STIG Articles By Findings

This article provides a list of all ACF2 STIG articles. Select the specific ACF2 STIG ID to assess and implement the guidance.
  • Severity 1: High
  • Severity 2: Medium
  • Severity 3: Low
To manage your STIG implementation, download this tracker spreadsheet.
| Broadcom STIG ID | Severity | Original STIG ID | Title | Description |
|---|---|---|---|---|
| BACF0001 | Severity 1 | ACF0370 | Set GSO OPTS Control MODE Field Value to ABORT | Shows how to determine if your site is set to prevent unauthorized access. |
| BACF0003 | Severity 1 | ACF0395 | Use Validated Cryptography to Protect Passwords in the Security Database | Shows how to determine if your site has implemented strong encryption. |
| BACF0005 | Severity 1 | ZUSS0022 | Protect z/OS UNIX Resources | Addresses how to set ACF2 rules for all BPX.SRV.user TYPE(SUR) resources to no access. |
| BACF0018 | Severity 1 | ACF0310 | Review of ACF2 Exit Routines | Shows how to set specific GSO EXITS control option field values to ensure that proper system entry validation is performed. |
| BACF0046 | Severity 1 | ACF0760 | Logonid with SECURITY Attribute Missing Security Check Attributes | Shows how to add security check attributes and remove the ability to access a data set or resource without logging to a logonid with the SECURITY attribute. |
| BACF0049 | Severity 1 | ACF0790 | Control READALL Attribute Usage | Shows how to identify logonids with the READALL privilege and how to remove it if not needed. |
| BACF0053 | Severity 1 | ACF0840 | Limit the Users Granted the PPGM Privilege | Shows how to identify logonids with the PPGM attribute and how to remove the attribute if it is not authorized. |
| BACF0054 | Severity 1 | ACF0850 | Limit the Users Granted the OPERATOR Privilege | Shows how to identify logonids with the OPERATOR attribute and how to remove the attribute if it is not authorized. |
| BACF1001 | Severity 1 | AAMV0012 | Unsupported System Software Installed and Active on System | Shows how to ensure that unsupported system software for products that meet the criteria in this STIG article is removed or upgraded before a vendor drops support. |
| BACF1003 | Severity 1 | AAMV0018 | Document Procedures for Security Related Software Patches | Provides guidance to ensure documented procedures exist and are maintained for scheduling, applying, and logging security-related software patches. |
| BACF1015 | Severity 1 | AAMV0500 | Protect Sensitive and Critical Data Sets on Shared DASD | Shows how to validate and determine that a DASD volume is shared and that the sensitive and critical data sets are protected. |
| BACF1016 | Severity 1 | ACP00010 | Limit Permissions to SYS1.PARMLIB | Shows how to review access authorizations to SYS1.PARMLIB, how to limit access to only system programmers, and how to log all activity. |
| BACF1017 | Severity 1 | ACP00020 | Limit Access to SYS1.LINKLIB | Shows how to review access authorizations to SYS1.LINKLIB, how to limit access to only system programmers, and how to log all activity. |
| BACF1018 | Severity 1 | ACP00030 | Limit Access to SYS1.SVCLIB | Shows how to review access authorizations to SYS1.SVCLIB, how to limit access to only system programmers, and how to log all activity. |
| BACF1019 | Severity 1 | ACP00040 | Limit Access to SYS1.IMAGELIB | Shows how to review access authorizations to SYS1.IMAGELIB, how to limit access to only system programmers, and how to log all activity. |
| BACF1020 | Severity 1 | ACP00050 | Limit Access to SYS1.LPALIB | Shows how to review access authorizations to SYS1.LPALIB, how to limit access to only system programmers, and how to log all activity. |
| BACF1021 | Severity 1 | ACP00060 | Limit Access to APF-Authorized Libraries | Shows how to review access authorizations to APF-authorized libraries, how to limit access to only system programmers, and how to log all activity. |
| BACF1022 | Severity 1 | ACP00062 | Protect Libraries Included in REXXLIB | Shows how to review the system REXXLIB concatenation, how to limit access to only system programmers, and how to log all activity. |
| BACF1023 | Severity 1 | ACP00070 | Limit Access to LPA Libraries | Shows how to review access authorizations to LPA libraries, how to limit access to only system programmers, and how to log all activity. |
| BACF1024 | Severity 1 | ACP00080 | Limit Access to SYS1.NUCLEUS | Shows how to review access authorizations to SYS1.NUCLEUS, how to limit access to only system programmers, and how to log all activity. |
| BACF1025 | Severity 1 | ACP00100 | Limit Access to PPT Modules | Shows how to review access authorizations to PPT modules, how to limit access to only system programmers, and how to log all activity. |
| BACF1026 | Severity 1 | ACP00110 | Limit Access to LINKLIST Libraries | Shows how to review access authorizations to LINKLIST libraries, how to limit access to only system programmers, and how to log all activity. |
