Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3220	ITCP0060	SV-3220r3_rule		Medium

Description
The TCP/IP started tasks require special privileges and access to sensitive resources to provide its system services. Failure to properly define and control these TCP/IP started tasks could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, Access Control Program (ACP) and customer data.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-65489r1_chk )
Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTSTC) - ACF2CMDS.RPT(OMVSUSER) If the following items are true for the logonid(s) assigned to the TCP/IP address space(s), this is not a finding. ___ Named TCPIP or, in the case of multiple instances, prefixed with TCPIP ___ Defined with the STC, MUSASS, and NO-SMC attributes ___ z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh If the following items are in effect for the logonid assigned to the EZAZSSI started task, this is not a finding. ___ Named EZAZSSI ___ Defined with the STC attribute ___ z/OS UNIX attributes: UID(non-zero), HOME directory ‘/’, shell program /bin/sh

Check Text ( C-65489r1_chk )

Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTSTC)
- ACF2CMDS.RPT(OMVSUSER)

If the following items are true for the logonid(s) assigned to the TCP/IP address space(s), this is not a finding.

___ Named TCPIP or, in the case of multiple instances, prefixed with TCPIP
___ Defined with the STC, MUSASS, and NO-SMC attributes
___ z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh

If the following items are in effect for the logonid assigned to the EZAZSSI started task, this is not a finding.

___ Named EZAZSSI
___ Defined with the STC attribute
___ z/OS UNIX attributes: UID(non-zero), HOME directory ‘/’, shell program /bin/sh

Fix Text (F-70747r1_fix)
The ISSO will ensure that the Started tasks for the Base TCP/IP component user accounts are defined with the following characteristics: - Named TCPIP or, in the case of multiple instances, prefixed with TCPIP - Defined with the STC, MUSASS, and NO-SMC attributes - z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh - Named EZAZSSI - Defined with the STC attribute - z/OS UNIX attributes: UID(non-zero), HOME directory ‘/’, shell program /bin/sh Review the TCP/IP started task accounts, privileges, and access authorizations defined to the ACP. Ensure they conform to the requirements as outlined below. The following commands can be used to create the user accounts that are required for the TCP/IP address space and the EZAZSSI started task: SET LID INSERT TCPIP NAME(TCPIP) GROUP(STCTCPX) STC MUSASS NO-SMC INSERT EZAZSSI NAME(EZAZSSI) GROUP(STCTCPX) STC SET PROFILE(USER) DIVISION(OMVS) INSERT TCPIP UID(0) HOME(/) OMVSPGM(/bin/sh) INSERT EZAZSSI UID(non-zero) HOME(/) OMVSPGM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P) NOTE: At eTrust CA-ACF2 6.4 and above, the PROGRAM field in the user profile record has been renamed to OMVSPGM. The following additions to the indicated rule sets can be used to assign the privileges that are required for the TCP/IP address space: $KEY(BPX) TYPE(FAC) … DAEMON UID(TCPIP-uid) SERVICE(READ) ALLOW If the z/OS host machine has hardware encryption installed and enabled, resources owned by the Integrated Cryptographic Service Facility (ICSF) component have been defined. The following rule set additions are required to allow the TN3270 Telnet Server process to access the ICSF resources. - $KEY(CSFCKI) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFCKM) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFDEC) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFENC) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFOWH) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFRNG) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFPKB) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFPKX) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFPKE) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFPKD) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFPKI) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFDSG) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW - $KEY(CSFDSV) TYPE(CSF) - UID(TCPIP-uid) SERVICE(READ) ALLOW The following operator commands are required to complete the updates: F ACF2,REBUILD(FAC) F ACF2,REBUILD(CSF) These commands and definitions assume that the default type code for CSFSERV resources is CSF.

Fix Text (F-70747r1_fix)

The ISSO will ensure that the Started tasks for the Base TCP/IP component user accounts are defined with the following characteristics:

- Named TCPIP or, in the case of multiple instances, prefixed with TCPIP
- Defined with the STC, MUSASS, and NO-SMC attributes
- z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh

- Named EZAZSSI
- Defined with the STC attribute
- z/OS UNIX attributes: UID(non-zero), HOME directory ‘/’, shell program /bin/sh

Review the TCP/IP started task accounts, privileges, and access authorizations defined to the ACP. Ensure they conform to the requirements as outlined below.

The following commands can be used to create the user accounts that are required for the TCP/IP address space and the EZAZSSI started task:

SET LID
INSERT TCPIP NAME(TCPIP) GROUP(STCTCPX) STC MUSASS NO-SMC
INSERT EZAZSSI NAME(EZAZSSI) GROUP(STCTCPX) STC

SET PROFILE(USER) DIVISION(OMVS)
INSERT TCPIP UID(0) HOME(/) OMVSPGM(/bin/sh)
INSERT EZAZSSI UID(non-zero) HOME(/) OMVSPGM(/bin/sh)

F ACF2,REBUILD(USR),CLASS(P)

NOTE: At eTrust CA-ACF2 6.4 and above, the PROGRAM field in the user profile record has been renamed to OMVSPGM.

The following additions to the indicated rule sets can be used to assign the privileges that are required for the TCP/IP address space:

$KEY(BPX) TYPE(FAC)
…
DAEMON UID(TCPIP-uid) SERVICE(READ) ALLOW

If the z/OS host machine has hardware encryption installed and enabled, resources owned by the Integrated Cryptographic Service Facility (ICSF) component have been defined. The following rule set additions are required to allow the TN3270 Telnet Server process to access the ICSF resources.

- $KEY(CSFCKI) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFCKM) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFDEC) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFENC) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFOWH) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFRNG) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFPKB) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFPKX) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFPKE) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFPKD) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFPKI) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFDSG) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW
- $KEY(CSFDSV) TYPE(CSF)
- UID(TCPIP-uid) SERVICE(READ) ALLOW

The following operator commands are required to complete the updates:

F ACF2,REBUILD(FAC)
F ACF2,REBUILD(CSF)

These commands and definitions assume that the default type code for CSFSERV resources is CSF.