kriterion 0.0.1

data/standards/stig_zos_netviewracf.json

@@ -0,0 +1,47 @@
+{
+  "name": "stig_zos_netviewracf",
+  "date": "2016-06-30",
+  "description": "None",
+  "title": "z/OS NetView for RACF STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-16932",
+      "title": "NetView install data sets are not properly protected.",
+      "description": "NetView Install data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17067",
+      "title": "NetView STC data sets are not properly protected.",
+      "description": "NetView STC data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17452",
+      "title": "NetView Started Task name(s) is not properly identified / defined to the system ACP.\n",
+      "description": "NetView requires a started task(s) that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17454",
+      "title": "IBM Tivoli NetView Started task(s) must be properly defined to the STARTED resource class for RACF.",
+      "description": "Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources.  Improper control of product resources could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17947",
+      "title": "NetView resources must be properly defined and protected.",
+      "description": "NetView can run with sensitive system privileges, and potentially can circumvent system controls.  Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data.  Many utilities assign resource controls that can be granted to system programmers only in greater than read authority.  Resources are also granted to certain non systems personnel with read only authority.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18014",
+      "title": "NetView configuration/parameter values must be specified properly.",
+      "description": "NetView configuration/parameters control the security and operational characteristics of products.  If these parameter values are improperly specified, security and operational controls may be weakened.  This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_zos_netviewtss.json

@@ -0,0 +1,53 @@
+{
+  "name": "stig_zos_netviewtss",
+  "date": "2016-06-30",
+  "description": "None",
+  "title": "z/OS NetView for TSS STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-16932",
+      "title": "NetView install data sets are not properly protected.",
+      "description": "NetView install data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17067",
+      "title": "NetView STC data sets are not properly protected.",
+      "description": "NetView STC data sets provide the capability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to their data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17452",
+      "title": "NetView Started Task name(s) is not properly identified / defined to the system ACP.",
+      "description": "NetView requires a started task(s) that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17454",
+      "title": "IBM Tivoli NetView Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.",
+      "description": "Access to product  resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources.  Improper control of product resources could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17469",
+      "title": "NetView is not properly defined to the Facility Matrix Table for Top Secret.",
+      "description": "Improperly defined security controls for the Product could result in the compromise of the network, operating system, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17947",
+      "title": "NetView resources must be properly defined and protected.",
+      "description": "NetView can run with sensitive system privileges, and potentially can circumvent system controls.  Failure to properly control access to product resources could result in the compromise of the operating system environment, and compromise the confidentiality of customer data.  Many utilities assign resource controls that can be granted to system programmers only in greater than read authority.  Resources are also granted to certain non systems personnel with read only authority.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-18014",
+      "title": "NetView configuration/parameter values must be specified properly.",
+      "description": "NetView configuration/parameters control the security and operational characteristics of products.  If these parameter values are improperly specified, security and operational controls may be weakened.  This exposure may threaten the availability of the product applications, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_zos_quest_nc-passacf2.json

@@ -0,0 +1,35 @@
+{
+  "name": "stig_zos_quest_nc-passacf2",
+  "date": "2015-01-15",
+  "description": "None",
+  "title": "z/OS Quest NC-Pass for ACF2 STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-16932",
+      "title": "Quest NC-Pass installation data sets will be properly protected.",
+      "description": "Quest NC-Pass installation data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17067",
+      "title": "Quest NC-Pass STC data sets will be properly protected.",
+      "description": "Quest NC-Pass STC data sets have the ability to use privileged functions and/or have access to sensitive data.  Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17452",
+      "title": "Quest NC-Pass Started Task name will be properly identified and/or defined to the system ACP.",
+      "description": "Quest NC-Pass requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17947",
+      "title": "Quest NC-Pass will be used by Highly-Sensitive users.",
+      "description": "DISA has directed that Quest NC-Pass extended authentication be implemented on all domains. All users with update and alter access to sensitive system-level data sets and resources, or who possess special security privileges, are required to use NC-Pass for extended authentication.  Typical personnel required to use NC-Pass include, but are not limited to, systems programming, security, operations, network/communications, storage management, and production control.\n\nImproper enforcement of extended authentication through NC-Pass could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_zos_quest_nc-passracf.json

@@ -0,0 +1,41 @@
+{
+  "name": "stig_zos_quest_nc-passracf",
+  "date": "2015-01-15",
+  "description": "None",
+  "title": "z/OS Quest NC-Pass for RACF STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-16932",
+      "title": "Quest NC-Pass installation data sets will be properly protected.",
+      "description": "Quest NC-Pass installation data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17067",
+      "title": "Quest NC-Pass STC data sets will be properly protected.",
+      "description": "Quest NC-Pass STC data sets have the ability to use privileged functions and/or have access to sensitive data.  Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17452",
+      "title": "Quest NC-Pass Started Task name will be properly identified and/or defined to the system ACP.",
+      "description": "Quest NC-Pass requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17454",
+      "title": "Quest NC-Pass Started task will be properly defined to the STARTED resource class for RACF.",
+      "description": "Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources.  Improper control of product resources could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17947",
+      "title": "Quest NC-Pass will be used by Highly-Sensitive users.",
+      "description": "DISA has directed that Quest NC-Pass extended authentication be implemented on all domains. All users with update and alter access to sensitive system-level data sets and resources, or who possess special security privileges, are required to use NC-Pass for extended authentication.  Typical personnel required to use NC-Pass include, but are not limited to, systems programming, security, operations, network/communications, storage management, and production control.\n\nImproper enforcement of extended authentication through NC-Pass could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_zos_quest_nc-passtss.json

@@ -0,0 +1,47 @@
+{
+  "name": "stig_zos_quest_nc-passtss",
+  "date": "2015-01-15",
+  "description": "None",
+  "title": "z/OS Quest NC-Pass for TSS STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-16932",
+      "title": "Quest NC-Pass installation data sets will be properly protected.",
+      "description": "Quest NC-Pass installation data sets have the ability to use privileged functions and/or have access to sensitive data. Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17067",
+      "title": "Quest NC-Pass STC data sets will be properly protected.",
+      "description": "Quest NC-Pass STC data sets have the ability to use privileged functions and/or have access to sensitive data.  Failure to properly restrict access to these data sets could result in violating the integrity of the base product which could result in compromising the operating system or sensitive data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17452",
+      "title": "Quest NC-Pass Started Task name will be properly identified and/or defined to the system ACP.",
+      "description": "Quest NC-Pass requires a started task that will be restricted to certain resources, datasets and other system functions. By defining the started task as a userid to the system ACP, It allows the ACP to control the access and authorized users that require these capabilities. Failure to properly control these capabilities, could compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17454",
+      "title": "Quest NC-Pass Started task will be properly defined to the Started Task Table ACID for Top Secret.",
+      "description": "Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to access these resources.  Improper control of product resources could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17469",
+      "title": "Quest NC-Pass will be properly defined to the Facility Matrix Table. ",
+      "description": "Improperly defined security controls for Quest NC-Pass could result in the compromise of the network, operating system, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-17947",
+      "title": "Quest NC-Pass will be used by Highly-Sensitive users.",
+      "description": "DISA has directed that Quest NC-Pass extended authentication be implemented on all domains. All users with update and alter access to sensitive system-level data sets and resources, or who possess special security privileges, are required to use NC-Pass for extended authentication.  Typical personnel required to use NC-Pass include, but are not limited to, systems programming, security, operations, network/communications, storage management, and production control.\n\nImproper enforcement of extended authentication through NC-Pass could potentially compromise the operating system, ACP, and customer data.",
+      "severity": "medium"
+    }
+  ]
+}

data/standards/stig_zos_racf.json

@@ -0,0 +1,1415 @@
+{
+  "name": "stig_zos_racf",
+  "date": "2018-04-04",
+  "description": "None",
+  "title": "z/OS RACF STIG",
+  "version": "None",
+  "item_syntax": "^\\w-\\d+$",
+  "section_separator": null,
+  "items": [
+    {
+      "id": "V-100",
+      "title": "Non-existent or inaccessible LINKLIST libraries.",
+      "description": "LINKLIST libraries give a common access point for the general usage of modules.  Many of the subsystems installed on a domain rely upon these modules for proper execution.  If the list of libraries found in this LINKLIST is not properly maintained, the integrity of the operating environment is subject to compromise.",
+      "severity": "low"
+    },
+    {
+      "id": "V-101",
+      "title": "Non-standard SMF data collection options specified.",
+      "description": "SMF data collection is the basic unit of tracking of all system functions and actions.  Included in this tracking data are the audit trails from each of the ACPs.  If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-102",
+      "title": "Required SMF data record types must be collected.",
+      "description": "SMF data collection is the basic unit of tracking of all system functions and actions.  Included in this tracking data are the audit records from each of the ACPs and system.  If the required SMF data record types are not being collected, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-103",
+      "title": "An automated process is not in place to collect and retain SMF data.",
