| Checked | Name | Title |
|---|
| ☐ | SV-223646r604139_rule | Certificate Name Filtering must be implemented with appropriate authorization and documentation. |
| ☐ | SV-223647r604139_rule | Expired digital certificates must not be used. |
| ☐ | SV-223648r604139_rule | All digital certificates in use must have a valid path to a trusted Certification authority. |
| ☐ | SV-223649r604139_rule | IBM RACF must limit Write or greater access to SYS1.NUCLEUS to system programmers only. |
| ☐ | SV-223650r604139_rule | IBM RACF must limit Write or greater access to libraries that contain PPT modules to system programmers only. |
| ☐ | SV-223652r604139_rule | IBM RACF emergency USERIDs must be properly defined. |
| ☐ | SV-223653r604139_rule | IBM RACF SETROPTS LOGOPTIONS must be properly configured. |
| ☐ | SV-223654r604139_rule | IBM RACF must protect memory and privileged program dumps in accordance with proper security requirements. |
| ☐ | SV-223655r604139_rule | IBM z/OS system commands must be properly protected. |
| ☐ | SV-223656r604139_rule | IBM RACF must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. |
| ☐ | SV-223657r604139_rule | The IBM RACF FACILITY resource class must be active. |
| ☐ | SV-223658r604139_rule | The IBM RACF OPERCMDS resource class must be active. |
| ☐ | SV-223659r604139_rule | The IBM RACF MCS consoles resource class must be active. |
| ☐ | SV-223660r604139_rule | IBM RACF CLASSACT SETROPTS must be specified for the TEMPDSN class. |
| ☐ | SV-223661r604139_rule | IBM RACF started tasks defined with the trusted attribute must be justified. |
| ☐ | SV-223662r604139_rule | IBM RACF USERIDs possessing the Tape Bypass Label Processing (BLP) privilege must be justified. |
| ☐ | SV-223663r604139_rule | IBM RACF DASD volume-level protection must be properly defined. |
| ☐ | SV-223664r604139_rule | IBM Sensitive Utility Controls must be properly defined and protected. |
| ☐ | SV-223665r604139_rule | IBM RACF Global Access Checking must be restricted to appropriate classes and resources. |
| ☐ | SV-223666r604139_rule | IBM RACF access to the System Master Catalog must be properly protected. |
| ☐ | SV-223667r604139_rule | IBM RACF must limit Write or greater access to SYS1.UADS to system programmers only, and WRITE or greater access must be limited to system programmer personnel and/or security personnel. |
| ☐ | SV-223668r604139_rule | IBM z/OS must protect dynamic lists in accordance with proper security requirements. |
| ☐ | SV-223669r604139_rule | IBM RACF allocate access to system user catalogs must be properly protected. |
| ☐ | SV-223670r604139_rule | IBM RACF must limit WRITE or greater access to System backup files to system programmers and/or batch jobs that perform DASD backups. |
| ☐ | SV-223671r604139_rule | IBM RACF must limit access to SYS(x).TRACE to system programmers only. |
| ☐ | SV-223672r604139_rule | IBM RACF batch jobs must be properly secured. |
| ☐ | SV-223673r604139_rule | IBM RACF batch jobs must be protected with propagation control. |
| ☐ | SV-223674r604139_rule | IBM RACF must limit Write or greater access to SYS1.IMAGELIB to system programmers only. |
| ☐ | SV-223675r604139_rule | IBM RACF must limit Write or greater access to SYS1.SVCLIB to appropriate authorized users. |
| ☐ | SV-223676r604139_rule | IBM RACF must limit Write or greater access to SYS1.LPALIB to system programmers only. |
| ☐ | SV-223677r604139_rule | IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. |
| ☐ | SV-223678r604139_rule | IBM RACF must limit write or greater access to all LPA libraries to system programmers only. |
| ☐ | SV-223679r604139_rule | IBM RACF must limit Write or greater access to libraries containing EXIT modules to system programmers only. |
| ☐ | SV-223680r604139_rule | IBM RACF must limit WRITE or greater access to all system-level product installation libraries to system programmers. |
| ☐ | SV-223681r604139_rule | IBM RACF must limit access to SYSTEM DUMP data sets to system programmers only. |
| ☐ | SV-223682r604139_rule | IBM RACF must limit WRITE or greater access to all APF-authorized libraries to system programmers only. |
| ☐ | SV-223683r604139_rule | IBM RACF access to SYS1.LINKLIB must be properly protected. |
| ☐ | SV-223684r604139_rule | The IBM RACF System REXX IRRPWREX security data set must be properly protected. |
| ☐ | SV-223685r604139_rule | IBM RACF security data sets and/or databases must be properly protected. |
| ☐ | SV-223686r604139_rule | IBM RACF must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. |
