UCF STIG Viewer Logo

CA IDMS Security Technical Implementation Guide


Overview

Date Finding Count (74)
2021-11-10 CAT I (High): 4 CAT II (Med): 60 CAT III (Low): 10
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-251584 High IDMS must allow only authorized users to sign on to an IDMS CV.
V-251585 High IDMS must enforce applicable access control policies, even after a user successfully signs on to CV.
V-251599 High IDMS must use the ESM to generate auditable records for resources when DoD-defined auditable events occur.
V-251600 High IDMS must use the ESM to generate auditable records for commands and utilities when DoD-defined auditable events occur.
V-251627 Medium Custom database code and associated application code must reveal detailed error messages only to the Information System Security Officer (ISSO), Information System Security manager (ISSM), Systems Administrator (SA), and Database Administrator (DBA).
V-251626 Medium IDMS must reveal security-related messages only to authorized users.
V-251625 Medium Custom database code and associated application code must not contain information beyond what is needed for troubleshooting.
V-251624 Medium IDMS must suppress security-related messages so that no information is returned that can be exploited.
V-251623 Medium CA IDMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
V-251622 Medium CA IDMS must limit use of IDMS server used in issuing dynamic statements from client applications circumstances determined by the organization.
V-251588 Medium All installation-delivered IDMS DBADMIN-level tasks must be properly secured.
V-251589 Medium All installation-delivered IDMS DCADMIN-level tasks must be properly secured.
V-251586 Medium All installation-delivered IDMS USER-level tasks must be properly secured.
V-251587 Medium All installation-delivered IDMS DEVELOPER-level tasks must be properly secured.
V-251582 Medium For interactive sessions, IDMS must limit the number of concurrent sessions for the same user to one or allow unlimited sessions.
V-251583 Medium IDMS must support the implementation of an external security manager (ESM) to handle account management and user accesses, etc.
V-251629 Medium CA IDMS must automatically terminate a batch external request unit after organization-defined conditions or trigger events after the batch program abnormally terminates.
V-251628 Medium CA IDMS must automatically terminate a terminal session after organization-defined conditions or trigger events of terminal inactivity time.
V-251592 Medium All installation-delivered IDMS Database-Administrator-level programs must be properly secured.
V-251642 Medium CA IDMS must protect the system code and storage from corruption by user programs.
V-251644 Medium CA IDMS must prevent user code from issuing selected SVC privileged functions.
V-251640 Medium CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.
V-251621 Medium CA IDMS must limit the use of dynamic statements in applications, procedures, and exits to circumstances determined by the organization.
V-251620 Medium CA IDMS must permit the use of dynamic code execution only in circumstances determined by the organization and limit use of online and batch command facilities from which dynamic statements can be issued.
V-251649 Medium IDMS must check for invalid data and behave in a predictable manner when encountered.
V-251618 Medium IDMS must prevent unauthorized and unintended information transfer via database buffers.
V-251619 Medium IDMS must check the validity of all data input unless the organization says otherwise.
V-251647 Medium The storage used for data collection by CA IDMS web services must be protected.
V-251648 Medium The storage used for data collection by CA IDMS Server and CA IDMS Web Services must be protected from online display and update.
V-251612 Medium The IDMS environment must require sign-on for users and restrict them to only authorized functions.
V-251613 Medium DBMS authentication using passwords must be avoided.
V-251611 Medium IDMS nodes, lines, and pterms must be protected from unauthorized use.
V-251617 Medium CA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.
V-251643 Medium CA IDMS must protect system and user code and storage from corruption by user programs.
V-251615 Medium The DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-251634 Medium CA IDMS CV must supply logout functionality to allow the user to implicitly terminate an external run-unit when a database request has not been made in an organizationally prescribed time frame.
V-251590 Medium All installation-delivered IDMS User-level programs must be properly secured.
V-251593 Medium All installation-delivered IDMS DC-Administrator-level programs must be properly secured.
V-251637 Medium IDMS must prevent unauthorized users from executing certain privileged commands that can be used to change the runtime IDMS environment.
V-251630 Medium CA IDMS must automatically terminate an external run-unit after organization-defined conditions or trigger events of time waiting to issue a database request.
V-251631 Medium CA IDMS must automatically terminate a task or session after organization-defined conditions or trigger events of time waiting to get a resource and/or time of inactivity.
V-251654 Medium CA IDMS must use pervasive encryption to cryptographically protect the confidentiality and integrity of all information at rest in accordance with data owner requirements.
V-251655 Medium The DBMS must associate organization-defined types of security labels having organization-defined security label values with information in process.
V-251638 Medium IDMS must protect its user catalogs and system dictionaries to prevent unauthorized users from bypassing or updating security settings.
V-251639 Medium IDMS must restrict the use of code that provides elevated privileges to specific instances.
V-251635 Medium CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a batch external request unit when the batch job abnormally terminates.
V-251636 Medium IDMS must prevent users without the appropriate access from executing privileged functions or tasks within the IDMS environment.
V-251591 Medium All installation-delivered IDMS Developer-level Programs must be properly secured.
V-251641 Medium IDMS terminal and lines that are not secure must be disabled.
V-251646 Medium The cache table procedures and views used for performance enhancements for dynamic SQL must be protected.
V-251650 Medium Maintenance for security-related software updates for CA IDMS modules must be provided.
V-251652 Medium The DBMS must develop a procedure to limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-251632 Medium CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session initiated by the terminal user.
V-251607 Medium CA IDMS must secure the ability to create, alter, drop, grant, and revoke user and/or system profiles to users or groups.
V-251656 Medium CA IDMS must implement NIST FIPS 140-2 validated cryptographic modules to protect data-in-transit.
V-251633 Medium CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session by disconnecting or ending before an explicit logout.
V-251653 Medium The DBMS must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-251605 Medium Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
V-251604 Medium Databases must be secured to protect from structural changes.
V-251645 Medium The system storage used for data collection by the CA IDMS server must be protected.
V-251606 Medium The online debugger which can change programs and storage in the CA IDMS address space must be secured.
V-251601 Medium Database objects in an IDMS environment must be secured to prevent privileged actions from being performed by unauthorized users.
V-251603 Medium The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
V-251602 Medium The programs that can be run through a CA IDMS CV must be defined to the CV to prevent installation of unauthorized programs; must have the ability to dynamically register new programs; and must have the ability to secure tasks.
V-251595 Low IDMS must protect against the use of external request exits that change the userid to a shared id when actions are performed that may be audited.
V-251610 Low IDMS components that cannot be uninstalled must be disabled.
V-251616 Low IDMS executing in a local mode batch environment must be able to manually recover or restore database areas affected by failed transactions.
V-251597 Low IDMS must protect against the use of web-based applications that use generic IDs.
V-251596 Low IDMS must protect against the use of numbered exits that change the userid to a shared id.
V-251598 Low IDMS must protect against the use web services that do not require a sign on when actions are performed that may be audited.
V-251594 Low IDMS must protect against the use of default userids.
V-251608 Low The EMPDEMO databases, database objects, and applications must be removed.
V-251609 Low Default demonstration and sample databases, database objects, and applications must be removed.
V-251614 Low Passwords sent through ODBC/JDBC must be encrypted.