IBM z/OS TSS Security Technical Implementation Guide


Overview

Date: 2020-06-29
Finding Count: 236 (CAT I (High): 32, CAT II (Med): 201, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-98557 High CA-TSS Emergency ACIDs must be properly limited and must audit all resource access.
V-98553 High Access to the CA-TSS MODE resource class must be appropriate.
V-98495 High CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
V-98497 High CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
V-98641 High The CA-TSS BYPASS attribute must be limited to trusted STCs only.
V-98863 High IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.
V-98499 High CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-98459 High CA-TSS MODE Control Option must be set to FAIL.
V-98621 High The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.
V-98541 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-98877 High The CA-TSS HFSSEC resource class must be defined with DEFPROT.
V-98471 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-98537 High CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.
V-98535 High CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
V-98515 High CA-TSS must limit access to the System Master Catalog to appropriate authorized users.
V-98797 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-98601 High The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.
V-98523 High CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
V-98899 High IBM z/OS UID(0) must be properly assigned.
V-98455 High CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
V-98513 High CA-TSS security data sets and/or databases must be properly protected.
V-98743 High Unsupported IBM z/OS system software must not be installed and/or active on the system.
V-98747 High CA-TSS must be installed and properly configured.
V-98507 High CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-98505 High CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
V-98503 High IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
V-98501 High CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
V-98645 High CA-TSS ACIDs granted the CONSOLE attribute must be justified.
V-98565 High IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.
V-98795 High The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-98481 High IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.
V-98853 High CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-98657 Medium CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
V-98655 Medium IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events.
V-98559 Medium CA-TSS ACIDs must not have access to FAC(*ALL*).
V-98653 Medium IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DoD Notice and Consent Banner.
V-98651 Medium CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN).
V-98555 Medium Data set masking characters must be properly defined to the CA-TSS security database.
V-98785 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-98787 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-98551 Medium CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER).
V-98781 Medium IBM z/OS system administrator must develop a procedure to notify System Administrators and ISSOs of account enabling actions.
V-98659 Medium IBM z/OS data sets for the FTP server must be properly protected.
V-98705 Medium IBM z/OS Session manager must properly configure wait time limits.
V-98707 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-98701 Medium Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
V-98703 Medium IBM z/OS required SMF data record types must be collected.
V-98903 Medium IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-98901 Medium IBM z/OS UNIX user accounts must be properly defined.
V-98709 Medium IBM z/OS must specify SMF data options to ensure appropriate activation.
V-98789 Medium IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-98869 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-98491 Medium The IBM z/OS operating system must enforce a minimum eight-character password length.
V-98493 Medium CA-TSS access to SYS1.LINKLIB must be properly protected.
V-98861 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-100515 Medium IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.
V-98865 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-98867 Medium IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
V-98623 Medium CA-TSS ACID creation must use the EXP option.
V-98693 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-98549 Medium IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned.
V-98627 Medium CA-TSS must use propagation control to eliminate ACID inheritance.
V-98625 Medium The CA-TSS SUBACID Control Option must not be set to U,8.
V-98543 Medium IBM z/OS system commands must be properly protected.
V-98629 Medium IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID.
V-98547 Medium CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-98545 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-98731 Medium The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-98733 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption.
V-98875 Medium IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined.
V-98735 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are created.
V-98873 Medium IBM z/OS UNIX system file security settings must be properly protected or specified.
V-98737 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are modified.
V-98871 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-98739 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are deleted.
V-98783 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-98879 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-98643 Medium CA-TSS MSCA ACID must perform security administration only.
V-102937 Medium IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-98909 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected.
V-98631 Medium CA-TSS ADMINBY Control Option must be set to ADMINBY.
V-98633 Medium CA-TSS LOG Control Option must be set to (SMF,INIT, SEC9, MSG).
V-98635 Medium CA-TSS MSCA ACID password changes must be documented in the change log.
V-98637 Medium The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-98639 Medium CA-TSS Default ACID must be properly defined.
