UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IBM z/OS ACF2 Security Technical Implementation Guide


Overview

Date Finding Count (227)
2020-06-29 CAT I (High): 24 CAT II (Med): 201 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-97589 High CA-ACF2 must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-97583 High CA-ACF2 access to the System Master Catalog must be properly protected.
V-97581 High CA-ACF2 must limit all system PROCLIB data sets to appropriate authorized users.
V-97587 High CA-ACF2 must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-97577 High IBM z/OS Libraries included in the system REXXLIB concatenation must be properly protected.
V-97575 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-97579 High CA-ACF2 must limit Write or greater access to SYS1.UADS To system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
V-97609 High CA-ACF2 LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-97603 High CA-ACF2 must limit Write or greater access to SYS1.SVCLIB to system programmers only.
V-97591 High CA-ACF2 must limit Write or greater access to SYS1.IMAGELIB to system programmers.
V-97593 High CA-ACF2 must limit Write or greater access to Libraries containing EXIT modules to system programmers only.
V-97595 High CA-ACF2 must limit Update and Allocate access to all APF-authorized libraries to system programmers only.
V-97597 High CA-ACF2 must limit Write or greater access to all LPA libraries to system programmers only.
V-97883 High IBM z/OS SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-97733 High ACF2 security data sets and/or databases must be properly protected.
V-97625 High CA-ACF2 must be installed, functional, and properly configured.
V-97685 High IBM z/OS UID(0) must be properly assigned.
V-97937 High IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-97713 High ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
V-97623 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-97781 High IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-97881 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-97541 High CA-ACF2 OPTS GSO record must be set to ABORT mode.
V-97827 High Unsupported IBM z/OS system software must not be installed and/or active on the system.
V-97987 Medium IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-97985 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
V-97983 Medium IBM z/OS startup user account for the z/OS UNIX Telnet Server must be defined properly.
V-97981 Medium IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-97669 Medium ACF2 LOGONIDs assigned for started tasks must have the STC attribute specified in the associated LOGONID record.
V-97667 Medium ACF2 LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users must have the JOBFROM attribute as required.
V-97665 Medium ACF2 LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
V-97663 Medium ACF2 LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record must be listed as trusted and must be specifically approved.
V-97989 Medium IBM z/OS UNIX Telnet Server warning banner must be properly specified.
V-97661 Medium ACF2 maintenance LOGONIDs must have corresponding GSO MAINT records.
V-97873 Medium ACF2 system administrator must develop a procedure to disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-97871 Medium IBM z/OS must employ a session manager configured for users to directly initiate a session lock for all connection types.
V-97979 Medium IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
V-97877 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-97875 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-97973 Medium IBM z/OS user account for the z/OS UNIX SUPERSUSER userid must be properly defined.
V-97879 Medium IBM z/OS SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-97971 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-97977 Medium IBM z/OS UNIX groups must be defined with a unique GID.
V-97975 Medium IBM z/OS UNIX user accounts must be properly defined.
V-97757 Medium IBM z/OS startup parameters for the FTP Server must be defined in the SYSTCPD and SYSFTPD DD statements for configuration files.
V-97995 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-97619 Medium CA-ACF2 PSWD GSO record value must be set to limit three consecutive invalid logon attempts by a user during a 15-minute time period.
V-97991 Medium IBM z/OS UNIX Telnet Server Startup parameters must be properly specified to display the banner.
V-97993 Medium IBM z/OS System data sets used to support the VTAM network must be properly secured.
V-97613 Medium CA-ACF2 must limit Update and Allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
V-97611 Medium IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-97617 Medium IBM z/OS BPX.SRV.user SURROGAT resources must be protected appropriately.
V-97615 Medium ACF2 PPGM GSO record value must specify protected programs that are only executed by privileged users.
V-97585 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-97861 Medium IBM z/OS system administrator must develop a procedure to automatically remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-97863 Medium IBM z/OS system administrator must develop a procedure to notify system administrators and ISSOs of account enabling actions.
V-97865 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-97867 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-97869 Medium IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-97629 Medium CA-ACF2 must limit update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-97745 Medium IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner.
V-97747 Medium IBM z/OS warning banner for the FTP Server must be properly specified.
V-97741 Medium IBM z/OS data sets for the FTP Server must be properly protected.
V-97573 Medium CA-ACF2 must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
V-97909 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-97571 Medium Access to IBM z/OS special privilege TAPE-LBL or TAPE-BLP must be limited and/or justified.
V-97907 Medium IBM z/OS TCP/IP resources must be properly protected.
V-97905 Medium IBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-97749 Medium IBM z/OS FTP.DATA configuration statements for the FTP Server must specify the BANNER statement.
V-97901 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-97727 Medium ACF2 SECVOLS GSO record value must be set to VOLMASK(). Any local changes are justified and documented with the ISSO.
V-97725 Medium ACF2 TSO2741 GSO record values must be set to obliterate the logon password on 2741 devices.
