Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The IBM Security zSecure Suite products must use an external security manager (RACF, ACF2, or TSS) for all account management functions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259727 | ZSEC-00-000020 | SV-259727r943215_rule | High |
| Description |
|---|
| Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. A comprehensive application account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include but are not limited to using automation to take action on multiple accounts designated as inactive, suspended, or terminated or by disabling accounts in noncentralized account stores, such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The application must be configured to automatically provide account management functions, and these functions must immediately enforce the organization's current account policy. The automated mechanisms may reside within the application or be offered by the operating system or other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that when placed together contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example, using email or text messaging to automatically notify account managers when users are terminated or transferred, using the information system to monitor account usage, and using automated telephonic notification to report atypical system account usage. |
| STIG | Date |
|---|---|
| IBM zSecure Suite Security Technical Implementation Guide | 2024-01-18 |
Details
| Check Text ( C-63466r943213_chk ) |
|---|
| None of the zSecure functional profiles must allow general access by means of UACC(NONE), WARNING, or global access. Review profile(s) protecting CKF.** resources in XFACILIT class. If only profile CKF.** exists, this is a finding. If READ access to any other CKF. Review profile(s) protecting CKN*.** resources in XFACILIT class. If only profile CKN*.** exists, this is a finding. If READ access to any other CKNADMIN.**, CKNDSN.** or CKNUMAP profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKG.** resources in XFACILIT class. If only profile CKG.** exists, this is a finding. If READ access to any other CKG.CMD.**, CKG.RAC.**, CKG.SCHEDULE.**, CKG.SCP.**, CKG.UCAT.**, or CKG.USRDATA.** profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting CKR.** resources in XFACILIT class. If only profile CKR.** exists, this is a finding. If READ access to any other CKR.ACTION.**, CKR.CKRCARLA.APF, CKR.CKXLOG.**, CKR.OPTION.**, or CKR.READALL profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2R.** resources in XFACILIT class. If only profile C2R.** exists, this is a finding. If READ access to any other C2R.CLIENT.** or C2R.SERVER.ADMIN profiles is not restricted to security administrators (domain or decentralized), security batch jobs performing ESM maintenance, and trusted STC users, this is a finding. Review profile(s) protecting C2X.** resources in XFACILIT class. If only profile C2X.** exists, this is a finding. If UPDATE access to any other C2X.ICH* profile is not restricted to automated operation STCs/batch jobs or trusted STC users, this is a finding. |
| Fix Text (F-63373r943214_fix) |
|---|
| Ensure READ access to zSecure functional resources is restricted to the appropriate staff members. READ access can be given to security administrators (domain level and decentralized), security batch jobs that perform ESM maintenance, and trusted STC users. The following commands are provided as a sample for implementing zSecure functional resource controls: rdef xfacilit resource_profile_protecting_zSecure_CKF_ resource uacc(none) owner(zSecure owner) pe resource_profile_protecting_zSecure_CKF_ resource class(XFACILIT) id(SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ) rdef xfacilit CKNADMIN.TONODE. pe CKNADMIN.TONODE. rdef xfacilit CKNADMIN.FROMNODE. pe CKNADMIN.FROMNODE. rdef xfacilit CKNDSN. rdef xfacilit CKNDSN. rdef xfacilit CKNDSN. rdef xfacilit CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. pe CKNDSN. rdef xfacilit CKNDSN. pe CKNDSN. rdef xfacilit CKR.ACTION.** uacc(none) owner(zSecure owner) pe CKR.ACTION.** class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT) access(READ) rdef xfacilit CKR.CKRCARLA.APF uacc(none) owner(zSecure owner) pe CKR.CKRCARLA.APF class(xfacilit) id(SECAUDT, SECBAUDT) access(READ) rdef xfacilit CKR.READALL uacc(none) owner(zSecure owner) pe CKR.READALL class(xfacilit) id(SECAAUDT, SECBAUDT, TSTCAUDT) access(READ) |