V-98695 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-98803 Medium The IBM z/OS Syslog daemon must be properly defined and secured.
V-98511 Medium CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
V-98801 Medium The IBM z/OS Syslog daemon must not be started at z/OS initialization.
V-98807 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-98805 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-98729 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASD.
V-98727 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-98725 Medium IBM z/OS inapplicable PPT entries must be invalidated.
V-98533 Medium CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
V-98723 Medium IBM z/OS must not have Inaccessible APF libraries defined.
V-98531 Medium CA-TSS must limit access to SYS(x).TRACE to system programmers only.
V-98721 Medium The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-98699 Medium IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.
V-98907 Medium The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined.
V-98889 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-98517 Medium CA-TSS allocate access to system user catalogs must be limited to system programmers only.
V-98569 Medium IBM z/OS Started tasks must be properly defined to CA-TSS.
V-98883 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-98881 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-98905 Medium The IBM z/OS UNIX Telnet server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-98887 Medium IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems.
V-98449 Medium All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA).
V-98885 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-98609 Medium IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.
V-98605 Medium Started tasks must be properly defined to CA-TSS.
V-98607 Medium CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced.
V-98685 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-98811 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-98687 Medium IBM z/OS JES2 output devices must be properly controlled for classified systems.
V-98813 Medium IBM z/OS DFSMS control data sets must be properly protected.
V-98681 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-98529 Medium CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
V-98683 Medium IBM z/OS JES2 input sources must be properly controlled.
V-98817 Medium The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.
V-98647 Medium CA-TSS ACIDs defined as security administrators must have the NOATS attribute.
V-98819 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded.
V-98751 Medium IBM z/OS System Administrators must develop an automated process to collect and retain SMF data.
V-98527 Medium CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
V-98689 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-98521 Medium CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-98755 Medium The IBM z/OS SNTP daemon (SNTPD) must be active.
V-98649 Medium The CA-TSS PTHRESH Control Option must be properly set.
V-98759 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly.
V-98891 Medium IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
V-98893 Medium The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-98895 Medium The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-98815 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-98451 Medium Expired IBM z/OS digital certificates must not be used.
V-98619 Medium CA-TSS DOWN Control Option values must be properly specified.
V-98457 Medium The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited.
V-98613 Medium CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.
V-98611 Medium CA-TSS user accounts must uniquely identify system users.
V-98617 Medium The CA-TSS AUTOERASE Control Option must be set to ALL for all systems.
V-98615 Medium The CA-TSS INACTIVE Control Option must be properly set.
V-98519 Medium CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
V-98749 Medium IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data.
V-98691 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-98829 Medium IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-98697 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-98525 Medium CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-98825 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-98741 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are removed.
V-98821 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-98745 Medium IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.
V-98823 Medium IBM z/OS TCP/IP resources must be properly protected.
V-98591 Medium IBM z/OS must properly configure CONSOLxx members.
V-98593 Medium IBM z/OS must properly protect MCS console userid(s).
V-98595 Medium The CA-TSS CPFRCVUND Control Option value specified must be set to NO.
V-98597 Medium The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL.
V-98757 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-98913 Medium The IBM z/OS UNIX Telnet server warning banner must be properly specified.
V-98775 Medium IBM z/OS must employ a session manager to initiate a session lock after a 15-minute period of inactivity for all connection types.
V-98777 Medium IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-98771 Medium IBM z/OS must configure system wait times to protect resource availability based on site priorities.
V-98773 Medium IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-98465 Medium The CA-TSS PTHRESH Control Option must be set to 2.
V-98467 Medium The CA-TSS NPPTHRESH Control Option must be properly set.
V-98779 Medium IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.
V-98463 Medium The CA-TSS NPPTHRESH Control Option must be properly set.
V-98839 Medium IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified.
V-98669 Medium IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.
V-98667 Medium IBM z/OS FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.
V-98833 Medium The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-98665 Medium The IBM z/OS FTP server daemon must be defined with proper security parameters.
