IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259735	ZSEC-00-000200	SV-259735r943239_rule		Medium

Description
Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include but are not limited to the following: halting application processing, halting selected application functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.

Description

Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include but are not limited to the following: halting application processing, halting selected application functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.

STIG	Date
IBM zSecure Suite Security Technical Implementation Guide	2024-01-18

Details

Check Text ( C-63474r943237_chk )
Verify that a (daily) scheduled batch job is defined and used or a custom alert is configured and activated to inform appropriate personnel, such as auditors and compliance officers, about successful changes to the zSecure configuration data sets on their z/OS systems. If SMF records regarding successful UPDATE(s) to zSecure configuration data sets are not reported to the information system security manager (ISSM), this is a finding.

Check Text ( C-63474r943237_chk )

Verify that a (daily) scheduled batch job is defined and used or a custom alert is configured and activated to inform appropriate personnel, such as auditors and compliance officers, about successful changes to the zSecure configuration data sets on their z/OS systems.

If SMF records regarding successful UPDATE(s) to zSecure configuration data sets are not reported to the information system security manager (ISSM), this is a finding.

Fix Text (F-63381r943238_fix)
The recipients of the SMF reports or alert messages must investigate whether the UPDATE is legitimate (e.g., is documented and approved in a change management request). If it is not, they must restore the original configuration setting.