+      "description": "SMF data collection is the basic unit of tracking of all system functions and actions.  Included in this racking data is the audit trail from the ACP.  If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored and its use in the execution of a contingency plan could be compromised.   Failure to collect SMF data in a timely fashion can result in the loss of critical system data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-104",
+      "title": "ACP database is not on a separate physical volume from its backup and recovery datasets.  ",
+      "description": "The ACP backup and recovery data files provide the only means of recovering the ACP database in the event of its damage.  In the case where this damage is to the physical volume on which it resides, and any of these recovery data files exist on this volume as well, then complete recovery of the ACP database would be extremely difficult, if even possible.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-105",
+      "title": "ACP database is not backed up on a scheduled basis.",
+      "description": "Loss of the ACP database would cause an interruption in the service of the operating system environment.  If regularly scheduled backups of this database are not processed, system recovery time could be unacceptably long.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-106",
+      "title": "System DASD backups are not performed on a regularly scheduled basis.",
+      "description": "If backups of the operating environment are not properly processed, implementation of a contingency plan would not include the data necessary to fully recover from any outage.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-107",
+      "title": "PASSWORD data set and OS passwords are utilized.",
+      "description": "All protection of system resources must come from the ACP.  If multiple protection mechanisms are in place, the accessibility of data, specifically under contingency plan execution, is subject to compromise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-108",
+      "title": "SYS1.PARMLIB is not limited to only system programmers.",
+      "description": "SYS1.PARMLIB contains the parameters which control system IPL, configuration characteristics, security facilities, and performance.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-109",
+      "title": "Access to SYS1.LINKLIB is not properly protected.",
+      "description": "This data set is automatically APF-authorized, contains system SVCs and the base PPT.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-110",
+      "title": "Write or greater access to SYS1.SVCLIB must be limited to system programmers only.",
+      "description": "This data set is automatically APF-authorized, contains system SVCs, and may also contain I/O appendages. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-111",
+      "title": "Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.\n  ",
+      "description": "SYS1.IMAGELIB is a partitioned data set containing universal character set (UCS), forms control buffer (FCB), and printer control information. Most IBM standard UCS images are included in SYS1.IMAGELIB during system installation. This data set should be protected as a z/OS system data set.",
+      "severity": "high"
+    },
+    {
+      "id": "V-112",
+      "title": "Write or greater access to SYS1.LPALIB must be limited to system programmers only. \n ",
+      "description": "SYS1.LPALIB is automatically APF-authorized during IPL processing and can contain SVCs. LPA modules, once loaded into the Link Pack Area, are capable of performing APF-authorized functions. This authorization allows a program to bypass various levels of security checking. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-113",
+      "title": "Update and allocate access to all APF -authorized libraries are not limited to system programmers only.  ",
+      "description": "The Authorized Program List designates those libraries that can contain program modules which possess a significant level of security bypass capability.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-114",
+      "title": "Write or greater access to all LPA libraries must be limited to system programmers only.",
+      "description": "LPA modules, once loaded into the Link Pack Area, are capable of performing APF-authorized functions. This authorization allows a program to bypass various levels of security checking. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-115",
+      "title": "Write or greater access to SYS1.NUCLEUS must be limited to system programmers only. ",
+      "description": "This data set contains a large portion of the system initialization (IPL) programs and pointers to the master and alternate master catalog. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-116",
+      "title": "Write or greater access to libraries that contain PPT modules must be limited to system programmers only.",
+      "description": "Specific PPT designated program modules possess significant security bypass capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-117",
+      "title": "Update and allocate access to LINKLIST libraries are not limited to system programmers only.  ",
+      "description": "The primary function of the LINKLIST is to serve as a single repository for commonly used system modules.  Failure to ensure that the proper set of libraries are designated for LINKLIST can impact system integrity, performance, and functionality.  For this reason, controls must be employed to ensure that the correct set of LINKLIST libraries are used.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-118",
+      "title": "The ACP security data sets and/or databases must be properly protected.",
+      "description": "The Access Control Program (ACP) database files contain all access control information for the operating system environment and system resources. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-119",
+      "title": "Access greater than Read to the System Master Catalog must be limited to system programmers only.   ",
+      "description": "System catalogs are the basis for locating all files on the system. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.\n",
+      "severity": "high"
+    },
+    {
+      "id": "V-120",
+      "title": "Update and allocate access to all system-level product installation libraries are not limited to system programmers only.  ",
+      "description": "System-level product installation libraries constitute the majority of the systems software libraries.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-121",
+      "title": "Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.  ",
+      "description": "The JES2 System data sets are a common repository for all jobs submitted to the system and the associated printout and configuration of the JES2 environment. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-122",
+      "title": "Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.",
+      "description": "SYS1.UADS is the data set where emergency USERIDs are maintained. This ensures that logon processing can occur even if the ACP is not functional. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-123",
+      "title": "Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.  ",
+      "description": "SMF data collection is the system activity journaling facility of the z/OS system.  With the proper parameter designations it serves as the basis to ensure individual user accountability.  SMF data is the primary source for cost charge back in DISA.  Unauthorized access could result in the compromise of logging and recording of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-124",
+      "title": "Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.  ",
+      "description": "SMF backup data sets are those data sets to which SMF data has been offloaded in order to ensure a historical tracking of individual user accountability.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-125",
+      "title": "Access to SYSTEM DUMP data sets are not limited to system programmers only.  ",
+      "description": "System DUMP data sets are used to record system data areas and virtual storage associated with system task failures.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-126",
+      "title": "Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.",
+      "description": "System backup data sets are necessary for recovery of DASD resident data sets.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-127",
+      "title": "Access to SYS(x).TRACE is not limited to system programmers only.",
+      "description": "SYS1.TRACE is used to trace and debug system problems.  Unauthorized access could result in a compromise of the integrity and availability of all system data and processes.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-128",
+      "title": "Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.",
+      "description": "Page data sets hold individual pages of virtual storage when they are paged out of real storage.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-129",
+      "title": "Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.",
+      "description": "System exits have a wide range of uses and capabilities within any system. Exits may introduce security exposures within the system, modify audit trails, and alter individual user capabilities. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-15209",
+      "title": "Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.",
+      "description": "Vendors' code may contain  vulnerabilities that may be exploited to cause denial of service or to violate the integrity of the system or data on the System. Most vendors develop patches to correct these vulnerabilities. These patches must be applied and documented. ",
+      "severity": "high"
+    },
+    {
+      "id": "V-17839",
+      "title": "Batch job user Ids must be properly defined.",
+      "description": "Batch jobs are submitted to the operating system under their own USERID.  This will identify the batch job with the user for the purpose of accessing resources.  BATCHALLRACF ensures that a valid USERID is associated with batch jobs.  Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system.  Without a batch job having an associated USERID, access to system resources will be limited.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-182",
+      "title": "Memory and privileged program dumps must be protected in accordance with proper security requirements.",
+      "description": "Access to memory and privileged program dumps running Trusted Control Block (TCB) key 0-7 may hold passwords, encryption keys, or other sensitive data that must not be made available. Failure to properly control access to these facilities could result in unauthorized personnel modifying sensitive z/OS lists. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-184",
+      "title": "LOGONIDs must not be defined to SYS1.UADS for non-emergency use.",
+      "description": "SYS1.UADS is a dataset where LOGONIDs will be maintained with applicable password information when the ACP is not functional. If an unauthorized user has access to SYS1.UADS, they could enter their LOGONID and password into the SYS1.UADS dataset and could give themselves all special attributes on the system. This could enable the user to bypass all security and alter data. They could modify the audit trail information so no trace of their activity could be found.",
+      "severity": "high"
+    },
+    {
+      "id": "V-234",
+      "title": "All system PROCLIB data sets must be limited to system programmers only",
+      "description": "Unauthorized access to PROCLIB data sets referenced in the JES2 procedure can allow unauthorized modifications to STCs and other system level procedures.  This could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-23837",
+      "title": "z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.",
+      "description": "A product that generates reports validating changes, additions or removal from APF and LPA libraries, as well as changes to SYS1.PARMLIB PDS members, should be run against system libraries to provide a baseline analysis to allow monitoring of changes to these libraries. Failure to monitor and review these reports on a regular bases and validating any changes could threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.       ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-251",
+      "title": "Sensitive CICS transactions are not protected in accordance with security requirements.",
