Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3899 | ZWAS0030 | SV-7265r2_rule | DCCS-1 DCCS-2 ECCD-1 ECCD-2 | Medium |
Description |
---|
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data. |
STIG | Date |
---|---|
z/OS RACF STIG | 2016-01-04 |
Check Text ( C-3261r1_chk ) |
---|
a) Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(CBIND) - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes b) Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). c) If all items in (b) are true, there is NO FINDING. b) If any item in (b) is untrue, this is a FINDING. |
Fix Text (F-18794r1_fix) |
---|
There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can use components in a server; again these definitions are mandatory. Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). The following command provide sample definitions and permissions for this CBIND resource: SETR CLASSACT(CBIND) SETR GENERIC(CBIND) SETR RACL(CBIND) RDEFINE CBIND cb.bind. Permit cb.bind. Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids. |