
Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.


Overview

Finding ID: V-7050
Version: ZUSS0048
Rule ID: SV-7941r3_rule
IA Controls: (none listed)
Severity: Medium
Description
Top Secret ACIDs that use z/OS UNIX facilities must be properly defined. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
STIG: z/OS TSS STIG
Date: 2016-12-21

Details

Check Text (C-5462r2_chk)
Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(STATUS)
- TSSCMDS.RPT(OMVSUSER)

NOTE: This check applies to any user identifier (ACID) used to model OMVS access on the mainframe. This includes the ACIDs named by OMVSUSR, MODLUSER, and BPX.UNIQUE.USER. If MODLUSER is specified, then UNIQUSER must also be specified.


If the user identifier (ACID) used to model the OMVS user account is defined as follows, there is NO FINDING:

A unique UID number (except for UID(0) users)
A non-writable HOME directory
Shell program specified as "/bin/echo" or "/bin/false"

NOTE: The shell program must have one of the specified values. The HOME directory must have an explicit value (i.e., it must not be allowed to default).
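One way to turn the three conditions above into a repeatable check over the collected report, as an added example that is not part of the STIG or of the TSS Data Collection. It assumes a constructed report layout (one block per ACID with ACCESSORID, UID, HOME and OMVSPGM lines, in the style of TSS LIST output; the real TSSCMDS.RPT(OMVSUSER) member may differ), constructed ACID names (OMVSDFLT, BPXMODEL, JSMITH), and a hand-collected table of HOME directory modes, because directory permissions are not in the report.

```python
"""ZUSS0048 check over a TSS OMVS user report.

Added example, not part of the STIG or of the TSS Data Collection. The report
layout is a constructed approximation of TSS LIST output (fields UID, HOME and
OMVSPGM); adapt parse_omvs_report() to the real TSSCMDS.RPT(OMVSUSER) member.
"""
import re
from collections import Counter

# Shell programs the check accepts for a modeling ACID.
ALLOWED_SHELLS = {"/bin/echo", "/bin/false"}

# Constructed sample report. The ACID names are made up; on a real system they
# come from the OMVSUSR / MODLUSER control options shown in TSSCMDS.RPT(STATUS).
SAMPLE_REPORT = """\
ACCESSORID = OMVSDFLT  NAME     = OMVS DEFAULT USER
UID        = 0000999999
HOME       = /
OMVSPGM    = /bin/false

ACCESSORID = BPXMODEL  NAME     = BPX.UNIQUE.USER MODEL
UID        = 0000999999
HOME       = /tmp
OMVSPGM    = /bin/sh

ACCESSORID = JSMITH    NAME     = JOHN SMITH
UID        = 0000001234
HOME       = /u/jsmith
OMVSPGM    = /bin/sh
"""

# Constructed: octal modes of each HOME directory, as an auditor would record
# them from `ls -ld` on the z/OS UNIX host. "Non-writable" is read here as
# no group or other write bit (the model ACID is not root, so owner bits on
# a root-owned "/" do not matter).
SAMPLE_DIR_MODES = {"/": 0o755, "/tmp": 0o1777, "/u/jsmith": 0o700}

FIELD_RE = re.compile(r"\b(ACCESSORID|UID|HOME|OMVSPGM)\s*=\s*(\S+)")


def parse_omvs_report(text):
    """Return {acid: {"UID": int or None, "HOME": str or None, "OMVSPGM": str or None}}.

    ACID blocks are separated by a blank line. A field missing from a block is
    recorded as None, which the checker treats as "allowed to default".
    """
    acids = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        acid = fields.get("ACCESSORID")
        if not acid:
            continue
        uid = fields.get("UID")
        acids[acid] = {
            "UID": int(uid) if uid is not None else None,
            "HOME": fields.get("HOME"),
            "OMVSPGM": fields.get("OMVSPGM"),
        }
    return acids


def check_model_acids(report_text, model_acids, dir_modes):
    """Apply the check to each modeling ACID; return {acid: [finding, ...]}.

    An empty list means NO FINDING for that ACID.
    """
    acids = parse_omvs_report(report_text)
    # Uniqueness is judged against every ACID in the report. UID(0) is exempt
    # from the uniqueness test (check text) but is still a finding on a model
    # ACID (fix text), so it is reported separately below.
    uid_counts = Counter(a["UID"] for a in acids.values() if a["UID"] not in (None, 0))
    results = {}
    for acid in model_acids:
        attrs = acids.get(acid)
        if attrs is None:
            results[acid] = ["ACID not present in report"]
            continue
        findings = []
        uid, home, shell = attrs["UID"], attrs["HOME"], attrs["OMVSPGM"]
        if uid is None:
            findings.append("UID allowed to default")
        elif uid == 0:
            findings.append("UID(0) not permitted for a model ACID")
        elif uid_counts[uid] > 1:
            findings.append(f"UID {uid} shared with another ACID")
        if home is None:
            findings.append("HOME allowed to default")
        elif home not in dir_modes:
            findings.append(f"HOME {home} permissions not collected")
        elif dir_modes[home] & 0o022:
            findings.append(f"HOME {home} is group- or world-writable")
        if shell not in ALLOWED_SHELLS:
            findings.append(f"OMVSPGM {shell} not in {sorted(ALLOWED_SHELLS)}")
        results[acid] = findings
    return results


if __name__ == "__main__":
    for acid, findings in check_model_acids(
        SAMPLE_REPORT, ["OMVSDFLT", "BPXMODEL"], SAMPLE_DIR_MODES
    ).items():
        print(acid, "NO FINDING" if not findings else "; ".join(findings))
```

On the constructed input, OMVSDFLT fails only because it shares its UID with BPXMODEL, while BPXMODEL fails all three conditions (shared UID, world-writable /tmp, interactive /bin/sh); a non-model ACID such as JSMITH is only consulted for the uniqueness count. The mode table is the part most likely to need local adjustment: if the site reads "non-writable" more strictly (no write bit at all), change the mask from 0o022 to 0o222.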
Fix Text (F-75871r1_fix)
Use of the OMVS default UID will not be allowed on any classified system.

Define the user identifier (ACID) used to model the OMVS user account with a non-0 UID, a non-writable home directory such as the root directory "/", and a shell program that is an existing binary but does not provide an interactive shell: "/bin/false" or "/bin/echo".