The Syslog daemon must be properly defined and secured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3243	ISLG0020	SV-3243r3_rule	DCCS-1 DCCS-2 DCFA-1	Medium

Description
The Syslog daemon, known as syslogd, is a zOS UNIX daemon that provides a central processing point for log messages issued by other zOS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communications Server components that may send messages to syslog are the FTP, TFTP, zOS UNIX Telnet, DNS, and DHCP servers. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. Primarily because of the potential to use this information in an audit process, there is a security interest in protecting the syslogd process and its associated data. The Syslog daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the Syslog daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

Description

The Syslog daemon, known as syslogd, is a zOS UNIX daemon that provides a central processing point for log messages issued by other zOS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM Communications Server components that may send messages to syslog are the FTP, TFTP, zOS UNIX Telnet, DNS, and DHCP servers. The messages may be of varying importance levels including general process information, diagnostic information, critical error notification, and audit-class information. Primarily because of the potential to use this information in an audit process, there is a security interest in protecting the syslogd process and its associated data. The Syslog daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the Syslog daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-46985r5_chk )
Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTSTC) - ACF2CMDS.RPT(OMVSUSER) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(ERC) - Refer to this report if the Syslog daemon is started from /etc/rc. Refer to the JCL procedure libraries defined to JES2. Ensure that the Syslog daemon is properly defined and protected as stated below. If the following guidance is true, this is not a finding. ___ The Syslog daemon logonid is SYSLOGD. ___ The SYSLOGD logonid is defined with the STC attribute. ___ The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment. ___ If Syslog daemon is started from /etc/rc then ensure that the _BPX_JOBNAME and _BPX_USERID environment variables are assigned a value of SYSLOGD.

Check Text ( C-46985r5_chk )

Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTSTC)
- ACF2CMDS.RPT(OMVSUSER)

Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(ERC) - Refer to this report if the Syslog daemon is started from /etc/rc.

Refer to the JCL procedure libraries defined to JES2.

Ensure that the Syslog daemon is properly defined and protected as stated below. If the following guidance is true, this is not a finding.

___ The Syslog daemon logonid is SYSLOGD.
___ The SYSLOGD logonid is defined with the STC attribute.
___ The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment.
___ If Syslog daemon is started from /etc/rc then ensure that the _BPX_JOBNAME and _BPX_USERID environment variables are assigned a value of SYSLOGD.

Fix Text (F-18685r6_fix)
The IAO working with the systems programmer responsible for supporting IBM Comm Server will ensure that Syslog daemon runs under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel. The Syslog daemon logonid is SYSLOGD. The SYSLOGD logonid is defined with the STC attribute. To set up and use as an MVS Started Proc, the following sample commands are provided: SET LID INSERT SYSLOGD NAME(SYSLOGD STC) GROUP(stctcpx) STC The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment. SET PROFILE(USER) DIVISION(OMVS) INSERT SYSLOGD UID(0) HOME(/) PROGRAM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P) If /etc/rc is used to start the Syslog daemon ensure that the _BPX_JOBNAME and _BPX_ USERID environment variables are assigned a value of SYSLOGD.

Fix Text (F-18685r6_fix)

The IAO working with the systems programmer responsible for supporting IBM Comm Server will ensure that Syslog daemon runs under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel.

The Syslog daemon logonid is SYSLOGD.
The SYSLOGD logonid is defined with the STC attribute.

To set up and use as an MVS Started Proc, the following sample commands are provided:

SET LID
INSERT SYSLOGD NAME(SYSLOGD STC) GROUP(stctcpx) STC

The SYSLOGD userid has UID(0), HOME(‘/’), and PROGRAM(‘/bin/sh’) specified in the OMVS segment.

SET PROFILE(USER) DIVISION(OMVS)
INSERT SYSLOGD UID(0) HOME(/) PROGRAM(/bin/sh)

F ACF2,REBUILD(USR),CLASS(P)

If /etc/rc is used to start the Syslog daemon ensure that the _BPX_JOBNAME and _BPX_ USERID environment variables are assigned a value of SYSLOGD.