Attributes of z/OS UNIX user accounts are not defined in accordance with security requirements.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-7050 | ZUSS0048 | SV-7941r2_rule | DCCS-1 DCCS-2 | Medium |
| Description |
|---|
| Top Secret ACIDs that use z/OS UNIX facilities must be properly defined. If these attributes are not correctly defined, data access or command privilege controls could be compromised. |
| STIG | Date |
|---|---|
| z/OS TSS STIG | 2015-06-24 |
Details
| Check Text ( C-5462r1_chk ) |
|---|
| a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(STATUS) - TSSCMDS.RPT(OMVSUSER) NOTE: This check only applies to the OMVS default user. If the OMVS default user is not defined in the STATUS report, this is NOT APPLICABLE. b) If OMVS default user account is defined as follows, there is NO FINDING: 1) A unique UID number (except for UID(0) users) 2) A non-writable HOME directory 3) Shell program specified as “/bin/echo”, or “/bin/false” NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default). c) If the user account is not defined as specified in (b) above, this is a FINDING. |
| Fix Text (F-18833r1_fix) |
|---|
| Use of the OMVS default UID will not be allowed on any classified system. - The definition of the OMVS default user will be restricted to a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.” - Collection of SMF type 80 records to track user access to OMVS default UID. |