UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

z/OS TSS STIG



Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-69231 High The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
V-6991 High UID(0) is improperly assigned.
V-184 High LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
V-108 High SYS1.PARMLIB is not limited to only system programmers.
V-114 High Write or greater access to all LPA libraries must be limited to system programmers only.
V-118 High The ACP security data sets and/or databases must be properly protected.
V-119 High Access greater than Read to the System Master Catalog must be limited to system programmers only.
V-112 High Write or greater access to SYS1.LPALIB must be limited to system programmers only.
V-113 High Update and allocate access to all APF -authorized libraries are not limited to system programmers only.
V-110 High Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
V-111 High Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
V-116 High Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
V-115 High Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
V-71223 High Libraries included in the system REXXLIB concatenation must be properly protected.
V-7021 High The HFSSEC resource class is not defined with DEFPROT.
V-15209 High Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.
V-122 High Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
V-240 High Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
V-129 High Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.
V-79049 High NIST FIPS-validated cryptography must be used to protect passwords in the security database.
V-205 High The MODE Control Option is not set to (FAIL).
V-237 High ACIDs granted the CONSOLE attribute must be justified.
V-234 High All system PROCLIB data sets must be limited to system programmers only
V-233 High Emergency ACIDs must be properly limited and auditing resource access.
V-229 High The BYPASS attribute must be limited to just trusted STCs.
V-225 High PASSWORD(NOPW) option must not be specified for any ACID type.
V-6958 High WebSphere MQ channel security must be implemented in accordance with security requirements.
V-3900 High Vendor-supplied user accounts for the WebSphere Application Server are defined to the ACP.
V-15098 High The Facility Control Option does not specify the sub option of MODE=FAIL.
V-36 High Dynamic lists must be protected in accordance with proper security requirements.
V-6960 High Websphere MQ "switch" profiles are improperly defined to the MQADMIN class.
V-6972 High z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
V-19893 High Access to the TSS MODE resource class is inappropriate.
V-69229 High The SSH daemon must be configured to only use the SSHv2 protocol.
V-7545 High Unsupported system software is installed and active on the system.
V-247 High Volume access greater than CREATE found in CA-Top Secret (TSS) database must be limited to authorized information technology personnel requiring access to perform their job duties.
V-243 High The number of ACIDs with MISC9 authority must be justified. ACIDs with MISC9 must be limited to the administrative authorities authorized and that require these privileges to perform their job duties.
V-6970 High z/OS UNIX resources must be protected in accordance with security requirements.
V-3899 Medium The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
V-3898 Medium HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-6919 Medium JES2 input sources are improperly protected.
V-6918 Medium RJE workstations and NJE nodes are not controlled in accordance with STIG requirements.
V-3897 Medium MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
V-3895 Medium DFSMS control data sets must be protected in accordance with security requirements.
V-69233 Medium The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
V-36851 Medium NPPTHRESH Control Option will be properly set.
V-21948 Medium The TSS ALL record has inappropriate access to Facility Matrix Tables.
V-36853 Medium PPHIST Control Option will be properly set.
V-222 Medium The TIMER Control Option is not set to (30).
V-3237 Medium The warning banner for the FTP Server is not specified properely.
V-28603 Medium z/OS USS Software owning Shared accounts do not meet strict security and creation restrictions.
V-3236 Medium User exits for the FTP Server must not be used without proper approval and documentation.
V-83 Medium LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
V-86 Medium The review of AC=1 modules in APF authorized libraries will be reviewed annually and documentation verifying the modules integrity is available.
V-226 Medium Propagation control is not in use, thus allowing ACID inheritance.
V-3233 Medium The FTP Server daemon is defined improperly.
V-3232 Medium HFS objects for the z/OS UNIX Telnet Server will be properly protected.
V-6928 Medium JES2 system commands are not protected in accordance with security requirements.
V-3223 Medium VTAM session setup controls for the TN3270 Telnet Server are not properly specified.
V-6920 Medium JES2 input sources must be properly controlled.
V-5627 Medium The hosts identified by the NSINTERADDR statement will be properly protected.
V-34 Medium System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.
V-6923 Medium JESSPOOL resources are improperly protected.
V-6924 Medium JESNEWS resources are improperly protected.
