
z/OS ACF2 STIG



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-6991 High UID(0) is improperly assigned.
V-142 High The OPTS GSO record value will be set to the values specified.
V-184 High LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-108 High SYS1.PARMLIB is not limited to only system programmers.
V-6958 High WebSphere MQ channel security must be implemented in accordance with security requirements.
V-118 High The ACP security data sets and/or databases must be properly protected.
V-119 High Access greater than Read to the System Master Catalog must be limited to system programmers only.
V-112 High Write or greater access to SYS1.LPALIB must be limited to system programmers only.
V-113 High Update and allocate access to all APF-authorized libraries is not limited to system programmers only.
V-110 High Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
V-111 High Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
V-116 High Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
V-114 High Write or greater access to all LPA libraries must be limited to system programmers only.
V-115 High Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
V-15209 High Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.
V-122 High Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
V-129 High Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.
V-234 High All system PROCLIB data sets must be limited to system programmers only.
V-3900 High Vendor-supplied user accounts for the WebSphere Application Server are defined to the ACP.
V-36 High Dynamic lists must be protected in accordance with proper security requirements.
V-6960 High Websphere MQ "switch" profiles are improperly defined to the MQADMIN class.
V-7545 High Unsupported system software is installed and active on the system.
V-6972 High z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-6970 High z/OS UNIX resources must be protected in accordance with security requirements.
V-3899 Medium The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
V-3898 Medium HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-6919 Medium JES2 input sources are not controlled in accordance with the proper security requirements.
V-3897 Medium MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-3895 Medium DFSMS control data sets are not protected in accordance with security requirements.
V-6995 Medium The CLASMAP DEFINITIONS list does not include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes in accordance with security requirements.
V-6994 Medium The GSO UNIXOPTS record must specify CHOWNRES.
V-6996 Medium The INFODIR record does not include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes in accordance with security requirements.
V-6993 Medium The GSO UNIXOPTS record does not specify proper security settings for DFTGROUP and DFTUSER control options.
V-6992 Medium z/OS UNIX user accounts are not properly defined.
V-156 Medium The TSO2741 GSO record values specified are not in accordance with the proper security requirements.
V-28603 Medium z/OS USS Software owning Shared accounts do not meet strict security and creation restrictions.
V-3236 Medium User exits for the FTP Server are in use without proper approval or proper documentation.
V-83 Medium LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-86 Medium AC=1 modules in APF-authorized libraries must be reviewed annually, with documentation verifying the modules' integrity available.
V-178 Medium The number of users granted the special privilege CONSOLE is not justified.
V-179 Medium The number of users granted the special privilege ALLCMDS is not justified.
V-174 Medium The LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
V-175 Medium Procedures are not in place to ensure all LOGONIDs with the READALL attribute are used and controlled.
V-176 Medium The number of users granted the special privilege TAPE-LBL or TAPE-BLP is not justified or limited.
V-177 Medium The special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
V-171 Medium LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
V-172 Medium There are LOGONIDs with the SECURITY attribute that do not have the RULEVLD and RSRCVLD attributes specified.
V-173 Medium The LOGONID with the ACCTPRIV attribute must be restricted to the IAO.
V-6928 Medium JES2 system commands are not protected in accordance with security requirements.
V-150 Medium The SECVOLS GSO record value is set to VOLMASK(). Any local changes are justified and documented with the IAO.
V-6920 Medium JES2 input sources must be properly controlled.
V-6921 Medium JES2 output devices are not controlled in accordance with the proper security requirements.
V-34 Medium System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.
V-151 Medium The SYNCOPTS GSO record values are set to the values specified.
V-6924 Medium JESNEWS resources are not protected in accordance with security requirements.
V-6925 Medium JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.
V-6926 Medium JES2 spool resources will be controlled in accordance with security requirements.
V-31 Medium DFSMS resources must be protected in accordance with the proper security requirements.
V-181 Medium The number of users granted the special privilege OPERATOR is not justified.
V-180 Medium The number of users granted the special privilege PPGM is not justified.
V-183 Medium Sensitive Utility Controls will be properly defined and protected.
V-182 Medium Memory and privileged program dumps must be protected in accordance with proper security requirements.
V-6965 Medium WebSphere MQ queue resource defined to the MQQUEUE resource class are not protected in accordance with security requirements.
V-6967 Medium WebSphere MQ Namelist resources are not protected in accordance with security requirements.
V-109 Medium Access to SYS1.LINKLIB is not properly protected.
V-297 Medium TSOAUTH resources must be restricted to authorized users.
V-6974 Medium z/OS UNIX MVS data sets or HFS objects are not properly protected.
V-101 Medium Non-standard SMF data collection options specified.
V-103 Medium An automated process is not in place to collect and retain SMF data.
V-102 Medium Required SMF data record types must be collected.
V-105 Medium ACP database is not backed up on a scheduled basis.
V-104 Medium ACP database is not on a separate physical volume from its backup and recovery datasets.
V-107 Medium PASSWORD data set and OS passwords are utilized.
V-106 Medium System DASD backups are not performed on a regularly scheduled basis.
V-163 Medium There are LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users but do not have the JOBFROM attribute as required.
V-29952 Medium FTP Control cards will be properly stored in a secure PDS file.
V-7516 Medium CICS system data sets are not properly protected.
V-168 Medium Emergency LOGONIDs are not properly defined.
V-44 Medium CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-159 Medium Interactive LOGONIDs defined to ACF2 must have the required fields completed.
V-117 Medium Update and allocate access to LINKLIST libraries are not limited to system programmers only.
V-161 Medium There are LOGONIDs assigned for started tasks that do not have the STC attribute specified in the associated LOGONID record.
V-3219 Medium TCP/IP resources must be properly protected.
V-3218 Medium The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-7091 Medium ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements.
V-3215 Medium Configuration files for the TCP/IP stack are not properly specified.
V-3217 Medium PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
V-3216 Medium TCPIP.DATA configuration statements for the TCP/IP stack will be properly specified.
V-3239 Medium The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
V-54 Medium Surrogate users must be controlled in accordance with the proper requirements.
V-160 Medium There are batch jobs with restricted LOGONIDs that do not have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
V-127 Medium Access to SYS(x).TRACE is not limited to system programmers only.
V-126 Medium Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.
V-125 Medium Access to SYSTEM DUMP data sets are not limited to system programmers only.
V-124 Medium Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-123 Medium Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-121 Medium Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.
V-120 Medium Update and allocate access to all system-level product installation libraries are not limited to system programmers only.
V-128 Medium Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.
V-6937 Medium SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.
V-6936 Medium DFSMS control data sets are not properly protected.
V-6934 Medium DFSMS DFP Resource Ownership is not configured in accordance with security requirements.
V-6933 Medium SMS Program Resources must be properly defined and protected.
V-7050 Medium Attributes of z/OS UNIX user accounts are not defined in accordance with security requirements.
V-2 Medium The LOGONIDs specified in GSO MAINT records will have the JOB and MAINT attributes specified in the associated LOGONID record.
V-6939 Medium DFSMS resource type(s) is(are) not defined to the GSO INFODIR record in accordance with security requirements.
V-1 Medium There are started task LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record that are not listed as trusted and have not been specifically approved.
V-3229 Medium The startup user account for the z/OS UNIX Telnet Server is not defined properly.
V-3220 Medium Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-3221 Medium MVS data sets for the Base TCP/IP component are not properly protected.
V-3222 Medium PROFILE.TCPIP configuration statements for the TN3270 Telnet Server are not properly specified.
V-3223 Medium VTAM session setup controls for the TN3270 Telnet Server are not properly specified.
V-3224 Medium The warning banner for the TN3270 Telnet Server is not specified or properly specified.
V-3225 Medium The use of Digital Certificates must be implemented in accordance with security requirements.
V-3226 Medium SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-3227 Medium SMF recording options for the TN3270 Telnet Server must be properly specified.
V-6893 Medium CICS startup JCL statement is not specified in accordance with the proper security requirements.
V-6894 Medium Sensitive CICS transactions are not protected in accordance with the proper security requirements.
V-6896 Medium Sensitive CICS transactions are not protected in accordance with the proper security requirements.
V-131 Medium The AUTHEXIT GSO record value is used to define an extended user authentication exit at TSO logon, for Operator Identification (OID) card usage. DISA requires the use of NCPASS on all of its domains. DISA sites require the use of AUTHEXIT; for non-DISA sites this value is optional.
V-132 Medium The AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.
V-133 Medium The BACKUP GSO record value specifies a time field and Time(00:00) is not specified unless the database is shared and backed up on another system.
V-134 Medium The BLPPGM GSO record value indicates that ACF2 does not control the programs authorized to use tape bypass label processing (BLP).
V-135 Medium The CLASMAP GSO record value translates an eight-character SAF resource class into a three character ACF2 resource type code.
V-136 Medium The EXITS GSO record value specifies the module names of site written ACF2 exit routines.
V-138 Medium The LINKLST GSO record value if specified only contains trusted system datasets.
V-154 Medium The TSOKEYS GSO record values specified are not in accordance with security requirements.
V-6942 Medium DFSMS resource class(es) is(are) not defined to the GSO CLASMAP record in accordance with security requirements.
V-6941 Medium DFSMS resource class(es) is(are) not defined to the GSO SAFDEF record in accordance with security requirements.
V-6946 Medium z/OS UNIX HFS MapName files security parameters are not properly specified.
V-6947 Medium z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
V-6944 Medium z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
V-6945 Medium z/OS UNIX BPXPRMxx security parameters in PARMLIB are not properly specified.
V-6949 Medium The VTAM USSTAB definitions are being used for unsecured terminals.
V-29532 Medium IEASYMUP resource will be protected in accordance with proper security requirements.
V-6978 Medium z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
V-33795 Medium Sensitive and critical system data sets exist on shared DASD.
V-155 Medium The TSOTWX GSO record values are set to the values specified.
V-3331 Medium The ACP audit logs must be reviewed on a regular basis.
V-6922 Medium JES2 output devices must be properly controlled for Classified Systems.
V-3905 Medium WebSphere MQ: all update and alter access to MQSeries/WebSphere MQ product and system data sets is not properly restricted.
V-3904 Medium WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
V-3901 Medium The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
V-3903 Medium User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
V-302 Medium CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
V-152 Medium The TSO GSO record values must be set to the values specified.
V-7486 Medium MCS console userid(s) will be properly protected.
V-31561 Medium Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).
V-145 Medium The PWPHRASE GSO record must be properly defined.
V-144 Medium The PSWD GSO record values must be set to the values specified in the checks portion below.
V-147 Medium The RESVOLS GSO record value is set to Volmask(-). Any other setting requires documentation justifying the change.
V-146 Medium The RESRULE GSO record value is set to NONE any other setting requires documentation justifying the change.
V-141 Medium The NJE GSO record value indicates validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
V-140 Medium The MAINT GSO record value if specified will be restricted to production storage management user accounts and programs.
V-143 Medium The PPGM GSO record value indicates protected programs that are only executed by privileged users.
V-6956 Medium The System datasets used to support the VTAM network are not properly secured.
V-6959 Medium WebSphere MQ resource classes are not properly activated.
V-36899 Medium The OPTS GSO record value must be set to the values specified.
V-149 Medium The SAFDEF GSO record baseline values are not set to the values previously documented.
V-148 Medium The RULEOPTS GSO record values are set to the values specified.
V-153 Medium The TSOCRT GSO record values are set to the appropriate values.
V-7485 Medium The system programmer will ensure that the CONSOLxx members are properly configured.
V-7558 Medium Userids found inactive for more than 35 days are not suspended.
V-7487 Medium MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-3238 Medium SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-7482 Medium z/OS system commands are improperly protected.
V-6968 Medium BPX resource(s) is(are) not protected in accordance with security requirements.
V-7488 Medium Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.
V-7554 Medium Key ACF2/CICS parameters must be properly coded.
V-3240 Medium MVS data sets for the FTP Server are not properly protected.
V-6989 Medium The user account for the z/OS UNIX (RMFGAT) is not properly defined.
V-162 Medium There are LOGONIDs associated with started tasks that have the MUSASS requirement but do not have both the MUSASS and NO-SMC specified in corresponding LOGONID records.
V-251 Medium Sensitive CICS transactions are not protected in accordance with security requirements.
V-3716 Medium User accounts defined to the ACP do not uniquely identify system users.
V-3237 Medium The warning banner for the FTP Server is not specified properly.
V-3235 Medium FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
V-3234 Medium The startup parameters for the FTP include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
V-3233 Medium The FTP Server daemon is not defined with proper security parameters.
V-3232 Medium HFS objects for the z/OS UNIX Telnet Server will be properly protected.
V-3231 Medium The warning banner for the z/OS UNIX Telnet Server is not specified or not properly specified.
V-3230 Medium Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
V-6964 Medium WebSphere MQ dead letter and alias dead letter queues are not properly defined.
V-6969 Medium WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements.
V-6966 Medium WebSphere MQ Process resources are not protected in accordance with security requirements.
V-7120 Medium CICS logonid(s) do not have time-out limit set to 15 minutes.
V-6961 Medium z/OS UNIX security parameters in /etc/profile are not properly specified.
V-6962 Medium WebSphere MQ MQCONN Class resources are not protected in accordance with security requirements.
V-6963 Medium z/OS UNIX security parameters in /etc/rc not properly specified.
V-6923 Medium JESSPOOL resources are not protected in accordance with security requirements.
V-6904 Medium NCP (Network Control Program) data set access authorization does not restrict UPDATE and/or ALLOCATE access to appropriate personnel.
V-6905 Medium A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
V-6902 Medium A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
V-6903 Medium An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
V-6900 Medium All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed.
V-6901 Medium Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
V-6986 Medium Each z/OS UNIX group is not defined with a unique GID.
V-6987 Medium The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
V-6985 Medium Attributes of z/OS UNIX user accounts are not defined properly.
V-6980 Medium WebSphere MQ channel security is not implemented in accordance with security requirements.
V-6981 Medium z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.
V-6927 Medium JES2.** resource is not protected in accordance with security requirements.
V-6988 Medium The user account for the z/OS UNIX BPXROOT is not properly defined.
V-7546 Medium Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.
V-7119 Medium CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-5627 Medium The hosts identified by the NSINTERADDR statement will be properly protected.
V-8271 Medium FTP / Telnet unencrypted transmissions require an Acknowledgement of Risk Letter (AORL).
V-90 Medium Inapplicable PPT entries have not been invalidated.
V-7547 Medium The IAO or Site does not subscribe to the DOD-CERT/VCTS (Vulnerability Compliance Tracking System) bulletin mailing list.
V-4850 Medium Allocate access to system user catalogs are not limited to system programmers only.
V-3242 Medium The Syslog daemon is not started at z/OS initialization.
V-3243 Medium The Syslog daemon must be properly defined and secured.
V-6979 Medium z/OS UNIX system file security settings will be properly protected or specified.
V-3241 Medium The TFTP Server program is not properly protected.
V-3244 Medium The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
V-6973 Medium WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
V-6971 Medium WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
V-6977 Medium z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected.
V-6976 Medium z/OS UNIX MVS data sets with z/OS UNIX components are not properly protected.
V-6975 Medium WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
V-23837 Medium z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
V-3896 Low SYS(x).PARMLIB(IEFSSNxx) SMS configuration parameter settings are not properly specified.
V-82 Low A CMP (Change Management Process) is not being utilized on this system.
V-85 Low Duplicated sensitive utilities and/or programs exist in APF libraries.
V-84 Low Inaccessible APF libraries defined.
V-170 Low There are no procedures to utilize the LOGONID with the REFRESH attribute.
V-100 Low Non-existent or inaccessible LINKLIST libraries.
V-23 Low The REFRESH attribute must be restricted.
V-158 Low There are LOGONIDs defined to ACF2 that do not have the required fields completed.
V-5605 Low Non-existent or inaccessible Link Pack Area (LPA) libraries.
V-130 Low The APPLDEF GSO record if used has supporting documentation indicating the reason it was used.
V-169 Low LOGONIDs with the REFRESH attribute must have the SUSPEND attribute specified.
V-167 Low There are GSO MAINT records that do not have corresponding maintenance LOGONIDs.
V-166 Low There are maintenance LOGONIDs that do not have corresponding GSO MAINT records.
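The finding list above is exported as flat text, one row per line in the form "V-<id> <Severity> <title>". The following is an added example, not part of the STIG Viewer page or of DISA's tooling, of a small parser for that row format: it validates each row, tallies findings by severity, lists the High findings for triage, and flags titles that appear under more than one finding ID (as several of the CICS transaction findings do). The embedded sample is a handful of rows copied from the list above; the function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# One row of the flattened finding table: "V-<id> <Severity> <title>".
ROW_RE = re.compile(r"^(V-\d+)\s+(High|Medium|Low)\s+(.+?)\s*$")

# Constructed sample: rows copied from the z/OS ACF2 STIG list above, including
# two distinct finding IDs (V-6894, V-6896) that carry the same title.
SAMPLE = """\
Finding ID Severity Title
V-6991 High UID(0) is improperly assigned.
V-113 High Update and allocate access to all APF-authorized libraries is not limited to system programmers only.
V-7558 Medium Userids found inactive for more than 35 days are not suspended.
V-6894 Medium Sensitive CICS transactions are not protected in accordance with the proper security requirements.
V-6896 Medium Sensitive CICS transactions are not protected in accordance with the proper security requirements.
V-82 Low A CMP (Change Management Process) is not being utilized on this system.
"""


def _id_number(finding_id):
    # "V-6894" -> 6894, so IDs sort numerically rather than lexically.
    return int(finding_id.split("-", 1)[1])


def parse_findings(text):
    """Return a list of (finding_id, severity, title) tuples.

    Header and blank lines are skipped. Any other line that does not match the
    row format raises ValueError, so a mangled export is noticed instead of
    silently losing findings.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("Finding ID"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a finding row: {line!r}")
        rows.append(m.groups())
    return rows


def severity_counts(rows):
    """Number of findings per severity, e.g. {'High': 2, 'Medium': 3, 'Low': 1}."""
    return Counter(sev for _, sev, _ in rows)


def high_findings(rows):
    """Finding IDs rated High, in the order they appear in the list."""
    return [fid for fid, sev, _ in rows if sev == "High"]


def duplicate_titles(rows):
    """Map title -> numerically sorted finding IDs, for titles used by more than one ID."""
    by_title = defaultdict(list)
    for fid, _, title in rows:
        by_title[title].append(fid)
    return {t: sorted(ids, key=_id_number) for t, ids in by_title.items() if len(ids) > 1}


if __name__ == "__main__":
    rows = parse_findings(SAMPLE)
    print("by severity:", dict(severity_counts(rows)))
    print("High findings:", high_findings(rows))
    for title, ids in duplicate_titles(rows).items():
        print("shared title", ids, "->", title)
```

To run it over the full list, save the finding rows to a file and pass its contents to parse_findings; rows with a severity other than High, Medium or Low, or with a malformed ID, are reported by line number rather than dropped.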