STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

Expired IBM z/OS digital certificates must not be used.

DISA Rule

SV-223872r561402_rule

Vulnerability Number

V-223872

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

TSS0-CE-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the certificate is a user or device certificate with a status of TRUST, follow procedures to obtain a new certificate or re-key the certificate. If it is an expired CA certificate, remove it.

Check Contents

Execute the CA-TSS SAFCRRPT using the following as SYSIN input:
RECORDID(-) DETAIL FIELDS(ISSUER SUBJECT ACTIVE EXPIRE TRUST)

If no certificate information is found, this is not a finding.

NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks.

Check the expiration for each certificate with a status of TRUST.

If the expiration date has passed, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4102

Comments