Control options for the Top Secret CICS facilities must meet minimum requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-224737	ZCICT050	SV-224737r520315_rule		Medium

Description
TSS CICS facilities define the security controls in effect for CICS regions. Failure to code the appropriate values could result in degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

STIG	Date
z/OS IBM CICS Transaction Server for TSS Security Technical Implementation Guide	2021-12-14

Details

Check Text ( C-26428r520313_chk )
a) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CICSPROC) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values - TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. b) Ensure the following items are in effect for each CICS region’s facility: 1) The TSS CICS facility is defined with the control option values specified in the TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION Table in the z/OS STIG Addendum . Note: An exception to the STIG is MRO CICS regions in production will use SIGN(M) appropriately. 2) XUSER=YES must be coded in each CICS facility. 3) CICS transactions defined in the BYPASS list are not sensitive transactions. c) If the items in (b) are true for all CICS region’s facility, there is NO FINDING. d) If any item in (b) is untrue for a CICS region’s facility, this is a FINDING.

Check Text ( C-26428r520313_chk )

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values
- TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Ensure the following items are in effect for each CICS region’s facility:

1) The TSS CICS facility is defined with the control option values specified in the TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION Table in the z/OS STIG Addendum .

Note: An exception to the STIG is MRO CICS regions in production will use SIGN(M) appropriately.

2) XUSER=YES must be coded in each CICS facility.
3) CICS transactions defined in the BYPASS list are not sensitive transactions.

c) If the items in (b) are true for all CICS region’s facility, there is NO FINDING.

d) If any item in (b) is untrue for a CICS region’s facility, this is a FINDING.

Fix Text (F-26416r520314_fix)
Review the TSS control option values for all CICS facilities. Ensure the following items are in effect for each CICS region’s facility: 1) The TSS CICS facility is defined with the control option values specified in table - "TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION" , in the zOS STIG Addendum. Note: An exception is MRO CICS regions in production will use SIGN(M) appropriately. 2) XUSER=YES must be coded in each CICS facility. 3) CICS transactions defined in the BYPASS list are not sensitive transactions.

Fix Text (F-26416r520314_fix)

Review the TSS control option values for all CICS facilities.
Ensure the following items are in effect for each CICS region’s facility:

1) The TSS CICS facility is defined with the control option values specified in table - "TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION" , in the zOS STIG Addendum. Note: An exception is MRO CICS regions in production will use SIGN(M) appropriately.
2) XUSER=YES must be coded in each CICS facility.
3) CICS transactions defined in the BYPASS list are not sensitive transactions.