V-97723 Medium ACF2 TSOCRT GSO record values must be set to obliterate the logon to ASCII CRT devices.
V-97721 Medium ACF2 TSOTWX GSO record values must be set to obliterate the logon password on TWX devices.
V-97601 Medium CA-ACF2 must limit update and allocate access to all system-level product installation libraries to system programmers only.
V-97605 Medium CA-ACF2 Access to SYS1.LINKLIB must be properly protected.
V-97607 Medium CA-ACF2 must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-97599 Medium CA-ACF2 must limit Update and Allocate access to LINKLIST libraries to system programmers only.
V-97693 Medium CA-ACF2 defined user accounts must uniquely identify system users.
V-97691 Medium ACF2 LOGONIDs must be defined with the required fields completed.
V-97697 Medium CA-ACF2 PWPHRASE GSO record must be properly defined.
V-97695 Medium CA-ACF2 userids found inactive for more than 35 days must be suspended.
V-97855 Medium IBM z/OS must employ a session manager that conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-97699 Medium CA-ACF2 must enforce password complexity by requiring that at least one special character be used.
V-97851 Medium IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures.
V-97853 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-97753 Medium The IBM z/OS TFTP Server program must be properly protected.
V-97751 Medium IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
V-97919 Medium IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-97755 Medium IBM z/OS FTP Server daemon must be defined with proper security parameters.
V-97915 Medium IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-97917 Medium IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack.
V-97911 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-97913 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-97735 Medium ACF2 AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.
V-97737 Medium The operating system must enforce a minimum 8-character password length.
V-97743 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the FTP Server component must be properly configured.
V-97739 Medium IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-97681 Medium IBM z/OS must properly protect MCS console userid(s).
V-97683 Medium ACF2 BLPPGM GSO record must not be defined.
V-97687 Medium IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-97843 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption.
V-97841 Medium IBM z/OS must use SAF Key Rings for key management.
V-97847 Medium IBM z/OS Policy agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-97537 Medium IBM z/OS must not use Expired Digital Certificates.
V-97929 Medium IBM z/OS warning banner for the TN3270 Telnet Server must be properly specified.
V-97921 Medium IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds.
V-97923 Medium IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
V-97535 Medium IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-97925 Medium IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-97927 Medium IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.
V-97703 Medium ACF2 PSWD GSO record value must be set to require at least one upper-case character be used.
V-97705 Medium ACF2 PSWD GSO record value must be set to require at least one numeric character be used.
V-97707 Medium ACF2 PSWD GSO record value must be set to require at least one lower-case character be used.
V-97645 Medium IBM z/OS LOGONID with the ACCTPRIV attribute must be restricted to the ISSO.
V-97709 Medium ACF2 PSWD GSO record value must be set to require the change of at least 50% of the total number of characters when passwords are changed.
V-97569 Medium ACF2 Classes required to properly security the z/OS UNIX environment must be ACTIVE.
V-97679 Medium ACF2 LINKLST GSO record if specified must only contains trusted system data sets.
V-97559 Medium CA-ACF2 must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-97935 Medium IBM z/OS TSOAUTH resources must be restricted to authorized users.
V-97933 Medium IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet Server must have INACTIVE statement properly specified.
V-97931 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
V-97643 Medium IBM z/OS LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
V-97939 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-97635 Medium The CA-ACF2 LOGONID with the REFRESH attribute must have procedures for utilization.
V-97637 Medium IBM z/OS TSO GSO record values must be set to the values specified.
V-97759 Medium IBM z/OS FTP.DATA configuration for the FTP Server must have INACTIVE statement properly set.
V-97633 Medium The EXITS GSO record value must specify the module names of site written ACF2 exit routines.
V-97555 Medium CA-ACF2 NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
V-97837 Medium Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
V-97835 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-97639 Medium IBM z/OS procedures must restrict ACF2 LOGONIDs with the READALL attribute to auditors and/or authorized users.
V-97549 Medium The number of ACF2 users granted the special privilege ALLCMDS must be justified.
V-97831 Medium IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries.
V-97891 Medium IBM z/OS DFSMS resource class(es) must be defined to the GSO CLASMAP record in accordance with security requirements.
V-97893 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-97557 Medium CA-ACF2 must protect Memory and privileged program dumps in accordance with proper security requirements.
V-97653 Medium CA-ACF2 must prevent the use of dictionary words for passwords.
V-97839 Medium IBM z/OS must properly configure CONSOLxx members.
V-97897 Medium IBM z/OS DFMSM resource class(es)must be defined to the GSO SAFDEF record in accordance with security requirements.
V-97719 Medium ACF2 PSWD GSO record value must be set to prohibit password reuse for a minimum of five generations or more.
V-97547 Medium The number of ACF2 users granted the special privilege CONSOLE must be justified.
V-97717 Medium ACF2 PSWD GSO record value must be set to require 24 hours/1 day as the minimum password lifetime.
V-97545 Medium The number of ACF2 users granted the special privilege OPERATOR must be kept to a strictly controlled minimum.