+      "description": "Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS.  These transactions must be protected so that only authorized users can access them.  Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-254",
+      "title": "The Automatic Data Set Protection (ADSP) SETROPTS value is not set to NOADSP.",
+      "description": "(RACF0250: CAT II) ADSP indicates that RACF automatically creates discrete data set profiles to protect datasets created by users having this attribute.\n\nADSP specifies that data sets created by users who have the ADSP attribute will be RACF protected automatically.  NOADSP cancels automatic RACF protection for users who have ADSP.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-255",
+      "title": "The AUDIT SETROPTS value is improperly set.",
+      "description": "(RACF0260: CAT II) AUDIT specifies the names of the classes for which you want RACF to perform auditing.  For the classes that you specify, RACF logs all uses of the RACDEF SVC and all changes made to profiles by RACF commands.  NOAUDIT cancels auditing.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-256",
+      "title": "The CLASSACT SETROPTS must be specified for the TEMPDSN Class. ",
+      "description": "CLASSACT specifies those classes defined by entries in the class descriptor table for which RACF checking is to be ACTIVE.  DATASET, USER, and GROUP are active by default and cannot be activated or deactivated.\n\nThe system-wide options control the default settings for determining how the Access Control Program (ACP) will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-257",
+      "title": "The CMDVIOL SETROPTS value is not set to CMDVIOL.  ",
+      "description": "(RACF0280: CAT II) The CMDVIOL specifies whether RACF is to log violations detected by RACF commands.  You must have the auditor attribute to specify these commands.  A violation may occur because a user is not authorized to modify a particular profile, or is not authorized to enter a particular operand on a command.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-258",
+      "title": "The EGN SETROPTS value specified is not set to EGN.",
+      "description": "(RACF0290: CAT II) EGN changes the meaning of the signle generic character *.  The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-259",
+      "title": "The ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems.",
+      "description": "The ERASE ALL specifies that data management is to erase all scratched data sets including temporary data sets.  NOERASE specifies that no DASD data sets are erased when deleted.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-260",
+      "title": "The GENCMD SETROPTS value is not enabled for ACTIVE classes.",
+      "description": "(RACF0310: CAT II) The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-261",
+      "title": "The GENERIC SETROPTS value is not enabled for ACTIVE classes.",
+      "description": "(RACF0320: CAT II) The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-262",
+      "title": "The TERMINAL SETROPTS value is not set to READ.",
+      "description": "(RACF0330: CAT II) TERMINAL is used to set the universal access authority (UACC) associated with undefined terminals.  If you specify TERMINAL, but do not specify read or none, the system will prompt you for a value.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-263",
+      "title": "The PASSWORD(MINCHANGE) value will specified a value greater the zero (0).",
+      "description": "MINCHANGE specifies the number of days that must pass between a user’s password and password phrase changes.  Users can not change their own passwords and password phrases within the minimum change interval.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-264",
+      "title": "The INACTIVE SETROPTS value is not set to 35 days.",
+      "description": "The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-265",
+      "title": "The GRPLIST SETROPTS value is not set to ACTIVE.",
+      "description": "(RACF0350: CAT II) GRPLIST specifies that RACF processing is to perform group list access checking for all system users.  When you specify GRPLIST, a users authority to access a resource is not based only on the authority of the users current connect group; access is based on the authority of any group to which the user is connected.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-266",
+      "title": "The INITSTATS SETROPTS value is not set to INITSTATS.",
+      "description": "RACF0370: CAT II) INITSTATS specifies statistics available during RACINIT SVC processing are to be recorded.  These statistics include the date and time RACINIT is issued for a particular user, the number of RACINITs for a user to a particular group, and the date and time of the last RACINIT for a user to a particular group.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-267",
+      "title": "The JES(BATCHALLRACF) SETROPTS value is not set to JES(BATCHALLRACF).",
+      "description": "(RACF0380: CAT II) JES(BATCHALLRACF) specifies that JES is to test for the presence of a USERID and password on the job statement or for propagated RACF identification information for all batch jobs.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-269",
+      "title": "The JES(XBMALLRACF) SETROPTS value is not set to JES(XBMALLRACF).",
+      "description": "(RACF0400: CAT II) XBMALLRACF ensures that (assuming you have JES configured to support XBM jobs) any XBM job submitted by a user must have a RACF identity or the job\nwill fail.  This is used only in JES2.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-270",
+      "title": "The OPERAUDIT SETROPTS value is not set to OPERAUDIT.",
+      "description": "(RACF0420: CAT II) OPERAUDIT specifies whether RACF is to log all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group OPERATIONS attribute.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-271",
+      "title": "The PASSWORD(HISTORY) SETROPTS value is not set to 10.",
+      "description": "(RACF0430: CAT II) HISTORY specifies the number of previous passwords that RACF saves for each USERID and compares with an intended new password.  If there is a match with one of the previous passwords, or with the current password, RACF rejects the intended new password.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-272",
+      "title": "The PASSWORD(INTERVAL) SETROPTS value is not set to 60 days.",
+      "description": "(RACF0440: CAT II) INTERVAL specifies the maximum number of days that each users password is valid.   When a user logs on to the system, RACF compares the system password interval value specified in the user profile.  RACF uses the lower of the two values to determine if the users password has expired.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-273",
+      "title": "The PASSWORD(REVOKE) SETROPTS value specified is not in accordance with security requirements.",
+      "description": "(RACF0450: CAT II) The IAO will ensure that PASSWORD(REVOKE) SETROPTS value is\nset to 1 or 2.  This value specifies the number of consecutive incorrect password attempts RACF allows before it revokes the USERID on the next incorrect attempt. If you specify REVOKE, ensure\nINITSTATS are in effect.  \n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-274",
+      "title": "The PASSWORD(RULEn) SETROPTS value(s) must be properly set.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.  Password complexity is one factor of several that determine how long it takes to crack a password.  The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.  Use of a complex password helps to increase the time and resources required to compromise the password.\n\nThe PASSWORD SETROPTS value(s) specify the rules that RACF will apply when a user selects a new password.  Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-275",
+      "title": "The PASSWORD(WARNING) SETROPTS value is improperly set.",
+      "description": "WARNING specifies the number of days before a password expires when RACF\nis to issue a warning message to the user.  \n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-276",
+      "title": "The PROTECTALL SETROPTS value specified is improperly set.",
+      "description": "When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected.\n\nTemporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing.  PROTECTALL requires that data sets be RACF protected.  In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking.   Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "high"
+    },
+    {
+      "id": "V-277",
+      "title": "The REALDSN SETROPTS value specified is improperly set.",
+      "description": "REALDSN specifies that RACF is to record, in any SMF log records and operator messages, the real data set name (not the naming-conventions name) used on the data set commands and during resource access checking and resource definition.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "low"
+    },
+    {
+      "id": "V-278",
+      "title": "The RETPD SETROPTS value specified is improperly set.",
+      "description": "RETPD specifies the default RACF security retention period for tape data sets. The security\nretention period is the number of days that RACF protection is to remain in effect for the\ntape data set and should be set to a value of 99999.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-279",
+      "title": "The SETROPTS RVARYPW values will be properly set.",
+      "description": "RVARYPW specifies passwords that an operator is to use to respond with requests to approve RVARY command processing.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-280",
+      "title": "The SAUDIT SETROPTS value specified is improperly set.",
+      "description": "SAUDIT specifies whether RACF is to log all RACF commands issued by users with the\nSPECIAL or group SPECIAL attribute.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-282",
+      "title": "The TAPEDSN SETROPTS value specified is improperly set.",
+      "description": "TAPEDSN activates tape data set protection. When tape data set protection is\nin effect, RACF can protect individual tape data sets as well as tape volumes.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-283",
+      "title": "The WHEN(PROGRAM) SETROPTS value specified is not active.",
+      "description": "WHEN(PROGRAM) activates RACF program control, which\nincludes both access control to load modules and program access to data sets.\n\nThe system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data.  The ACP provides the ability to set a number of these fields at the subsystem level.  If no setting is found, the system-wide defaults will be used.  The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.  In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-284",
+      "title": "RACF users do not have the required default fields.  ",
+      "description": "Ensure that Every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate fields are completed.  This will uniquely identify each user.  If these fields are not completed for each user, user accountability will become lost.\n\nEvery user will be identified to RACF via each user’s unique userid profile. To RACF, a user is\nan individual (user), a started task, or a batch job. Every userid will be fully identified within\nRACF with the following fields completed:\nNAME User’s name\nDFLTGRP Default group\nOWNER User’s profile owner\nPASSWORD Password\n\nRACF will automatically assign the default group as the password if a password is not explicitly\ncoded. Assign a unique password to every userid to prevent unauthorized access by a person\nwho knows the default group for a new userid.",
+      "severity": "low"
+    },
+    {
+      "id": "V-285",
+      "title": "Interactive USERIDs defined to RACF must have the required fields completed.",
+      "description": "Improper assignments of attributes in the LOGONID record may allow users excessive privileges resulting in unauthorized access.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-286",
+      "title": "RACF batch jobs are improperly secured.",
+      "description": "Batch jobs that are submitted to the operating system should inherit the USERID of the submitter.  This will identify the batch job with a userid for the purpose of accessing resources.  BATCHALLRACF ensures that a valid USERID is associated with batch jobs.  Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system.  Without a batch job having an associated USERID, access to system resources will be limited.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-28603",
+      "title": "z/OS  USS Software owning Shared accounts do not meet strict security and creation restrictions. ",