| ☐ | SV-223687r604139_rule | IBM RACF must limit all system PROCLIB data sets to system programmers only. |
| ☐ | SV-223688r604139_rule | IBM RACF must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers. |
| ☐ | SV-223689r604139_rule | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. |
| ☐ | SV-223690r604139_rule | IBM RACF must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. |
| ☐ | SV-223691r604139_rule | The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. |
| ☐ | SV-223692r604139_rule | The IBM RACF JES(BATCHALLRACF) SETROPTS value must be set to JES(BATCHALLRACF). |
| ☐ | SV-223693r604139_rule | The IBM z/OS JES(XBMALLRACF) SETROPTS value must be set to JES(XBMALLRACF). |
| ☐ | SV-223694r604139_rule | IBM RACF OPERAUDIT SETROPTS value must set to OPERAUDIT. |
| ☐ | SV-223695r604139_rule | The IBM RACF PASSWORD(REVOKE) SETROPTS value must be specified to revoke the userid after three invalid logon attempts. |
| ☐ | SV-223696r604139_rule | The IBM RACF PASSWORD(REVOKE) SETROPTS value must be set to automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur. |
| ☐ | SV-223697r604139_rule | IBM z/OS SYS1.PARMLIB must be properly protected. |
| ☐ | SV-223699r604139_rule | The IBM RACF SETROPTS SAUDIT value must be specified. |
| ☐ | SV-223700r604139_rule | The IBM RACF REALDSN SETROPTS value must be specified. |
| ☐ | SV-223701r604139_rule | IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. |
| ☐ | SV-223702r604139_rule | IBM RACF SETROPTS RVARYPW values must be properly set. |
| ☐ | SV-223703r604139_rule | IBM RACF must define WARN = NO on all profiles. |
| ☐ | SV-223704r604139_rule | The IBM RACF PROTECTALL SETROPTS value specified must be properly set. |
| ☐ | SV-223705r604139_rule | The IBM RACF GRPLIST SETROPTS value must be set to ACTIVE. |
| ☐ | SV-223706r604139_rule | The IBM RACF RETPD SETROPTS value specified must be properly set. |
| ☐ | SV-223707r604139_rule | The IBM RACF TAPEDSN SETROPTS value specified must be properly set. |
| ☐ | SV-223708r604139_rule | The IBM RACF WHEN(PROGRAM) SETROPTS value specified must be active. |
| ☐ | SV-223709r604139_rule | IBM RACF use of the AUDITOR privilege must be justified. |
| ☐ | SV-223710r604139_rule | The IBM RACF database must be on a separate physical volume from its backup and recovery datasets. |
| ☐ | SV-223711r604139_rule | The IBM RACF database must be backed up on a scheduled basis. |
| ☐ | SV-223712r604139_rule | IBM z/OS Batch job user IDs must be properly defined. |
| ☐ | SV-223713r604139_rule | IBM RACF use of the RACF SPECIAL Attribute must be justified. |
| ☐ | SV-223714r604139_rule | IBM RACF assignment of the RACF OPERATIONS attribute to individual userids must be fully justified. |
| ☐ | SV-223715r604139_rule | IBM z/OS must properly configure CONSOLxx members. |
| ☐ | SV-223716r604139_rule | IBM z/OS must properly protect MCS console userid(s). |
| ☐ | SV-223717r604139_rule | IBM RACF users must have the required default fields. |
| ☐ | SV-223718r604139_rule | IBM interactive USERIDs defined to RACF must have the required fields completed. |
| ☐ | SV-223719r604139_rule | IBM z/OS Started Tasks must be properly identified and defined to RACF. |
| ☐ | SV-223721r604139_rule | The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP. |
| ☐ | SV-223722r604139_rule | IBM RACF user accounts must uniquely identify system users. |
| ☐ | SV-223723r604139_rule | The IBM RACF INACTIVE SETROPTS value must be set to 35 days. |
| ☐ | SV-223724r604139_rule | IBM RACF PASSWORD(RULEn) SETROPTS value(s) must be properly set. |
| ☐ | SV-223725r604139_rule | IBM RACF exit ICHPWX01 must be installed and properly configured. |
| ☐ | SV-223726r604139_rule | The IBM RACF SETROPTS PASSWORD(MINCHANGE) value must be set to 1. |
| ☐ | SV-223727r604139_rule | IBM RACF SETROPTS PASSWORD(INTERVAL) must be set to 60 days. |
| ☐ | SV-223728r604139_rule | The IBM RACF PASSWORD(HISTORY) SETROPTS value must be set to 5 or more. |
| ☐ | SV-223729r604139_rule | NIST FIPS-validated cryptography must be used to protect passwords in the security database. |
| ☐ | SV-223731r604139_rule | The IBM RACF ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems. |
| ☐ | SV-223732r604139_rule | IBM RACF DASD Management USERIDs must be properly controlled. |
| ☐ | SV-223733r604139_rule | IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. |
| ☐ | SV-223734r604139_rule | IBM RACF permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. |
| ☐ | SV-223735r604139_rule | IBM z/OS data sets for the FTP server must be properly protected. |
