Check: RACF-OS-000240
IBM z/OS RACF STIG (versions v8 r14 through v7 r1)
Title
The IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. (Cat II impact)
Discussion
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data.
Check Content
Examine the policy agent policy statements. If it can be determined that the policy agent employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems, this is not a finding.
Fix Text
Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
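What a deny-all, allow-by-exception IP filter policy looks like in Policy Agent configuration, as an added illustration that is not part of the STIG text: the exception rules come first and a catch-all deny rule closes the list, so anything not explicitly permitted is dropped and logged. The addresses, set names and rule names are placeholders, and the keyword spelling follows the z/OS Communications Server IP filter policy syntax as the editor recalls it; confirm it against the IP Configuration Reference for the installed release.

```text
# Placeholder address set for the hosts allowed to reach this system (assumption).
IpAddrSet AdminHosts
{
  Range 10.20.30.1-10.20.30.9
}

IpFilterPolicy
{
  FilterLogging on

  # Exception 1: inbound SSH from the administrative hosts only.
  IpFilterRule PermitAdminSSH
  {
    IpSourceAddrSet AdminHosts
    IpDestAddr      10.1.2.3          # this host's address (placeholder)
    IpService
    {
      Protocol             tcp
      SourcePortRange      1024 65535
      DestinationPortRange 22
      Direction            inbound
      Routing              local
    }
    IpGenericFilterActionRef permit-rule
  }

  # Exception 2: outbound connections to one approved partner system.
  IpFilterRule PermitPartnerOutbound
  {
    IpSourceAddr 10.1.2.3
    IpDestAddr   192.0.2.44           # approved remote system (placeholder)
    IpService
    {
      Protocol             tcp
      DestinationPortRange 443
      Direction            outbound
      Routing              local
    }
    IpGenericFilterActionRef permit-rule
  }

  # Catch-all: everything not matched above is denied and logged.
  IpFilterRule DenyEverythingElse
  {
    IpSourceAddr all
    IpDestAddr   all
    IpService { Protocol all  Direction bidirectional  Routing either }
    IpGenericFilterActionRef deny-and-log
  }
}

IpGenericFilterAction permit-rule  { IpFilterAction permit }
IpGenericFilterAction deny-and-log { IpFilterAction deny   IpFilterLogging yes }
```

When reviewing a site's policy for this check, the points to confirm are that the terminal rule denies all traffic and that every permit rule above it names specific sources, destinations and ports rather than `all`.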
Additional Identifiers
Rule ID: SV-223780r853620_rule
Vulnerability ID: V-223780
Group Title: SRG-OS-000480-GPOS-00232
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-002080 | The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.