+      "description": "Shared accounts by nature are a violation of proper audit trail and proper user authentication. If not properly controlled, could cause system corruption without an audit trail tracking session\nactivity to an individual user's identity.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-287",
+      "title": "RACF batch jobs are not protected with propagation control.",
+      "description": "Batch jobs that are user-submitted to the operating system should inherit the USERID of the submitter.  This will identify the batch job with the user for the purpose of accessing resources.  In some environments, such as CICS, jobs submitted without the USER operand specified on the JOB statement run under a user ID other than the user submitting the job, in this case, the CICS userid.  This situation presents a security violation in that the issuer of the job will inherit the authority of the CICS userid.  \n\nThe PROPCNTL Class was designed to prevent this from occurring.  Utilize propagation control (PROPCNTL) for system-level address spaces that submit jobs on behalf of users.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-288",
+      "title": "Started Tasks are not properly identified to RACF.",
+      "description": "Started procedures have system generated job statements that do not contain the user, group, or password statements.  To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID.  If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-289",
+      "title": "Started Tasks are improperly defined to RACF.",
+      "description": "Started procedures have system generated job statements that do not contain the user, group, or password statements.  To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID.  If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.  If the started procedure is associated with an incorrect user or a user with higher than necessary authority then a potential vulnerability exists.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-290",
+      "title": "DASD Management USERIDs must be properly controlled.",
+      "description": "DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment.  These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes.  Access to individual profiles in the DATASET class should be disallowed.  These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-291",
+      "title": "There are started tasks defined to RACF with the trusted attribute that are not justified.",
+      "description": "Trusted Started tasks bypass RACF checking.  It is vital that this attribute is NOT granted to unauthorized Started Tasks which could then obtain unauthorized access to the system.  This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-292",
+      "title": "Emergency USERIDs must be properly defined.",
+      "description": "Emergency USERIDs are necessary in the event of a system outage for recovery purposes.  It is critical that those USERIDs be defined with the appropriate access to ensure timely restoration of services.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-293",
+      "title": "The use of the RACF SPECIAL Attribute is not justified.",
+      "description": "The SPECIAL user attribute allows full authorization to modify all profiles in the RACF database and allows the user to perform all RACF functions, except those requiring AUDITOR attributes.  This privilege should be limited to the security group and administrators because of the extreme control that these users have.  Users with this privilege can alter any profile or resource on the system and could also alter the audit trail information.\n\nThe Group-Special attribute allows decentralized RACF control of datasets and resources.  In cases where the scope of authority granted to a Group-Special Administrator has an impact on system security, the IAO needs to be fully aware and approve its use.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-294",
+      "title": "Assignment of the RACF OPERATIONS attribute to individual userids is not fully justified.\n",
+      "description": "A user possessing the OPERATIONS attribute has authorization to do maintenance operations on all RACF-protected data sets, tape volumes, and DASD volumes except those where the access list specifically limits the OPERATIONS user to a lower access authority than the operation requires.\n\nBecause the OPERATIONS and GROUP-OPERATIONS privileges allow widespread access they should be limited to users documented with a valid requirement.  Delegation of GROUP-OPERATIONS processing to other personnel by site-defined Group Administrators is forbidden.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-295",
+      "title": "The use of the RACF AUDITOR privilege is not justified.",
+      "description": "A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information.  With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found.  This could destroy audit trace information for the RACF system.  This attribute should be limited to a minimum number of people.  This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29532",
+      "title": "IEASYMUP resource will be protected in accordance with proper security requirements.",
+      "description": "Failure to properly control access to the IEASYMUP resource could result in unauthorized\npersonnel modifying sensitive z/OS symbolics. This exposure may threaten the integrity and\navailability of the operating system environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-296",
+      "title": "The number of USERIDs possessing the Tape Bypass Label Processing (BLP) privilege is not justified.\n",
+      "description": "BLP is extremely sensitive, as it allows the circumvention of security access checking for the data.  When BLP is used in z/OS, the only verification that is done is for the data set name in the JCL.  Any data set name can be used.  A user could specify a data set name that he has access to, the job would pass the validation check, and the job would be processed, giving access to the data.  BLP is typically used for tapes that are external to the tape management system used on the processor.\n\nBLP should be granted to only a limited number of people, preferably the tape librarian and a few key people from the operations staff.  If an unauthorized user possesses BLP authority, they could potentially read any restricted tape and modify any information once it has been copied.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-297",
+      "title": "TSOAUTH resources must be restricted to authorized users.",
+      "description": "The TSOAUTH resource class controls sensitive privileges, such as OPER, ACCOUNT, MOUNT, TESTAUTH, CONSOLE, and PARMLIB. Several of these privileges offer the ability, or provide a facility, to modify sensitive operating system resources. Failure to properly control and restrict access to these privileges may result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-298",
+      "title": "DASD Volume level protection must be properly defined.",
+      "description": "Volume access grants default access to all data sets residing on a given volume.  This presents an exposure in the case of a data set improperly placed on a volume or inappropriate access being granted to a volume.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-299",
+      "title": "Sensitive Utility Controls will be properly defined and protected.",
+      "description": "Sensitive Utility Controls can run sensitive system privileges or controls, and potentially can circumvent system and security controls.  Failure to properly control access to these resources could result in the compromise of the confidentiality, integrity, and availability of the operating system environment, system services, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-29952",
+      "title": "FTP Control cards will be properly stored in a secure PDS file. ",
+      "description": "FTP control cards carry unencrypted information such as userids, passwords and remote IP Addresses. Without a requirement to store this information separate from the JCL and in-stream JCL, it allows a security exposure by allowing read exposure to this information from anyone having access to the JCL libraries.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-301",
+      "title": "External RACF Classes are not active for CICS transaction checking.",
+      "description": "Implement CICS transaction security by utilizing two distinct and unique RACF resource\nclasses (i.e., member and grouping) within each CICS region. If several CICS regions are\ngrouped in an MRO environment, it is permissible for those grouped regions to share a\ncommon pair of resource classes. Member classes contain a RACF discrete profile for\neach transaction. Grouping classes contain groups of transactions requiring equal\nprotection under RACF. Ideally, member classes contain no profiles, and all transactions\nare defined by groups in a grouping class.\n\nIf CICS Classes are not active, this could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-302",
+      "title": "CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.",
+      "description": "The CICS SIT is used to define system operation and configuration parameters of a CICS system.  Several of these parameters control the security within a CICS region.  Failure to code the appropriate values could result in unexpected operations and degraded security.  This exposure may result in unauthorized access impacting the confidentiality, integrity, and availability of the CICS region, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-31",
+      "title": "DFSMS resources must be protected in accordance with the proper security requirements.",
+      "description": "DFSMS provides data, storage, program, and device management functions for the operating system.  Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls.  Failure to properly protect DFSMS resources may result in unauthorized access.  This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-31561",
+      "title": "Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF)",
+      "description": "IBM Websphere MQ can use a user ID associated with an ACP certificate as a channel user ID.  When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks The ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running.  Without a validly defined Certificate Name Filter for the entity IBM Websphere MQ will set the channel user ID to the default.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3215",
+      "title": "Configuration files for the TCP/IP stack are not properly specified.",
+      "description": "The TCP/IP stack reads two configuration files to determine values for critical operational parameters.  These file names are specified in multiple locations and, depending on the process, are referenced differently.  Because system security is impacted by some of the parameter settings, specifying the file names explicitly in each location reduces ambiguity and ensures proper operations.  Inappropriate values could result in undesirable operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3216",
+      "title": "TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.",
+      "description": "During the initialization of TCP/IP servers and clients, the TCPIP.DATA configuration file provides information that is essential for proper operations of TCP/IP applications.  Inappropriate values could result in undesirable operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3217",
+      "title": "PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.",
+      "description": "The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TCP/IP stack.  Inappropriate values could result in undesirable operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3218",
+      "title": "The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.",
+      "description": "HFS directories and files of the Base TCP/IP component provide the configuration, operational, and executable properties of IBMs TCP/IP system product.  Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3219",
+      "title": "TCP/IP resources must be properly protected.",
+      "description": "The Communication Server access authorization is used to protect TCP/IP resources such as stack, network, port, and other SERVAUTH resources. These resources provide additional security checks for TCP/IP users. Failure to properly secure these TCP/IP resources could lead to unauthorized user access resulting in the compromise of some system services and possible compromise of data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3220",