| ☐ | SV-223736r604139_rule | IBM z/OS FTP.DATA configuration statements must indicate a BANNER statement with the proper content. |
| ☐ | SV-223737r604139_rule | IBM z/OS FTP.DATA configuration statements for the FTP server must specify the BANNER statement. |
| ☐ | SV-223739r604139_rule | IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. |
| ☐ | SV-223740r604139_rule | The IBM z/OS TFTP server program must be properly protected. |
| ☐ | SV-223741r604139_rule | IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. |
| ☐ | SV-223742r604139_rule | The IBM z/OS FTP server daemon must be defined with proper security parameters. |
| ☐ | SV-223743r604139_rule | IBM FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. |
| ☐ | SV-223744r604139_rule | IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. |
| ☐ | SV-223745r604139_rule | IBM z/OS RJE workstations and NJE nodes must be defined to the FACILITY resource class. |
| ☐ | SV-223746r604139_rule | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. |
| ☐ | SV-223747r604139_rule | IBM z/OS JES2 input sources must be properly controlled. |
| ☐ | SV-223748r604139_rule | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. |
| ☐ | SV-223749r604139_rule | IBM z/OS JES2 output devices must be properly controlled for classified systems. |
| ☐ | SV-223750r604139_rule | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. |
| ☐ | SV-223751r604139_rule | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. |
| ☐ | SV-223752r604139_rule | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. |
| ☐ | SV-223753r604139_rule | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. |
| ☐ | SV-223754r604139_rule | IBM z/OS JES2 system commands must be protected in accordance with security requirements. |
| ☐ | SV-223755r604139_rule | IBM z/OS surrogate users must be controlled in accordance with proper security requirements. |
| ☐ | SV-223756r604139_rule | IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements. |
| ☐ | SV-223757r604139_rule | IBM z/OS must configure system wait times to protect resource availability based on site priorities. |
| ☐ | SV-223758r604139_rule | The IBM z/OS BPX.SMF resource must be properly configured. |
| ☐ | SV-223759r604139_rule | IBM z/OS SMF recording options for the TN3270 Telnet Server must be properly specified. |
| ☐ | SV-223760r604139_rule | IBM RACF must be installed and active on the system. |
| ☐ | SV-223761r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to disable emergency accounts after the crisis is resolved or 72 hours. |
| ☐ | SV-223762r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are created. |
| ☐ | SV-223763r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are modified. |
| ☐ | SV-223764r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted. |
| ☐ | SV-223765r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to notify appropriate personnel when accounts are removed. |
| ☐ | SV-223766r604139_rule | The IBM z/OS System Administrator (SA) must develop a process to notify Information System Security Officers (ISSOs) of account enabling actions. |
| ☐ | SV-223767r604139_rule | IBM z/OS required SMF data record types must be collected. |
| ☐ | SV-223768r604139_rule | IBM z/OS must employ a session manager to manage display of the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223769r604139_rule | IBM z/OS must specify SMF data options to assure appropriate activation. |
| ☐ | SV-223770r604139_rule | IBM z/OS SMF collection files (system MANx datasets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data. |
| ☐ | SV-223771r604139_rule | IBM z/OS system administrators must develop an automated process to collect and retain SMF data. |
| ☐ | SV-223772r604139_rule | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. |
| ☐ | SV-223773r604139_rule | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). |
| ☐ | SV-223774r604139_rule | The IBM z/OS SNTP daemon (SNTPD) must be active. |
| ☐ | SV-223775r604139_rule | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. |
| ☐ | SV-223776r604139_rule | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM properly coded. |
| ☐ | SV-223777r604139_rule | IBM RACF must define UACC of NONE on all profiles. |
| ☐ | SV-223778r604139_rule | IBM z/OS PASSWORD data set and OS passwords must not be used. |
| ☐ | SV-223780r604139_rule | The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. |
| ☐ | SV-223781r604139_rule | Unsupported system software must not be installed and/ or active on the system. |
