The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-98367	RACF-TN-000010	SV-107471r1_rule		Medium

Description
To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2020-06-29

Details

Check Text ( C-97203r1_chk )
Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL. Note: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETGLOBAL Block (only one defined) TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) If the TELNETPARMS INACTIVE statement is coded either in the TELNETGLOBALS or within each TELNETPARMS statement block and specifies a value between "1" and "900", this is not a finding.

Check Text ( C-97203r1_chk )

Refer to the Profile configuration file specified on the PROFILE DD statement in the TN3270 started task JCL.

Note: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

TELNETGLOBAL Block (only one defined)

TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992)

If the TELNETPARMS INACTIVE statement is coded either in the TELNETGLOBALS or within each TELNETPARMS statement block and specifies a value between "1" and "900", this is not a finding.

Fix Text (F-104043r1_fix)
Configure the configuration statements in the PROFILE.Tn3270 to conform to the specifications below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The TELNETPARMS INACTIVE statement is coded either within the TELNETGLOBALS OR within each TELNETPARMS statement block and specifies a value between "1" and "900".

Fix Text (F-104043r1_fix)

Configure the configuration statements in the PROFILE.Tn3270 to conform to the specifications below:

NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well.

The TELNETPARMS INACTIVE statement is coded either within the TELNETGLOBALS OR within each TELNETPARMS statement block and specifies a value between "1" and "900".