z/OS UNIX HFS MapName files security parameters are not properly specified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6946	ZUSS0013	SV-7247r2_rule	DCCS-1 DCCS-2	Medium

Description
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-22296r1_chk )
a) Review the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry: FILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD) If the above entry is not found or is commented out in the BPXPRMxx member(s), this is NOT APPLICABLE. b) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(EAUTOM) NOTE: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is NOT APPLICABLE. NOTE: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default. c) If each MapName file specifies the “setuid No” and “security Yes” statements for each automounted directory, there is NO FINDING. d) If there is any deviation from the required values, this is a FINDING.

Check Text ( C-22296r1_chk )

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry:

FILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD)

If the above entry is not found or is commented out in the BPXPRMxx member(s), this is NOT APPLICABLE.

b) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(EAUTOM)

NOTE: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is NOT APPLICABLE.

NOTE: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default.

c) If each MapName file specifies the “setuid No” and “security Yes” statements for each automounted directory, there is NO FINDING.

d) If there is any deviation from the required values, this is a FINDING.

Fix Text (F-18944r1_fix)
Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and ensure that the values conform to the specifications below. The /etc/auto.master HFS file (and the use of Automount) is optional. The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default. Each MapName file will specify the “setuid NO” and “security YES statements for each automounted directory If there is a deviation from the required values, documentation must exist for the deviation. Security NO disables security checking for file access. Security NO is only allowed on test and development domains. Setuid YES allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of setuid YES.

Fix Text (F-18944r1_fix)

Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and ensure that the values conform to the specifications below.

The /etc/auto.master HFS file (and the use of Automount) is optional.
The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default.

Each MapName file will specify the “setuid NO” and “security YES statements for each automounted directory

If there is a deviation from the required values, documentation must exist for the deviation.

Security NO disables security checking for file access. Security NO is only allowed on test and development domains.

Setuid YES allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of setuid YES.