UCF STIG Viewer Logo

IBM z/OS RACF Security Technical Implementation Guide


Overview

Date Finding Count (219)
2022-09-19 CAT I (High): 26 CAT II (Med): 191 CAT III (Low): 2
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-223781 High Unsupported system software must not be installed and/ or active on the system.
V-223679 High IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only.
V-223678 High IBM RACF must limit write or greater access to all LPA libraries to system programmers only.
V-223649 High IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-223729 High NIST FIPS-validated cryptography must be used to protect passwords in the security database.
V-223697 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-223837 High IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-223838 High The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.
V-223704 High The IBM RACF PROTECTALL SETROPTS value specified must be properly set.
V-223703 High IBM RACF must define WARN = NO on all profiles.
V-223668 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-223666 High IBM RACF access to the System Master Catalog must be properly protected.
V-223667 High IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel.
V-223856 High IBM z/OS UID(0) must be properly assigned.
V-223675 High IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users.
V-223674 High IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
V-223677 High IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
V-223676 High IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-223777 High IBM RACF must define UACC of NONE on all profiles.
V-223684 High The IBM RACF System REXX IRRPWREX security data set must be properly protected.
V-223685 High IBM RACF security data sets and/or databases must be properly protected.
V-223687 High IBM RACF must limit all system PROCLIB data sets to system programmers only.
V-223682 High IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
V-223760 High IBM RACF must be installed and active on the system.
V-223807 High The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm to protect confidential information and remote access sessions.
V-223810 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-223785 Medium IBM zOS inapplicable PPT entries must be invalidated.
V-223784 Medium IBM z/OS must not have inaccessible APF libraries defined.
V-223870 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-223695 Medium The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts.
V-223786 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-223646 Medium Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-223728 Medium The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more.
V-223741 Medium IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
V-223740 Medium The IBM z/OS TFTP server program must be properly protected.
V-223743 Medium IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.
V-223742 Medium The IBM z/OS FTP server daemon must be defined with proper security parameters.
V-223745 Medium IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class.
V-223744 Medium IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.
V-223747 Medium IBM z/OS JES2 input sources must be properly controlled.
V-223746 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-223749 Medium IBM z/OS JES2 output devices must be properly controlled for classified systems.
V-223748 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-223782 Medium IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.
V-223694 Medium IBM RACF OPERAUDIT SETROPTS value must set to OPERAUDIT.
V-223671 Medium IBM RACF must limit access to SYS(x).TRACE to system programmers only.
V-223848 Medium IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.
V-223849 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-223846 Medium IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected.
V-223847 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-223844 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-223845 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-223842 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-223843 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-223840 Medium IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined.
V-223824 Medium The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.
V-223734 Medium IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
V-223735 Medium IBM z/OS data sets for the FTP server must be properly protected.
V-223736 Medium IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content.
V-223737 Medium IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement.
V-223731 Medium The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
V-223732 Medium IBM RACF DASD Management USERIDs must be properly controlled.
V-223733 Medium IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-223739 Medium IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements.
V-252886 Medium IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified.
V-223850 Medium The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE.
V-223853 Medium IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems.
V-223852 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-223855 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-223854 Medium IBM z/OS UNIX HFS MapName files security parameters must be properly specified.
V-223857 Medium IBM z/OS UNIX groups must be defined with a unique GID.
V-252553 Medium IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent.
V-223859 Medium The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-223759 Medium IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified.
V-252888 Medium IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected.
V-252889 Medium IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP.
V-223820 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly.
V-223821 Medium IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-223648 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-223725 Medium IBM RACF exit ICHPWX01 must be installed and properly configured.
V-223724 Medium IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set.
V-223723 Medium The IBM RACF INACTIVE SETROPTS value must be set to 35 days.
V-223722 Medium IBM RACF user accounts must uniquely identify system users.
V-223721 Medium The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.
V-223665 Medium IBM RACF Global Access Checking must be restricted to appropriate classes and resources.
V-223823 Medium IBM z/OS TCP/IP resources must be properly protected.
V-223647 Medium Expired digital certificates must not be used.
V-251107 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASDs.
V-223696 Medium The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur.
V-223798 Medium IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.
V-223792 Medium The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-223793 Medium The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-223826 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-223827 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-223796 Medium IBM z/OS must employ a session for users to directly initiate a session lock for all connection types.
V-223797 Medium IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures.
V-223794 Medium The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image.
V-223795 Medium IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity.
V-223693 Medium The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF).
V-223851 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-223799 Medium IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-223692 Medium The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF).
V-223718 Medium IBM interactive USERIDs defined to RACF must have the required fields completed.
V-223719 Medium IBM z/OS Started Tasks must be properly identified and defined to RACF.
V-223691 Medium The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-223712 Medium IBM z/OS Batch job user IDs must be properly defined.
V-223713 Medium IBM RACF use of the RACF SPECIAL Attribute must be justified.
V-223710 Medium The IBM RACF database must be on a separate physical volume from its backup and recovery datasets.
