Check: ACF2-TN-000010
IBM z/OS ACF2 STIG:
ACF2-TN-000010
(in versions v8 r15 through v7 r1)
Title
IBM z/OS PROFILE.TCPIP configuration INACTIVITY statement must be configured to 900 seconds. (Cat II impact)
Discussion
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.
Check Content
Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) If the TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900, this is not a finding. NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks.
Fix Text
Configure the PROFILE.TCPIP file as specified below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) The TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900. INACTIVE statements should not be coded with a value greater than 900 or 0. 0 disables the inactivity timer check. NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks.
Additional Identifiers
Rule ID: SV-223608r853561_rule
Vulnerability ID: V-223608
Group Title: SRG-OS-000279-GPOS-00109
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002361 |
The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect. |
Controls
Number | Title |
---|---|
AC-12 |
Session Termination |