
10.8.32  IBM Mainframe System Security Requirements (Cont. 1)

10.8.32.5 
Technical Controls

10.8.32.5.3  (09-01-2007)
Audit and Accountability

  1. System audit requirements are specified in IRM 10.8.1 and IRM 10.8.3. The audit procedures specific to the IBM mainframe systems environment are listed below.

  2. The RACF System and Group Auditors shall log, analyze, and report all security incidents in accordance with the incident response procedures of IRM 10.8.1.

10.8.32.5.3.1  (09-01-2007)
Required Privileges for Auditing

  1. The individual(s) assigned duties as SYSTEM auditor shall have the system-level AUDITOR attribute in order to run the appropriate security reports and to list RACF profiles.

  2. Personnel assigned group audit responsibilities shall be granted the group-level AUDITOR attribute for the groups they audit.

10.8.32.5.3.2  (09-01-2007)
RACF Audit Reports

  1. The RSA, or designated alternate, is responsible for the timely distribution of the reports to the respective RACF Group Administrators.

  2. At least a seven-day history of SMF records shall be kept on direct access storage or on readily accessible tape/cartridge for use when running reports. The RACF Report Writer that produces the Violations and Successes Reports shall run the daily and/or weekly reports from these datasets.

10.8.32.5.3.3  (09-01-2007)
Violations Report

  1. The Violations Report lists every unsuccessful attempt, during the period specified, to access a dataset or resource protected by RACF or to issue a RACF command. Each entry shall include the terminal identification, UserID, time, and type of violation.

  2. The Violations Report shall be distributed to the manager(s) of those users who appear on the report. The manager receiving the report shall be required to review the report, determine if corrective action is necessary, indicate if any activity was not a true security violation (i.e., access required but not granted), sign the report, and return it to the RSA (or remote access site manager) within 10 working days of the date of the report. If the report is mailed off–site, 30 calendar days shall be permitted.

  3. If the signed Violations Report is not returned to the RACF Security Administrator within 30 working days of its due date, the RSA shall send a memorandum to the responsible manager's immediate supervisor indicating that the signed report is overdue. Additionally, the UserID(s) of the user(s) on the report shall be REVOKED until the signed report is returned.

10.8.32.5.3.4  (09-01-2007)
Successes Report and SETROPTS List

  1. The Successes Report lists all selected successful activity against RACF-protected datasets and resources, and all changes to the RACF database, during the period specified. Each entry shall include the terminal identification, UserID, time, and type of success.

  2. The RSA and designated system auditor shall analyze the Successes Report for any changes or updates to the RACF Database not approved by appropriate authorities and/or not in compliance with standard security or operational guidelines.

  3. The RSA and/or designated RACF System Auditor shall analyze the SETROPTS parameters (the SETROPTS LIST output) and compare them to the previous report or to a baseline report to determine whether any unauthorized updates or changes have been made to the settings.

  4. All unauthorized updates shall be considered security violations and handled in the same manner as instances on the Violations Report, as described in the section above.

10.8.32.5.3.5  (09-01-2007)
Ad Hoc Audit Reports

  1. Ad Hoc reports may be requested by Functional Managers, Auditors, IS Executives, Office of Security Evaluation, Internal Oversight, and/or External Oversight organizations (e.g., GAO).

  2. Ad Hoc audit reports shall be generated through the RACF Report Writer or by using a third party product, such as Vanguard RACF Security Administrator (VRA) or Vanguard Advisor, where available.

  3. Security violations indicated on Ad Hoc reports shall be handled in the same manner as Violations Report, as described in the section above.

10.8.32.5.3.6  (09-01-2007)
Retention and Protection of Security Reports

  1. If RACF Security Reports are printed, they shall be maintained in a security container as defined in IRM 1.16.15, Minimum Protection Standards.

  2. The DSMON reports listed in IRM 10.8.32.4.4 and the SETROPTS list shall be retained at least until a new version is created or any discrepancies have been resolved, whichever is later.

  3. Retention of the Successes and Violation reports shall meet the requirements of IRM 1.15.1, The Records Management Program, and IRM 1.15.2, Types of Records and their Life Cycles.

  4. All security reports shall be destroyed in compliance with IRM 10.8.1.

10.8.32.5.3.7  (09-01-2007)
System Management Facility (SMF)

  1. SMF (System Management Facility) data shall be logged by the operating system to describe activity occurring on the system throughout the day and shall be the authoritative record of system activity.

  2. The system shall be configured to collect at least the SMF record types identified in Exhibit 10.8.32-12.

  3. SMF shall be the mechanism used to log security events and system measurements.

  4. Options for SMF data recording shall be controlled by the parameters of the SMFPRMxx member of the system PARMLIB, which control the frequency of collection, the checkpoint interval for long-running tasks, the level of detail recorded, and the SMF record types to be collected.

  5. UPDATE and ALTER access to the SMF collection datasets (i.e., SYS1.MANx) shall be limited to systems programming personnel and/or the batch jobs that perform SMF dump processing.
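The SMFPRMxx parameters above decide whether the RACF record types ever reach SYS1.MANx; a SUBSYS override that lists its own TYPE() set can silently drop them for started tasks or TSO even when the SYS statement is correct. The following checker is an added example, not IRS or IBM code: it parses a constructed SMFPRMxx member (one statement per line, TYPE/NOTYPE with ranges and subtypes, SUBSYS inheriting from SYS when it names no TYPE/NOTYPE) and reports every scope that fails to collect a required type. The required set {30, 80, 81, 83} is an assumption for the example (80, 81 and 83 are RACF's own record types); the authoritative list is Exhibit 10.8.32-12, which is not reproduced here.

```python
import re

# Constructed SMFPRMxx member (not captured from a real system). The SYS
# statement is fine, but the STC override enumerates its own TYPE list and
# omits the RACF types, and the TSO override explicitly excludes type 80.
SAMPLE_SMFPRMXX = """\
ACTIVE                               /* SMF recording on            */
DSNAME(SYS1.MAN1,SYS1.MAN2,SYS1.MAN3)
NOPROMPT
REC(PERM)
MAXDORM(3000)
INTVAL(30)
SYS(NOTYPE(14:19,62:69),EXITS(IEFU83,IEFU84,IEFU85),INTERVAL(SMF,SYNC),NODETAIL)
SUBSYS(STC,TYPE(0,30(1,2,3),70:79,88,89,90),INTERVAL(SMF,SYNC))
SUBSYS(TSO,NOTYPE(14:19,80),INTERVAL(SMF,SYNC))
"""

# Assumed for this example only; the real list lives in Exhibit 10.8.32-12.
REQUIRED_TYPES = {30, 80, 81, 83}

ALL_TYPES = set(range(256))  # SMF record types are numbered 0-255


def _balanced(text, start):
    """Return the text inside the parenthesis that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses in SMFPRMxx statement")


def _expand(spec):
    """Expand 'a,b:c,d(1,2)' into a set of record types (subtype lists dropped)."""
    spec = re.sub(r"\([^()]*\)", "", spec)  # drop subtype lists such as 30(1,2,3)
    types = set()
    for token in filter(None, spec.split(",")):
        lo, _, hi = token.partition(":")
        types.update(range(int(lo), int(hi or lo) + 1))
    return types


def _type_filter(body, inherited):
    """Apply the TYPE or NOTYPE operand in a SYS/SUBSYS body, else inherit."""
    m = re.search(r"\b(NOTYPE|TYPE)\(", body)
    if not m:
        return set(inherited)
    listed = _expand(_balanced(body, m.end() - 1))
    return listed if m.group(1) == "TYPE" else ALL_TYPES - listed


def collected_types(member):
    """Map 'SYS' and every SUBSYS name to the set of record types it records."""
    scopes = {"SYS": set(ALL_TYPES)}  # SMF default: record everything
    subsys_bodies = []
    for raw in member.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip().upper()  # strip comments
        if line.startswith("SYS("):
            scopes["SYS"] = _type_filter(_balanced(line, 3), ALL_TYPES)
        elif line.startswith("SUBSYS("):
            subsys_bodies.append(_balanced(line, 6))
    for body in subsys_bodies:  # SUBSYS without TYPE/NOTYPE defaults to SYS
        name, _, rest = body.partition(",")
        scopes[name] = _type_filter(rest, scopes["SYS"])
    return scopes


def missing_required(member, required=REQUIRED_TYPES):
    """Scopes that fail to collect a required type, with the types they miss."""
    return {scope: sorted(required - types)
            for scope, types in collected_types(member).items()
            if required - types}


if __name__ == "__main__":
    for scope, missing in missing_required(SAMPLE_SMFPRMXX).items():
        print(f"{scope}: required SMF record types not collected: {missing}")
```

Run against a real member, the SYS row should come back clean and every SUBSYS row should be empty; any SUBSYS that appears in the output has a TYPE/NOTYPE override that needs the RACF types added back.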

10.8.32.5.4  (09-01-2007)
System and Communications Protection

  1. The IRS shall monitor, control, and protect IBM mainframe systems in accordance with IRM 10.8.1.

  2. RACF Exits shall not be used. Exceptions must go through the deviation request process.

  3. UPDATE and ALTER (write, create, delete) access privileges to the Authorized Program Facility (APF) libraries, Link Pack Area (LPA) libraries, and LINKLIST libraries shall be limited to systems programming personnel.

  4. UPDATE and ALTER access privileges to the following libraries containing Supervisor Calls (SVCs) shall be limited to systems programming personnel:

    • SYS1.LPALIB

    • SYS1.LINKLIB

    • SYS1.NUCLEUS

    • SYS1.SVCLIB

  5. All UPDATE and ALTER accesses shall be logged for audit purposes.

  6. An I/O appendage is an installation-written routine that receives control at defined points during system I/O processing (for example, at channel end or abnormal end) and runs in supervisor state. I/O appendages shall be documented and approved by the DAA.

10.8.32.5.4.1  (09-01-2007)
Identification of Started Tasks

  1. A started task (STC) is a cataloged procedure started with the MVS START command, normally from the operator console. Procedures for managing started tasks shall include, at a minimum, the following:

    1. Every started task shall be uniquely defined to RACF.

    2. Each STC shall have access only to the resources required by the started task.

    3. For STCs assigned the "trusted" attribute, all access requests are honored regardless of the permissions granted in access rules and profiles. Unlike the "privileged" attribute, trusted access can still be audited, so trusted STCs shall be kept under audit.

    4. Installations shall define a process for controlling STCs, in general, and trusted STCs, in particular, that includes identification of the STCs, authorization for inclusion, and controls for access to the procedures.

10.8.32.5.4.2  (09-01-2007)
Program Properties Table (PPT)

  1. The Program Properties Table (PPT) facility is a component of the operating system that accommodates the use of privileged programs that can bypass security software mechanisms. The PPT contains the names and properties of these special programs.

  2. UPDATE and ALTER access privileges to libraries containing programs specified in the PPT shall be limited to systems programming personnel.

10.8.32.5.4.3  (09-01-2007)
Parameter Library (PARMLIB)

  1. SYS1.PARMLIB is a critical system dataset. Its members identify the APF-authorized libraries, the LINKLIST libraries, the SMF records the system is to record, and the system consoles, and they provide Virtual Telecommunications Access Method (VTAM) parameters and Initial Program Load (IPL) information.

  2. UPDATE and ALTER access privileges to SYS1.PARMLIB shall be limited to systems programming personnel only.
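Sections 10.8.32.5.4, 10.8.32.5.4.2 and 10.8.32.5.4.3 all state the same control for the APF, LPA, LINKLIST, SVC, PPT and PARMLIB libraries: UPDATE and ALTER only for systems programmers, and every UPDATE and ALTER logged. The checker below is an added example, not IRS code, that verifies those rules against the dataset profiles as RACF reports them. It parses a constructed excerpt of LISTDSD output (layout approximated from RACF's report format, not captured from a real system) and flags a UACC of UPDATE or higher, WARNING mode, any access-list entry at UPDATE or higher outside the systems programming group, and an AUDIT setting that does not log both successful and failed UPDATE/ALTER access (AUDIT(ALL(UPDATE)) or stricter). The group name SYSPROG is an assumption for the example.

```python
import re

# RACF access hierarchy, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Libraries that 10.8.32.5.4 restricts to systems programming personnel.
SENSITIVE = {"SYS1.PARMLIB", "SYS1.LPALIB", "SYS1.LINKLIB", "SYS1.NUCLEUS", "SYS1.SVCLIB"}
# Assumed group holding systems programmers (example only).
SYSPROG_GROUPS = {"SYSPROG"}

# Constructed LISTDSD ... ALL AUTHUSER output (approximated layout). Only the
# fields the checker reads are included. PARMLIB is compliant; LINKLIB gives
# OPERS update and logs only failures; SVCLIB has UACC(UPDATE) and WARNING.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET SYS1.PARMLIB

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -------- ----------------  -------  -----
 00    SYSPROG        READ          NO      NO

AUDITING
--------
ALL(UPDATE)

   ID        ACCESS
   --------  -------
   SYSPROG   ALTER

INFORMATION FOR DATASET SYS1.LINKLIB

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -------- ----------------  -------  -----
 00    SYSPROG        READ          NO      NO

AUDITING
--------
FAILURES(READ)

   ID        ACCESS
   --------  -------
   SYSPROG   ALTER
   OPERS     UPDATE

INFORMATION FOR DATASET SYS1.SVCLIB

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -------- ----------------  -------  -----
 00    SYSPROG       UPDATE         YES     NO

AUDITING
--------
SUCCESS(ALTER),FAILURES(READ)

   ID        ACCESS
   --------  -------
   SYSPROG   ALTER
"""


def parse_listdsd(text):
    """Return one dict per profile: name, owner, uacc, warning, audit, acl."""
    profiles, cur, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("INFORMATION FOR DATASET "):
            cur = {"name": line.split()[3], "acl": {}, "audit": "NONE"}
            profiles.append(cur)
        elif line.startswith("LEVEL") and "UNIVERSAL ACCESS" in line:
            _, owner, uacc, warning, _ = lines[i + 2].split()  # skip dashes
            cur.update(owner=owner, uacc=uacc, warning=warning)
            i += 2
        elif line == "AUDITING":
            cur["audit"] = lines[i + 2].strip()
            i += 2
        elif line.startswith("ID") and line.endswith("ACCESS"):
            i += 2  # header and dashes; entries follow until a blank line
            while i < len(lines) and lines[i].strip():
                uid, access = lines[i].split()
                cur["acl"][uid] = access
                i += 1
        i += 1
    return profiles


def _audit_levels(audit):
    """Lowest access level whose successes / failures are logged (None = not logged)."""
    success = failure = None
    for kind, level in re.findall(r"(ALL|SUCCESS|FAILURES)\((\w+)\)", audit):
        if kind in ("ALL", "SUCCESS"):
            success = level
        if kind in ("ALL", "FAILURES"):
            failure = level
    return success, failure


def _at_most(level, ceiling):
    """True when logging starts at `ceiling` or below, so `ceiling`+ is covered."""
    return level is not None and LEVELS.index(level) <= LEVELS.index(ceiling)


def check_profiles(profiles, sensitive=SENSITIVE, allowed=SYSPROG_GROUPS):
    """One finding per rule violated on a sensitive-library profile."""
    findings = []
    for p in profiles:
        n = p["name"]
        if n not in sensitive:
            continue
        if LEVELS.index(p["uacc"]) >= LEVELS.index("UPDATE"):
            findings.append(f"{n}: UACC({p['uacc']}) grants update access to every user")
        if p["warning"] == "YES":
            findings.append(f"{n}: WARNING mode lets denied requests succeed")
        for uid, access in p["acl"].items():
            if LEVELS.index(access) >= LEVELS.index("UPDATE") and uid not in allowed:
                findings.append(f"{n}: {uid} holds {access} but is not systems programming")
        success, failure = _audit_levels(p["audit"])
        if not (_at_most(success, "UPDATE") and _at_most(failure, "UPDATE")):
            findings.append(f"{n}: AUDIT({p['audit']}) does not log all UPDATE/ALTER access")
    return findings


if __name__ == "__main__":
    for finding in check_profiles(parse_listdsd(SAMPLE_LISTDSD)):
        print("FINDING:", finding)
```

Generic profiles are reported by LISTDSD with a "(G)" suffix after the name, which the parser discards by taking only the first token; a site that covers these libraries with a generic such as SYS1.** should extend SENSITIVE with the generic name rather than the individual datasets.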

10.8.32.5.4.4  (09-01-2007)
Multi–System Console Support (MCS) Controls

  1. Access to console resources shall only be assigned to authorized personnel.

  2. All profiles in the CONSOLE class shall be defined with a default universal access (UACC) of NONE.

  3. The CONSOLE resource shall be defined in the TSOAUTH class with a default universal access (UACC) of NONE.

10.8.32.5.4.5  (09-01-2007)
Sensitive Utility Controls

  1. Sensitive utilities are required to support critical system operations. Uncontrolled use of these utilities could result in a major system failure, loss of data, or a security exposure.

  2. Access to sensitive utilities shall be restricted through the appropriate RACF profiles.

10.8.32.5.4.6  (09-01-2007)
Controls for z/OS Services

  1. Any service that runs on the IBM mainframe platform shall not degrade the overall security of the IRS system or network. Refer to Exhibit 10.8.32-10 for the location of specific technical requirements for common services.

10.8.32.5.4.7  (09-01-2007)
Controls for Software Products

  1. Any software product that runs on the IBM mainframe platform shall not degrade the overall security of the IRS system or network. Refer to Exhibit 10.8.32-11 for the location of specific technical requirements for common software products.

10.8.32.5.4.8  (09-01-2007)
Required RACF Settings

  1. To achieve security levels consistent with this manual, the following parameters shall be defined to RACF for all IRS systems using the Set RACF Options (SETROPTS) command.

  2. The SETROPTS value for each of the options below shall be configured in accordance with Exhibit 10.8.32-1:

    1. System Level Attributes
      INITSTATS – Records statistics (such as the date and time of the last logon) in the user profile during user verification at RACINIT. INACTIVE revocation and revocation after consecutive bad passwords depend on it.
      WHEN(PROGRAM) – Activates RACF program control.
      TERMINAL – Sets the universal access (READ or NONE) for terminals that are not defined to RACF in the TERMINAL class.
      SAUDIT – Logs privileged commands issued by users with the SPECIAL attribute.
      OPERAUDIT – Logs accesses and commands made possible by the OPERATIONS attribute.
      CMDVIOL – Logs every command violation.

    2. Switches set for each resource class
      AUDIT CLASSES – Classes for which RACF logs changes to profiles made by RACF commands.
      ACTIVE CLASSES – Classes for which RACF access checking is active.
      GENERIC – Classes with generic profile checking.
      LOGOPTIONS – Additional (or subtractive) auditing options for specified classes.

    3. Dataset and UserID Options
      ADSP – This feature shall not be turned on. If it is on, RACF automatically creates a new discrete profile for every new dataset created on the system, which quickly fills the RACF database and causes system problems.
      EGN – Determines whether the "enhanced" use of asterisks is allowed in dataset profile names.
      REALDSN – Unmodified (real) dataset names are used in messages and SMF records rather than names altered by a naming-convention exit.
      JES–BATCHALLRACF OPTION IS ACTIVE – Requires every batch job to have a RACF UserID.
      JES–XBMALLRACF OPTION IS ACTIVE – Requires a RACF UserID for jobs run under the JES2 execution batch monitor (XBM).
      JES–EARLYVERIFY – Obsolete. JES now always behaves as if this switch is on: job passwords are checked when the job is read in, not later when it executes.
      PROTECTALL – Requires all datasets to be RACF-protected.
      TAPEDSN – Tape dataset name protection.
      ERASE–ON–SCRATCH – Physically overwrites a dataset's DASD space when the dataset is scratched (deleted).
      SECURITY RETENTION PERIOD – Used with tape datasets to specify the default number of days a tape dataset is kept before the reel or cartridge is returned to the "SCRATCH" pool.
      SINGLE LEVEL NAME PREFIX IS "RAC1LVL" – Forces the system to prefix the specified high-level qualifier to any dataset or resource name that has only one qualifier. This standard applies across systems protected by RACF when there is communication between CPUs or platforms.
      GRPLIST – When active, RACF access requests are checked against all groups in which the user is a member. If not active, requests are checked only against the UserID and the current connect group.
      INACTIVE – Sets the number of days a UserID may be inactive before it is automatically revoked.

    4. Password Options
      CHANGE INTERVAL – Number of days after which a user must change his or her password.
      MIXED CASE SUPPORT – Allows passwords to include lower- and upper-case characters.
      HISTORY GENERATIONS (also called "PASSWORD HISTORY") – Number of recently used passwords (up to 32) maintained in each user profile to prevent password re-use.
      NUMBER OF CONSECUTIVE UNSUCCESSFUL – Number of bad passwords in a row that will cause RACF to revoke a UserID.
      EXPIRATION WARNING LEVEL – Number of days before a password expires that the user is warned.
      SYNTAX RULES – Length and content rules.

    5. Miscellaneous Options
      CATALOGUED DATASETS ONLY – Requires every dataset to be catalogued (with some exceptions).
      JES–NJEUSERID – Default UserID used in JESSPOOL profile names for NJE jobs that arrive without a UserID.
      JES–UNDEFINEDUSER – Default UserID used in JESSPOOL profile names for local jobs that have no UserID.
      SESSIONKEY INTERVAL – Default and maximum number of days an APPC session key is valid.
      KERBLVL – Controls which Kerberos encryption keys RACF generates for users whose profile has a KERB segment. Not setting this option, or setting KERBLVL(0), always generates DES keys only; this may be acceptable only when not every platform in the Kerberos configuration supports Triple-DES or derived keys. To control the use of keys that are not plain DES keys, the RACF administrator shall set the option KERBLVL(1):
      SETR KERBLVL(1)
      Notes: With KERBLVL set to "1" all three key types are always generated and stored in the user's KERB segment; the ENCRYPT setting then determines which keys may be used. If ENCRYPT is later changed there is no need to generate new keys, since they are already present in the USER profile. Single DES (56-bit) is not adequate protection, which is the reason to set KERBLVL(1) rather than rely on the DES-only default.
      ADDCREATOR – Shall not be active (NOADDCREATOR). When active, the UserID that creates a profile is automatically placed in its access list with ALTER access.

    6. Optional Controls
      GENCMD – Activates generic profile command processing for specified classes.
      GLOBAL CHECKING CLASSES – (Performance vs. security) Most effective for resource classes with high-frequency use by many users (e.g., datasets or resources to which the majority of users are allowed access). Because this feature reduces I/O against dataset/resource security profiles, it may enhance performance; global access entries bypass profile-level auditing and access lists, so they shall be used only for resources that every user may legitimately access at the granted level.
      RACLIST CLASSES – (Performance vs. security) Specifies resource classes whose profiles are held in storage. Intended for high-I/O-volume resources.
      MODELLING (USER, GROUP, GDG) – Obsolete. Used to specify that model dataset profiles fill in the permit lists of user, group, or GDG dataset profiles.

10.8.32.6  (09-01-2007)
Deviations

  1. Deviations from this policy shall be submitted in accordance with IRM 10.8.1 and use Form 13125, as described in deviation Standard Operating Procedures (SOPs).

  2. Refer to IRM 10.8.1 for additional information.

Exhibit 10.8.32-1  (09-01-2007)
Appendix A: Required SETROPTS Specifications

The following table depicts the required values for the RACF Standard Global Options (SETROPTS) operands. The options specified are baseline requirements; a site may be more restrictive where necessary and documented.

REQUIRED GLOBAL OPTIONS (SETROPTS) TABLE

Requirement | Version 1.5 or earlier | Version 1.6 | Version 1.7 | Comment
---|---|---|---|---
ATTRIBUTES | INITSTATS, WHEN(PROGRAM), SAUDIT, OPERAUDIT, CMDVIOL | INITSTATS, WHEN(PROGRAM -- BASIC), SAUDIT, OPERAUDIT, CMDVIOL, TERMINAL(READ) | INITSTATS, WHEN(PROGRAM -- BASIC), SAUDIT, OPERAUDIT, CMDVIOL, TERMINAL(READ) | TERMINAL(READ) applies when the TERMINAL class is in the ACTIVE class list.
AUDIT CLASSES | Audit all ACTIVE CLASSES | Audit all ACTIVE CLASSES | Audit all ACTIVE CLASSES |
ACTIVE CLASSES | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
GENERIC PROFILE CLASSES | All possible classes | All possible classes | All possible classes | Turn on generic profiles for every class possible (not possible for group classes).
GENERIC COMMAND CLASSES | Installation Decision | Installation Decision | Installation Decision | All classes that commands may be used against. Enterprise implementation required.
GENLIST CLASSES | NONE | NONE | NONE | General resource classes that shall be activated for in-storage use, to reduce retrieval time and storage of general resources.
GLOBAL CHECKING CLASSES | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
RACLIST CLASSES | Installation Decision | Installation Decision | Installation Decision | Some general resource classes require RACLIST in order to function. Enterprise implementation required.
GLOBAL RACLIST ONLY CLASSES | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
LOGOPTIONS ALWAYS | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
LOGOPTIONS NEVER | NONE | NONE | NONE | Enterprise implementation required.
LOGOPTIONS SUCCESSES | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
LOGOPTIONS FAILURES | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
LOGOPTIONS DEFAULT | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
AUTOMATIC DATASET PROTECTION | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
ENHANCED GENERIC NAMING | EGN | EGN | EGN | Enterprise implementation required.
REAL DATASET NAMES | REALDSN | REALDSN | REALDSN |
JES BATCHALLRACF | JES BATCHALLRACF | JES BATCHALLRACF | JES BATCHALLRACF |
JES XBMALLRACF | JES XBMALLRACF | JES XBMALLRACF | JES XBMALLRACF |
PROTECT-ALL | FAIL | FAIL | FAIL |
TAPE DATA SET PROTECTION | TAPEDSN | TAPEDSN | TAPEDSN | Enterprise implementation required.
SECURITY RETENTION PERIOD | Installation Decision | Installation Decision | Installation Decision | Recommend a value between 0 and 99999 (99999 = never expires). Enterprise implementation required.
ERASE-ON-SCRATCH | Installation Decision | Installation Decision | Installation Decision | NOERASE and ERASE are acceptable.
SINGLE LEVEL NAME PREFIX | RAC1LVL | RAC1LVL | RAC1LVL |
LIST OF GROUPS ACCESS CHECKING | GRPLIST | GRPLIST | GRPLIST |
INACTIVE USERIDS | Reference IRM 10.8.1 | Reference IRM 10.8.1 | Reference IRM 10.8.1 |
DATA SET MODELLING (GDG) | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
USER DATA SET MODELLING | N/A | Installation Decision | Installation Decision | Enterprise implementation required.
GROUP DATA SET MODELLING | N/A | Installation Decision | Installation Decision | Enterprise implementation required.
PASSWORD: CHANGE INTERVAL | Reference IRM 10.8.1 | Reference IRM 10.8.1 | Reference IRM 10.8.1 |
PASSWORD: MINIMUM CHANGE INTERVAL | N/A | N/A | 5 |
PASSWORD: MIXED CASE SUPPORT | N/A | N/A | MIXEDCASE |
PASSWORD: HISTORY GENERATIONS | Reference IRM 10.8.1 | Reference IRM 10.8.1 | Reference IRM 10.8.1 |
PASSWORD: NUMBER OF CONSECUTIVE UNSUCCESSFUL | Reference IRM 10.8.1 | Reference IRM 10.8.1 | Reference IRM 10.8.1 |
PASSWORD: EXPIRATION WARNING LEVEL | 14 | 14 | 14 |
PASSWORD: SYNTAX | ALPHA-NUMERIC | ALPHA-NUMERIC | ALPHA-NUMERIC | Length of 8.
RVARY SWITCH PASSWORD | Installation defined (not the default) | Installation defined (not the default) | Installation defined (not the default) |
RVARY STATUS PASSWORD | Installation defined (not the default) | Installation defined (not the default) | Installation defined (not the default) |
SECLEVEL AUDIT | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
SECLABEL AUDIT | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
SECLABEL CONTROL | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
GENERIC OWNER | GENERIC OWNER | GENERIC OWNER | GENERIC OWNER |
COMPATIBILITY MODE | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL QUIET | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL STABLE | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
WRITE-DOWN | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL SECURE | Installation Decision | N/A | N/A | Enterprise implementation required.
MULTI-LEVEL ACTIVE | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
CATALOGUED DATA SETS ONLY | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
JES NJEUSERID | ???????? | ???????? | ???????? |
JES UNDEFINEDUSER | ++++++++ (default) | ++++++++ (default) | ++++++++ (default) |
PARTNER SESSIONKEY INTERVAL | 180 | 180 | 180 |
APPLAUDIT | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
ADDCREATOR | NOADDCREATOR | NOADDCREATOR | NOADDCREATOR |
KERBLVL | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL FILE SYSTEM | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL INTERPROCESS COMMUNICATIONS | Installation Decision | Installation Decision | Installation Decision | Enterprise implementation required.
MULTI-LEVEL NAME HIDING | N/A | Installation Decision | Installation Decision | Enterprise implementation required.
EIM | NOEIM | N/A | N/A |
PRIMARY LANGUAGE | ENU | ENU | ENU / AMERICAN | The language name (AMERICAN) appears only if the MVS message service is active.
SECONDARY LANGUAGE | ENU | ENU | ENU / AMERICAN | The language name (AMERICAN) appears only if the MVS message service is active.
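Section 10.8.32.5.3.4 requires the auditor to compare the SETROPTS parameters with a baseline, and 10.8.32.5.4.8 together with this exhibit define that baseline. The script below is an added example, not IRS or IBM code, of doing that comparison mechanically: it reduces a constructed SETROPTS LIST excerpt (layout approximated from RACF's report format, not captured from a real system; only the line shapes present in the sample are parsed) to a dictionary and checks it against the fixed-value rows of the exhibit, plus the "audit all ACTIVE CLASSES" rule expressed as a set comparison. Rows marked "Installation Decision" in the exhibit are left out of the baseline, since a site must supply its own expected values for those.

```python
import re

# Constructed SETROPTS LIST excerpt. Three lines deliberately deviate from the
# baseline: ADSP is on, ADDCREATOR is on, and STARTED is active but unaudited.
SAMPLE_SETROPTS_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
AUDIT CLASSES = DATASET USER GROUP TERMINAL CONSOLE TSOAUTH
ACTIVE CLASSES = DATASET USER GROUP TERMINAL CONSOLE TSOAUTH STARTED
GENERIC PROFILE CLASSES = DATASET TERMINAL CONSOLE TSOAUTH STARTED
GENLIST CLASSES =  NONE
LOGOPTIONS "NEVER" CLASSES = NONE
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTION IS ACTIVE
JES-BATCHALLRACF OPTION IS ACTIVE
JES-XBMALLRACF OPTION IS ACTIVE
PROTECT-ALL FAIL OPTION IS IN EFFECT
TAPE DATA SET PROTECTION IS ACTIVE
SINGLE LEVEL NAME PREFIX IS RAC1LVL
LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
PASSWORD PROCESSING OPTIONS:
  PASSWORD MINIMUM CHANGE INTERVAL IS   5 DAYS.
  MIXED CASE PASSWORD SUPPORT IS IN EFFECT
  PASSWORD EXPIRATION WARNING LEVEL IS 14 DAYS.
ADDCREATOR IS IN EFFECT
"""

# Three line shapes: on/off options, "NAME = list" lines, and "NAME IS value".
BOOL_RE = re.compile(r"^(?P<name>.+?) IS (?P<state>IN EFFECT|NOT IN EFFECT|ACTIVE|INACTIVE)\.?$")
LIST_RE = re.compile(r'^(?P<name>[A-Z"\- ]+?)\s*=\s*(?P<vals>.*)$')
VALUE_RE = re.compile(r"^(?P<name>.+?) IS\s+(?P<val>\S+?)(?: DAYS)?\.?$")


def parse_setropts(text):
    """Reduce SETROPTS LIST output to {option name: bool | set[str] | str}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BOOL_RE.match(line)
        if m:
            settings[m["name"]] = m["state"] in ("IN EFFECT", "ACTIVE")
            continue
        m = LIST_RE.match(line)
        if m:
            # WHEN(PROGRAM -- BASIC) and WHEN(PROGRAM) both mean program control is on.
            vals = re.sub(r"WHEN\(PROGRAM[^)]*\)", "WHEN(PROGRAM)", m["vals"])
            tokens = set(vals.split())
            settings[m["name"].strip()] = set() if tokens == {"NONE"} else tokens
            continue
        m = VALUE_RE.match(line)
        if m:
            settings[m["name"]] = m["val"]
    return settings


# Fixed-value rows of Exhibit 10.8.32-1 (Version 1.7 column) plus the ADSP and
# ADDCREATOR rules from 10.8.32.5.4.8. "includes": every token must be present;
# "equals": exact match (False = option off, set() = NONE).
BASELINE = [
    ("ATTRIBUTES", "includes", {"INITSTATS", "WHEN(PROGRAM)", "SAUDIT", "OPERAUDIT", "CMDVIOL"}),
    ("GENLIST CLASSES", "equals", set()),
    ('LOGOPTIONS "NEVER" CLASSES', "equals", set()),
    ("AUTOMATIC DATASET PROTECTION", "equals", False),
    ("ENHANCED GENERIC NAMING", "equals", True),
    ("REAL DATA SET NAMES OPTION", "equals", True),
    ("JES-BATCHALLRACF OPTION", "equals", True),
    ("JES-XBMALLRACF OPTION", "equals", True),
    ("PROTECT-ALL FAIL OPTION", "equals", True),
    ("TAPE DATA SET PROTECTION", "equals", True),
    ("SINGLE LEVEL NAME PREFIX", "equals", "RAC1LVL"),
    ("LIST OF GROUPS ACCESS CHECKING", "equals", True),
    ("PASSWORD MINIMUM CHANGE INTERVAL", "equals", "5"),
    ("MIXED CASE PASSWORD SUPPORT", "equals", True),
    ("PASSWORD EXPIRATION WARNING LEVEL", "equals", "14"),
    ("ADDCREATOR", "equals", False),
]


def check_baseline(settings, baseline=BASELINE):
    """Return one finding per deviation from the baseline; empty means compliant."""
    findings = []
    for name, rule, expected in baseline:
        if name not in settings:
            findings.append(f"{name}: not present in SETROPTS LIST output")
        elif rule == "includes":
            missing = expected - settings[name]
            if missing:
                findings.append(f"{name}: missing {sorted(missing)}")
        elif settings[name] != expected:
            findings.append(f"{name}: expected {expected!r}, found {settings[name]!r}")
    # "Audit all ACTIVE CLASSES": every active class must also be an audit class.
    unaudited = settings.get("ACTIVE CLASSES", set()) - settings.get("AUDIT CLASSES", set())
    if unaudited:
        findings.append(f"AUDIT CLASSES: active classes not audited {sorted(unaudited)}")
    return findings


if __name__ == "__main__":
    for finding in check_baseline(parse_setropts(SAMPLE_SETROPTS_LIST)):
        print("DEVIATION:", finding)
```

The "not present" finding matters as much as a wrong value: a line missing from the report usually means the option name changed between RACF releases (several rows above show N/A for older versions), so the baseline needs revisiting rather than the finding being dismissed.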

Exhibit 10.8.32-2  (09-01-2007)
Appendix B: RACF Planning and Implementation

A systematic analysis of access configuration shall be performed whether setting up RACF on a system for the first time or conducting a top–to–bottom review and verification of discretionary access controls.

(1) Establishing the RACF Environment

The system project office, which is responsible for creating a new system, shall designate a team of system knowledgeable personnel. This group shall include, but is not limited to, the application manager/owner, systems programmers, operating system administrators, RACF security administrators, RACF system auditor, and database administrators. As a minimum, the group should perform the following activities:

  1. Identify and document all access points and resources connected to the system (e.g., CPUs, applications, remote ports, remote job entry sites, TSO, CICS, DASDVOL, databases, batch jobs, started tasks, etc.).

  2. Ensure that each resource requires a RACINIT so that only RACF– defined users and resources can use the system.