+      "title": "Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.",
+      "description": "The TCP/IP started tasks require special privileges and access to sensitive resources to provide its system services.  Failure to properly define and control these TCP/IP started tasks could lead to unauthorized access.  This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3221",
+      "title": "MVS data sets for the Base TCP/IP component are not properly protected,",
+      "description": "MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBMs TCP/IP system product.  Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3222",
+      "title": "PROFILE.TCPIP configuration statements for the TN3270 Telnet Server are not properly specified.",
+      "description": "The PROFILE.TCPIP configuration file provides system operation and configuration parameters for the TN3270 Telnet Server.  Several of these parameters have potential impact to system security.  Failure to code the appropriate values could result in unexpected operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3223",
+      "title": "VTAM session setup controls for the TN3270 Telnet Server are not properly specified. ",
+      "description": "After a connection from a Telnet client to the TN3270 Telnet Server has been established, the process of session setup with a VTAM application occurs.  A number of BEGINVTAM statements must be coded in a specific configuration to ensure adequate control to VTAM applications is maintained.  Failure to code the appropriate statements could result in unauthorized access to the host and application resources.  This exposure may impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3224",
+      "title": "The warning banner for the TN3270 Telnet Server is not specified or properly specified.",
+      "description": "A logon banner can be used to inform users about the environment during the initial logon.  In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring.  Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3226",
+      "title": "SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.",
+      "description": "During the SSL connection process a mutually acceptable encryption algorithm is selected by the server and client.  This algorithm is used to encrypt the data that subsequently flows between the two.  However, the level or strength of encryption can vary greatly.  Certain configuration options can allow no encryption to be used and others can allow a relatively weak 40-bit algorithm to be used.  Failure to properly enforce adequate encryption strength could result in the loss of data privacy.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3227",
+      "title": "SMF recording options for the TN3270 Telnet Server must be properly specified.",
+      "description": "The TN3270 Telnet Server can provide audit data in the form of SMF records.  The SMF data produced provides information about individual sessions.  This data includes the VTAM application, the remote and local IP addresses, and the remote and local IP port numbers.  Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3229",
+      "title": "The startup user account for the z/OS UNIX Telnet Server is not defined properly.",
+      "description": "The z/OS UNIX Telnet Server (i.e., otelnetd) requires a UID(0) to provide its system services.  After the user enters their userid and password, otelnetd switches to the security context of the users account.  Because the otelnetd account is only used until authentication is completed, there is no need to require a unique account for this function.  This limits the number of privileged accounts defined to the ACP and reduces the exposure potential.  Failure to properly define and control otelnetd could lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3230",
+      "title": "Startup parameters for the z/OS UNIX Telnet Server are not specified properly.",
+      "description": "The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell.  During the initialization process, startup parameters are read to define the characteristics of each otelnetd instance.  Some of these parameters have an impact on system security.  Failure to specify the appropriate command options could result in degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3231",
+      "title": "The warning banner for the z/OS UNIX Telnet Server is not specified or not properly specified.",
+      "description": "A logon banner can be used to inform users about the environment during the initial logon.  Logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring.  Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3232",
+      "title": "HFS objects for the z/OS UNIX Telnet Server will be properly protected. ",
+      "description": "HFS directories and files of the z/OS UNIX Telnet Server provide the configuration and executable properties of this product.  Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3233",
+      "title": "The FTP Server daemon is not defined with proper security parameters.",
+      "description": "The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services.  Failure to properly define and control the FTP Server daemon could lead to unauthorized access.  This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3234",
+      "title": "The startup parameters for the FTP  include the ANONYMOUS, ANONYMOUS=, or INACTIVE  keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.",
+      "description": "During initialization, the FTP daemon reads JCL keywords and configuration files to determine values for critical operational parameters.  Because system security is impacted by some of these parameter settings, controlling these options through the configuration file only and explicitly specifying the file locations reduces ambiguity, enhances security auditing, and ensures proper operations.  Inappropriate values could result in undesirable operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3235",
+      "title": "FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.",
+      "description": "The statements in the FTP.DATA configuration file specify the parameters and values that control the operation of the FTP Server components including the use of anonymous FTP.  Several of the parameters must have specific settings to provide a secure configuration.  Inappropriate values could result in undesirable operations and degraded security.  This exposure may result in unauthorized access impacting data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3236",
+      "title": "User exits for the FTP Server must not be used without proper approval and documentation.",
+      "description": "Several user exit points in the FTP Server component are available to permit customization of its operating behavior.  These exits can be used to modify functions such as FTP command usage, client connection controls, post processing tasks, and SMF record modifications.  Without proper review and adequate documentation of these exit programs, undesirable operations and degraded security may result.  This exposure could lead to unauthorized access impacting data integrity or the availability of some system services, or contribute to the loss of accountability and hamper security audit activities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3237",
+      "title": "The warning banner for the FTP Server is not specified properely.",
+      "description": "A logon banner can be used to inform users about the environment during the initial logon.  In the DISA environment, logon banners are used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring.  Failure to display a logon warning banner without this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3238",
+      "title": "SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.",
+      "description": "The FTP Server can provide audit data in the form of SMF records.  The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands.  Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3239",
+      "title": "The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.\n",
+      "description": "HFS directories and files of the FTP Server provide the configuration and executable properties of this product.  Failure to properly secure these objects may lead to unauthorized access resulting in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3240",
+      "title": "MVS data sets for the FTP Server are not properly protected.",
+      "description": "MVS data sets of the FTP Server provide the configuration and operational characteristics of this product.  Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3241",
+      "title": "The TFTP Server program is not properly protected.",
+      "description": "The Trivial File Transfer Protocol (TFTP) Server, known as tftpd, supports file transfer according to the industry standard Trivial File Transfer Protocol.  The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server.  Due to this lack of security, the TFTP Server will not be used.  Failure to restrict the use of the TFTP Server may result in unauthorized access to the host.  This exposure may impact the integrity, availability, and privacy of application data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3242",
+      "title": "The Syslog daemon is not started at z/OS initialization.",
+      "description": "The Syslog daemon, known as SYSLOGD, is a z/OS UNIX daemon that provides a central processing point for log messages issued by other z/OS UNIX processes.  The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information.  It is important that SYSLOGD be started during the initialization phase of the z/OS system to ensure that significant messages are not lost.  Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3243",
+      "title": "The Syslog daemon must be properly defined and secured.",
+      "description": "The Syslog daemon, known as syslogd, is a zOS UNIX daemon that provides a central processing point for log messages issued by other zOS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communications Server components that may send messages to syslog are the FTP, TFTP, zOS UNIX Telnet, DNS, and DHCP servers. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. Primarily because of the potential to use this information in an audit process, there is a security interest in protecting the syslogd process and its associated data. \n\nThe Syslog daemon requires special privileges and access to sensitive resources to provide its system services.  Failure to properly define and control the Syslog daemon could lead to unauthorized access.  This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3244",
+      "title": "The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.",
+      "description": "HFS directories and files of the Syslog daemon provide the configuration and executable properties of this product.  Failure to properly secure these objects could lead to unauthorized access.  This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3331",
+      "title": "The ACP audit logs must be reviewed on a regular basis .",
+      "description": "Each ACP has the ability to produce audit records, based on specific security-related events. Audit Trail, Monitoring, Analysis and Reporting provides automated, continuous on-line monitoring and audit trail creation capability, to alert personnel of any unusual or inappropriate activity with potential IA implications. Failure to perform audit log analysis would allow for unusual or inappropriate activity to continue without review and appropriate actions taken.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-33795",
+      "title": "Sensitive and critical system data sets exist on shared DASD.",
+      "description": "Any time a sensitive or critical system data set is allocated on a shared DASD device, it is critical to validate that it is properly protected on any additional systems that are sharing that device. Without proper review and adequate restrictions to access of these data sets on all systems sharing them, can lead to corruption, integrity and availability of the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-34",
+      "title": "System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.",
+      "description": "Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special PPT privileges, and APF authorization.  Without proper review, approval and adequate documentation of these system programs, the integrity and availability of the operating system, ACP, and customer data are subject to compromise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-36",
