z/OS UNIX security parameters in etc/profile are not properly specified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6961	ZUSS0015	SV-7262r2_rule	DCCS-1 DCCS-2	Medium

Description
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-3867r1_chk )
a) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(EPROF) b) If the final or only instance of the UMASK command in /etc/profile is specified as “umask 077”, there is NO FINDING. c) If the LOGNAME variable is marked read-only (i.e., “readonly LOGNAME”) in /etc/profile, there is NO FINDING. d) If (b) or(c) above is untrue, this is a FINDING.

Check Text ( C-3867r1_chk )

a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(EPROF)

b) If the final or only instance of the UMASK command in /etc/profile is specified as “umask 077”, there is NO FINDING.

c) If the LOGNAME variable is marked read-only (i.e., “readonly LOGNAME”) in /etc/profile, there is NO FINDING.

d) If (b) or(c) above is untrue, this is a FINDING.

Fix Text (F-18946r1_fix)
Verify that the UMASK command is executed with a value of 077 and the LOGNAME variable is marked read-only for the /etc/profile file, exceptions are documented with the IAO. The /etc/profile file is the system-wide profile that is executed for each user’s shell invocation. It provides a default environment for users. It sets environment variables and executes commands. Although there are several variables and commands that can be included, those with notable security considerations are the STEPLIB variable and the UMASK command. The STEPLIB variable should be assigned a value of none in /etc/profile unless a specific requirement for another value exists. The use of STEPLIB must be coordinated with the SYS1.PARMLIB(BPXPRMxx) STEPLIBLIST control, the /etc/steplib file, and the use of RTLS. The umask command must be executed in /etc/profile with a value of 077. This sets the file-creation permission-code mask so that a file creator has full permissions, group members have no permission, and other users have no permission. Exceptions to this may occur during software installation when the installation process demands a more permissive value, during database access by users, and during administrative actions. All requirements will be justified and documented with the IAO.

Fix Text (F-18946r1_fix)

Verify that the UMASK command is executed with a value of 077 and the LOGNAME variable is marked read-only for the /etc/profile file, exceptions are documented with the IAO.

The /etc/profile file is the system-wide profile that is executed for each user’s shell invocation. It provides a default environment for users. It sets environment variables and executes commands. Although there are several variables and commands that can be included, those with notable security considerations are the STEPLIB variable and the UMASK command. The STEPLIB variable should be assigned a value of none in /etc/profile unless a specific requirement for another value exists. The use of STEPLIB must be coordinated with the SYS1.PARMLIB(BPXPRMxx) STEPLIBLIST control, the /etc/steplib file, and the use of RTLS. The umask command must be executed in /etc/profile with a value of 077. This sets the file-creation permission-code mask so that a file creator has full permissions, group members have no permission, and other users have no permission. Exceptions to this may occur during software installation when the installation process demands a more permissive value, during database access by users, and during administrative actions. All requirements will be justified and documented with the IAO.