
z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.


Overview

Finding ID: V-6981
Version: ZUSS0036
Rule ID: SV-7284r2_rule
IA Controls: DCCS-1, DCCS-2, DCSL-1, ECCD-1, ECCD-2
Severity: Medium
Description
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text ( C-3929r1_chk )
a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(OWDIR)

b) If there are no directories that have the other write permission bit set on without the sticky bit set on, there is NO FINDING.

NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”.

c) If all directories that have the other write permission bit set on do not contain any files with the setuid bit set on, there is NO FINDING.

NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”.

d) If all directories that have the other write permission bit set on do not contain any files with the setgid bit set on, there is NO FINDING.

NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.

e) If (b), (c), or (d) above is untrue, this is a FINDING.
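The following is an added example, not part of the STIG or of the UNIX System Services Data Collection tooling. It decodes symbolic permission strings exactly as the NOTES above describe them (sticky bit as "t"/"T" in the other execute position, setuid/setgid as "s"/"S" in the owner/group execute positions) and applies checks (b), (c) and (d) to a constructed listing of the kind the OWDIR report would contain. The listing format ("MODE PATH" per line), the sample paths and the assumption that "contain" means direct children of the other-writable directory are this example's own assumptions; the real report layout is not given on the page.

```python
# Added example (not part of the STIG or its data collection tooling):
# evaluates ZUSS0036 checks (b), (c) and (d) over a constructed
# symbolic-permission listing in a hypothetical "MODE PATH" format.
import posixpath


def parse_mode(mode):
    """Decode a 10-character symbolic mode string such as 'drwxrwxrwt'.

    Positions: [0] type, [1-3] owner rwx, [4-6] group rwx, [7-9] other rwx.
    setuid/setgid show as 's'/'S' in the owner/group execute position,
    the sticky bit as 't'/'T' in the other execute position (uppercase
    means the underlying execute bit is off, but the special bit is set).
    """
    if len(mode) != 10:
        raise ValueError(f"unexpected mode string: {mode!r}")
    return {
        "is_dir": mode[0] == "d",
        "other_write": mode[8] == "w",
        "sticky": mode[9] in "tT",
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
    }


def evaluate(listing):
    """Apply checks (b), (c), (d) to a list of (mode, path) tuples.

    Returns a list of finding strings; an empty list means NO FINDING.
    Assumption: a file "contained" in a directory is a direct child.
    """
    findings = []
    decoded = [(mode, path, parse_mode(mode)) for mode, path in listing]

    # Directories that have the 'other' write bit set.
    ow_dirs = {path for _, path, m in decoded if m["is_dir"] and m["other_write"]}

    # (b) other-writable directory without the sticky bit
    for mode, path, m in decoded:
        if m["is_dir"] and m["other_write"] and not m["sticky"]:
            findings.append(f"(b) {path}: other-writable directory without sticky bit ({mode})")

    # (c)/(d) setuid or setgid files inside an other-writable directory
    for mode, path, m in decoded:
        if m["is_dir"]:
            continue
        parent = posixpath.dirname(path)
        if parent not in ow_dirs:
            continue
        if m["setuid"]:
            findings.append(f"(c) {path}: setuid file in other-writable directory {parent} ({mode})")
        if m["setgid"]:
            findings.append(f"(d) {path}: setgid file in other-writable directory {parent} ({mode})")
    return findings


def parse_listing(text):
    """Parse lines of 'MODE PATH' (constructed report format) into tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mode, path = line.split(None, 1)
        entries.append((mode, path))
    return entries


# Constructed sample listing; paths and modes are not from a real system.
SAMPLE_LISTING = parse_listing("""
drwxrwxrwt /tmp
drwxrwxrwx /u/shared
-rwsr-xr-x /u/shared/setuidtool
-rwxrwsrwx /u/shared/setgidtool
-rw-r--r-- /u/shared/notes.txt
drwxr-xr-x /u/private
-rwsr-xr-x /u/private/ok
""")
# Expected: /tmp passes (b) because the sticky bit is set; /u/shared fails (b);
# setuidtool fails (c) and setgidtool fails (d); /u/private is out of scope
# because its other write bit is off, so its setuid file is not a finding.

if __name__ == "__main__":
    result = evaluate(SAMPLE_LISTING)
    for finding in result:
        print(finding)
    print("FINDING" if result else "NO FINDING")
```

Run against the constructed listing the script reports three findings and prints FINDING; an empty findings list corresponds to the NO FINDING outcomes in (b), (c) and (d).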
Fix Text (F-18958r1_fix)
The systems programmer will verify the following:

b) There are no directories that have the other write permission bit set on without the sticky bit set on.

NOTE: In the symbolic permission bit display, the sticky bit is indicated as a “t” or “T” in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be “drwxrwxrwt”.

c) All directories that have the other write permission bit set on do not contain any files with the setuid bit set on.

NOTE: In the symbolic permission bit display, the setuid bit is indicated as an “s” or “S” in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be “-rwsrwxrwx”.

d) All directories that have the other write permission bit set on do not contain any files with the setgid bit set on.

NOTE: In the symbolic permission bit display, the setgid bit is indicated as an “s” or “S” in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be “-rwxrwsrwx”.