V-223711 Medium The IBM RACF database must be backed up on a scheduled basis.
V-223716 Medium IBM z/OS must properly protect MCS console userid(s).
V-223717 Medium IBM RACF users must have the required default fields.
V-223714 Medium IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
V-223715 Medium IBM z/OS must properly configure CONSOLxx members.
V-223659 Medium The IBM RACF MCS consoles resource class must be active.
V-223658 Medium The IBM RACF OPERCMDS resource class must be active.
V-223653 Medium IBM RACF SETROPTS LOGOPTIONS must be properly configured.
V-223652 Medium IBM RACF emergency USERIDs must be properly defined.
V-223657 Medium The IBM RACF FACILITY resource class must be active.
V-223656 Medium IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-223655 Medium IBM z/OS system commands must be properly protected.
V-223654 Medium IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements.
V-223836 Medium IBM Z/OS TSOAUTH resources must be restricted to authorized users.
V-223835 Medium The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.
V-223834 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.
V-223833 Medium The IBM z/OS warning banner for the TN3270 Telnet server must contain the proper content of the Standard Mandatory DoD Notice and Consent Banner.
V-223780 Medium The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-223831 Medium IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-252887 Medium IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected.
V-223788 Medium The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
V-223839 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-223822 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured.
V-223709 Medium IBM RACF use of the AUDITOR privilege must be justified.
V-223708 Medium The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active.
V-223705 Medium The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE.
V-223707 Medium The IBM RACF TAPEDSN SETROPTS value specified must be properly set.
V-223706 Medium The IBM RACF RETPD SETROPTS value specified must be properly set.
V-223701 Medium IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
V-223700 Medium The IBM RACF REALDSN SETROPTS value must be specified.
V-223702 Medium IBM RACF SETROPTS RVARYPW values must be properly set.
V-223669 Medium IBM RACF allocate access to system user catalogs must be properly protected.
V-223664 Medium IBM Sensitive Utility Controls must be properly defined and protected.
V-223662 Medium IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified.
V-223663 Medium IBM RACF DASD volume-level protection must be properly defined.
V-223660 Medium IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class.
V-223661 Medium IBM RACF started tasks defined with the trusted attribute must be justified.
V-252890 Medium IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF.
V-223727 Medium IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days.
V-223778 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-223670 Medium IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups.
V-223673 Medium IBM RACF batch jobs must be protected with propagation control.
V-223672 Medium IBM RACF batch jobs must be properly secured.
V-223770 Medium IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data.
V-223771 Medium IBM z/OS system administrators must develop an automated process to collect and retain SMF data.
V-223772 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-223773 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).
V-223774 Medium The IBM z/OS SNTP daemon (SNTPD) must be active.
V-223775 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-223776 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded.
V-230209 Medium The IBM RACF System REXX IRRPHREX security data set must be properly protected.
V-223688 Medium IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers.
V-223689 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-223686 Medium IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-223680 Medium IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers.
V-223681 Medium IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only.
V-223683 Medium IBM RACF access to SYS1.LINKLIB must be properly protected.
V-245536 Medium The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-223769 Medium IBM z/OS must specify SMF data options to assure appropriate activation.
V-223768 Medium IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner.
V-223763 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are modified.
V-223762 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are created.
V-223761 Medium The IBM z/OS System Administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours.
V-223767 Medium IBM z/OS required SMF data record types must be collected.
V-223766 Medium The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.
V-223765 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are removed.
V-223764 Medium The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted.
V-223809 Medium The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.
V-230210 Medium IBM RACF exit ICHPWX11 must be installed and properly configured.
V-223802 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-223803 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-223800 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-223801 Medium IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements.
V-223806 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-223804 Medium IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-223805 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-223868 Medium The IBM z/OS UNIX Telnet server warning banner must be properly specified.
V-223869 Medium IBM z/OS System datasets used to support the VTAM network must be properly secured.
V-223699 Medium The IBM RACF SETROPTS SAUDIT value must be specified.
V-223726 Medium The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1.
V-223860 Medium The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-223861 Medium The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-223862 Medium IBM z/OS UNIX user accounts must be properly defined.
V-223863 Medium IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-223864 Medium The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined.
V-223865 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected.
V-223866 Medium The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-223690 Medium IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-223867 Medium IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
V-223758 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-235033 Medium IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only.
V-223756 Medium IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.
V-223757 Medium IBM z/OS must configure system wait times to protect resource availability based on site priorities.
V-223754 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-223755 Medium IBM z/OS surrogate users must be controlled in accordance with proper security requirements.
V-223752 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-223753 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-223750 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-223751 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-223783 Medium IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.
V-223819 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-223818 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-223815 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-223814 Medium The IBM z/OS Syslog daemon must be properly defined and secured.
V-223817 Medium IBM z/OS DFSMS-related RACF classes must be active.
V-223816 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-223811 Medium IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management.
V-223813 Medium The IBM z/OS Syslog daemon must be started at z/OS initialization.
V-223812 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured.
V-223787 Low IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries.
V-223650 Low IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only.