| ☐ | SV-223782r604139_rule | IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. |
| ☐ | SV-223783r604139_rule | IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. |
| ☐ | SV-223784r604139_rule | IBM z/OS must not have inaccessible APF libraries defined. |
| ☐ | SV-223785r604139_rule | IBM zOS inapplicable PPT entries must be invalidated. |
| ☐ | SV-223786r604139_rule | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). |
| ☐ | SV-223787r604139_rule | IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries. |
| ☐ | SV-223788r604139_rule | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 for full disk encryption for classified systems. |
| ☐ | SV-223789r604139_rule | The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 for full disk encryption. |
| ☐ | SV-223790r604139_rule | IBM z/OS must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest on all operating system components. |
| ☐ | SV-223791r604139_rule | IBM z/OS sensitive and critical system data sets must not exist on shared DASDs. |
| ☐ | SV-223792r604139_rule | The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. |
| ☐ | SV-223793r604139_rule | The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. |
| ☐ | SV-223794r604139_rule | The IBM z/OS must employ a session manager that conceals, via the session lock, information previously visible on the display with a publicly viewable image. |
| ☐ | SV-223795r604139_rule | IBM z/OS must employ a session manager to manage session lock after a 15-minute period of inactivity. |
| ☐ | SV-223796r604139_rule | IBM z/OS must employ a session for users to directly initiate a session lock for all connection types. |
| ☐ | SV-223797r604139_rule | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. |
| ☐ | SV-223798r604139_rule | IBM z/OS system administrator must develop a procedure to remove or disable temporary user accounts after 72 hours. |
| ☐ | SV-223799r604139_rule | IBM z/OS system administrator must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. |
| ☐ | SV-223800r604139_rule | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. |
| ☐ | SV-223801r604139_rule | IBM z/OS system administrator must develop a procedure to provide an audit reduction capability that supports on-demand reporting requirements. |
| ☐ | SV-223802r604139_rule | IBM z/OS system administrator must develop a procedure to terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed. |
| ☐ | SV-223803r604139_rule | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. |
| ☐ | SV-223804r604139_rule | IBM z/OS must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. |
| ☐ | SV-223805r604139_rule | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. |
| ☐ | SV-223806r604139_rule | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. |
| ☐ | SV-223807r604139_rule | The IBM RACF SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. |
| ☐ | SV-223808r604139_rule | The IBM z/OS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. |
| ☐ | SV-223809r604139_rule | The SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223810r604139_rule | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. |
| ☐ | SV-223811r695458_rule | IBM z/OS, for PKI-based authentication, must use the ESM for key management. |
| ☐ | SV-223812r604139_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be properly configured. |
| ☐ | SV-223813r604139_rule | The IBM z/OS Syslog daemon must be started at z/OS initialization. |
| ☐ | SV-223814r604139_rule | The IBM z/OS Syslog daemon must be properly defined and secured. |
| ☐ | SV-223815r604139_rule | IBM z/OS DFSMS Program Resources must be properly defined and protected. |
| ☐ | SV-223816r604139_rule | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. |
| ☐ | SV-223817r604139_rule | IBM z/OS DFSMS-related RACF classes must be active. |
| ☐ | SV-223818r604139_rule | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. |
| ☐ | SV-223819r604139_rule | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. |
| ☐ | SV-223820r604139_rule | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be coded properly. |
| ☐ | SV-223821r604139_rule | IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. |
| ☐ | SV-223822r604139_rule | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be properly configured. |
| ☐ | SV-223823r604139_rule | IBM z/OS TCP/IP resources must be properly protected. |
| ☐ | SV-223824r604139_rule | The IBM RACF SERVAUTH resource class must be active for TCP/IP resources. |
| ☐ | SV-223826r604139_rule | IBM z/OS data sets for the Base TCP/IP component must be properly protected. |
