Check: ZCLSR042
z/OS CL/SuperSession for RACF STIG:
ZCLSR042
(in version v6 r12)
Title
CL/SuperSession KLVINNAM member must be configured in accordance to security requirements. (Cat II impact)
Discussion
CL/SuperSession configuration/parameters control the security and operational characteristics of products. If these parameter values are improperly specified, security and operational controls may be weakened. This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.
Check Content
Review the member KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZCLS0042) If one of the following configuration settings is specified for each control point defined in the KLVINNAM member, this is not a finding. DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - RACF - CLASSES=APPCLASS - NODB EXIT=KLVRACVR (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - (RACF is also acceptable) CLASSES=APPCLASS - NODB - EXIT=KLSNFPTX
Fix Text
Ensure that the parameter options for member KLVINNAM are coded to the below specifications. (Note: The data set identified below is an example of a possible installation. The actual data set is determined when the product is actually installed on a system through the product's installation guide and can be site specific.) Review the member KLVINNAM in the TLVPARM DD statement concatenation of the CL/SuperSession STC procedure. (This member is located in SYS3.OMEGAMON.qualifier.RLSPARM.) Ensure all session manager security parameters and control options are in compliance according to the following: DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - RACF - CLASSES=APPCLASS - NODB EXIT=KLVRACVR (The following is for z/OS CAC logon processing) DEFAULT DSNAME(SYS3.OMEGAMON.qualifier.RLSNAM) - SAF - (RACF is also acceptable) CLASSES=APPCLASS - NODB - EXIT=KLSNFPTX
Additional Identifiers
Rule ID: SV-224468r868336_rule
Vulnerability ID: V-224468
Group Title: SRG-OS-000018
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000035 |
The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
Controls
Number | Title |
---|---|
AC-4 (11) |
Configuration Of Security Policy Filters |