UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

z/OS RACF STIG



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-184 High LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-69231 High The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-6991 High UID(0) must be properly assigned.
V-276 High The PROTECTALL SETROPTS value specified must be properly set.
V-112 High Write or greater access to SYS1.LPALIB must be limited to system programmers only.
V-111 High Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
V-108 High SYS1.PARMLIB is not limited to only system programmers.
V-114 High Write or greater access to all LPA libraries must be limited to system programmers only.
V-118 High The ACP security data sets and/or databases must be properly protected.
V-119 High Access greater than Read to the System Master Catalog must be limited to system programmers only.
V-113 High Update and allocate access to all APF -authorized libraries are not limited to system programmers only.
V-110 High Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
V-116 High Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
V-115 High Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
V-71223 High Libraries included in the system REXXLIB concatenation must be properly protected.
V-15209 High Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.
V-122 High Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
V-129 High Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.
V-234 High All system PROCLIB data sets must be limited to system programmers only
V-3900 High Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
V-65649 High NIST FIPS-validated cryptography must be used to protect passwords in the security database.
V-6958 High WebSphere MQ channel security must be implemented in accordance with security requirements.
V-36 High Dynamic lists must be protected in accordance with proper security requirements.
V-6960 High WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
V-64803 High The RACF System REXX IRRPWREX security data set must be properly protected.
V-69229 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-7545 High Unsupported system software is installed and active on the system.
V-6970 High z/OS UNIX resources must be protected in accordance with security requirements.
V-6972 High z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-3899 Medium The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.
V-3898 Medium HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-6919 Medium JES2 input sources are not controlled in accordance with theh proper security requirements.
V-6918 Medium RJE workstations and NJE nodes are not controlled in accordance with STIG requirements.
V-6916 Medium RJE workstations and NJE nodes are not controlled in accordance with security requirements.
V-3897 Medium MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-269 Medium The JES(XBMALLRACF) SETROPTS value is not set to JES(XBMALLRACF).
V-6997 Medium The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.
V-69233 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-69235 Medium SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-6992 Medium z/OS UNIX user accounts are not properly defined.
V-6999 Medium RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.
V-6998 Medium The RACF Classes required to properly security the z/OS UNIX environment are not ACTIVE.
V-279 Medium The SETROPTS RVARYPW values must be properly set.
V-278 Medium The RETPD SETROPTS value specified is improperly set.
V-28603 Medium z/OS USS Software owning Shared accounts do not meet strict security and creation restrictions.
V-3236 Medium User exits for the FTP Server must not be used without proper approval and documentation.
V-273 Medium The PASSWORD(REVOKE) SETROPTS value specified is not in accordance with security requirements.
V-272 Medium The PASSWORD(INTERVAL) SETROPTS value is not set to 60 days.
V-271 Medium The PASSWORD(HISTORY) SETROPTS value is not set to 10.
V-270 Medium The OPERAUDIT SETROPTS value is not set to OPERAUDIT.
V-275 Medium The PASSWORD(WARNING) SETROPTS value is improperly set.
V-274 Medium The PASSWORD(RULEn) SETROPTS value(s) must be properly set.
V-75057 Medium The RACF SERVAUTH resource class must be active for TCP/IP resources.
V-3234 Medium The startup parameters for the FTP include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
V-3233 Medium The FTP Server daemon is not defined with proper security parameters.
V-75059 Medium RACF Global Access Checking must be restricted to appropriate classes and resources
V-6985 Medium Attributes of z/OS UNIX user accounts are not defined properly
V-3232 Medium HFS objects for the z/OS UNIX Telnet Server will be properly protected.
V-6928 Medium JES2 system commands are not protected in accordance with security requirements.
V-6920 Medium JES2 input sources must be properly controlled.
V-5627 Medium The hosts identified by the NSINTERADDR statement must be properly protected.
V-34 Medium System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.
V-6923 Medium JESSPOOL resources are not protected in accordance with security requirements.
V-6924 Medium JESNEWS rewsources are not protected in accordance with security requirements.
V-6925 Medium JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.
V-6926 Medium JES2 spool resources will be controlled in accordance with security requirements.
V-31 Medium DFSMS resources must be protected in accordance with the proper security requirements.
V-264 Medium The INACTIVE SETROPTS value is not set to 35 days.
V-266 Medium The INITSTATS SETROPTS value is not set to INITSTATS.
V-182 Medium Memory and privileged program dumps must be protected in accordance with proper security requirements.
V-260 Medium The GENCMD SETROPTS value is not enabled for ACTIVE classes.
V-261 Medium The GENERIC SETROPTS value is not enabled for ACTIVE classes.
V-262 Medium The TERMINAL SETROPTS value is not set to READ.
V-290 Medium DASD Management USERIDs must be properly controlled.
V-293 Medium The use of the RACF SPECIAL Attribute is not justified.
V-295 Medium The use of the RACF AUDITOR privilege must be justified.
