STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.

DISA Rule

SV-223873r561402_rule

Vulnerability Number

V-223873

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

TSS0-CE-000030

Severity

CAT II

CCI(s)

CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

Fix Recommendation

Ensure any certificate name filtering rules in use are documented and approved by the ISSM.

Check Contents

If certificate name filtering is in use, the ISSM should document each active filter rule and have written approval to use the rule.

Issue the following TSS command to list any certificate name filters defined to TSS:

TSS LIST(SDT) CERTMAP(ALL)

If there is nothing to list, this is not a finding.

NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status.

If certificate name filters are defined and they have a Status of TRUST, certificate name filtering is in use.

If certificate name filtering is in use and filtering rules have been documented and approved by the ISSM, this is not a finding.

If certificate name filtering is in use and filtering rules have not been documented and approved by the ISSM, this is a finding.

IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments