
IBM z/OS TSS Security Technical Implementation Guide


Overview

Date: 2022-01-05
Finding Count: 232 (CAT I (High): 32, CAT II (Med): 197, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-223876 High CA-TSS MODE Control Option must be set to FAIL.
V-223874 High CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
V-223947 High The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.
V-224017 High Unsupported IBM z/OS system software must not be installed and/or active on the system.
V-223925 High CA-TSS Emergency ACIDs must be properly limited and must audit all resource access.
V-223967 High The CA-TSS BYPASS attribute must be limited to trusted STCs only.
V-223969 High CA-TSS ACIDs granted the CONSOLE attribute must be justified.
V-224096 High IBM z/OS UID(0) must be properly assigned.
V-223900 High CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only.
V-223914 High CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only.
V-223915 High CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users.
V-223917 High IBM z/OS must protect dynamic lists in accordance with proper security requirements.
V-223923 High Access to the CA-TSS MODE resource class must be appropriate.
V-223904 High CA-TSS must limit access to the System Master Catalog to appropriate authorized users.
V-223908 High CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel.
V-224045 High IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.
V-224044 High The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-223957 High The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.
V-223899 High CA-TSS must limit Write or greater access to all LPA libraries to system programmers only.
V-223898 High IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected.
V-223882 High IBM z/OS SYS1.PARMLIB must be properly protected.
V-224020 High CA-TSS must be installed and properly configured.
V-223929 High IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties.
V-223887 High IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.
V-223895 High CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only.
V-223894 High CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only.
V-223897 High CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only.
V-223896 High CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only.
V-224085 High The CA-TSS HFSSEC resource class must be defined with DEFPROT.
V-223903 High CA-TSS security data sets and/or databases must be properly protected.
V-224073 High CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-224078 High IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.
V-223879 Medium The CA-TSS PTHRESH Control Option must be set to 2.
V-223878 Medium The CA-TSS NPPTHRESH Control Option must be properly set.
V-223873 Medium IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.
V-223872 Medium Expired IBM z/OS digital certificates must not be used.
V-223871 Medium All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA).
V-223877 Medium The CA-TSS NPWRTHRESH Control Option must be properly set.
V-223875 Medium The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited.
V-223927 Medium The CA-TSS ALL record must have appropriate access to Facility Matrix Tables.
V-223926 Medium CA-TSS ACIDs must not have access to FAC(*ALL*).
V-224072 Medium IBM z/OS TSOAUTH resources must be restricted to authorized users.
V-224090 Medium IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems.
V-224091 Medium IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.
V-224092 Medium IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
V-224093 Medium The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
V-224094 Medium The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-224095 Medium The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
V-223949 Medium Started tasks must be properly defined to CA-TSS.
V-223945 Medium The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL.
V-223944 Medium The CA-TSS CPFRCVUND Control Option value specified must be set to NO.
V-223943 Medium IBM z/OS must properly protect MCS console userid(s).
V-223942 Medium IBM z/OS must properly configure CONSOLxx members.
V-223941 Medium CA-TSS RECOVER Control Option must be set to ON.
V-223940 Medium The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO.
V-224018 Medium IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries.
V-224019 Medium IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries.
V-223937 Medium The number of CA-TSS control ACIDs must be justified and properly assigned.
V-224010 Medium IBM z/OS sensitive and critical system data sets must not exist on shared DASD.
V-224011 Medium The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-224013 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are created.
V-224014 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are modified.
V-224015 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are deleted.
V-224016 Medium The IBM z/OS System Administrator must develop a process to notify appropriate personnel when accounts are removed.
V-224083 Medium IBM z/OS UNIX system file security settings must be properly protected or specified.
V-224082 Medium IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected.
V-224081 Medium IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected.
V-224080 Medium IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected.
V-223954 Medium The CA-TSS INACTIVE Control Option must be properly set.
V-224087 Medium IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-224034 Medium IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-224086 Medium IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified.
V-223972 Medium CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN).
V-223973 Medium IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DoD Notice and Consent Banner.
V-223970 Medium CA-TSS ACIDs defined as security administrators must have the NOATS attribute.
V-223971 Medium The CA-TSS PTHRESH Control Option must be properly set.
V-223976 Medium IBM z/OS data sets for the FTP server must be properly protected.
V-223977 Medium IBM z/OS FTP Control cards must be properly stored in a secure PDS file.
V-223974 Medium IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events.
V-224084 Medium IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined.
V-223978 Medium IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.
V-224088 Medium IBM z/OS UNIX security parameters in etc/profile must be properly specified.
V-223933 Medium The CA-TSS HPBPW Control Option must be set to three days maximum.