V-6967 Medium WebSphere MQ Namelist resource profiles defined in the MQNLIST Class are not protected in accordance with security requirements.
V-117 Medium Update and allocate access to LINKLIST libraries are not limited to system programmers only.
V-109 Medium Access to SYS1.LINKLIB is not properly protected.
V-267 Medium The JES(BATCHALLRACF) SETROPTS value is not set to JES(BATCHALLRACF).
V-101 Medium Non-standard SMF data collection options specified.
V-103 Medium An automated process is not in place to collect and retain SMF data.
V-296 Medium The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.
V-105 Medium ACP database is not backed up on a scheduled basis.
V-104 Medium ACP database is not on a separate physical volume from its backup and recovery datasets.
V-107 Medium PASSWORD data set and OS passwords are utilized.
V-106 Medium System DASD backups are not performed on a regularly scheduled basis.
V-29952 Medium FTP Control cards will be properly stored in a secure PDS file.
V-7516 Medium CICS system data sets are not properly protected.
V-59477 Medium RACF exit ICHPWX01 must be installed and properly configured.
V-17839 Medium Batch job user Ids must be properly defined.
V-44 Medium CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-3230 Medium Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
V-265 Medium The GRPLIST SETROPTS value is not set to ACTIVE.
V-299 Medium Sensitive Utility Controls will be properly defined and protected.
V-298 Medium DASD Volume level protection must be properly defined.
V-291 Medium There are started tasks defined to RACF with the trusted attribute that are not justified.
V-292 Medium Emergency USERIDs must be properly defined.
V-294 Medium Assignment of the RACF OPERATIONS attribute to individual userids must be fully justified.
V-297 Medium TSOAUTH resources must be restricted to authorized users.
V-6905 Medium A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
V-3219 Medium TCP/IP resources must be properly protected.
V-3218 Medium The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-6987 Medium The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
V-3215 Medium Configuration files for the TCP/IP stack are not properly specified.
V-3217 Medium PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
V-3216 Medium TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.
V-54 Medium Surrogate users must be controlled in accordance with proper security requirements.
V-127 Medium Access to SYS(x).TRACE is not limited to system programmers only.
V-126 Medium Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.
V-125 Medium Access to SYSTEM DUMP data sets are not limited to system programmers only.
V-124 Medium Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-123 Medium Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-121 Medium Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.
V-120 Medium Update and allocate access to all system-level product installation libraries are not limited to system programmers only.
V-128 Medium Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.
V-6937 Medium SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.
V-83 Medium LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-288 Medium Started Tasks are not properly identified to RACF.
V-289 Medium Started Tasks are improperly defined to RACF.
V-6933 Medium SMS Program Resources must be properly defined and protected.
V-282 Medium The TAPEDSN SETROPTS value specified is improperly set.
V-283 Medium The WHEN(PROGRAM) SETROPTS value specified is not active.
V-280 Medium The SAUDIT SETROPTS value specified is improperly set.
V-7050 Medium Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-286 Medium RACF batch jobs are improperly secured.
V-287 Medium RACF batch jobs are not protected with propagation control.
V-285 Medium Interactive USERIDs defined to RACF must have the required fields completed.
V-3229 Medium The startup user account for the z/OS UNIX Telnet Server is not defined properly.
V-6980 Medium WebSphere MQ channel security is not implemented in accordance with security requirements.
V-3220 Medium Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-3221 Medium MVS data sets for the Base TCP/IP component are not properly protected,
V-3222 Medium PROFILE.TCPIP configuration statements for the TN3270 Telnet Server must be properly specified.
V-3223 Medium VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
V-3224 Medium The warning banner for the TN3270 Telnet Server is not specified or properly specified.
V-86 Medium The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.
V-3226 Medium SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-3227 Medium SMF recording options for the TN3270 Telnet Server must be properly specified.
V-6898 Medium CICS regions are improperly protected to prevent unauthorized propagation of the region userid.
V-31561 Medium Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF)
V-6943 Medium DFSMS-related RACF classes are not active.
V-6946 Medium z/OS UNIX HFS MapName files security parameters are not properly specified.
V-6947 Medium z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
V-6944 Medium z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
V-6945 Medium z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
V-6949 Medium The VTAM USSTAB definitions are being used for unsecured terminals
V-29532 Medium IEASYMUP resource will be protected in accordance with proper security requirements.
V-33795 Medium Sensitive and critical system data sets exist on shared DASD.
V-3331 Medium The ACP audit logs must be reviewed on a regular basis .
V-6922 Medium JES2 output devices must be properly controlled for Classified Systems.
V-3905 Medium WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted
V-3904 Medium WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
V-263 Medium The PASSWORD(MINCHANGE) value must be specified as (1).
V-3901 Medium The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
V-3903 Medium User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
V-3895 Medium DFSMS control data sets must be protected in accordance with security requirements.