| BACF1027 | Severity 1 | ACP00120 | Limit Access to Security Databases and Data Sets | Shows how to review access authorizations to ACF2 database files and how to limit write or greater access to only system programmers. |
| BACF1028 | Severity 1 | ACP00130 | Limit Access to Master Catalog | Shows how to review access authorizations to the master catalog, how to limit read or greater access to only system programmers and those authorized by the Information Systems Security Officer (ISSO), and how to log all activity. |
| BACF1029 | Severity 1 | ACP00135 | Limit Access to System User Catalogs | Shows how to review access authorizations to the system user catalogs, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1030 | Severity 1 | ACP00140 | Limit Access to System-Level Product Installation Libraries | Shows how to review access authorizations to the system-level product execution libraries, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1031 | Severity 1 | ACP00150 | Limit Access to JES2 System Data Sets | Shows how to review access authorizations to JES2 system data sets, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1032 | Severity 1 | ACP00170 | Limit Access to SYS1.UADS | Shows how to review access authorizations to the SYS1.UADS data set, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1033 | Severity 1 | ACP00150 | Limit Access to SMF Collection Files | Shows how to review access authorizations to SMF collection files, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1034 | Severity 1 | ACP00190 | Limit Access to SMF Collection Files Backup Data Sets | Shows how to review access to SMF collection file backup data sets and how to limit write or greater access to only system programmers. |
| BACF1035 | Severity 1 | ACP00200 | Limit Access to System Dump Data Set | Shows how to review access authorizations to system dump data sets, how to limit write or greater access to only system programmers, and how to log all activity. |
| BACF1036 | Severity 1 | ACP00210 | Limit Access to System Backup Files | Shows how to obtain the high-level indexes to backup data set names and verify that their access is restricted to system programmers and batch jobs that perform the backups. |
| BACF1037 | Severity 1 | ACP00220 | Limit Access to SYS(x).TRACE | Shows how to review access authorizations to SYS1.TRACE, how to limit write or greater access to only system programmers, and how to log all access. |
| BACF1038 | Severity 1 | ACP00230 | Limit Access to System Page Data Sets | Shows how to review access authorizations to system page data sets, how to limit write or greater access to only system programmers, and how to log all access. |
| BACF1039 | Severity 1 | ACP00240 | Limit Access to Libraries Containing EXIT Modules | Shows how to identify system exits, how to limit write or greater access to only system programmers, and how to log all access. |
| BACF1040 | Severity 1 | ACP00250 | Limit Access to PROCLIB Data Set | Shows how to identify all PROCLIB data sets that contain STCs and TSO logons, how to limit write or greater access to only system programmers, and how to log all access. |
| BACF1041 | Severity 1 | ACP00291 | Configure CONSOLxx Members | Shows how to ensure that all operators are required to log on prior to entering z/OS system commands. |
| BACF1042 | Severity 1 | ACP00320 | Perform Audit Analysis | Provides recommended areas of review to include in your organization's security log management policy. |
| BACF1043 | Severity 1 | ACP00330 | Identify System Users | Shows how to identify userids that are shared among multiple users, uniquely define each identified user to ACF2, and ensure that access to resources is limited to those needed to perform the function. |
| BACF1044 | Severity 1 | ACP00340 | Implement z/OS Baseline Reporting | Shows how to implement z/OS baseline reporting. |
| BACF1056 | Severity 1 | New STIG article | Define Trusted Started Tasks | Shows how to identify started tasks that are unauthorized to have the NON-CNCL and MAINT attributes and how to remove the unauthorized attributes. |
| BACF0007 | Severity 2 | ZWMQ0051 | Define WebSphere MQ Switch Profiles | Shows how to turn on WebSphere MQ Series external security. |
| BACF0009 | Severity 2 | ACF0710 | Restrict Use of the REFRESH Attribute | Shows how to identify all logonids with the REFRESH privilege assigned and how to remove the privilege from unauthorized logonids. |
| BACF0011 | Severity 2 | ZUSSA050 | Define GSO UNIXOPTS Record to Prevent Unauthorized Users | Shows how to verify and change default USS settings so that unauthorized logonids are not allowed access. |
| BACF0014 | Severity 2 | ACF0270 | Control Automatic Physical Erasure of Data Sets | Addresses how to set ACF2 to control automatic physical erasure of VSAM or non-VSAM data sets. |
