Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The GSO UNIXOPTS record must not specify default settings for classified systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6993 | ZUSSA050 | SV-7296r3_rule | Medium |
| Description |
|---|
| Default profile settings allow a user to access UNIX System Services (OMVS) if a user does not have a valid OMVS group in the logonid record. Settings in the ACP impact the security level of z/OS UNIX. In classified systems user access will not be determined by default. |
| STIG | Date |
|---|---|
| z/OS ACF2 STIG | 2018-10-04 |
Details
| Check Text ( C-3889r2_chk ) |
|---|
| If this is an Unclassified system this is not applicable. From ACF2 Command Line enter: Set CONTROL(GSO) Show UNIXOPTS Alternately: Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) - Classification of System Automated Analysis: Refer to the following report produced by the ACF2 Data Collection: - PDI(ZUSSA050) If system is classified the UNIXOPTS record specifies DFTGROUP(); DFTUSER(); NOUNIQUSER AND MODLUSER(), there is no finding. |
| Fix Text (F-6727r2_fix) |
|---|
| Ensure that UNIXOPTS record does not specify DFTGROUP and DFTUSER fields for classified systems. Ensure that then UNIXOPTS record specifies NOUNIQUSER and no MODLUSER If system is classified the UNIXOPTS record must specify DFTGROUP(); DFTUSER() and MODLUSER(). NOUNIQUEUSER must be specified. Example: SET C(GSO) LIST UNIXOPTS CHOWNRES DFTGROUP() DFTUSER() NODIRACC NODIRSRCH NOFSOBJ NOFSSEC NOGOSETGID NOHFSACL NOHFSSEC NOIPCOBJ NGROUPS(300) NOPROCACT NOPROCESS MODLUSER() NOUNIQUSER |