STIG VIEWER

IBM zSecure Suite Security Technical Implementation Guide

Overview

| Version | Date | Finding Count (11) | Downloads |
| --- | --- | --- | --- |
| 1 | 2024-12-06 | CAT I (High): 0, CAT II (Medium): 11, CAT III (Low): 0 | Excel, JSON, XML |

STIG Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

| Classified | Public | Sensitive |
| --- | --- | --- |
| I - Mission Critical Classified | I - Mission Critical Public | I - Mission Critical Sensitive |
| II - Mission Critical Classified | II - Mission Critical Public | II - Mission Critical Sensitive |
| III - Mission Critical Classified | III - Mission Critical Public | III - Mission Critical Sensitive |

Findings - All

| Finding ID | Severity | Title | Description |
| --- | --- | --- | --- |
| V-259738 | Medium | XFACILIT class, or alternate class if specified in module CKRSITE, must be active. | The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM. |
| V-259737 | Medium | IBM Security zSecure system administrators must install security-relevant zSecure software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous... |
| V-259736 | Medium | IBM Security zSecure must remove all upgraded/replaced zSecure software components that are no longer required for operation after updated versions have been installed. | Previous versions of zSecure products and components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system. |
| V-259735 | Medium | IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner. | Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help... |
| V-259734 | Medium | The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited. | Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can... |
| V-259733 | Medium | IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions. | Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations.... |
| V-259732 | Medium | Access to IBM Security zSecure program resources must be limited to authorized users. | Functional access (which is controlled with access to XFACILIT profiles) must not commingle multiple functions under a single resource profile. |
| V-259731 | Medium | Started tasks for IBM Security zSecure products must be properly defined. | Started tasks and batch job IDs can be automatically revoked accidentally if not properly protected. When properly protected STCs prevent any attempts to log on with a password, it eliminates the possibility of revocation due to excessive invalid password attempts (denial of service). |
| V-259730 | Medium | Access to IBM Security zSecure user data sets must be properly restricted and logged. | If zSecure were to allow inappropriate reading or updating of user data sets, sensitive information could be disclosed, or changes might result in incorrect results reported by the product. Only qualified and authorized individuals must be allowed to create, read, update, and delete zSecure user data sets. |
| V-259729 | Medium | Access to IBM Security zSecure STC data sets must be properly restricted and logged. | IBM Security zSecure STC have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these zSecure STC data sets could result in violating the integrity of the base product, which could compromise the operating system or sensitive data. |
| V-259728 | Medium | Access to IBM Security zSecure installation data sets must be properly restricted and logged. | If the zSecure application were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to applications with software libraries that are accessible and configurable, as... |