| ☐ | SV-223827r604139_rule | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. |
| ☐ | SV-223829r604139_rule | The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. |
| ☐ | SV-223831r604139_rule | IBM z/OS SSL encryption options for the TN3270 Telnet Server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. |
| ☐ | SV-223832r604139_rule | IBM z/OS TN3270 Telnet Server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223833r604139_rule | The IBM z/OS warning banner for the TN3270 Telnet server must contain the proper content of the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223834r604139_rule | IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. |
| ☐ | SV-223835r604139_rule | The IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. |
| ☐ | SV-223836r604139_rule | IBM Z/OS TSOAUTH resources must be restricted to authorized users. |
| ☐ | SV-223837r604139_rule | IBM RACF LOGONIDs must not be defined to SYS1.UADS for non-emergency use. |
| ☐ | SV-223838r604139_rule | The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines. |
| ☐ | SV-223839r604139_rule | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. |
| ☐ | SV-223840r604139_rule | IBM z/OS UNIX MVS HFS directories with other write permission bit set must be properly defined. |
| ☐ | SV-223842r604139_rule | IBM z/OS UNIX security parameters in etc/profile must be properly specified. |
| ☐ | SV-223843r604139_rule | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. |
| ☐ | SV-223844r604139_rule | IBM z/OS UNIX resources must be protected in accordance with security requirements. |
| ☐ | SV-223845r604139_rule | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. |
| ☐ | SV-223846r604139_rule | IBM z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS must be properly protected. |
| ☐ | SV-223847r604139_rule | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. |
| ☐ | SV-223848r604139_rule | IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified. |
| ☐ | SV-223849r604139_rule | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. |
| ☐ | SV-223850r604139_rule | The IBM RACF classes required to properly secure the z/OS UNIX environment must be ACTIVE. |
| ☐ | SV-223851r604139_rule | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. |
| ☐ | SV-223852r604139_rule | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. |
| ☐ | SV-223853r604139_rule | IBM z/OS default profiles must be defined in the corresponding FACILITY Class Profile for classified systems. |
| ☐ | SV-223854r604139_rule | IBM z/OS UNIX HFS MapName files security parameters must be properly specified. |
| ☐ | SV-223855r604139_rule | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. |
| ☐ | SV-223856r604139_rule | IBM z/OS UID(0) must be properly assigned. |
| ☐ | SV-223857r604139_rule | IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. |
| ☐ | SV-223858r604139_rule | IBM z/OS UNIX groups must be defined with a unique GID. |
| ☐ | SV-223859r604139_rule | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. |
| ☐ | SV-223860r604139_rule | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. |
| ☐ | SV-223861r604139_rule | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. |
| ☐ | SV-223862r604139_rule | IBM z/OS UNIX user accounts must be properly defined. |
| ☐ | SV-223863r604139_rule | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. |
| ☐ | SV-223864r604139_rule | The IBM z/OS startup user account for the z/OS UNIX Telnet Server must be properly defined. |
| ☐ | SV-223865r604139_rule | IBM z/OS HFS objects for the z/OS UNIX Telnet Server must be properly protected. |
| ☐ | SV-223866r695468_rule | The IBM z/OS UNIX Telnet Server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. |
| ☐ | SV-223867r604139_rule | IBM z/OS UNIX Telnet server Startup parameters must be properly specified. |
| ☐ | SV-223868r604139_rule | The IBM z/OS UNIX Telnet server warning banner must be properly specified. |
| ☐ | SV-223869r604139_rule | IBM z/OS System datasets used to support the VTAM network must be properly secured. |
| ☐ | SV-223870r604139_rule | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. |
| ☐ | SV-230209r604139_rule | The IBM RACF System REXX IRRPHREX security data set must be properly protected. |
| ☐ | SV-230210r695460_rule | IBM RACF exit ICHPWX11 must be installed and properly configured. |
| ☐ | SV-235033r619949_rule | IBM RACF must limit WRITE or greater access to LINKLIST libraries to system programmers only. |
STIGQter: STIG Summary: