STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for RACF STIG Version: 6 Release: 6 Benchmark Date: 24 Apr 2020: STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for RACF STIG Version: 6 Release: 6 Benchmark Date: 24 Apr 2020:SV-7540r4_rule
V-7120
ZCIC0042
ZCIC0042
CAT II
10
Review all CICS region, default, and end-user userids to ensure they are defined and controlled as required.
Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.
Examples: Use the RACF ALtUser command to assign the required value:
ALU <cics user> CICS(TIMEOUT(15))
a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
NOTE: Any userid that does not have a TIMEOUT parameter specified will obtain its TIMEOUT parameter from the default value set in ZCIC0041. Any userid that specifies a TIMEOUT parameter must meet the requirements specified below.
b) Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.
c) If (b) is true for each CICS region and/or CICS user, there is NO FINDING.
NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, there is NO FINDING.
1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM. The IAM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
3) The IAM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
(a) The time-out exception cannot exceed 60 minutes.
(b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
(c) The requirement must be revalidated on an annual basis.
c) If the CICS time-out limit is not specified for 15 minutes of inactivity, and the previously mentioned exceptions do not apply, this is a FINDING.
V-7120
True
ZCIC0042
a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
NOTE: Any userid that does not have a TIMEOUT parameter specified will obtain its TIMEOUT parameter from the default value set in ZCIC0041. Any userid that specifies a TIMEOUT parameter must meet the requirements specified below.
b) Ensure that all userids with a CICS segment have the TIMEOUT parameter set to 15 minutes.
c) If (b) is true for each CICS region and/or CICS user, there is NO FINDING.
NOTE: If the time-out limit is greater than 15 minutes, and the system is processing unclassified information, review the following items. If any of these is true, there is NO FINDING.
1) If a session is not terminated, but instead is locked out after 15 minutes of inactivity, a process must be in place that requires user identification and authentication before the session is unlocked. Session lock-out will be implemented through system controls or terminal screen protection.
2) A system’s default time for terminal lock-out or session termination may be lengthened to 30 minutes at the discretion of the IAM. The IAM will maintain the documentation for each system with a time-out adjusted beyond the 15-minute recommendation to explain the basis for this decision.
3) The IAM may set selected userids to have a time-out of up to 60 minutes in order to complete critical reports or transactions without timing out. Each exception must meet the following criteria:
(a) The time-out exception cannot exceed 60 minutes.
(b) A letter of justification fully documenting the user requirement(s) must be submitted and approved by the site IAM. In addition, this letter must identify an alternate means of access control for the terminal(s) involved (e.g., a room that is locked at all times, a room with a cipher lock to limit access, a password protected screen saver set to 30 minutes or less, etc.).
(c) The requirement must be revalidated on an annual basis.
c) If the CICS time-out limit is not specified for 15 minutes of inactivity, and the previously mentioned exceptions do not apply, this is a FINDING.
M
Information Assurance Officer
197