Check: ZSEC-00-000200
IBM zSecure Suite STIG: ZSEC-00-000200 (in versions v1 r2 through v1 r1)
Title
IBM Security zSecure must implement organization-defined automated security responses if baseline zSecure configurations are changed in an unauthorized manner. (Cat II impact)
Discussion
Unauthorized changes to the zSecure baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the system. Changes to information system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the application. Examples of security responses include but are not limited to the following: halting application processing, halting selected application functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.
Check Content
Verify that a (daily) scheduled batch job is defined and used or a custom alert is configured and activated to inform appropriate personnel, such as auditors and compliance officers, about successful changes to the zSecure configuration data sets on their z/OS systems. If SMF records regarding successful UPDATE(s) to zSecure configuration data sets are not reported to the information system security manager (ISSM), this is a finding.
Fix Text
The recipients of the SMF reports or alert messages must investigate whether the UPDATE is legitimate (e.g., is documented and approved in a change management request). If it is not, they must restore the original configuration setting.
Additional Identifiers
Rule ID: SV-259735r961458_rule
Vulnerability ID: V-259735
Group Title: SRG-APP-000379-MFP-000186
CCIs
Number | Definition |
---|---|
CCI-001744 | Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner. |
Controls
Number | Title |
---|---|
CM-3(5) | Automated Security Response |