
IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.


Overview

Finding ID: V-223622
Version: ACF2-US-000070
Rule ID: SV-223622r533198_rule
IA Controls: (none listed)
Severity: Medium
Description
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000259-GPOS-00100

STIG: IBM z/OS ACF2 Security Technical Implementation Guide
Date: 2022-01-05

Details

Check Text ( C-25295r504824_chk )
From the ISPF Command Shell enter:
OMVS

For each file listed in the table below enter:
ls -alW //

If the HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table, this is not a finding.

NOTE: Some of the files listed are not used in every configuration. Absence of any of the files is not considered a finding.

SYSTEM FILE SECURITY SETTINGS

FILE                                               PERMISSION BITS  USER AUDIT BITS  FUNCTION
/bin/sh                                            1755             faf              z/OS UNIX shell
/dev/console                                       740              fff              The system console file; receives messages that may require System Administrator (SA) attention
/dev/null                                          666              fff              A null file; data written to it is discarded
/etc/auto.master and any mapname files             740              faf              Configuration files for the automount facility
/etc/inetd.conf                                    740              faf              Configuration file for network services
/etc/init.options                                  740              faf              Kernel initialization options file for the z/OS UNIX environment
/etc/log                                           744              fff              Kernel initialization output file
/etc/profile                                       755              faf              Environment setup script executed for each user
/etc/rc                                            744              faf              Kernel initialization script for the z/OS UNIX environment
/etc/steplib                                       740              faf              List of MVS data sets valid for set-user-ID and set-group-ID executables
/etc/tablename                                     740              faf              List of z/OS user IDs and group names with corresponding alias names
/usr/lib/cron/at.allow, /usr/lib/cron/at.deny      700              faf              Configuration files for the at and batch commands
/usr/lib/cron/cron.allow, /usr/lib/cron/cron.deny  700              faf              Configuration files for the crontab command

Note: /bin/sh has the sticky bit on to improve performance.

NOTE: The names of the MapName files are site-defined. Refer to the listing in the EAUTOM report.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing
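An added example (not part of the STIG) that applies the "match or more restrictive" rule above in POSIX sh: it converts the symbolic mode from an ls -alW line to octal, then flags entries whose permission bits or user audit bits are less restrictive than the table requires. It assumes the z/OS ls -W column layout "mode audit links owner group size date name" (the audit column being user audit bits followed by auditor audit bits); the sample lines are constructed, not captured system output.

```shell
#!/bin/sh
# Added example: compare ls -alW entries with required permission and user audit bits.
# Assumes z/OS "ls -W" layout: mode audit links owner group size date name (POSIX sh).

# $1 = actual octal mode, $2 = required mode. Compliant when no bit (rwx, setuid,
# setgid, sticky) is set in the actual mode that is clear in the required one.
perm_ok() {
  [ $(( 0$1 & ~0$2 & 07777 )) -eq 0 ]
}

# $1 = actual user audit bits (r,w,x), $2 = required bits. A position is compliant
# when it equals the requirement, is 'a' (logs success and failure), or '-' is required.
audit_ok() {
  i=1
  while [ "$i" -le 3 ]; do
    act=$(printf '%s' "$1" | cut -c"$i"); req=$(printf '%s' "$2" | cut -c"$i")
    case "$req$act" in
      -?|?a|ff|ss) ;;
      *) return 1 ;;
    esac
    i=$((i+1))
  done
  return 0
}

# Turn one ls -alW line into "<octal mode> <user audit bits> <name>".
parse_ls_w() {
  printf '%s\n' "$1" | awk '{
    m = $1; bits = 0; special = 0
    for (i = 2; i <= 10; i++) {
      c = substr(m, i, 1); bit = 0
      if (c ~ /[rwxst]/) bit = 1                    # lower-case s/t also mean execute
      if (c ~ /[sS]/) special += (i == 4) ? 4 : 2   # setuid (user) / setgid (group)
      if (c ~ /[tT]/) special += 1                  # sticky bit
      bits = bits * 2 + bit
    }
    printf "%s%03o %s %s\n", (special ? special : ""), bits, substr($2, 1, 3), $NF
  }'
}

# $1 = ls -alW line, $2 = required permission bits, $3 = required audit bits.
check_entry() {
  req_perm=$2; req_audit=$3
  set -- $(parse_ls_w "$1")
  if perm_ok "$1" "$req_perm" && audit_ok "$2" "$req_audit"; then
    echo "PASS $3 ($1 $2)"; return 0
  fi
  echo "FAIL $3 has $1 $2, required $req_perm $req_audit"; return 1
}

# Constructed sample lines (not real output); the last line printed is the finding count.
run_sample() {
  n=0
  check_entry '-rwxr-xr-t faf--- 2 ROOT SYS 4096 Jan 5 2022 /bin/sh' 1755 faf || n=$((n+1))
  check_entry '-rwxr--r-- fff--- 1 ROOT SYS 1024 Jan 5 2022 /dev/console' 740 fff || n=$((n+1))
  check_entry '-rwxr-xr-x aaa--- 1 ROOT SYS 2048 Jan 5 2022 /etc/profile' 755 faf || n=$((n+1))
  check_entry '-rwx------ faf--- 1 ROOT SYS 512 Jan 5 2022 /usr/lib/cron/at.allow' 700 faf || n=$((n+1))
  echo "FINDINGS: $n"
}
```

In the sample, /dev/console is reported because 744 grants "other" read that the required 740 does not, while /etc/profile passes because audit bits of "a" cover the required "f".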

Fix Text (F-25283r504825_fix)
Define the UNIX permission bits and user audit bits on the HFS files as listed in the table below:

SYSTEM FILE SECURITY SETTINGS

FILE                                               PERMISSION BITS  USER AUDIT BITS  FUNCTION
/bin/sh                                            1755             faf              z/OS UNIX shell
/dev/console                                       740              fff              The system console file; receives messages that may require System Administrator (SA) attention
/dev/null                                          666              fff              A null file; data written to it is discarded
/etc/auto.master and any mapname files             740              faf              Configuration files for the automount facility
/etc/inetd.conf                                    740              faf              Configuration file for network services
/etc/init.options                                  740              faf              Kernel initialization options file for the z/OS UNIX environment
/etc/log                                           744              fff              Kernel initialization output file
/etc/profile                                       755              faf              Environment setup script executed for each user
/etc/rc                                            744              faf              Kernel initialization script for the z/OS UNIX environment
/etc/steplib                                       740              faf              List of MVS data sets valid for set-user-ID and set-group-ID executables
/etc/tablename                                     740              faf              List of z/OS user IDs and group names with corresponding alias names
/usr/lib/cron/at.allow, /usr/lib/cron/at.deny      700              faf              Configuration files for the at and batch commands
/usr/lib/cron/cron.allow, /usr/lib/cron/cron.deny  700              faf              Configuration files for the crontab command

Note: /bin/sh has the sticky bit on to improve performance.

There are a number of files that must be secured to protect system functions in z/OS UNIX. Where not otherwise specified, these files must receive a permission setting of 744 or 774. The 774 setting may be used at the site’s discretion to help to reduce the need for assignment of superuser privileges. The table identifies permission bit and audit bit settings that are required for these specific files. More restrictive permission settings may be used at the site’s discretion or as specific environments dictate.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:

    chmod 1755 /bin/sh
    chaudit w=sf,rx+f /bin/sh
    chmod 0740 /dev/console
    chaudit rwx=f /dev/console