V-224009 Medium IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-224008 Medium IBM z/OS inapplicable PPT entries must be invalidated.
V-224003 Medium IBM z/OS PASSWORD data set and OS passwords must not be used.
V-224002 Medium IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set.
V-224001 Medium IBM z/OS must specify SMF data options to ensure appropriate activation.
V-224000 Medium The IBM z/OS BPX.SMF resource must be properly configured.
V-224007 Medium IBM z/OS must not have Inaccessible APF libraries defined.
V-224006 Medium The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems.
V-224005 Medium The CA-TSS database must be backed up on a scheduled basis.
V-224004 Medium The CA-TSS database must be on a separate physical volume from its backup and recovery data sets.
V-223998 Medium IBM z/OS required SMF data record types must be collected.
V-223999 Medium IBM z/OS Session manager must properly configure wait time limits.
V-223979 Medium The IBM z/OS FTP server daemon must be defined with proper security parameters.
V-223990 Medium IBM z/OS JES2 output devices must be properly controlled for classified systems.
V-223991 Medium IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.
V-223992 Medium IBM z/OS JESNEWS resources must be protected in accordance with security requirements.
V-223993 Medium IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements.
V-223994 Medium IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
V-223995 Medium IBM z/OS JES2 system commands must be protected in accordance with security requirements.
V-223996 Medium IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.
V-223997 Medium Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.
V-223932 Medium The CA-TSS CANCEL Control Option must not be specified.
V-223950 Medium CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced.
V-223965 Medium The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.
V-223964 Medium CA-TSS MSCA ACID password changes must be documented in the change log.
V-223966 Medium CA-TSS Default ACID must be properly defined.
V-223961 Medium IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID.
V-223960 Medium CA-TSS must use propagation control to eliminate ACID inheritance.
V-223963 Medium CA-TSS LOG Control Option must be set to (SMF,INIT, SEC9, MSG).
V-223962 Medium CA-TSS ADMINBY Control Option must be set to ADMINBY.
V-223968 Medium CA-TSS MSCA ACID must perform security administration only.
V-223935 Medium The CA-TSS OPTIONS Control Option must include option 4 at a minimum.
V-224038 Medium IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-224039 Medium IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
V-224036 Medium IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-224037 Medium IBM z/OS system administrator must develop a procedure to notify System Administrators and ISSOs of account enabling actions.
V-251108 Medium The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
V-224035 Medium IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours.
V-224032 Medium IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image.
V-224033 Medium IBM z/OS must employ a session manager to initiate a session lock after a 15-minute period of inactivity for all connection types.
V-224030 Medium The IBM z/OS System Administrator must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions.
V-224031 Medium IBM z/OS must configure system wait times to protect resource availability based on site priorities.
V-223989 Medium IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements.
V-223988 Medium IBM z/OS JES2 input sources must be properly controlled.
V-223930 Medium IBM z/OS Sensitive Utility Controls must be properly defined and protected.
V-223983 Medium The IBM z/OS warning banner for the FTP server must be properly specified.
V-223982 Medium IBM z/OS FTP.DATA configuration statements for the FTP server must specify the Standard Mandatory DoD Notice and Consent Banner statement.
V-223981 Medium IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.
V-223980 Medium IBM z/OS FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set.
V-223987 Medium IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.
V-223986 Medium IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements.
V-223985 Medium IBM z/OS JES2.** resource must be properly protected in the CA-TSS database.
V-223984 Medium The IBM z/OS TFTP server program must be properly protected.
V-223955 Medium The CA-TSS AUTOERASE Control Option must be set to ALL for all systems.
V-224097 Medium IBM z/OS UNIX user accounts must be properly defined.
V-224021 Medium IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week's worth of audit data.
V-223911 Medium CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups.
V-223912 Medium CA-TSS must limit access to SYS(x).TRACE to system programmers only.
V-223913 Medium CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only.
V-223916 Medium CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements.
V-223918 Medium IBM z/OS system commands must be properly protected.
V-223919 Medium IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-223939 Medium The CA-TSS LUUPDONCE Control Option value specified must be set to NO.
V-223902 Medium CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only.
V-252554 Medium IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent.
V-224098 Medium IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-224071 Medium IBM z/OS TELNETPARMS or TELNETGLOBALS must specify a SECUREPORT statement for systems requiring confidentiality and integrity.
V-223951 Medium IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.
V-223922 Medium CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER).
V-224102 Medium The IBM z/OS UNIX Telnet server Startup parameters must be properly specified.
V-224103 Medium The IBM z/OS UNIX Telnet server warning banner must be properly specified.
V-224100 Medium The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined.
V-224101 Medium IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected.