+      "title": "Dynamic lists must be protected in accordance with proper security requirements.",
+      "description": "Dynamic lists provide a method of making z/OS system changes without interrupting the availability of the operating system.  Failure to properly control access to these facilities could result in unauthorized personnel modifying sensitive z/OS lists.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3716",
+      "title": "User accounts defined to the ACP do not uniquely identify system users.",
+      "description": "System users must be uniquely identified to the operating system.  To accomplish this, each user must have an individual account defined to the ACP.  If user accounts are not associated with specific individuals and are shared among multiple users, individual accountability is lost.  This could hamper security audit activities and lead to unauthorized user access of system resources and customer data.\n.  Scope of, ownership of and responsibility over users shall be based upon the specifics of appointment, role, responsibilities and level of authority.  Such as a domain/system level IAO is responsible for the Domain/system level users, whereas normally a application user would be the responsibility of the DoD AIS application security team unless SLA indicates otherwise.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3895",
+      "title": "DFSMS control data sets must be protected in accordance with security requirements.",
+      "description": "DFSMS control data sets provide the configuration and operational characteristics of the system-managed storage environment.  Failure to properly protect these data sets may result in unauthorized access.  This exposure could compromise the availability and integrity of some system services and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3896",
+      "title": "SYS(x).Parmlib(IEFSSNxx) SMS configuration parameter settings are  not properly specified.\n",
+      "description": "Configuration properties of DFSMS are specified in various members of the system parmlib concatenation (e.g., SYS1.PARMLIB).  Statements within these PDS members provide the execution, operational, and configuration characteristics of the system-managed storage environment.  Missing or inappropriate configuration values may result in undesirable operations and degraded security.  This exposure could potentially compromise the availability and integrity of some system services and customer data.",
+      "severity": "low"
+    },
+    {
+      "id": "V-3897",
+      "title": "MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.",
+      "description": "MVS data sets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment.  Failure to properly protect these data sets may lead to unauthorized access.  This exposure could compromise the integrity and availability of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3898",
+      "title": "HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.",
+      "description": "HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment.  Many of these objects are responsible for the security implementation of WAS.  Failure to properly protect these directories and files may lead to unauthorized access.  This exposure could potentially compromise the integrity and availability of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3899",
+      "title": "The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.\n",
+      "description": "SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment.  Many of these resources provide operational and administrative support for WAS.  Failure to properly protect these resources may lead to unauthorized access.  This exposure could compromise the integrity and availability of application services and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3900",
+      "title": "Vendor-supplied user accounts for the WebSphere Application Server are defined to the ACP.",
+      "description": "Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS).  These user accounts are common to all WAS environments and have access to restricted resources and functions.  Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access.  This exposure could compromise the integrity and availability of system services, applications, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-3901",
+      "title": "The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.",
+      "description": "Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file.  These directives specify critical files containing the WAS plug-in and WAS configuration.  These files provide the operational and security characteristics of WAS.  Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security.  This exposure may compromise the availability and integrity of applications and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3903",
+      "title": "User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.\n",
+      "description": "Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time.  This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data.  This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3904",
+      "title": "WebSphere MQ started tasks are not defined in accordance with the proper security requirements.",
+      "description": "Started tasks are used to execute WebSphere MQ queue manager services.  Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability.  This exposure could compromise the availability of some system services and application data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-3905",
+      "title": "WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted ",
+      "description": "MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ.  Some data sets are responsible for the security implementation of WebSphere MQ.  Failure to properly protect these data sets may lead to unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-44",
+      "title": "CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.\n",
+      "description": "CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment.  This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.\n\nThe region userid should be associated with a unique RACF userid.  ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-4850",
+      "title": "Allocate access to system user catalogs are not limited to system programmers only.  ",
+      "description": "System catalogs are the basis for locating all files on the system.  Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-54",
+      "title": "Surrogate users must be controlled in accordance with proper security requirements.",
+      "description": "Surrogate users have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users run with the identity of the execution user. Failure to properly control surrogate users could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-5605",
+      "title": "Non-existent or inaccessible Link Pack Area (LPA) libraries.",
+      "description": " LPA libraries give a common access point for the general usage of modules.  Many of the subsystems installed on a domain rely upon these modules for proper execution.  If the list of libraries found in this LPA member is not properly maintained, the integrity of the operating environment is subject to compromise.\n",
+      "severity": "low"
+    },
+    {
+      "id": "V-5627",
+      "title": "The hosts identified by the NSINTERADDR statement will be properly protected.",
+      "description": "If the hosts identified by NSINTERADDR statement are not properly protected they can be stolen, damaged, or disturbed. Without adequate physical security, unauthorized users can access the host and the hosts' components. Therefore, they can interfere with the normal operations of the host. Improper control of hosts and the hosts' components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-59477",
+      "title": "RACF exit ICHPWX01 must be installed and properly configured.",
+      "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks.  Password complexity is one factor of several that determine how long it takes to crack a password.  The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.  Use of a complex password helps to increase the time and resources required to compromise the password.\n\nThe RACF exit ICHPWX01 will allow for additional checks not available in RACF SETROPTS whenever a user selects a new password.  Improper setting of any of these fields, individually or in combination with another, can result in weakened passwords and compromise the security of the processing environment.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-64803",
+      "title": "The RACF System REXX IRRPWREX security data set must be properly protected.",
+      "description": "The RACF System REXX named IRRPWREX contains sensitive access control and password information for the operating system environment and system resources. Unauthorized access could result in the compromise of passwords, the operating system environment, ACP (Access Control Program), and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-65649",
+      "title": "NIST FIPS-validated cryptography must be used to protect passwords in the security database.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6898",
+      "title": "CICS regions are improperly protected to prevent unauthorized propagation of the region userid.",
+      "description": "CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default, and terminal users) may provide an exposure and vulnerability within the CICS environment.  This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6900",
+      "title": "All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6901",
+      "title": "Procedures are not in place  to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6902",
+      "title": "A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6903",
+      "title": "An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6904",
+      "title": "NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6905",
+      "title": "A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.",
+      "description": "If components of the FEPs are not properly protected they can be stolen, damaged, or disturbed.  Without adequate physical security, unauthorized users can access the control panel, the operator console, and the diskette drive of the service subsystem.  Therefore, they can interfere with the normal operations of the FEPs.  Improper control of FEP components could compromise network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6916",
+      "title": "RJE workstations and NJE nodes are not controlled in accordance with security requirements.",
+      "description": "JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations.  Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6918",
+      "title": "RJE workstations and NJE nodes are not controlled in accordance with STIG requirements.",
+      "description": "JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations.  Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6919",
+      "title": "JES2 input sources are not controlled in accordance with theh proper security requirements.",
+      "description": "JES2 input sources provide a variety of channels for job submission.  Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6920",
+      "title": "JES2 input sources must be properly controlled.",
+      "description": "JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6921",
+      "title": "JES2 output devices are not controlled in accordance with the proper security requirements.",
+      "description": "JES2 output devices provide a variety of channels to which output can be processed.  Failure to properly control these output devices could result in unauthorized personnel accessing output.  This exposure may compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6922",
+      "title": "JES2 output devices must be properly controlled for Classified Systems.",
+      "description": "JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data on a classified System..",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69223",
+      "title": "All digital certificates in use must have a valid path to a trusted Certification authority.\n\n",
+      "description": "The origin of a certificate, the Certificate Authority (i.e., CA), is crucial in determining if the certificate should be trusted.  An approved CA establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.\n\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69225",