V-6925 Medium JESTRACE and/or SYSLOG resources are improperly protected.
V-6926 Medium JES2 spool resources will be controlled in accordance with security requirements.
V-31 Medium DFSMS resources must be protected in accordance with the proper security requirements.
V-4850 Medium Allocate access to system user catalogs are not limited to system programmers only.
V-182 Medium Memory and privileged program dumps must be protected in accordance with proper security requirements.
V-189 Medium The AUTH Control Option values specified are not set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER).
V-188 Medium The ADSP (Automatic DataSet Protection) Control Option is not set to (NO).
V-6966 Medium WebSphere MQ Process resources are not protected in accordance with security requirements.
V-6967 Medium WebSphere MQ Namelist resources are not protected in accordance with security requirements.
V-7555 Medium Control options for the Top Secret CICS facilities do not meet minimum requirements.
V-3239 Medium The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
V-109 Medium Access to SYS1.LINKLIB is not properly protected.
V-6974 Medium z/OS UNIX MVS data sets or HFS objects are not properly protected.
V-101 Medium Non-standard SMF data collection options specified.
V-103 Medium An automated process is not in place to collect and retain SMF data.
V-102 Medium Required SMF data record types must be collected.
V-105 Medium ACP database is not backed up on a scheduled basis.
V-104 Medium ACP database is not on a separate physical volume from its backup and recovery datasets.
V-107 Medium PASSWORD data set and OS passwords are utilized.
V-106 Medium System DASD backups are not performed on a regularly scheduled basis.
V-36852 Medium PPEXP Control Option will be properly set.
V-6977 Medium z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected
V-22 Medium Dataset masking characters are not properly defined to the security database.
V-211 Medium The PTHRESH Control Option is not set to (2).
V-193 Medium The DEBUG Control Option value is not set to (OFF).
V-213 Medium The PWHIST Control Option is not set to (10) or greater.
V-191 Medium The CPFRCVUND Control Option value specified is not set to (NO).
V-196 Medium The DOWN Control Option values specified are not set to (BW,SB,OW) and TW if users are still defined in SYS1.UADS, TN if only systems personnel are defined in SYS1.UADS.
V-197 Medium The EXIT Control Option is not set to (ON) for DISA sites.
V-217 Medium The SUBACID Control Option is not set to (U,8).
V-195 Medium The DL1B Control Option is not set to (NO).
V-198 Medium The HPBPW Control Option is not set to (3) days maximum.
V-199 Medium The INACTIVE Control Option must be properly set.
V-221 Medium The TEMPDS Control Option is not set to (YES).
V-44 Medium CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-3230 Medium Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
V-215 Medium The RECOVER Control Option is not set to (ON).
V-117 Medium Update and allocate access to LINKLIST libraries are not limited to system programmers only.
V-297 Medium TSOAUTH resources must be restricted to authorized users.
V-3219 Medium TCP/IP resources must be properly protected.
V-3218 Medium The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
V-3215 Medium Configuration files for the TCP/IP stack are not properly specified.
V-3217 Medium PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
V-3216 Medium TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.
V-203 Medium The LOG Control Option is not set to (SMF,INIT, SEC9, MSG). .
V-200 Medium The INSTDATA Control Option is not set to (0).
V-201 Medium The IOTRACE Control option is not set to (OFF)
V-206 Medium The MSUSPEND Control Option is not set to (YES).
V-207 Medium NEWPW Control Options must be properly set.
V-204 Medium The LUUPDONCE Control Option value specified is not set to (NO).
V-54 Medium Surrogate users or Cross-Authorized ACIDs must be controlled in accordance with the proper requirements.
V-208 Medium The NJEUSER Control Option is not set to (NJESTORE).
V-209 Medium The NPWRTHRESH Control Option is not set to (02).
V-127 Medium Access to SYS(x).TRACE is not limited to system programmers only.
V-22648 Medium Data set masking characters allowing access to all data sets must be properly restricted in the security database.
V-125 Medium Access to SYSTEM DUMP data sets are not limited to system programmers only.
V-124 Medium Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-123 Medium Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.
V-121 Medium Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.
V-120 Medium Update and allocate access to all system-level product installation libraries are not limited to system programmers only.
