TSS OMVS UNIX security parameters are improperly specified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7000	ZUSST050	SV-7303r2_rule	DCCS-1 DCCS-2	Medium

Description
Parameter settings in the TSS impact the security level of z/OS UNIX.

STIG	Date
z/OS TSS STIG	2016-12-21

Details

Check Text ( C-3701r1_chk )
a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(STATUS) - System Classification Automated Analysis requiring Additional Analysis Refer to the following report produced by the TSS Data Collection: - PDI(ZUSST050) b) If system is classified or does not use the FTP socket application the OMVSUSR and OMVSGRP control option has no value (i.e., OMVSUSR(),OMVSGRP() or OMVSUSR(NONE), OMVSGRP(NONE)), there is NO FINDING. c) If the system is a non classified system, running the FTP socket application and OMVSUSR and OMVSGRP control options specify an ACID and GROUP id, there is NO FINDING. d) If (b) or (c) above is untrue, this is a FINDING.

Check Text ( C-3701r1_chk )

a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(STATUS)
- System Classification

Automated Analysis requiring Additional Analysis
Refer to the following report produced by the TSS Data Collection:

- PDI(ZUSST050)

b) If system is classified or does not use the FTP socket application the OMVSUSR and OMVSGRP control option has no value (i.e., OMVSUSR(),OMVSGRP() or OMVSUSR(*NONE*), OMVSGRP(*NONE*)), there is NO FINDING.

c) If the system is a non classified system, running the FTP socket application and OMVSUSR and OMVSGRP control options specify an ACID and GROUP id, there is NO FINDING.

d) If (b) or (c) above is untrue, this is a FINDING.

Fix Text (F-18835r1_fix)
The OMVSUSR and OMVSGRP control options will only be used for FTP socket applications. When coding these options be sure that the restrictions specified below are followed. Users of non-shell z/OS UNIX services, must be assigned a unique UID (UID numbers for unprivileged userids should be between 100 and 16,777,215). At the discretion of the IAO, an exception to this rule is the use of FTP socket applications with the following restrictions. - Use of the OMVS default UID will not be allowed on any classified system. - The definition of the OMVS default user will be restricted to a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.” - Application of the APAR PQ63326 to control FTP access to UNIX files is required. - Collection of SMF type 80 records to track user access to OMVS default UID.

Fix Text (F-18835r1_fix)

The OMVSUSR and OMVSGRP control options will only be used for FTP socket applications. When coding these options be sure that the restrictions specified below are followed.

Users of non-shell z/OS UNIX services, must be assigned a unique UID (UID numbers for unprivileged userids should be between 100 and 16,777,215).

At the discretion of the IAO, an exception to this rule is the use of FTP socket applications with the following restrictions.

- Use of the OMVS default UID will not be allowed on any classified system.

- The definition of the OMVS default user will be restricted to a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.”

- Application of the APAR PQ63326 to control FTP access to UNIX files is required.

- Collection of SMF type 80 records to track user access to OMVS default UID.