| BACF0015 | Severity 2 | ACF0280 | Specify GSO BACKUP Control Option Time Fields | Addresses how to set the automatic backup procedures for the ACF2 database. This option specifies a command that ACF2 issues internally upon successful completion of backup processing. |
| BACF0016 | Severity 2 | ACF0290 | Review Control Programs Authorized to Use Bypass Label Processing | Addresses how to verify that ACF2 does not control programs authorized to use tape bypass label processing (BLP). |
| BACF0017 | Severity 2 | ACF0300 | Write Resource Rules to Validate Security Calls | Shows how to verify if your GSO CLASMAP control option is set to translate eight-character SAF resource classes into three-character ACF2 resource type codes to enable resource rules to be written to perform validation. |
| BACF0019 | Severity 2 | ACF0330 | GSO LINKLST Control Option Values Contain Only Trusted System Data Sets | Shows how to specify trusted system partitioned data sets as part of the system link (SYS1.LINKLIB) during data set access validation. |
| BACF0020 | Severity 2 | ACF0350 | Define the GSO Maint Record for System Maintenance | Shows how to specify the logonid, program, and library combinations used for the system maintenance function. |
| BACF0021 | Severity 2 | ACF0360 | Indicate Proper Validation of Jobs in GSO NJE Record | Shows how to assign the validation controls to jobs submitted through an NJE subsystem. |
| BACF0022 | Severity 2 | ACF0375 | Specify GSO OPTS Record Values | Shows how to assign the GSO OPTS record fields to define the global options available for use by the system. |
| BACF0023 | Severity 2 | ACF0390 | Review GSO PSWD Record Value Recommendations | Addresses GSO PSWD record fields to consider when implementing password settings. |
| BACF0024 | Severity 2 | ACF0400 | Define GSO PWPHRASE Record | Addresses GSO PWPHRASE record fields to consider when implementing password phrases. |
| BACF0026 | Severity 2 | ACF0420 | Set the GSO RESVOLS Record VOLMASK Field to Default | Addresses how to set the GSO RESVOLS record value to the default to prevent exposure on storage volumes. |
| BACF0027 | Severity 2 | ACF0430 | Review GSO RULEOPTS Record Values | Addresses what GSO RULEOPTS fields to consider when determining how resource and access rules are used and maintained at your site. |
| BACF0028 | Severity 2 | ACF0440 | Review GSO SAFDEF Record Values | Addresses what default GSO SAFDEF fields to consider for your SAF environment. |
| BACF0029 | Severity 2 | ACF0480 | Review GSO SECVOLS Record Values | Shows how to set the GSO SECVOLS record to the default value. |
| BACF0030 | Severity 2 | ACF0490 | Review GSO SYNCOPTS Record Values | Shows how to define the GSO SYNCOPTS record field values to implement cache synchronization. |
| BACF0031 | Severity 2 | ACF0500 | Review GSO TSO Record Values | Shows how to define the GSO TSO record field values to control how your TSO environment and other system parameters are secured. |
| BACF0032 | Severity 2 | ACF0510 | Clear Password During TSO Logon Process | Shows how to define the GSO TSOCRT record field values to control how your id displays during the logon process. |
| BACF0033 | Severity 2 | ACF0520 | Assign Site-Supplied Keywords for TSO Logon Process | Shows how to assign site-supplied keywords for TSO logon by defining the GSO TSOKEYS record. |
| BACF0034 | Severity 2 | ACF0530 | Clear Logonid Password on TWX Devices | Shows how to define the GSO TSOTWX record to control how your password displays during the logon process to TWX devices. |
| BACF0035 | Severity 2 | ACF0540 | Clear Logonid Password on 2741 Devices | Shows how to define the GSO TSO2741 record to control how your password displays during the logon process to 2741 devices. |
| BACF0036 | Severity 2 | ACF0570 | Define Interactive Logonids to ACF2 Required Fields | Shows how to identify interactive logonids and ensure the correct attributes are assigned. |
| BACF0037 | Severity 2 | ACF0580 | Authorize Restricted Logonids Associated with Batch Job Processing | Shows how to assign attributes to restricted logonids associated with batch job processing. |
| BACF0038 | Severity 2 | ACF0600 | Started Task Logonid Missing STC Attribute | Shows how to assign the STC attribute to a started task logonid. |
| BACF0039 | Severity 2 | ACF0610 | Started Task Logonid Missing MUSASS and NO-SMC Attributes | Shows how to assign the MUSASS and NO-SMC attributes to a started task logonid. |
| BACF0040 | Severity 2 | ACF620 | Implement MUSASS Started Task Control and Accountability | Shows how to assign the JOBFROM attribute to a started task logonid that has the MUSASS attribute assigned. |
