CICS System Initialization Table (SIT) parameter values are not specified in accordance with proper security requirements.

From z/OS ACF2 STIG

Part of ZCIC0030

Associated with IA controls: DCCS-1, DCCS-2, ECSD-2, ECSD-1

SV-302r1_rule CICS System Initialization Table (SIT) parameter values are not specified in accordance with proper security requirements.

Vulnerability discussion

The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the appropriate values could result in unexpected operations and degraded security. This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

Check content

a) Refer to the following report produced by the z/OS Data Collection:
   - EXAM.RPT(CICSPROC)
   Refer to the following report produced by the CICS Data Collection:
   - CICS.RPT(DFHSITxx)
   Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
   Refer to the CICS region SYSLOG (alternate source of SIT parameters).
   Be sure to process DFHSIT based on the order specified in NOTE 2.

b) Ensure the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region:

   1) SEC=YES
      If SEC is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. The hex and bit settings for this flag are listed below; external security is the X'80' bit:
      X'80' EQU B'10000000' EXTERNAL SECURITY REQUESTED
      X'40' EQU B'01000000' RESOURCE PREFIX REQUIRED
      X'10' EQU B'00010000' RACLIST class APPCLU required
      X'08' EQU B'00001000' ESM INSTLN data is required
      X'04' EQU B'00000100' Surrogate User Checking required
      X'02' EQU B'00000010' Always enact resource check
      X'01' EQU B'00000001' Always enact command check

   2) DFLTUSER=CICSUSER
      If DFLTUSER is not coded in the CICS region startup JCL, go to offset X'118' from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.

   3) XUSER=YES
      If XUSER is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the same security byte flag shown under 1); surrogate user checking is the X'04' bit.

   4) SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX
      If SNSCOPE is not coded in the CICS region startup JCL, go to offset X'124' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. The hex settings for this flag are:
      X'01' EQU 1 SIGNON SCOPE = NONE
      X'02' EQU 2 SIGNON SCOPE = CICS
      X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
      X'04' EQU 4 SIGNON SCOPE = SYSPLEX
      NOTE: SNSCOPE=NONE is only allowed with test/development regions.

   5) XTRAN=YES|ssrrTRN
      If XTRAN is not coded in the CICS region startup JCL, go to offset X'CA' from the beginning of the SIT dump (record sequence number - 6) for a length of 7 bytes. The value will be the resource class name used for that region. If XTRAN=YES is coded, C'CICSTRN' will be present.

   6) SECPRFX=YES
      If SECPRFX is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the same security byte flag shown under 1); resource prefixing is the X'40' bit.

   NOTE 1: If XTRAN=ssrrTRN is specified, resource prefixing (i.e., SECPRFX=YES) is not required to be enabled. Also, CICS regions cannot share the same resource class if resource prefixing is not active.

   NOTE 2: CICS system initialization parameters are specified in the following ways:
   (a) In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
   (b) In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
   (c) In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
   The system initialization parameters are processed in the preceding order, with later system initialization parameter values overriding those specified earlier.

c) If the SIT parameters are defined as specified in (b) for each CICS region, there is NO FINDING.

d) If any SIT parameter is not defined as specified in (b) for a CICS region, this is a FINDING.

Fix text

The IAO will ensure that CICS System Initialization Table (SIT) parameter values are specified. Ensure the following CICS System Initialization Table (SIT) parameter settings are specified for each CICS region:

SEC=YES
   If SEC is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the security byte flag. The hex and bit settings for this flag are listed below; external security is the X'80' bit:
   X'80' EQU B'10000000' EXTERNAL SECURITY REQUESTED
   X'40' EQU B'01000000' RESOURCE PREFIX REQUIRED
   X'10' EQU B'00010000' RACLIST class APPCLU required
   X'08' EQU B'00001000' ESM INSTLN data is required
   X'04' EQU B'00000100' Surrogate User Checking required
   X'02' EQU B'00000010' Always enact resource check
   X'01' EQU B'00000001' Always enact command check

DFLTUSER=CICSUSER
   If DFLTUSER is not coded in the CICS region startup JCL, go to offset X'118' from the beginning of the SIT dump (record sequence number - 6) for a length of 8 bytes. The value will be the CICS default userid.

XUSER=YES
   If XUSER is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the same security byte flag shown under SEC=YES; surrogate user checking is the X'04' bit.

SNSCOPE=NONE|CICS|MVSIMAGE|SYSPLEX
   If SNSCOPE is not coded in the CICS region startup JCL, go to offset X'124' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the signon scope byte flag. The hex settings for this flag are:
   X'01' EQU 1 SIGNON SCOPE = NONE
   X'02' EQU 2 SIGNON SCOPE = CICS
   X'03' EQU 3 SIGNON SCOPE = MVSIMAGE
   X'04' EQU 4 SIGNON SCOPE = SYSPLEX
   NOTE: SNSCOPE=NONE is only allowed with test/development regions.

XTRAN=YES|ssrrTRN
   If XTRAN is not coded in the CICS region startup JCL, go to offset X'CA' from the beginning of the SIT dump (record sequence number - 6) for a length of 7 bytes. The value will be the resource class name used for that region. If XTRAN=YES is coded, C'CICSTRN' will be present.

SECPRFX=YES
   If SECPRFX is not coded in the CICS region startup JCL, go to offset X'117' from the beginning of the SIT dump (record sequence number - 6) for a length of 1. This is the same security byte flag shown under SEC=YES; resource prefixing is the X'40' bit.

NOTE 1: If XTRAN=ssrrTRN is specified, resource prefixing (i.e., SECPRFX=YES) is not required to be enabled. Also, CICS regions cannot share the same resource class if resource prefixing is not active.

NOTE 2: CICS system initialization parameters are specified in the following ways:
   (a) In the system initialization table, loaded from a library in the STEPLIB concatenation of the CICS startup procedure.
   (b) In the PARM parameter of the EXEC PGM=DFHSIP statement of the CICS startup procedure.
   (c) In the SYSIN data set defined in the startup procedure (but only if SYSIN is coded in the PARM parameter).
The system initialization parameters are processed in the preceding order, with later system initialization parameter values overriding those specified earlier.
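As an added example covering both the check content and the fix text above (it is not part of the STIG and not IBM code), the following Python decodes the security-relevant fields at the SIT dump offsets the check cites, applies the NOTE 2 precedence of SIT, EXEC PARM and SYSIN, and reports which of the parameters in (b) would be a FINDING. The dump record is a constructed stand-in with only the cited offsets populated; `build_sample_record`, EBCDIC `cp037` decoding of the character fields, and the `SIT=6$` PARM strings used in the checks are assumptions.

```python
import re

# Bit masks of the security byte flag at offset X'117' (values from the check text).
SEC_EXTERNAL, SEC_PREFIX, SEC_XUSER = 0x80, 0x40, 0x04
SNSCOPE_NAMES = {1: "NONE", 2: "CICS", 3: "MVSIMAGE", 4: "SYSPLEX"}

def build_sample_record(flag, dfltuser, snscope, xtran):
    """Constructed SIT dump record (not a real dump), laid out at the check's offsets."""
    rec = bytearray(0x130)
    rec[0x117] = flag                                     # security byte flag
    rec[0x118:0x120] = dfltuser.ljust(8).encode("cp037")  # DFLTUSER, 8 bytes (EBCDIC assumed)
    rec[0x124] = snscope                                  # signon scope byte
    rec[0xCA:0xD1] = xtran.ljust(7).encode("cp037")       # XTRAN resource class, 7 bytes
    return bytes(rec)

def decode_sit(record):
    """Read the six STIG-relevant parameters out of a SIT dump record."""
    flag = record[0x117]
    return {"SEC": "YES" if flag & SEC_EXTERNAL else "NO",
            "SECPRFX": "YES" if flag & SEC_PREFIX else "NO",
            "XUSER": "YES" if flag & SEC_XUSER else "NO",
            "DFLTUSER": record[0x118:0x120].decode("cp037").strip(),
            "SNSCOPE": SNSCOPE_NAMES.get(record[0x124], "UNKNOWN"),
            "XTRAN": record[0xCA:0xD1].decode("cp037").strip()}  # CICSTRN means XTRAN=YES

def _parse(text):
    return {k.upper(): v.upper() for k, v in re.findall(r"(\w+)=([^,\s]+)", text)}

def effective_parms(sit, parm="", sysin=""):
    """NOTE 2 precedence: SIT, then EXEC PARM=, then SYSIN (read only if PARM names SYSIN)."""
    merged = dict(sit)
    merged.update(_parse(parm))
    if "SYSIN" in parm.upper():
        merged.update(_parse(sysin))
    return merged

def findings(p, test_region=False):
    """Return the parameters that fail check (b); an empty list is NO FINDING."""
    bad = [k for k, want in (("SEC", "YES"), ("DFLTUSER", "CICSUSER"), ("XUSER", "YES")) if p.get(k) != want]
    scope_ok = p.get("SNSCOPE") in ("CICS", "MVSIMAGE", "SYSPLEX")
    if not scope_ok and not (test_region and p.get("SNSCOPE") == "NONE"):
        bad.append("SNSCOPE")
    xtran = p.get("XTRAN", "")
    site_class = bool(re.fullmatch(r"\w{4}TRN", xtran)) and xtran != "CICSTRN"  # ssrrTRN form
    if xtran not in ("YES", "CICSTRN") and not site_class:
        bad.append("XTRAN")
    if p.get("SECPRFX") != "YES" and not site_class:  # NOTE 1: ssrrTRN lifts the SECPRFX requirement
        bad.append("SECPRFX")
    return bad
```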
