z/OS ICSF for TSS STIG Version Comparison

z/OS ICSF for TSS Security Technical Implementation Guide

Comparison

There are 1 differences between versions v6 r4 (July 24, 2015) (the "left" version) and v6 r6 (April 23, 2021) (the "right" version).

Check ZICS0040 was added to the benchmark in the "right" version.

This check's original form is available here.

Text Differences

Title

IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified.

Check Content

Refer to the CSFPRMxx member in the logical PARMLIB concatenation. If the configuration parameters are specified as follows this is not a finding. REASONCODES(ICSF) COMPAT(NO) SSM(YES) CHECKAUTH(YES) FIPSMODE(YES,FAIL(YES)) AUDITKEYLIFECKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFEPKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFETKDS (TOKENOBJ(YES),SESSIONOBJ(YES)). AUDITKEYUSGCKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITKEYUSGPKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITPKCS11USG (TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(n)). DEFAULTWRAP should not be specified. Note: Other options may be site defined.

Discussion

IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to properly configure parameter values could potentially the integrity of the base product which could result in compromising the operating system or sensitive data.

Fix

Refer to the CSFPRMxx member in the logical PARMLIB concatenation. If the configuration parameters are specified as follows this is not a finding. REASONCODES(ICSF) COMPAT(NO) SSM(YES) CHECKAUTH(YES) FIPSMODE(YES,FAIL(YES)) AUDITKEYLIFECKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFEPKDS (TOKEN(YES),LABEL(YES)). AUDITKEYLIFETKDS (TOKENOBJ(YES),SESSIONOBJ(YES)). AUDITKEYUSGCKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITKEYUSGPKDS (TOKEN(YES),LABEL(YES),INTERVAL(n)). AUDITPKCS11USG (TOKENOBJ(YES),SESSIONOBJ(YES),NOKEY(YES),INTERVAL(n)). DEFAULTWRAP should not be specified. Note: Other options may be site defined.