z/OS STIGS – Security Technical Implementation Guides by DISA V9R4 – current releases as of 7 April 2025

Always review the Revision History document to see what was changed within the DoD STIG. Important to note:

The mainframe software vendor Broadcom has been publishing its own vendor STIG articles for ACF2, Top Secret (TSS), and many of its other products, such as IDMS, SYSVIEW, CA 1, Endevor, OPS/MVS, and others.

Mainframe software vendors are the subject matter experts for their own products, while DISA produces the DoD STIG. DISA’s knowledge of those products is limited, and its STIG articles are not always accurate. Example: within ACF2, the NON-CNCL attribute allows a user to bypass all security controls. DISA’s STIG article (ACF2-ES-000640) rates the ability to bypass security and compromise the system via NON-CNCL as “severity: CAT II”, whereas the vendor, Broadcom, correctly identifies NON-CNCL within ACF2 as severity 1 – High.

With z/OS comes z/OS UNIX, also referred to as USS (UNIX System Services). On a modern z/OS mainframe, where many complex groups implement role-based access control, organizations often use USS ACLs or HFSSEC to secure the files and directories within USS. DISA’s z/OS STIGs include checks for USS file-level permissions on critical files, but the STIG provides no guidance on how to review and validate the ACLs that also control access to those same critical USS resources. Why is that vital to be aware of? Because ACLs override the UNIX permission bits, validating only at the bit level may make you feel secure; until you also validate the ACLs, you may not be as safe as you believe.
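As an added illustration (not part of the original article, and not a DISA or Broadcom tool) of the gap described above, the following Python parses the text that `getfacl` prints for a USS file and reports the extended ACL entries a bit-level review would never see. The sample output, user and group names are constructed, and the exact `getfacl` line layout is an assumption to confirm against your own system.

```python
# Constructed sample in the style of z/OS USS `getfacl` output.
# The layout (base entries with an empty name, extended entries with a name)
# is an assumption; verify it against real output before relying on it.
SAMPLE_GETFACL = """\
#file: /etc/profile
#owner: OMVSKERN
#group: SYS1
user::rw-
group::r--
other::---
user:DEVUSR1:rwx
group:DEVGRP:rw-
"""


def parse_acl(text):
    """Split getfacl text into base permission bits and extended ACL entries.

    Returns (base, extended) where base maps 'user'/'group'/'other' to a
    permission string and extended is a list of (kind, name, perms) tuples.
    """
    base, extended = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment header such as "#file:" or a blank line
        parts = line.split(":")
        if len(parts) != 3:
            continue  # skip anything that is not kind:name:perms
        kind, name, perms = parts
        if name == "":
            base[kind] = perms  # the ordinary rwx bits that `ls -l` shows
        else:
            extended.append((kind, name, perms))  # ACL entry invisible to bits
    return base, extended


def acl_findings(text, sensitive="wx"):
    """Return extended ACL entries that grant write or execute.

    These are the grants a bit-level STIG check misses: the file can show
    'other' as --- while a named user or group still has write access.
    """
    _, extended = parse_acl(text)
    return [(kind, name, perms) for kind, name, perms in extended
            if any(p in sensitive for p in perms)]
```

Run `acl_findings` over `getfacl` output for each critical file the STIG names and reconcile every reported user or group against the role-based group design.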

Another gap within DISA’s z/OS STIG is the lack of any requirement to protect the STGADMIN.** resources in the XFACILIT class. For more on XFACILIT and STGADMIN.IGG.DELAUDIT.catalog_name, see: https://www.ibm.com/docs/en/zos/3.1.0?topic=ccfrpifcxc-storage-administration-stgadmin-profiles-in-facility-class-xfacilit-class