V-128 Medium Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.
V-6937 Medium SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.
V-6936 Medium DFSMS control data sets are not properly protected.
V-6933 Medium SMS Program Resources must be properly defined and protected.
V-3229 Medium The startup user account for the z/OS UNIX Telnet Server is not defined properly.
V-6980 Medium WebSphere MQ channel security is not implemented in accordance with security requirements.
V-7119 Medium CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
V-3220 Medium Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
V-3221 Medium MVS data sets for the Base TCP/IP component are not properly protected,
V-3222 Medium PROFILE.TCPIP configuration statements for the TN3270 Telnet Server are not properly specified.
V-3224 Medium The warning banner for the TN3270 Telnet Server is not specified or properly specified.
V-3226 Medium SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
V-3227 Medium SMF recording options for the TN3270 Telnet Server must be properly specified.
V-239 Medium Number of control ACIDs is not justified and properly assigned.
V-238 Medium ACIDs defined as security administrators do not have the attribute of NOATS.
V-236 Medium Password changes to the MSCA ACID will be documented in the change log.
V-235 Medium MSCA ACID will perform security administration only.
V-232 Medium DASD management ACIDs are not properly defined.
V-231 Medium Batch ACID(s) submitted through RJE and NJE is (are) not sourced.
V-230 Medium Started tasks must be properly defined to Top Secret.
V-31561 Medium Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF)
V-7493 Medium Operating system commands (MVS.) of the OPERCMDS resource class are not properly owned..
V-6947 Medium z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
V-6944 Medium z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
V-6945 Medium z/OS UNIX BPXPRMxx security parameters in PARMLIB are not properly specified.
V-6946 Medium z/OS UNIX HFS MapName files security parameters are not properly specified.
V-6948 Medium TSS UNIX control option CHOWNURS must be properly set.
V-6949 Medium The VTAM USSTAB definitions are being used for unsecured terminals
V-29532 Medium IEASYMUP resource will be protected in accordance with proper security requirements.
V-29952 Medium FTP Control cards will be properly stored in a secure PDS file.
V-33795 Medium Sensitive and critical system data sets exist on shared DASD.
V-126 Medium Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.
V-7000 Medium The z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems.
V-3331 Medium The ACP audit logs must be reviewed on a regular basis .
V-228 Medium Default ACID has not been properly defined.
V-6922 Medium JES2 output devices must be properly controlled for Classified Systems.
V-3905 Medium WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted
V-3904 Medium WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
V-70 Medium The ADMINBY Control Option is not set to ADMINBY.
V-223 Medium The VTHRESH Control Option values specified are not set to (10,NOT,CAN).
V-3903 Medium User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
V-227 Medium Scheduled production batch ACIDs must specify the BATCH Facility and the Batch Job Scheduler must be authorized to the Scheduled production batch ACID.
V-7516 Medium CICS system data sets are not properly protected.
V-210 Medium The PRODUCTS Control Option is not set to (TSO/E) .
V-3901 Medium The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
V-302 Medium CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
V-190 Medium The AUTOERASE Control Option must be set to (ALL) for all systems.
V-3240 Medium MVS data sets for the FTP Server are not properly protected.
V-90 Medium Inapplicable PPT entries have not been invalidated.
V-212 Medium The PWEXP Control Option is not set to (60).
V-6956 Medium The System datasets used to support the VTAM network are improperly secured.
V-6959 Medium WebSphere MQ security class(es) is(are) defined improperly.
V-25483 Medium The CPFTARGET Control Option value specified is not set to (LOCAL).
V-194 Medium TSS MODIFY output does not specify "ACTIVE DIAGTRAP ENTRIES: ON = 00".
V-6988 Medium The user account for the z/OS UNIX SUPERUSER userid must be properly defined.
V-216 Medium The SECTRACE Control Option is not set to (OFF).
V-69237 Medium The SSH daemon must be configured to use SAF keyrings for key storage.
V-68 Medium The CANCEL Control Option value specified is set to CANCEL.
V-7485 Medium CONSOLxx members must be properly configured.
V-7558 Medium Userids found inactive for more than 35 days are not suspended.
V-7487 Medium MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
V-3238 Medium SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
V-7482 Medium z/OS system commands must be properly protected.
