NIST Security Configuration Checklists Repository
BETA

OS/390 Security Technical Implementation Guide

Name

OS/390 Security Technical Implementation Guide, v5 Release 2.3

Version

Version 5, Release 2.3

Status

Final

Creation Date

Not Available

Revision Date

2007-05-30

Product Category

Operating System

Vendor

IBM

Product

IBM OS/390 Operating System, z/OS Operating System

Product Version

IBM OS/390 Operating System, z/OS Operating System

Product Role

Server

Checklist Summary

The OS/390 Security Technical Implementation Guide defines the technical criteria necessary to implement Mission Assurance Category (MAC) II Sensitive functionality. The purpose of this document is not to define policy, but to document the procedures and parameters necessary to implement policy. Policy serves no value if it cannot be technically implemented. When implementing security within the OS/390 operating platform, or within any platform, essentially three criteria must be considered: confidentiality, integrity, and availability. OS/390 Security Design: Most mainframe information systems deployed throughout DOD use the IBM OS/390 or z/OS operating system. Controls within OS/390 and z/OS have been developed and documented in IBM references to ensure operating system integrity is maintained. The OS/390 and z/OS operating system, as distributed by IBM, provides integrity of the operating environment as part of the trusted computer base, as defined in DoDD 8500.1. Controls have been developed and documented in IBM references to ensure this integrity.

This document defines the requirements, standards, controls, and options that must be in place in order to comply with the MAC II Sensitive requirements. Security mechanisms that provide MAC II Sensitive level controls for the OS/390 and z/OS operating environments are implemented by the addition of Access Control Products (ACPs). The ACPs currently in use throughout DOD are listed below:

- Access Control Facility 2 (ACF2) - Computer Associates (CA)

- Resource Access Control Facility (RACF) - IBM Corporation

- TOP SECRET - Computer Associates (CA)

To maintain the integrity of the site, the ACP must be properly installed and configured. Options specified during the installation and techniques involved in the administration of these products can reduce the assurance introduced into the individual operating environment. As a result, guidance is needed on how these products should be configured in the operational environment.

The site may implement additional security as necessary to allow multiple partitions to exist on the same physical box without risk to the integrity of the operating system. Many of the sites running OS/390 and z/OS are doing so on processors capable of executing multiple environments concurrently. In addition to the security required within OS/390 and z/OS, additional requirements are necessary to ensure the integrity of each environment.

Known Issues

The Security Technical Implementation Guides (STIGs) were initially developed to assist the sites in securing their systems against security and infrastructure vulnerabilities. All sites have a vested interest in maintaining system security, as it directly impacts the site's Certification and Accreditation (C&A). Sites are mandated by DISA to have a valid C&A status by the authority derived from DOD Directive 8500.1, Security Requirements for Automated Information Systems, 24 October 2002, and the Computer Security Act of 1987, Public Law 100-235, January 1988. The requirements for accreditation of DISA Information Technology, as described here, are found in DISAI 630-230-19, DISA Information Systems Security Program, July 1996. Compliance with the applicable Security Technical Implementation Guide (STIG) is mandatory for systems residing in a DISA facility and for any system directly administered by DISA. The use of the principles and guidelines in this STIG will provide an environment that meets or exceeds the security requirements of DOD systems operating at the Mission Assurance Category (MAC) II Sensitive level, containing unclassified but sensitive information.

Target Audience

Developed for the DOD.
The requirements set forth in this document will assist Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), System Administrators (SAs), and systems programming personnel in support of protecting OS/390 and z/OS operating systems, ACPs, and IA-enabled products. This document assumes that the reader has experience installing and administering the OS/390 and/or the z/OS operating systems.

Target Operational Environment

Enterprise and Specialized Security-Limited Functionality.

Checklist Installation Tools

Not Available.

Rollback Capability

Not Available.

Testing Information

Not Available.

NIAP/CMVP Status

Not Available.

Regulatory Compliance

DOD Directive 8500.

Comments, Warnings, Disclaimer, Miscellaneous

Refer to Known Issues.

Disclaimer

Not Available.

Product Support

It should be noted that FSO Support for the STIGs, Checklists, and Tools is only available to DOD Customers.

Submitting Organization/Authors

Defense Information Systems Agency

Point of Contact

Not Available.

Sponsor

Not Available.

Licensing

Not Available.

Checklist Homepage

http://iase.disa.mil/stigs/stig/index.html

Download Package

http://iase.disa.mil/stigs/stig/OS390_V5R23.zip

Integrity

SHA1 Digest (OS390_V5R23.zip) = 5ebcd1986c6203116d1c26adb722e1faab4d8810

SHA256 Digest (OS390_V5R23.zip) = e6d498ce3b10488f867a977185ac95b9942c4f23ac46b05c93f61227776d1c0f

Change History

v5 Release 0 Volume 1: 2004-07-26
v5 Release 1 Volume 1: 2005-01-21
v5 Release 2: 2006-09-19
v5 Release 2.2: 2007-03-23
v5 Release 2.3: 2007-05-30

Dependency/Requirement

OS/390 Security Technical Implementation Guide, v5 Release 1, Volume 2 of 2
OS/390 RACF Checklist, Version 4 Release 1.5
OS/390 ACF2 Checklist, Version 4 Release 1.5
OS/390 TSS Checklist, Version 4 Release 1.5

References

Not Available.

NIST Identifier

1072




NIST and the checklist submitter do not guarantee or warrant the checklist's accuracy or completeness. NIST is not responsible for loss, damage, or problems that may be caused by using the checklist.

Last updated: May 30, 2007
Page created: October 28, 2004

Send comments or suggestions to checklists@nist.gov
NIST is an Agency of the U.S. Commerce Department's Technology Administration