UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3899 ZWAS0030 SV-7265r2_rule DCCS-1 DCCS-2 ECCD-1 ECCD-2 Medium
Description
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.
STIG Date
z/OS RACF STIG 2016-01-04

Details

Check Text ( C-3261r1_chk )
a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(CBIND)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

b) Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

b) If any item in (b) is untrue, this is a FINDING.
Fix Text (F-18794r1_fix)
There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can
use components in a server; again these definitions are mandatory.

Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

The following command provide sample definitions and permissions for this CBIND resource:

SETR CLASSACT(CBIND)
SETR GENERIC(CBIND)
SETR RACL(CBIND)

RDEFINE CBIND cb.bind. UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030')

Permit cb.bind. CLASS(CBIND) ID() ACCESS(CONTROL)

Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.