V-98831 Medium IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-98663 Medium IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
V-98837 Medium IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.
V-98661 Medium IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
V-98835 Medium The IBM z/OS PROFILE.TCPIP configuration statement must include SMFPARMS and/or SMFCONFIG Statement for each TCP/IP stack.
V-98589 Medium CA-TSS RECOVER Control Option must be set to ON.
V-98587 Medium The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO.
V-98585 Medium The CA-TSS LUUPDONCE Control Option value specified must be set to NO.
V-98583 Medium The number of CA-TSS ACIDs with MISC9 authority must be justified.
V-98581 Medium The number of CA-TSS control ACIDs must be justified and properly assigned.
V-98573 Medium The CA-TSS HPBPW Control Option must be set to three days maximum.
V-98763 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption for classified systems.
V-98571 Medium The CA-TSS CANCEL Control Option must not be specified.
V-98479 Medium The CA-TSS NEWPW control options must be properly set.
V-98577 Medium The CA-TSS OPTIONS Control Option must include option 4 at a minimum.
V-98539 Medium CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements.
V-98575 Medium The CA-TSS INSTDATA Control Option must be set to 0.
V-98765 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption.
V-98473 Medium IBM z/OS for PKI-based authentication must use the ESM to store keys.
V-98579 Medium CA-TSS TEMPDS Control Option must be set to YES.
V-98769 Medium The IBM z/OS System Administrator must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.
V-98761 Medium The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces.
V-98477 Medium The CA-TSS NEWPHRASE and PPSCHAR Control Options must be properly set.
V-98475 Medium IBM z/OS for PKI-based authentication must use the ESM for key management.
V-98679 Medium IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements.
V-98675 Medium The IBM z/OS TFTP server program must be properly protected.
V-98469 Medium IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
V-98677 Medium IBM z/OS JES2.** resource must be properly protected in the CA-TSS database.
V-98809 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-98673 Medium The IBM z/OS warning banner for the FTP server must be properly specified.
V-98849 Medium IBM z/OS TELNETPARMS or TELNETGLOBALS must specify a SECUREPORT statement for systems requiring confidentiality and integrity.
V-98847 Medium The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified.
V-98845 Medium IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.
V-98843 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.
V-98841 Medium IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-98671 Medium IBM z/OS FTP.DATA configuration statements for the FTP server must specify the Standard Mandatory DoD Notice and Consent Banner statement.
V-98561 Medium The CA-TSS ALL record must have appropriate access to Facility Matrix Tables.
V-98563 Medium Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database.
V-98799 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
V-98567 Medium IBM z/OS Sensitive Utility Controls must be properly defined and protected.
V-98767 Medium IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-98461 Medium The CA-TSS NPWRTHRESH Control Option must be properly set.
V-98793 Medium IBM z/OS must employ a session manager for users to directly initiate a session lock for all connection types.
V-98791 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-98717 Medium The CA-TSS database must be backed up on a scheduled basis.
V-98715 Medium The CA-TSS database must be on a separate physical volume from its backup and recovery data sets.
V-98713 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-98711 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-98915 Medium IBM z/OS System data sets used to support the VTAM network must be properly secured.
V-98917 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-98911 Medium The IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
V-98719 Medium The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-98487 Medium The CA-TSS PWHIST Control Option must be set to 10 or greater.
V-98485 Medium The CA-TSS PPEXP Control Option must be properly set.
V-98483 Medium The CA-TSS PWEXP Control Option must be set to 60.
V-98859 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-98855 Medium IBM z/OS UNIX HFS MapName file security parameters must be properly specified.
V-98857 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).
V-98851 Medium IBM z/OS TSOAUTH resources must be restricted to authorized users.
V-98489 Medium The CA-TSS PPHIST Control Option must be properly set.
V-98453 Medium IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.
V-98827 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-98897 Medium The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-98603 Low Interactive ACIDs defined to CA-TSS must have the required fields completed.
V-98599 Low CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.
V-98509 Low CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.