V-224104 Medium IBM z/OS System data sets used to support the VTAM network must be properly secured.
V-224105 Medium IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals.
V-224054 Medium IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-224055 Medium The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner.
V-224056 Medium IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded.
V-224057 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-223907 Medium CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only.
V-223906 Medium CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only.
V-223905 Medium CA-TSS allocate access to system user catalogs must be limited to system programmers only.
V-224050 Medium IBM z/OS DFSMS Program Resources must be properly defined and protected.
V-223909 Medium CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing.
V-224058 Medium IBM z/OS TCP/IP resources must be properly protected.
V-224059 Medium IBM z/OS data sets for the Base TCP/IP component must be properly protected.
V-224051 Medium IBM z/OS DFSMS control data sets must be protected in accordance with security requirements.
V-224052 Medium IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings.
V-224077 Medium IBM z/OS UNIX resources must be protected in accordance with security requirements.
V-224053 Medium IBM z/OS DFSMS control data sets must be properly protected.
V-223924 Medium Data set masking characters must be properly defined to the CA-TSS security database.
V-223975 Medium CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured.
V-223891 Medium The CA-TSS PPHIST Control Option must be properly set.
V-224068 Medium IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified.
V-224047 Medium The IBM z/OS Syslog daemon must not be started at z/OS initialization.
V-224046 Medium IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly.
V-224043 Medium IBM z/OS must employ a session manager for users to directly initiate a session lock for all connection types.
V-224042 Medium IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited.
V-224041 Medium IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
V-224040 Medium IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed.
V-223890 Medium The CA-TSS PWHIST Control Option must be set to 10 or greater.
V-223956 Medium CA-TSS DOWN Control Option values must be properly specified.
V-223938 Medium The number of CA-TSS ACIDs with MISC9 authority must be justified.
V-224048 Medium The IBM z/OS Syslog daemon must be properly defined and secured.
V-245537 Medium The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined.
V-223953 Medium CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days.
V-223936 Medium CA-TSS TEMPDS Control Option must be set to YES.
V-223910 Medium CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only.
V-223880 Medium The CA-TSS NPPTHRESH Control Option must be properly set.
V-223881 Medium IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing.
V-223886 Medium The CA-TSS NEWPW control options must be properly set.
V-224089 Medium IBM z/OS UNIX security parameters in /etc/rc must be properly specified.
V-223921 Medium IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned.
V-223920 Medium CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class.
V-224070 Medium The IBM z/OS warning banner for the TN3270 Telnet server must be properly specified.
V-223889 Medium The CA-TSS PPEXP Control Option must be properly set.
V-224076 Medium IBM z/OS BPX resource(s) must be protected in accordance with security requirements.
V-224023 Medium The IBM z/OS SNTP daemon (SNTPD) must be active.
V-224074 Medium IBM z/OS UNIX HFS MapName file security parameters must be properly specified.
V-224075 Medium IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).
V-224022 Medium IBM z/OS System Administrators must develop an automated process to collect and retain SMF data.
V-224049 Medium IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
V-223931 Medium IBM z/OS Started tasks must be properly defined to CA-TSS.
V-224025 Medium IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly.
V-224024 Medium IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured.
V-223885 Medium The CA-TSS NEWPHRASE and PPSCHAR Control Options must be properly set.
V-223883 Medium IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys.
V-224026 Medium The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces.
V-224069 Medium IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified.
V-224029 Medium IBM z/OS must employ a session manager to manage retaining a user's session lock until that user reestablishes access using established identification and authentication procedures.
V-224079 Medium IBM z/OS UNIX MVS data sets or HFS objects must be properly protected.
V-223934 Medium The CA-TSS INSTDATA Control Option must be set to 0.
V-223958 Medium CA-TSS ACID creation must use the EXP option.
V-223959 Medium The CA-TSS SUBACID Control Option must be set to U,8.
V-223893 Medium CA-TSS access to SYS1.LINKLIB must be properly protected.
V-223892 Medium The IBM z/OS operating system must enforce a minimum eight-character password length.
V-224065 Medium IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner.
V-224067 Medium IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-224066 Medium IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified.
V-224061 Medium IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-224060 Medium IBM z/OS Configuration files for the TCP/IP stack must be properly specified.
V-223952 Medium CA-TSS user accounts must uniquely identify system users.
V-224062 Medium IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-223928 Medium Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database.
V-224099 Medium The IBM z/OS UNIX Telnet server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner.
V-223888 Medium The CA-TSS PWEXP Control Option must be set to 60.
V-223948 Low Interactive ACIDs defined to CA-TSS must have the required fields completed.
V-223946 Low CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.
V-223901 Low CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only.