V-7488 Medium Attributes for Users with the TSO CONSOLE privilege are inappropriate.
V-3242 Medium The Syslog daemon is not started at z/OS initialization.
V-6989 Medium The user account for the z/OS UNIX (RMFGAT) must be properly defined.
V-251 Medium Sensitive CICS transactions are not protected in accordance with security requirements.
V-3716 Medium User accounts defined to the ACP do not uniquely identify system users.
V-69235 Medium SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
V-3235 Medium FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
V-3234 Medium The startup parameters for the FTP include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
V-6968 Medium BPX resource(s) is(are) not protected in accordance with security requirements.
V-6969 Medium WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements.
V-3231 Medium The warning banner for the z/OS UNIX Telnet Server is not specified or not properly specified.
V-6921 Medium JES2 output devices are improperly protected.
V-6964 Medium WebSphere MQ dead letter and alias dead letter queues are not properly defined.
V-6965 Medium WebSphere MQ queue resource defined to the MQQUEUE resource class are not protected in accordance with security requirements.
V-7121 Medium CICS userids are not defined and/or controlled in accordance with proper security requirements.
V-7120 Medium CICS logonid(s) do not have time-out limit set to 15 minutes.
V-6961 Medium z/OS UNIX security parameters in etc/profile are not properly specified.
V-6962 Medium WebSphere MQ MQCONN Class resources are protected improperly.
V-6963 Medium z/OS UNIX security parameters in /etc/rc not properly specified.
V-220 Medium The TAPE Control Option is not set to (OFF).
V-6904 Medium NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.
V-6905 Medium A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
V-6902 Medium A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
V-6903 Medium An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
V-6900 Medium All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed
V-6901 Medium Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
V-69223 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-6987 Medium The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
V-6985 Medium Attributes of z/OS UNIX user accounts are not defined properly
V-69227 Medium Certificate Name Filtering must be implemented with appropriate authorization and documentation.
V-69225 Medium Expired Digital Certificates must not be used.
V-6981 Medium z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.
V-6927 Medium JES2.** resource is improperly protected.
V-36849 Medium NEWPHRASE and PPSCHAR Control Options must be properly set.
V-7546 Medium Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.
V-7050 Medium Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.
V-6986 Medium z/OS UNIX each group is not defined with a unique GID.
V-248 Medium Sensitive Utility Controls will be properly defined and protected.
V-8271 Medium FTP / Telnet unencryted transmissions require Acknowledgement of Risk Letter(AORL)
V-246 Medium ACIDs were found having access FAC(*ALL*).
V-244 Medium TRACE attribute has been found assigned to ACIDs.
V-245 Medium Documentation confirming the necessity of NO***CHK attributes is not available.
V-4836 Medium The OPTIONS Control Option does not include option (4) at a minimum.
V-241 Medium The number of ACIDs possessing the tape Bypass Label Processing (BLP) privilege is not limited.
V-25505 Medium Interactive ACIDs defined to TSS must have the required fields completed.
V-3243 Medium The Syslog daemon must be defined properly.
V-6979 Medium z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.
V-6978 Medium z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
V-6992 Medium z/OS UNIX user accounts are not properly defined.
V-3244 Medium The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
V-6973 Medium WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
V-3241 Medium The TFTP Server program is controlled improperly.
V-6971 Medium WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
V-7486 Medium MCS console userid(s) will be properly protected.
V-6976 Medium z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected
V-6975 Medium WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
V-23837 Medium z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
V-3896 Low SYS(x).Parmlib(IEFSSNxx) SMS configuration parameter settings are not properly specified.
V-82 Low A CMP (Change Management Process) is not being utilized on this system.
V-85 Low Duplicated sensitive utilities and/or programs exist in APF libraries.
V-84 Low Inaccessible APF libraries defined.
V-100 Low Non-existent or inaccessible LINKLIST libraries.
V-219 Low The SYSOUT Control Option is not set to (x,LOCAL). **Note: 'x' represents a site defined JES SYSOUT class
V-5605 Low Non-existent or inaccessible Link Pack Area (LPA) libraries.
V-224 Low User ACIDs and Control ACIDs do not have the NAME field completed.