Sensitive CICS transactions are not protected in accordance with the proper security requirements.

From z/OS ACF2 STIG

Part of ZCICA024

Associated with IA controls: DCCS-1, DCCS-2, ECSD-2, ECSD-1

SV-7189r1_rule Sensitive CICS transactions are not protected in accordance with the proper security requirements.

Vulnerability discussion

Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.

Check content

a) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CICSPROC) Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. c) Ensure the following items are in effect for entries specified in the SAFELIST parameter: 1) Transactions are uniquely identified. 2) Transactions are not masked. 3) Sensitive transactions are not included. NOTE: The following transactions are eligible for exemption from security checking. CATR CCIN CEGN CEJR CESF CESN CIEP CLQ2 CLR1 CLR2 CLS1 CLS2 CLS3 CLS4 CMPX CPSS CQPI CQPO CQRY CRSR CSAC CSCY CSHR CSPG CSPK CSPP CSPS CSRK CSRS CSSF CXRT d) If the items in (c) are true for all entries specified in the SAFELIST parameter for each CICS region, there is NO FINDING. e) If any item in (c) is untrue for any entry specified in the SAFELIST parameter, this is a FINDING.

Fix text

The Systems Programmer and IAO will ensure the ACF2/CICS parameter SAFELIST are coded with values specified below. Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure the following items are in effect for entries specified in the SAFELIST parameter: 1) Transactions are uniquely identified. 2) Transactions are not masked. 3) Sensitive transactions are not included. NOTE: The following transactions are eligible for exemption from security checking. CATR CCIN CEGN CEJR CESF CESN CIEP CLQ2 CLR1 CLR2 CLS1 CLS2 CLS3 CLS4 CMPX CPSS CQPI CQPO CQRY CRSR CSAC CSCY CSHR CSPG CSPK CSPP CSPS CSRK CSRS CSSF CXRT

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer