ID | Severity | Title | Discussion |
--- | --- | --- | --- |
V-259727 | High | The IBM Security zSecure Suite products must use an external security manager (RACF, ACF2, or TSS) for all account management functions. | Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A... |
V-259735 | Medium | IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner. | Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system... |
V-259734 | Medium | The zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and audited. | Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change... |
V-259737 | Medium | IBM Security zSecure system administrators must install security-relevant zSecure software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-259736 | Medium | IBM Security zSecure must remove all upgraded/replaced zSecure software components that are no longer required for operation after updated versions have been installed. | Previous versions of zSecure products and components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology... |
V-259731 | Medium | Started tasks for zSecure products must be properly defined. | Started tasks and batch job IDs can be automatically revoked accidentally if not properly protected. When properly protected, STCs prevent any attempts to log on with a password, which eliminates the... |
V-259733 | Medium | zSecure must prevent nonprivileged users from executing privileged zSecure functions. | Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or... |
V-259732 | Medium | Access to IBM Security zSecure program resources must be limited to authorized users. | Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile. |
V-259728 | Medium | Access to zSecure installation data must be properly restricted and logged. | If the zSecure application were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part... |
V-259729 | Medium | Access to IBM Security zSecure STC data sets must be properly restricted and logged. | IBM Security zSecure STCs have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these zSecure STC data sets could result in... |
V-259738 | Medium | XFACILIT class, or alternate class if specified in module CKRSITE, must be active. | The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is... |
V-259730 | Medium | IBM Security zSecure access to user data sets must be properly restricted and logged. | If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes might result in incorrect results reported by the product. Only... |