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
SV-7198r2_rule  An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
SV-7199r2_rule  NCP (Network Control Program) data set access authorization does not restrict UPDATE and/or ALLOCATE access to appropriate personnel.
SV-7200r2_rule  A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote), and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
SV-7314r2_rule  RJE workstations and NJE nodes are not controlled in accordance with security requirements.
SV-7318r2_rule  RJE workstations and NJE nodes are not controlled in accordance with STIG requirements.
SV-7323r2_rule  JES2 input sources are not controlled in accordance with the proper security requirements.
SV-74863r1_rule JES2 input sources must be properly controlled.
SV-7327r2_rule  JES2 output devices are not controlled in accordance with the proper security requirements.
SV-74871r1_rule JES2 output devices must be properly controlled for classified systems.
SV-7332r2_rule  JESSPOOL resources are not protected in accordance with security requirements.
SV-7329r2_rule  JESNEWS resources are not protected in accordance with security requirements.
SV-7334r2_rule  JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.
SV-7336r3_rule  JES2 spool resources will be controlled in accordance with security requirements.
SV-17410r2_rule JES2 system commands are not protected in accordance with security requirements.
SV-7350r4_rule  SMS program resources must be properly defined and protected.
SV-7237r2_rule  DFSMS control data sets are not properly protected.
SV-7238r2_rule  SYS(x).PARMLIB(IGDSMSxx) SMS parameter settings are not properly specified.
SV-7244r2_rule  DFSMS-related RACF classes are not active.
SV-7245r2_rule  z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
SV-7246r3_rule  z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
SV-7247r2_rule  z/OS UNIX HFS MapName files security parameters are not properly specified.
SV-7248r2_rule  z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
SV-7250r2_rule  The VTAM USSTAB definitions are being used for unsecured terminals.
SV-7359r2_rule  The system data sets used to support the VTAM network are not properly secured.
SV-7259r5_rule  WebSphere MQ channel security must be implemented in accordance with security requirements.
SV-7534r2_rule  WebSphere MQ resource classes are not properly activated for security checking by the ACP.
SV-7538r3_rule  WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
SV-7262r2_rule  z/OS UNIX security parameters in /etc/profile are not properly specified.
SV-7541r3_rule  WebSphere MQ MQCONN class (Connection) resource definitions must be protected in accordance with security requirements.
SV-7264r2_rule  z/OS UNIX security parameters in /etc/rc are not properly specified.
SV-7267r2_rule  WebSphere MQ dead letter and alias dead letter queues are not properly defined.
SV-7544r2_rule  WebSphere MQ MQQUEUE (Queue) resource profiles defined to the MQQUEUE class are not protected in accordance with security requirements.
SV-7546r2_rule  WebSphere MQ process resource profiles defined in the MQPROC class are not protected in accordance with security requirements.
SV-7548r2_rule  WebSphere MQ namelist resource profiles defined in the MQNLIST class are not protected in accordance with security requirements.
SV-7404r2_rule  BPX resource(s) are not protected in accordance with security requirements.
SV-7550r2_rule  WebSphere MQ alternate user resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
SV-19746r3_rule z/OS UNIX resources must be protected in accordance with security requirements.
SV-7552r2_rule  WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
SV-19748r3_rule The z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
SV-7554r2_rule  WebSphere MQ command resources defined to the MQCMDS resource class are not protected in accordance with security requirements.
SV-7277r2_rule  z/OS UNIX MVS data sets or HFS objects are not properly protected.
SV-7556r2_rule  WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
SV-7279r2_rule  z/OS UNIX MVS data sets with z/OS UNIX components are not properly protected.
SV-7280r2_rule  z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected.
SV-7281r3_rule  z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
SV-7282r3_rule  z/OS UNIX system file security settings will be properly protected or specified.
SV-7283r2_rule  WebSphere MQ channel security is not implemented in accordance with security requirements.
