
z/OS UNIX security parameters in /etc/rc not properly specified.


Overview

Finding ID: V-6963
Version: ZUSS0016
Rule ID: SV-7264r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium
Description
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
STIG: z/OS ACF2 STIG
Date: 2016-01-04

Details

Check Text ( C-20981r1_chk )
a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(ERC)

b) If all of the CHMOD commands in /etc/rc do not result in less restrictive access than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHMOD commands in /etc/rc is required in most environments to comply with the required settings, especially for dynamic objects such as the /dev directory.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

c) If all of the CHAUDIT commands in /etc/rc do not result in less auditing than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHAUDIT commands in /etc/rc may not be necessary. If none are found, there is NO FINDING.

The possible audit bit settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing


d) If the _BPX_JOBNAME variable is appropriately set (i.e., to match daemon name) as each daemon (e.g., syslogd, inetd) is started in /etc/rc, there is NO FINDING.

NOTE: If _BPX_JOBNAME is not specified, the started address space will be named using an inherited value. This could result in reduced security in terms of operator command access.

e) If (b), (c), or (d) above is untrue, this is a FINDING.
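As an added illustration that is not part of the STIG text, the following Python script scores the CHMOD lines of an /etc/rc excerpt against a baseline using the check's own least-to-most-restrictive digit hierarchy, and verifies that _BPX_JOBNAME is set on, or on the line immediately before, each daemon start. The BASELINE modes and the rc excerpt are constructed (the real required values live in the z/OS STIG Addendum tables), and the CHAUDIT comparison is left out.

```python
import re
from typing import List

# The check text's ordering of permission digits, least restrictive first.
HIERARCHY = "76325410"
RANK = {d: i for i, d in enumerate(HIERARCHY)}

# Constructed baseline (assumption): real required modes come from the
# SYSTEM DIRECTORY/FILE SECURITY SETTINGS tables of the z/OS STIG Addendum.
BASELINE = {"/dev": "755", "/tmp": "1777", "/etc/profile": "744"}
DAEMONS = ("syslogd", "inetd")
JOBNAME_RE = re.compile(r"_BPX_JOBNAME=['\"]?(\w+)['\"]?")

# Constructed /etc/rc excerpt, not a real site file.
RC_SAMPLE = """\
chmod 755 /dev
chmod 1777 /tmp
chmod 777 /etc/profile
export _BPX_JOBNAME='SYSLOGD'
/usr/sbin/syslogd -f /etc/syslog.conf &
/usr/sbin/inetd /etc/inetd.conf &
"""

def less_restrictive(actual: str, required: str) -> bool:
    """True if any owner/group/other digit of actual ranks looser than required."""
    return any(RANK[x] < RANK[y] for x, y in zip(actual[-3:], required[-3:]))

def audit_rc(text: str) -> List[str]:
    """Return finding strings for checks (b) and (d) over an /etc/rc body."""
    findings, prev = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"chmod\s+(?:-R\s+)?([0-7]{3,4})\s+(\S+)", stripped)
        if m:
            mode, path = m.groups()
            want = BASELINE.get(path)
            if want and less_restrictive(mode, want):
                findings.append(f"{path}: chmod {mode} is less restrictive than {want}")
        for daemon in DAEMONS:
            if re.search(rf"/{daemon}\b", stripped):
                # Accept the assignment on the same line or on the preceding line.
                j = JOBNAME_RE.search(stripped) or JOBNAME_RE.search(prev)
                if not j or j.group(1).lower() != daemon:
                    findings.append(f"{daemon}: _BPX_JOBNAME not set to match daemon name")
        prev = stripped
    return findings

if __name__ == "__main__":
    for f in audit_rc(RC_SAMPLE):
        print("FINDING:", f)
```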
Fix Text (F-18949r1_fix)
Review the settings in /etc/rc. The /etc/rc file is the system initialization shell script. When z/OS UNIX kernel services start, /etc/rc is executed to set file permissions and ownership for dynamic system files and to perform other system startup functions such as starting daemons. There can be many commands in /etc/rc. There are two specific guidelines that must be followed:

Verify that no CHMOD or CHAUDIT command results in less restrictive security than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS table in the z/OS STIG Addendum.

Immediately prior to each command that starts a daemon, the _BPX_JOBNAME variable must be set to match the daemon's name (e.g., inetd, syslogd). The use of _BPX_USERID is at the site's discretion, but is recommended.