V-302 Medium CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
V-301 Medium External RACF Classes are not active for CICS transaction checking.
V-3240 Medium MVS data sets for the FTP Server are not properly protected.
V-6956 Medium The System datasets used to support the VTAM network are not properly secured.
V-6959 Medium WebSphere MQ resource classes are not properly actived for security checking by the ACP.
V-69237 Medium The SSH daemon must be configured to use SAF keyrings for key storage.
V-7485 Medium CONSOLxx members must be properly configured.
V-7486 Medium MCS console userid(s) will be properly protected.
V-7487 Medium MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-3238 Medium SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-7482 Medium z/OS system commands must be properly protected.
V-7488 Medium Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.
V-3239 Medium The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
V-259 Medium The ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.
V-258 Medium The EGN SETROPTS value specified is not set to EGN.
V-6989 Medium The user account for the z/OS UNIX (RMFGAT) must be properly defined.
V-6936 Medium DFSMS control data sets are not properly protected.
V-255 Medium The AUDIT SETROPTS value is improperly set.
V-254 Medium The Automatic Data Set Protection (ADSP) SETROPTS value is not set to NOADSP.
V-257 Medium The CMDVIOL SETROPTS value is not set to CMDVIOL.
V-256 Medium The CLASSACT SETROPTS must be specified for the TEMPDSN Class.
V-251 Medium Sensitive CICS transactions are not protected in accordance with security requirements.
V-3716 Medium User accounts defined to the ACP do not uniquely identify system users.
V-3237 Medium The warning banner for the FTP Server must be specified properly.
V-3235 Medium FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
V-6978 Medium z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
V-6968 Medium BPX resource(s)s is(are) not protected in accordance with security requirements.
V-6969 Medium WebSphere MQ Alternate User resources defined to MQADMIN resource class are not protected in accordance with security requirements.
V-3231 Medium The warning banner for the z/OS UNIX Telnet Server must be properly specified
V-6921 Medium JES2 output devices are not controlled in accordance with the proper security requirements.
V-6964 Medium WebSphere MQ dead letter and alias dead letter queues are not properly defined.
V-6965 Medium WebSphere MQ MQQUEUE (Queue) resource profiles defined to the MQQUEUE class are not protected in accordance with security requirements.
V-6966 Medium WebSphere MQ Process resource profiles defined in the MQPROC Class are not protected in accordance with security requirements.
V-7120 Medium CICS logonid(s) must have time-out limit set to 15 minutes.
V-6961 Medium z/OS UNIX security parameters in etc/profile are not properly specified.
V-6962 Medium WebSphere MQ MQCONN Class (Connection) resource definitions must be protected in accordance with security.
V-6963 Medium z/OS UNIX security parameters in /etc/rc not properly specified.
V-6904 Medium NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.
V-6902 Medium A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
V-6903 Medium An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
V-6900 Medium All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed
V-6901 Medium Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
V-69223 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-7492 Medium The OPERCMDS resource class is not active.
V-7491 Medium MCS consoles are not active.
V-7490 Medium FACILITY resource class is inactive.
V-69227 Medium Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-69225 Medium Expired Digital Certificates must not be used.
V-6981 Medium z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.
V-6988 Medium The user account for the z/OS UNIX SUPERSUSER userid must be properly defined.
V-7546 Medium Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.
V-7119 Medium CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-6986 Medium z/OS UNIX each group is not defined with a unique GID.
V-8271 Medium FTP / Telnet unencryted transmissions require Acknowledgement of Risk Letter(AORL)
V-90 Medium Inapplicable PPT entries have not been invalidated.
V-4850 Medium Allocate access to system user catalogs must be limited to system programmers only.
V-3242 Medium The Syslog daemon is not started at z/OS initialization.
V-3243 Medium The Syslog daemon must be properly defined and secured.
V-6979 Medium z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.
V-3241 Medium The TFTP Server program is not properly protected.
V-102 Medium Required SMF data record types must be collected.
V-3244 Medium The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
V-6973 Medium WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
V-6971 Medium WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
V-23837 Medium z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
V-6977 Medium z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected
V-6976 Medium z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected
V-6975 Medium WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
V-6974 Medium z/OS UNIX MVS data sets or HFS objects are not properly protected.
V-3896 Low SYS(x).Parmlib(IEFSSNxx) SMS configuration parameter settings are not properly specified.
V-277 Low The REALDSN SETROPTS value specified is improperly set.
V-71203 Low The SETROPTS LOGOPTIONS must be properly configured.
V-100 Low Non-existent or inaccessible LINKLIST libraries.
V-5605 Low Non-existent or inaccessible Link Pack Area (LPA) libraries.
V-82 Low A CMP (Change Management Process) is not being utilized on this system.
V-284 Low RACF users do not have the required default fields.
V-85 Low Duplicated sensitive utilities and/or programs exist in APF libraries.
V-84 Low Inaccessible APF libraries defined.