Check: ACF2-OS-000240
IBM z/OS ACF2 STIG: ACF2-OS-000240 (in versions v9 r2 through v7 r1)
Title
IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
Check Content
Examine the Policy Agent policy statements. If it can be determined that the Policy Agent employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems, this is not a finding.
Fix Text
Develop a policy application and Policy Agent configuration that employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
Additional Identifiers
Rule ID: SV-223560r991593_rule
Vulnerability ID: V-223560
Group Title: SRG-OS-000480-GPOS-00232
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.