UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IBM z/OS RACF Security Technical Implementation Guide


Overview

Date Finding Count (225)
2020-06-29 CAT I (High): 27 CAT II (Med): 196 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-98227 High IBM RACF must be installed and active on the system.
V-98419 High IBM z/OS UID(0) must be properly assigned.
V-98037 High IBM RACF access to the System Master Catalog must be properly protected.
V-98039 High IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
V-98041 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-98383 High The IBM z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-98113 High IBM RACF must define WARN = NO on all profiles.
V-98115 High The IBM RACF PROTECTALL SETROPTS value specified must be properly set.
V-98055 High IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
V-98057 High IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-98053 High IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
V-98059 High IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
V-98323 High The IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
V-98321 High The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-98327 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-98101 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-98061 High IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
V-98063 High IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
V-98069 High IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
V-98079 High IBM RACF must limit all system PROCLIB data sets to system programmers only.
V-98075 High IBM RACF security data sets and/or databases must be properly protected.
V-98073 High The IBM RACF System REXX IRRPWREX security data set must be properly protected.
V-98261 High IBM RACF must define UACC of NONE on all profiles.
V-98269 High Unsupported system software must not be installed and/ or active on the system.
V-98165 High NIST FIPS-validated cryptography must be used to protect passwords in the security database.
V-98003 High IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-98381 High IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-98025 Medium IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.
V-98027 Medium IBM RACF started tasks defined with the trusted attribute must be justified.
V-98021 Medium The IBM RACF OPERCMDS resource class must be active.
V-98229 Medium The IBM z/OS System Administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours.
V-98225 Medium IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
V-98029 Medium IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified.
V-98221 Medium IBM z/OS must configure system wait times to protect resource availability based on site priorities.
V-98389 Medium IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.
V-98149 Medium The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.
V-98147 Medium IBM z/OS Started Tasks must be properly defined to RACF.
V-98145 Medium IBM z/OS Started Tasks must be properly identified to RACF.
V-98155 Medium IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set.
V-98143 Medium IBM interactive USERIDs defined to RACF must have the required fields completed.
V-98159 Medium The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.
V-98141 Medium IBM RACF users must have the required default fields.
V-97997 Medium Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-98023 Medium The IBM RACF MCS consoles resource class must be active.
V-98425 Medium The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-98313 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-98311 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-98093 Medium The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF).
V-98317 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-98095 Medium IBM RACF OPERAUDIT SETROPTS value must set to OPERAUDIT.
V-98315 Medium IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-98097 Medium The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.
V-98099 Medium The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
V-98319 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-98251 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-98257 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-98255 Medium The IBM z/OS SNTP daemon (SNTPD) must be active.
V-98033 Medium IBM Sensitive Utility Controls must be properly defined and protected.
V-98031 Medium IBM RACF DASD volume-level protection must be properly defined.
V-98035 Medium IBM RACF Global Access Checking must be restricted to appropriate classes and resources.
V-98223 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-97999 Medium Expired digital certificates must not be used.
V-98233 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are modified.
V-98429 Medium The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-98089 Medium The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF).
V-98139 Medium IBM z/OS must properly protect MCS console userid(s).
V-98133 Medium IBM RACF use of the RACF SPECIAL Attribute must be justified.
V-98131 Medium IBM z/OS Batch job user IDs must be properly defined.
V-98137 Medium IBM z/OS must properly configure CONSOLxx members.
V-98135 Medium IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
V-98427 Medium The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-98301 Medium IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures.
V-98303 Medium IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.
V-98305 Medium IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-98307 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-98309 Medium IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements.
V-98395 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-98209 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-98443 Medium The IBM z/OS UNIX Telnet server warning banner must be properly specified.
V-98435 Medium The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined.
V-98111 Medium IBM RACF SETROPTS RVARYPW values must be properly set.
V-98433 Medium IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-98431 Medium IBM z/OS UNIX user accounts must be properly defined.
V-98201 Medium IBM z/OS JES2 input sources must be properly controlled.
V-98203 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-98205 Medium IBM z/OS JES2 output devices must be properly controlled for classified systems.
V-98117 Medium The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE.
V-98207 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-98439 Medium The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-98047 Medium IBM RACF must limit access to SYS(x).TRACE to system programmers only.
V-98129 Medium The IBM RACF database must be backed up on a scheduled basis.
V-98045 Medium IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
V-98043 Medium IBM RACF allocate access to system user catalogs must be properly protected.
V-98415 Medium IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
V-98289 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASDs.
V-98121 Medium The IBM RACF TAPEDSN SETROPTS value specified must be properly set.
V-98123 Medium The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active.
V-98125 Medium IBM RACF use of the AUDITOR privilege must be justified.
V-98049 Medium IBM RACF batch jobs must be properly secured.
V-98127 Medium The IBM RACF database must be on a separate physical volume from its backup and recovery datasets.
V-98161 Medium IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.
V-98385 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-98339 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-98335 Medium The IBM z/OS Syslog daemon must be properly defined and secured.
V-98337 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-98387 Medium IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined.