+      "title": "Expired Digital Certificates must not be used.",
+      "description": "The longer and more often a key is used, the more susceptible it is to loss or discovery. This weakens the assurance provided to a relying Party that the unique binding between a key and its named subscriber is valid. Therefore, it is important that certificates are periodically refreshed. This is in accordance with DoD requirement.  Expired Certificate must not be in use.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69227",
+      "title": "Certificate Name Filtering must be implemented with appropriate authorization and documentation.",
+      "description": "Certificate name filtering is a facility that allows multiple certificates to be mapped to a single ACP userid.  Rather than matching a certificate stored in the ACP to determine the userid, criteria rules are used.  Depending on the filter criteria, a large number of client certificates could be mapped to a single userid.  Failure to properly control the use of certificate name filtering could result in the loss of individual identity and accountability.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69229",
+      "title": "The SSH daemon must be configured to only use the SSHv2 protocol.\n\n",
+      "description": "SSHv1 is not a DoD-approved protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6923",
+      "title": "JESSPOOL resources are not protected in accordance with security requirements.",
+      "description": "JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets.  Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69231",
+      "title": "The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.",
+      "description": "Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.",
+      "severity": "high"
+    },
+    {
+      "id": "V-69233",
+      "title": "The SSH daemon must be configured with the Department of Defense (DoD) logon banner.",
+      "description": "Failure to display the DoD logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69235",
+      "title": "SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.  ",
+      "description": "SMF data collection is the basic unit of tracking of all system functions and actions.  Included in this tracking data are the audit trails from each of the ACPs.  If the control options for the recording of this tracking are not properly maintained, then accountability cannot be monitored, and its use in the execution of a contingency plan could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-69237",
+      "title": "The SSH daemon must be configured to use SAF keyrings for key storage.",
+      "description": "The use of SAF Key Rings for key storage enforces organizational access control policies and assures the protection of cryptographic keys in storage. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6924",
+      "title": "JESNEWS rewsources are not protected in accordance with security requirements.",
+      "description": "JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets.  Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6925",
+      "title": "JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.\n",
+      "description": "JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets.  Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6926",
+      "title": "JES2 spool resources will be controlled in accordance with security requirements.",
+      "description": "JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets.  Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6928",
+      "title": "JES2 system commands are not protected in accordance with security requirements.",
+      "description": "JES2 system commands are used to control JES2 resources and the operating system environment.  Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6933",
+      "title": "SMS Program Resources must be properly defined and protected.",
+      "description": "DFSMS provides data, storage, program, and device management functions for the operating system.  Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls.  Failure to properly protect DFSMS resources may result in unauthorized access.  This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6936",
+      "title": "DFSMS control data sets are not properly protected.",
+      "description": "DFSMS control data sets provide the configuration and operational characteristics of the system-managed storage environment.  Failure to properly protect these data sets may result in unauthorized access.  This exposure could compromise the availability and integrity of some system services and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6937",
+      "title": "SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.\n",
+      "description": "Configuration properties of DFSMS are specified in various members of the system parmlib concatenation (e.g., SYS1.PARMLIB).  Statements within these PDS members provide the execution, operational, and configuration characteristics of the system-managed storage environment.  Missing or inappropriate configuration values may result in undesirable operations and degraded security.  This exposure could potentially compromise the availability and integrity of some system services and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6943",
+      "title": "DFSMS-related RACF classes are not active.",
+      "description": "DFSMS provides data, storage, program, and device management functions for the operating system.  Some DFSMS storage administration functions allow a user to obtain a privileged status and effectively bypass all ACP data set and volume controls.  Failure to properly protect DFSMS resources may result in unauthorized access.  This exposure could compromise the availability and integrity of the operating system environment, system services, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6944",
+      "title": "z/OS UNIX OMVS parameters in PARMLIB are not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6945",
+      "title": "z/OS UNIX BPXPRMxx security parameters in PARMLIB are not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6946",
+      "title": "z/OS UNIX HFS MapName files security parameters are not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6947",
+      "title": "z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6949",
+      "title": "The VTAM USSTAB definitions are being used for unsecured terminals",
+      "description": "VTAM options and definitions are used to define VTAM operational capabilities.  They must be strictly controlled.  Unauthorized users could override or change start options or network definitions.  Failure to properly control VTAM resources could potentially compromise the network operations.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6956",
+      "title": "The System datasets used to support the VTAM network are not properly secured.",
+      "description": "Ensure that RACF data set rules for all VTAM system data sets restrict access to only network systems programming staff.  These data sets include libraries containing VTAM load modules and exit routines, and VTAM start options and definition statements.\n\nFailure to properly control VTAM datasets could potentially compromise the network operations.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6958",
+      "title": "WebSphere MQ channel security must be implemented in accordance with security requirements.",
+      "description": "WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers.  Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6959",
+      "title": "WebSphere MQ resource classes are not properly actived for security checking by the ACP.\n",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to ensure the classes have been made ACTIVE under RACF will prevent RACF from enforcing security rules.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6960",
+      "title": "WebSphere MQ \"switch\" profiles are improperly defined to the MQADMIN class.",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6961",
+      "title": "z/OS UNIX security parameters in etc/profile are not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6962",
+      "title": "WebSphere MQ MQCONN Class (Connection) resource definitions are not protected in accordance with security.\n",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6963",
+      "title": "z/OS UNIX security parameters in /etc/rc not properly specified.",
+      "description": "Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls.  The parameters impact HFS data access and operating system services.  Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6964",
+      "title": "WebSphere MQ dead letter and alias dead letter queues are not properly defined.",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6965",
+      "title": "WebSphere MQ MQQUEUE (Queue) resource profiles defined to the MQQUEUE class are not protected in accordance with security requirements.\n",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6966",
+      "title": "WebSphere MQ Process resource profiles defined in the MQPROC Class are not protected in accordance with security requirements.\n\n",
+      "description": "WebSphere MQ Process resources allow for the control of processes.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6967",
+      "title": "WebSphere MQ Namelist resource profiles defined in the MQNLIST Class are not protected in accordance with security requirements.\n",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6968",
+      "title": "BPX resource(s)s is(are) not protected in accordance with security requirements.",
+      "description": "z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges.  Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6969",
+      "title": "WebSphere MQ Alternate User resources defined to MQADMIN resource class are not protected in accordance with security requirements.\n",
+      "description": "WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6970",
+      "title": "z/OS UNIX resources must be protected in accordance with security requirements.",
+      "description": "z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges. Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6971",
+      "title": "WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.",
+      "description": "Context security validates whether a userid has authority to pass or set identity and/or origin data\nfor a message. Context security will be active to avoid security exposure.  \n\nThis exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6972",
+      "title": "z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.\n",
+      "description": "z/OS UNIX ACP-defined resources consist of sensitive capabilities including SUPERUSER, daemon, and numerous file manipulation privileges.  Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact system availability.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6973",
+      "title": "WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.",
+      "description": "WebSphere MQ resources allow for the control of  commands.  Failure to properly protect WebSphere MQ Command resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6974",
+      "title": "z/OS UNIX MVS data sets or HFS objects are not properly protected.",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6975",
+      "title": "WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements. ",
+      "description": "RESLEVEL security profiles control the number of userids checked for API-resource security.\nRESLEVEL is a powerful option that can cause the bypassing of all security checks.\nRESLEVEL security will not be implemented. \n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6976",
+      "title": "z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6977",
+      "title": "z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6978",
+      "title": "z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6979",
+      "title": "z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6980",
+      "title": "WebSphere MQ channel security is not implemented in accordance with security requirements.",
+      "description": "WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers.  WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6981",
+      "title": "z/OS UNIX MVS HFS directory(s) with \"other\" write permission bit set are not properly defined.",
+      "description": "For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data.  All of these MVS data sets require definitions in the ACP to enforce desired access controls.  In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6985",
