An error occurred:

Check: ZCICA024

zOS ACF2 STIG: ZCICA024 (in versions v6 r43 through v6 r30)

Title

Sensitive CICS transactions are not protected in accordance with the proper security requirements. (Cat II impact)

Discussion

Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.

Check Content

a) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CICSPROC) Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. c) Ensure the following items are in effect for entries specified in the SAFELIST parameter: 1) Transactions are uniquely identified. 2) Transactions are not masked. 3) Sensitive transactions are not included. NOTE: For information on transactions that are eligible for exemption from security checking refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum. d) If the items in (c) are true for all entries specified in the SAFELIST parameter for each CICS region, there is no finding. e) If any item in (c) is untrue for any entry specified in the SAFELIST parameter, this is a finding.

Fix Text

The Systems Programmer and IAO will ensure the ACF2/CICS parameter SAFELIST are coded with the values specified below. Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure the following items are in effect for entries specified in the SAFELIST parameter: 1) Transactions are uniquely identified. 2) Transactions are not masked. 3) Sensitive transactions are not included. NOTE: For information on transactions that are eligible for exemption from security checking refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.

Additional Identifiers

Rule ID: SV-7189r3_rule

Vulnerability ID: V-6894

Group Title: ZCICA024

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings