OS/390 Logical Partition Security Technical Implementation Guide, v2 Release 2

v2 Release 2

Final

Not available.

2005-03-04

Operating System

IBM

IBM OS/390 Operating System

Not available.

Server

The OS/390 Logical Partition Security Technical Implementation Guide defines the technical criteria necessary to implement Mission Assurance Category (MAC) II Sensitive functionality within DISA non-classified multiple partitions and classified partitions.  The purpose of this document is not to define policy, but to document the procedures and parameters necessary to implement policy.  Policy serves no value if it cannot be technically implemented. When implementing security within the OS/390 operating platform, or within any platform, essentially three criteria must be considered — confidentiality, integrity, and availability. Many Information Systems (ISs) used throughout DISA sites run IBM operating systems.  The OS/390 MVS operating system, as distributed by IBM, provides integrity of the operating environment as part of the trusted computer base, as defined in DoDD 8500.1.  Controls have been developed and documented in IBM references to ensure this integrity.

This document defines the requirements, standards, controls, and options that must be in place for each LPAR in a processing complex to comply with the MAC II Sensitive requirements.  The site may implement additional security as necessary to allow multiple partitions to exist on the same physical box without risk to the integrity of the LPAR. Many of the sites running OS/390 are doing so on processors capable of executing multiple environments concurrently.  In addition to the security required within OS/390, additional requirements are necessary to ensure the integrity of each environment.  Also, controls will be in place to ensure the separation of data with different classification levels. The requirements set forth in this document are for OS/390 LPARs and for the hardware and software used to support LPARs at the following sites: Systems Management Centers (SMCs), Computing Services Processing Element (CSPE), Systems Support Offices (SSOs), DOD Components, and other DISA customers.

The Security Technical Implementation Guides (STIGs) were initially developed to assist the sites in securing their systems against security and infrastructure vulnerabilities.  All sites have a vested interest in maintaining system security, as it directly impacts the site’s Certification and Accreditation (C&A).  Sites are mandated by DISA to have a valid C&A status by the authority derived from DOD Directive 8500.1, Security Requirements for Automated Information Systems, 24 October 2002, and the Computer Security Act of 1987, Public Law 100-235, January 1988.  The requirements for accreditation of DISA Information Technology, as described here, are found in DISAI 630-230-19, DISA Information Systems Security Program, July 1996.  Compliance with the applicable Security Technical Implementation Guide (STIG) is mandatory for systems residing in a DISA facility and for any system directly administered by DISA.  The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DOD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing unclassified but sensitive information.

This process has been extended to Joint Commands seeking to secure their systems against the same vulnerabilities.  While there is no mandate for their use at the Joint Commands, the value of the STIGs has been seen by each of the Unified Commands.

Each manufacturer uses a different term for describing a Logical Partition.  Amdahl uses the term domain.  Hitachi Data Systems (HDS) and IBM both use the term LPAR.  Throughout this document, LPAR is used generically to refer to any manufacturer’s logical partition.

Developped for the DOD.
The requirements set forth in this document will assist system administrators with knowledge of the IBM OS/390 operating system in support of protecting DOD systems.

Enterprise and Specialized Security-Limited Functionality.

Not available.

Not available.

Not available.

Not available.

Not available.

Refer to Known Issues.

Not available.

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Defense Information Systems Agency

Not available.

Not available.

Not available.

http://iase.disa.mil/stigs/stig/index.html

http://iase.disa.mil/stigs/stig/lpar_stig_v2r2.pdf

SHA1 Digest (lpar_stig_v2r2.pdf) =
10159836fe61cdda1b47095ae7f5c2998bda0b3f

SHA256 Digest (lpar_stig_v2r2.pdf) =
6fb9a8b1e0cc8ae2018c9e44411815efd54da95
aedf39ed7d3f1424b1ea2ec39

v1 Release 3: 2001-02-09

v2 Release 1: 2003-06

v2 Release 2: 2005-03-04

SRR Review Procedures, MVS Logical Partition (LPAR), v2 Release 1.3

Government Publications

Department of Defense (DOD) Directive 8500.1, "Information Assurance (IA),” October 24, 2002.

Department of Defense (DOD) Directive 8500.1, "DOD Trusted Computer System Evaluation Criteria," October 24, 2002.

Defense Information Systems Agency Instruction (DISAI) 630-230-19, "Security Requirements for Automated Information Systems (AIS)," July 1996.

DISA Computing Services Naming Convention Standards, February 1996.

DISA Computing Services Security Handbook, Version 3, 1 December 2000.

DISA Network Infrastructure Security Technical Implementation Guide, Version 4, Release 2, 15 October 2002.

DISA UNIX Security Technical Implementation Guide, Version 3, Release 1.1, 5 January 2001.

DISA OS/390 Security Technical Implementation Guide, Version 3, Release 2, 30 June 2002.

DISA VM Security Technical Implementation Guide, Version 1, Release 3, 29 April 2002.

National Security Agency (NSA), "Information Systems Security Products and Services Catalog" (Current Edition).

Defense Logistics Agency Regulation (DLAR) 5200.17, "Security Requirements for Automated Information and Telecommunications Systems," October 9, 1991.

Army Regulation (AR) 380-19, "Information Systems Security," 1 August 1990.

Air Force Systems Security Instruction (AFSSI) 5100, "The Air Force Computer Security (COMPUSEC) Program," June 2, 1992.

Air Force Systems Security Memorandum (AFSSM) 5007, "A Methodology for Addressing DOD-Mandated "C2 by 92" for Operational Air Force Systems," March 25, 1991.

Secretary of the Navy Instruction (SECNAVINST) 5239.2, "Department of the Navy Automated Information Systems (AIS) Security Program," November 15, 1989.

Navy Staff Office Publication (NAVSO Pub) 5239-15, "Controlled Access Protection Guidebook," August 1992.

Public Law 100-235, 100th Congress, an Act cited as the "Computer Security Act of 1987," January 8, 1988.

Executive Office of the President, Office of Management and Budget, Circular No. A-130, "Management of Federal Information Resources," December 12, 1985.

IBM Corporation Publications

OS/390 MVS Initialization and Tuning Reference (SC28-1752)

OS/390 MVS System Management Facilities (SMF) (GC28-1783)

OS/390 MVS System Commands (GC28-1781)

OS/390 SecureWay Communications Server IP Configuration (SC31-8513)

OS/390 Security Server (RACF) Callable Services (GC28-1921)

NetView Administration and Reference, Version 2

NetView Installation and Operations Guide, Version 2

OS/390 CDROM

JES2 Implementation Guide

Computer Associates Corporation Publications

CA-EXAMINE Product Manuals

CA-ACF2 Product Manuals

CA-TOP SECRET Product Manuals

Other

TMON for MVS Product Manuals

TMON for CICS Product Manuals

FDR Product Manuals

OMEGAMON/OMEGAMON II Product Manuals

1069