IBM z/OS Policy Agent must employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-223560 | SRG-OS-000480-GPOS-00232 | ACF2-OS-000240 | SV-223560r991593_rule | 2025-06-24 | 9 |
| Description |
|---|
| Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. |
| ℹ️ Check |
|---|
| Examine the Policy Agent policy statements. If it can be determined that the policy agent employs a deny-all, allow-by-exception firewall policy for allowing connections to other systems, this is not a finding. |
| ✔️ Fix |
|---|
| Develop a policy application and policy agent to employ a deny-all, allow-by-exception firewall policy for allowing connections to other systems. |