+      "title": "Attributes of z/OS UNIX user accounts are not defined properly",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6986",
+      "title": "z/OS UNIX each group is not defined with a unique GID.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6987",
+      "title": "The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6988",
+      "title": "The user account for the z/OS UNIX SUPERSUSER userid must be properly defined.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6989",
+      "title": "The user account for the z/OS UNIX (RMFGAT) must be properly defined.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6991",
+      "title": "UID(0) is improperly assigned.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "high"
+    },
+    {
+      "id": "V-6992",
+      "title": "z/OS UNIX user accounts are not properly defined.",
+      "description": "User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6997",
+      "title": "The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.",
+      "description": "The RACF FACILITY Class BPX. UNIQUE.USER profile contains the userid or the userid/group ID of the default profiles to be used for a user without a z/OS UNIX profile (i.e., OMVS Segment). In classified system user access will not be determined by default.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6998",
+      "title": "The RACF Classes required to properly security the z/OS UNIX environment are not ACTIVE.",
+      "description": "The FACILITY, SURROGAT, and UNIXPRIV Class support profiles used to secure the z/OS UNIX (OMVS) environment.  Without these classes being in an ACTIVE status, system integrity can be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-6999",
+      "title": "RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.",
+      "description": "RACF provides the ability to load certain class profiles into memory for better performance thru the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented.  By not following vendor recommendations, unpredictable results could occur that compromise the integrity of the z/OS system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7050",
+      "title": "Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements. \n",
+      "description": "RACF userids that use z/OS UNIX must be properly configured.  If these attributes are not correctly defined, data access or command privilege controls could be compromised.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7119",
+      "title": "CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.",
+      "description": "CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. An improperly defined or controlled CICS default userid may provide an exposure and vulnerability within the CICS environment.  This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7120",
+      "title": "CICS logonid(s) do not have time-out limit set to 15 minutes.\n",
+      "description": "CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an exposure and vulnerability within the CICS environment.  This could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.\n\nRACF provides the PROPCNTL class to prevent userids such as the CICS region userid from being propogated/used by unauthorized userids.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-71203",
+      "title": "The SETROPTS LOGOPTIONS must be properly configured.\n\n\n",
+      "description": "Audit records are central to after-the-fact investigations of security incidents.  Every effort should be taken to collect as much information as productively feasible for these investigative processes. The SETROPTS LOGOPTIONS option serves as a default auditing requirement.  Auditing ‘Failures’ as a minimum will assure a base level of information is available for investigations.  ",
+      "severity": "low"
+    },
+    {
+      "id": "V-71223",
+      "title": "Libraries included in the system REXXLIB concatenation must be properly protected. ",
+      "description": "The libraries included in the system REXXLIB concatenation can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "high"
+    },
+    {
+      "id": "V-7482",
+      "title": "z/OS system commands must be properly protected.",
+      "description": "z/OS system commands provide a method of controlling the operating environment.  Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.\n",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7485",
+      "title": "CONSOLxx members must be properly configured.",
+      "description": "MCS consoles can be used to issue operator commands.  Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7486",
+      "title": "MCS console userid(s) will be properly protected.",
+      "description": "MCS consoles can be used to issue operator commands.  Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7487",
+      "title": "MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.  ",
+      "description": "MCS consoles can be used to issue operator commands.  Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7488",
+      "title": "Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.\n",
+      "description": "MCS consoles can be used to issue operator commands.  Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7490",
+      "title": "FACILITY resource class is inactive.",
+      "description": "IBM Provides the FACILITY Class for use in protecting a variety of features/functions/products both IBM and third party.  The FACILITY Class is not dedicated to any one specific use and is intended as a multi-purpose RACF Class.  Failure to activate this class will result in unprotected resources.  This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7491",
+      "title": "MCS consoles are not active.",
+      "description": "(RACF0248: CAT II) MCS consoles can be used to issue operator commands.  Failure to properly control access to MCS consoles could result in unauthorized personnel issuing sensitive operator commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7492",
+      "title": "The OPERCMDS resource class is not active.",
+      "description": "z/OS system commands provide a method of controlling the operating environment.  Failure to properly control access to z/OS system commands could result in unauthorized personnel issuing sensitive system commands.  This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75057",
+      "title": "The RACF SERVAUTH resource class must be active for TCP/IP resources.",
+      "description": "IBM Provides the SERVAUTH Class for use in protecting a variety of TCP/IP features/functions/products both IBM and third-party. Failure to activate this class will result in unprotected resources. This exposure may threaten the integrity of the operating system environment, and compromise the confidentiality of customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-75059",
+      "title": "RACF Global Access Checking must be restricted to appropriate classes and resources",
+      "description": "RACF Global access checking can be used to improve the performance of RACF authorization checking for selected resources. The global access checking table is maintained in storage and is checked early in the RACF authorization checking sequence. If an entry in the global access checking table allows the requested access to a resource, RACF performs no further authorization checking. This can eliminate the need for I/O to the RACF database to retrieve a resource profile, which can result in substantial performance improvements. However, if an entry in the global access checking table allows a requested access to a resource, no auditing is done for the request. Capture of audit data ensure a historical checking of individual user accountability. This accountability is basic for forensic purposes. ",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7516",
+      "title": "CICS system data sets are not properly protected.",
+      "description": "CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-7545",
+      "title": "Unsupported system software is installed and active on the system.",
+      "description": "When a vendor drops support of System Software, they no longer maintain security vulnerability patches to the software. Without vulnerability patches, it is impossible to verify that the system does not contain code which could violate the integrity of the operating system environment. ",
+      "severity": "high"
+    },
+    {
+      "id": "V-7546",
+      "title": "Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.",
+      "description": "Vendors' code may contain vulnerabilities that may be exploited to cause denial of service or to violate the integrity of the system or data on the System. Most vendors develop patches to correct these vulnerabilities. When vendors' products become unsupported, the creation of these patches cease leaving the system exposed to any future vulnerabilities not patched. Without a documented migration plan established to monitor system software versions and releases unsupported software may be allowed to run on the system.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-82",
+      "title": "A CMP (Change Management Process) is not being utilized on this system. ",
+      "description": " Without proper tracking of changes to the operating system software environment, its processing integrity and availability are subject to compromise.",
+      "severity": "low"
+    },
+    {
+      "id": "V-8271",
+      "title": "FTP / Telnet unencryted transmissions require Acknowledgement of Risk Letter(AORL) ",
+      "description": "In addition to the data transmission being in the clear, the user credentials are also passed in the clear, which violates the control IAIA-1.  As mitigation for this vulnerability, special consideration must be given to account maintenance and the types of user privileges associated with these accounts.  Interception of the above information could result in the compromise of the operating system environment, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-83",
+      "title": "LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).",
+      "description": "Failure to specify LINKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and violate the integrity of the operating system environment.  This expanded authorization list inhibits the ability to control inclusion of these modules.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-84",
+      "title": "Inaccessible APF libraries defined.",
+      "description": "If a library designated by an APF entry does not exist on the volume specified, a library of the same name may be placed on this volume and inherit APF authorization.  This could allow the introduction of modules which bypass security and violate the integrity of the operating system environment.",
+      "severity": "low"
+    },
+    {
+      "id": "V-85",
+      "title": "Duplicated sensitive utilities and/or programs exist in APF libraries.",
+      "description": "Modules designated as sensitive utilities have the ability to significantly modify the operating system environment.  Duplication of these modules causes an exposure by making it extremely difficult to track modifications to them.  This could allow for the execution of invalid or trojan horse versions of these utilities.",
+      "severity": "low"
+    },
+    {
+      "id": "V-86",
+      "title": "The review of AC=1 modules in APF authorized libraries will be reviewed annually and documentation verifying the modules integrity is available.",
+      "description": "The review of AC=1 modules that reside in APF authorized libraries will be reviewed annually.  The IAO will maintain documentation identifying the integrity and justification of Vendor APF authorized libraries.  For non-vendor APF authorized libraries, the source and documentation identifying the integrity and justification that describes the AC=1 module process will be maintained by the IAO.  Sites have undocumented and/or unauthorized AC=1 modules have a possible risk to the confidentiality, integrity, and availability of the system and present a clear risk to the operating system, ACP, and customer data.",
+      "severity": "medium"
+    },
+    {
+      "id": "V-90",
+      "title": "Inapplicable PPT entries have not been invalidated.",
+      "description": "If invalid or inapplicable PPT entries exist, a venue is provided for the introduction of trojan horse modules with security bypass capabilities.",
+      "severity": "medium"
+    }
+  ]
+}