SV-7284r2_rule  z/OS UNIX MVS HFS directory(s) with the "other" write permission bit set are not properly defined.
SV-7288r2_rule  Attributes of z/OS UNIX user accounts are not defined properly.
SV-7289r2_rule  Each z/OS UNIX group is not defined with a unique GID.
SV-7290r2_rule  The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
SV-87465r1_rule The user account for the z/OS UNIX SUPERUSER userid must be properly defined.
SV-87475r1_rule The user account for the z/OS UNIX (RMFGAT) must be properly defined.
SV-7294r3_rule  UID(0) must be properly assigned.
SV-7295r2_rule  z/OS UNIX user accounts are not properly defined.
SV-7300r4_rule  The z/OS default profiles must not be defined in the corresponding FACILITY class profile for classified systems.
SV-7301r2_rule  The RACF classes required to properly secure the z/OS UNIX environment are not ACTIVE.
SV-7302r2_rule  RACF classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.
SV-7940r5_rule  Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.
SV-7536r3_rule  CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
SV-7540r3_rule  CICS logonid(s) must have the time-out limit set to 15 minutes.
SV-7919r4_rule  z/OS system commands must be properly protected.
SV-7923r4_rule  CONSOLxx members must be properly configured.
SV-7925r3_rule  MCS console userid(s) will be properly protected.
SV-7928r3_rule  MCS console access authorization(s) for CONSOLE resource(s) must be properly protected.
SV-7931r2_rule  Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.
SV-7935r2_rule  The FACILITY resource class is inactive.
SV-7936r2_rule  MCS consoles are not active.
SV-7937r2_rule  The OPERCMDS resource class is not active.
SV-7978r2_rule  CICS system data sets are not properly protected.
SV-8016r3_rule  Unsupported system software is installed and active on the system.
SV-8019r3_rule  The site must have a formal migration plan for removing or upgrading OS system software prior to the date the vendor drops security patch support.
SV-8757r2_rule  FTP/Telnet unencrypted transmissions require an Acknowledgement of Risk Letter (AORL).
SV-15984r2_rule The site does not maintain documented procedures to apply security-related software patches to its system and does not maintain a log of when these patches were applied.
SV-19114r3_rule Batch job user IDs must be properly defined.
SV-28773r3_rule z/OS baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
SV-36387r2_rule z/OS USS software-owning shared accounts do not meet strict security and creation restrictions.
SV-38886r5_rule The IEASYMUP resource will be protected in accordance with proper security requirements.
SV-39518r2_rule FTP control cards will be properly stored in a secure PDS file.
SV-41848r5_rule Production WebSphere MQ remotes must utilize Certified Name Filters (CNF).
SV-44220r3_rule Sensitive and critical system data sets exist on shared DASD.
SV-73907r3_rule RACF exit ICHPWX01 must be installed and properly configured.
SV-79293r1_rule The RACF System REXX IRRPWREX security data set must be properly protected.
SV-80139r1_rule NIST FIPS-validated cryptography must be used to protect passwords in the security database.
SV-83837r1_rule All digital certificates in use must have a valid path to a trusted Certification Authority.
SV-83841r1_rule Expired digital certificates must not be used.
SV-83847r1_rule Certificate Name Filtering must be implemented with appropriate authorization and documentation.
SV-83851r1_rule The SSH daemon must be configured to only use the SSHv2 protocol.
SV-83853r1_rule The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
SV-83855r1_rule The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-83857r1_rule SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
SV-83859r1_rule The SSH daemon must be configured to use SAF keyrings for key storage.
SV-85827r1_rule The SETROPTS LOGOPTIONS must be properly configured.
SV-85847r1_rule Libraries included in the system REXXLIB concatenation must be properly protected.
SV-89737r2_rule The RACF SERVAUTH resource class must be active for TCP/IP resources.
SV-89739r1_rule RACF Global Access Checking must be restricted to appropriate classes and resources.