| BACF0041 | Severity 2 | ACF0380 | Ensure Protected Programs are Executed by Privileged Users | Shows how to identify if all protected programs are represented by a GSO PPGM record value. |
| BACF0042 | Severity 2 | ACF0640 | Limit Access to NON-CNCL Privilege | Shows how to identify trusted started task logonid records and determine if the NON-CNCL attribute is defined. |
| BACF0043 | Severity 2 | ACF0680 | Define Maintenance Logonid Key Attributes | Shows how to define a maintenance logonid to ensure that critical system maintenance tasks are performed using the ACF2 MAINT privileged attribute. |
| BACF0045 | Severity 2 | ACF0750 | Scope Logonids with ACCOUNT, LEADER, and SECURITY Attributes | Shows how to identify logonids with ACCOUNT, LEADER, or SECURITY attributes and verify if the SCPLST attribute is defined and specified according to the job function and areas of responsibility. |
| BACF0047 | Severity 2 | ACF0770 | Restrict Logonid with ACCTPRIV Attribute | Shows how to identify logonids with the ACCTPRIV attribute and verify that the logonid is assigned to the Information Systems Security Officer. |
| BACF0048 | Severity 2 | ACF0780 | Scope Logonids with AUDIT or CONSULT Attribute | Shows how to identify logonids with the AUDIT and CONSULT attributes and verify if the SCPLST attribute is defined and specified according to the job function and areas of responsibility. |
| BACF0050 | Severity 2 | ACF0800 | Limit the Users Granted TAPE-LBL and TAPE-BLP Privileges | Shows how to identify who has the TAPE-LBL and TAPE-BLP privileges and how to remove those privileges if they are assigned to the wrong logonid. |
| BACF0051 | Severity 2 | ACF0820 | Limit the Users Granted the CONSOLE | Shows how to identify logonids with the CONSOLE attribute and how to remove the attribute if it is not authorized. |
| BACF0052 | Severity 2 | ACF0830 | Limit the Users Granted ALLCMDS Privilege | Shows how to identify logonids with the ALLCMDS attribute and how to remove the attribute if it is not authorized. |
| BACF0055 | Severity 2 | ACF0870 | Define and Protect Sensitive Utility Controls | Shows how to define and protect sensitive utility program resource controls. |
| BACF0057 | Severity 2 | ACF0410 | Set GSO RESRULE Record to NONE | Shows how to change the GSO RESRULE record INDEX field setting to NONE. |
| BACF1002 | Severity 2 | AAMV0014 | Document a Migration Plan for Removing or Upgrading OS Software | Provides guidance to ensure that a documented migration plan exists. |
| BACF1004 | Severity 2 | AAMV0030 | LNKAUTH=APFTAB is Not Specified in the IEASYSxx Member | Shows how to specify LNKAUTH=APFTAB. |
| BACF1005 | Severity 2 | AAMV0060 | Review AC=1 Modules in APF-Authorized Libraries Required Annually | Shows how to ensure that an annual review of all AC=1 modules that reside in APF-authorized libraries is performed. |
| BACF1006 | Severity 2 | AAMV0160 | Validate Program Properties Table Library Entries | Provides guidance to ensure that invalid PPT entries do not exist. |
| BACF1007 | Severity 2 | AAMV0370 | Specify Correct SMF Data Collection Options | Shows how to set control options for tracking SMF data. |
| BACF1008 | Severity 2 | AAMV0380 | Collect the Required SMF Data Record Types | Shows how to define and review SMF data using Auditor. |
| BACF1009 | Severity 2 | AAMV0400 | Collect and Retain SMF Data Automatically | Shows how to identify if automated mechanisms are in place to collect and retain SMF data produced on the system. |
| BACF1010 | Severity 2 | AAMV0410 | Store Backup and Recovery Data Sets on a Separate Volume from the ACF2 Database | Shows how to determine if the ACF2 database is not located on the same volume as the alternate backup files. |
| BACF1011 | Severity 2 | AAMV0420 | Back Up the Database Regularly | Shows how to ensure there is a backup plan in place and how to execute the plan. |
| BACF1012 | Severity 2 | AAMV0430 | Perform System DASD Backups | Shows how to ensure there is a documented backup procedure in place and how to execute the procedure. |
| BACF1013 | Severity 2 | AAMV0440 | Use Data Set and OS Passwords | Shows how to determine if the system password data set and operating system passwords are in use and ensure that protection is provided by ACF2. |
| BACF1014 | Severity 2 | AAMV0450 | Review and Approve Requirements for System Programs | Shows how to ensure any new system software or major upgrade of software has been reviewed and approved by your organization based upon the organizational documented acceptance. |
| BACF1058 | Severity 2 | ZUSS0011 | z/OS UNIX OMVS Parameters in PARMLIB are not Properly Specified | Shows how to verify and define UNIX OMVS parameters in SYS1.PARMLIB. |
| BACF1059 | Severity 2 | ZUSS0012 | z/OS UNIX BPXPRMxx Security Parameters are not Properly Specified | Shows how to verify and define the settings in PARMLIB member BPXPRMxx for z/OS UNIX security parameter values. |