V-98331 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.
V-98333 Medium The IBM z/OS Syslog daemon must be started at z/OS initialization.
V-98441 Medium IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
V-98447 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-98359 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-98357 Medium The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.
V-98119 Medium The IBM RACF RETPD SETROPTS value specified must be properly set.
V-98355 Medium The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.
V-98353 Medium IBM z/OS TCP/IP resources must be properly protected.
V-98351 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured.
V-98051 Medium IBM RACF batch jobs must be protected with propagation control.
V-98249 Medium IBM z/OS system administrators must develop an automated process to collect and retain SMF data.
V-98297 Medium IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity.
V-98295 Medium The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.
V-98291 Medium The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-98299 Medium IBM z/OS must employ a session for users to directly initiate a session lock for all connection types.
V-98109 Medium IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
V-98153 Medium The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
V-98157 Medium IBM RACF exit ICHPWX01 must be installed and properly configured.
V-98329 Medium IBM z/OS, for PKI-based authentication, must use the ESM for key management.
V-98413 Medium IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems.
V-98325 Medium The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.
V-98103 Medium IBM z/OS SETROPTS Parm must be set to SAUDIT.
V-98107 Medium The IBM RACF REALDSN SETROPTS value must be specified.
V-98235 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted.
V-98105 Medium The IBM RACF SETROPTS SAUDIT value must be specified.
V-98345 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-98347 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.
V-98341 Medium IBM z/OS DFSMS-related RACF classes must be active.
V-98343 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-98393 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-98065 Medium IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
V-98067 Medium IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
V-98411 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-98391 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-98397 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-98293 Medium The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-98217 Medium IBM z/OS surrogate users must be controlled in accordance with proper security requirements.
V-98259 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded.
V-98199 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-98213 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-98211 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-98445 Medium IBM z/OS System datasets used to support the VTAM network must be properly secured.
V-98197 Medium IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.
V-98191 Medium The IBM z/OS FTP server daemon must be defined with proper security parameters.
V-98193 Medium IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.
V-98219 Medium IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.
V-98379 Medium IBM Z/OS TSOAUTH resources must be restricted to authorized users.
V-98215 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-98371 Medium IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.
V-98373 Medium The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified.
V-98375 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.
V-98377 Medium The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.
V-98177 Medium IBM z/OS data sets for the FTP server must be properly protected.
V-98195 Medium IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.
V-98175 Medium IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
V-98173 Medium IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-98171 Medium IBM RACF DASD Management USERIDs must be properly controlled.
V-98077 Medium IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-98179 Medium IBM z/OS FTP.DATA configuration statements must have a proper BANNER statement with the Standard Mandatory DoD Notice and Consent Banner.
V-98071 Medium IBM RACF access to SYS1.LINKLIB must be properly protected.
V-98283 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption for classified systems.
V-98263 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-98189 Medium IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
V-98267 Medium The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-98265 Medium The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.
V-98183 Medium The IBM z/OS warning banner for the FTP server must be properly specified.
V-98181 Medium IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement.
V-98187 Medium The IBM z/OS TFTP server program must be properly protected.
V-98185 Medium IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
V-98287 Medium IBM z/OS must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components.
V-98009 Medium IBM RACF emergency USERIDs must be properly defined.
V-98167 Medium IBM z/OS, for PKI-based authentication, must use the ESM to store keys.
V-98253 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).
V-98163 Medium The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more.
V-98001 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-98007 Medium IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
V-98169 Medium The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
V-98239 Medium The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.
V-98285 Medium The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 for full disk encryption.
V-98271 Medium IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.
V-98437 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
V-98273 Medium IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.
V-98275 Medium IBM z/OS must not have inaccessible APF libraries defined.
V-98277 Medium IBM zOS inapplicable PPT entries must be invalidated.
V-98421 Medium IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
V-98279 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-98237 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are removed.
V-98349 Medium IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-98231 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are created.
V-98151 Medium IBM RACF user accounts must uniquely identify system users.
V-98019 Medium The IBM RACF FACILITY resource class must be active.
V-98399 Medium IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected.
V-98409 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-98407 Medium The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.
V-98011 Medium IBM RACF SETROPTS LOGOPTIONS must be properly configured.
V-98405 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-98013 Medium IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.
V-98403 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-98015 Medium IBM z/OS system commands must be properly protected.
V-98401 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-98017 Medium IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-98417 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-98083 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-98367 Medium The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.
V-98081 Medium IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
V-98365 Medium The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-98423 Medium IBM z/OS UNIX groups must be defined with a unique GID.
V-98363 Medium The IBM z/OS PROFILE.TCPIP configuration statement must include a SMFPARMS and/or SMFCONFIG statement for each TCP/IP stack.
V-98085 Medium IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-98361 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-98245 Medium IBM z/OS must specify SMF data options to assure appropriate activation.
V-98247 Medium IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.
V-98087 Medium The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-98241 Medium IBM z/OS required SMF data record types must be collected.
V-98243 Medium IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner.
V-98369 Medium IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-98281 Low IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries.
V-98005 Low IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.