V-97715 Medium ACF2 PSWD GSO record value must be set to require a 60-day maximum password lifetime restriction.
V-97543 Medium The number of ACF2 users granted the special privilege PPGM must be justified.
V-97659 Medium ACF2 REFRESH attribute must be restricted to security administrators only.
V-97649 Medium CA-ACF2 RULEOPTS GSO record values must be set to the values specified.
V-97903 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.
V-97849 Medium IBM z/OS Policy agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
V-97553 Medium IBM z/OS Sensitive Utility Controls must be properly defined and protected.
V-97943 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-97941 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-97947 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-97945 Medium IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined.
V-97833 Medium IBM z/OS must not have inaccessible APF libraries defined.
V-97949 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-97789 Medium IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are deleted.
V-97539 Medium All IBM z/OS digital certificates in use must have a valid path to a trusted Certification authority.
V-97829 Medium IBM z/OS must not allow non-existent or inaccessible LINKLIST libraries.
V-97689 Medium IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-97825 Medium IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-97783 Medium IBM z/OS Inapplicable PPT entries must be invalidated.
V-97621 Medium The CA-ACF2 PSWD GSO record values for MAXTRY and PASSLMT must be properly set.
V-97785 Medium IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are removed.
V-97821 Medium IBM z/OS Emergency LOGONIDs must be properly defined.
V-97787 Medium IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are modified.
V-97823 Medium IBM z/OS DFSMS control data sets must reside on separate storage volumes.
V-97657 Medium CA-ACF2 database must be backed up on a scheduled basis.
V-97769 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-97647 Medium IBM z/OS batch jobs with restricted ACF2 LOGONIDs must have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
V-97641 Medium IBM z/OS must have the RULEVLD and RSRCVLD attributes specified for LOGONIDs with the SECURITY attribute.
V-97889 Medium IBM z/OS Syslog daemon must be properly defined and secured.
V-97763 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-97887 Medium IBM z/OS Syslog daemon must be started at z/OS initialization.
V-97761 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-97885 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
V-97767 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-97655 Medium CA-ACF2 database must be on a separate physical volume from its backup and recovery data sets.
V-97765 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-97895 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-97845 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASD.
V-97797 Medium IBM z/OS must specify SMF data options to assure appropriate activation.
V-97795 Medium IBM z/OS special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
V-97955 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-97791 Medium IBM z/OS system administrator must develop a process notify appropriate personnel when accounts are created.
V-97551 Medium IBM z/OS system commands must be properly protected.
V-97959 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-97799 Medium IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.
V-97819 Medium IBM z/OS must configure system waittimes to protect resource availability based on site priorities.
V-97899 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-97651 Medium The CA-ACF2 GSO OPTS record value must be properly specified.
V-97811 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly.
V-97813 Medium IBM z/OS SMF collection files (i.e., SYS1.MANx) access must be limited to appropriate users and/or batch jobs that perform SMF dump processing.
V-97815 Medium IBM z/OS system administrator must develop a process to notify ISSOs of account enabling actions.
V-97817 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-97671 Medium ACF2 emergency LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified.
V-97779 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-97673 Medium ACF2 BACKUP GSO record must be defined with a TIME value specifies greater than 00 unless the database is shared and backed up on another system.
V-97677 Medium ACF2 MAINT GSO record value if specified must be restricted to production storage management user.
V-97951 Medium IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
V-97561 Medium CA-ACF2 must limit update and allocate access to system backup files to system programmers and/or batch jobs that perform DASD backups.
V-97771 Medium IBM z/OS JES2 output devices must be properly controlled for Classified Systems.
V-97563 Medium CA-ACF2 must limit access to SYSTEM DUMP data sets to appropriate authorized users.
V-97773 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-97565 Medium CA-ACF2 must limit access to SYS(x).TRACE to system programmers only.
V-97775 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-97567 Medium CA-ACF2 allocate access to system user catalogs must be properly protected.
V-97777 Medium IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.
V-97953 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-97859 Medium IBM z/OS System Administrator must develop a procedure to automatically remove or disable temporary user accounts after 72 hours.
V-97793 Medium IBM z/OS Required SMF data record types must be collected.
V-97807 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-97805 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG).
V-97969 Medium IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation.
V-97803 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-97801 Medium IBM z/OS system administrators must develop an automated process to collect and retain SMF data.
V-97965 Medium IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
V-97967 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-97957 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-97961 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected or specified.
V-97963 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-97809 Medium IBM z/OS SNTP daemon (SNTPD) must be active.
V-97731 Medium ACF2 RESVOLS GSO record value must be set to Volmask(-). Any other setting requires documentation justifying the change.
V-97857 Medium IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity.
V-97631 Low CA-ACF2 must limit Write or greater access to libraries that contain PPT modules to system programmers only.
V-97675 Low ACF2 APPLDEF GSO record if used must have supporting documentation indicating the reason it was used.