IBM Security Z Security

Security for Z

  • 1.  Implementing STIG zSecure Checks Query

    Posted Mon February 27, 2023 10:31 AM

    Hi, we're looking at migrating to using the STIG standards as a baseline for our compliance on our ACF2 and RACF mainframes, and using zSecure to perform the compliance checks. We are currently running zSecure 2.4 with plans to migrate to version 2.5 by year's end. When looking at the latest versions of the STIG documents, I noted that the STIG rule names in zSecure don't map to the RuleID in the STIG documents. I was wondering if there is a matrix or document that can help us map the rules in the official STIG documents to the defined STIG checks in zSecure?

    Example:

    zSecure 2.4 Check:
    Rule      Standard  Description                Member
    RACF0244  STIG      FACILITY class active      CKAGR244

    STIG 8.10 Entry:
    Vul ID: V-223657    Rule ID: SV-223657r604139_rule    STIG ID: RACF-ES-000090
    Rule Title: The IBM RACF FACILITY resource class must be active.


    My understanding is the current version of the z/OS STIGs for RACF and ACF2 is 8.10 and that zSecure 2.4 supported STIG version 6.41, so I realise there will be some discrepancies. Thanks very much for any assistance you can provide, sorry if I have missed something obvious. 



    ------------------------------
    Nathan Shrive
    ------------------------------


  • 2.  RE: Implementing STIG zSecure Checks Query

    Posted Mon February 27, 2023 11:14 AM
    Edited by Hans Schoone Mon February 27, 2023 11:24 AM

    You need to install the Feb 2023 SSE PTF (see APAR OA64225) on zSecure 2.5.0 to get the support for STIG v8.10 control names ("STIG Id") like RACF-ES-000090.

    Obviously during development we tried creating such a mapping. But there is not always a one-to-one relation between the v6 STIG ids and v8 STIG ids.



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM
    ------------------------------



  • 3.  RE: Implementing STIG zSecure Checks Query

    Posted Mon February 27, 2023 11:25 AM

    The main APAR is OA64225, for all details see the blog entry (but indeed this requires 2.5.0).

    VIEW       CRMA.D.GKR250.$TEST.SCKRCARL(CKAHE090) - 01.16  Columns 00001 00072 
    Command ===> ________________________________________________ Scroll ===> CSR  
    000016  ****************************************************EndModule********/ 
    000017  RULE_SET(,                                                             
    000018   RACF-ES-000090 STD(RACF_zOS_STIG(8.10:),                              
    000019                  REF(STIGID=RACF-ES-000090 VULID=V-223657 VMS=4101,     
    000020                      CCI=CCI-000213)),                                  


    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
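
The member excerpt in the post above carries the STIG ID, Vul ID, VMS and CCI in its REF(...) clause, so a cross-reference keyed by Vul ID can be built from the members themselves. The following is an added example, not code from the thread or from zSecure; it assumes the SCKRCARL members have been exported as text and that their control headers have the shape shown in the excerpt, and `parse_member` and `crossref` are hypothetical names.

```python
import re

# Constructed input: the CKAHE090 excerpt quoted in the post above, keyed by
# member name, with the ISPF sequence numbers left as they appear on screen.
SAMPLE = {
    "CKAHE090": """\
000016  ****************************************************EndModule********/
000017  RULE_SET(,
000018   RACF-ES-000090 STD(RACF_zOS_STIG(8.10:),
000019                  REF(STIGID=RACF-ES-000090 VULID=V-223657 VMS=4101,
000020                      CCI=CCI-000213)),
""",
}

SEQ = re.compile(r"^\d{6}[ \t]+", re.M)                  # ISPF sequence numbers
STD = re.compile(r"(\S+)\s+STD\(\s*(\w+)\(([^)]*)\)")    # control, standard, version
REF = re.compile(r"REF\(([^()]*)\)")                     # REF(...) body, may wrap lines
KV = re.compile(r"(\w+)=([^\s,()]+)")                    # STIGID=..., VULID=..., CCI=...


def parse_member(member, text):
    """Return one row per control header of the shape shown in the post."""
    text = SEQ.sub("", text)
    heads = list(STD.finditer(text))
    rows = []
    for i, m in enumerate(heads):
        # Only accept a REF(...) that sits before the next control header.
        stop = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ref = REF.search(text, m.end(), stop)
        keys = dict(KV.findall(ref.group(1))) if ref else {}
        rows.append({"member": member, "control": m.group(1),
                     "standard": m.group(2), "version": m.group(3), **keys})
    return rows


def crossref(members):
    """Index rows by Vul ID, the identifier used in the STIG documents."""
    table = {}
    for name, text in members.items():
        for row in parse_member(name, text):
            table.setdefault(row.get("VULID", "(no VULID)"), []).append(row)
    return table


if __name__ == "__main__":
    for vul, rows in crossref(SAMPLE).items():
        for r in rows:
            print(vul, r["control"], r["standard"], r["version"], r["member"])
```

The version text is kept exactly as written in the member ("8.10:"), and controls without a REF(...) clause are grouped under "(no VULID)" so they can be reviewed by hand.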



  • 4.  RE: Implementing STIG zSecure Checks Query

    Posted Mon February 27, 2023 02:26 PM

    I used to work for DISA and I have all the documentation. 



    ------------------------------
    Steve Beaver
    ------------------------------



  • 5.  RE: Implementing STIG zSecure Checks Query

    Posted Mon February 27, 2023 05:09 PM

    Hi guys, thanks for your input, I saw the new 2.5 blog entry just after I posted, looks like that will be great and allow us to map the checks to the STIG rules. As we are still a little way away from getting 2.5 installed, Steve Beaver if you have anything that you think would help map the checks in the interim that would be fantastic. Cheers. 



    ------------------------------
    Nathan Shrive
    ------------------------------