Check: ITNT0010
zOS RACF STIG:
ITNT0010
(in versions v6 r43 through v6 r30)
Title
PROFILE.TCPIP configuration statements for the TN3270 Telnet Server must be properly specified. (Cat II impact)
Discussion
The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server. Several of these parameters have potential impact to system security. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Check Content
a) Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL. Automated Analysis requires Additional Analysis. Refer to the following report produced by the IBM Communications Server Data Collection: - PDI(ITNT0010) b) Ensure the following items are in effect for the configuration statements specified in the TCP/IP Profile configuration file: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. TELNETGLOBAL Block (only one defined) 1) The KEYRING statement, if used, is only coded within the TELNETGLOBALS statement block. 2) The KEYRING statement, if used, specifies the SAF parameter. TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) 1) The TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900. NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. 2) The TELNETPARMS TKOSPECLURECON statement is not coded or commented out. BEGINVTAM Block (one or more defined) 1) The BEGINVTAM RESTRICTAPPL statement is not be coded or commented out. c) If all of the above are true, there is NO FINDING. d) If any of the above is untrue, this is a FINDING.
Fix Text
Review the configuration statements in the PROFILE.TCPIP file and ensure they conform to the specifications below: NOTE: If the INCLUDE statement is coded in the TCP/IP Profile configuration file, the data set specified on this statement must be checked for the following items as well. The KEYRING statement, if used, is only coded within the TELNETGLOBALS statement block. The KEYRING statement, if used, specifies the SAF parameter. "TELNETPARMS Block (one defined for each port the server is listening to, typically ports 23 and 992) " The TELNETPARMS INACTIVE statement is coded within each TELNETPARMS statement block and specifies a value between 1 and 900. INACTIVE statements should not be coded with a value greater than 900 or 0. 0 disables the inactivity timer check. NOTE: Effective in z/OS release 1.2, the INACTIVE statement can appear in both TELNETGLOBAL and TELNETPARM statement blocks. The TELNETPARMS TKOSPECLURECON statement should not be coded or it should be commented out. BEGINVTAM Block (one or more defined) The BEGINVTAM RESTRICTAPPL statement is not be coded or it should be commented out.
Additional Identifiers
Rule ID: SV-3222r3_rule
Vulnerability ID: V-3222
Group Title: ITNT0010
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |