
TSS OMVS UNIX security parameters are improperly specified.


Overview

Finding ID: V-7000
Version: ZUSST050
Rule ID: SV-7303r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium

Description
Control-option settings in TSS (here, OMVSUSR and OMVSGRP) affect the security level of z/OS UNIX.

STIG Date
z/OS TSS STIG, 2017-03-22

Details

Check Text ( C-3701r1_chk )
a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(STATUS)
- System Classification

Automated Analysis requiring Additional Analysis
Refer to the following report produced by the TSS Data Collection:

- PDI(ZUSST050)

b) If the system is classified, or does not use the FTP socket application, and the OMVSUSR and OMVSGRP control options have no value (i.e., OMVSUSR() and OMVSGRP(), or OMVSUSR(*NONE*) and OMVSGRP(*NONE*)), there is NO FINDING.

c) If the system is not classified, runs the FTP socket application, and the OMVSUSR and OMVSGRP control options specify an ACID and a group ID respectively, there is NO FINDING.

d) If (b) or (c) above is untrue, this is a FINDING.
Fix Text (F-18835r1_fix)
The OMVSUSR and OMVSGRP control options are to be used only for FTP socket applications. When coding these options, ensure that the restrictions below are followed.

Users of non-shell z/OS UNIX services must be assigned a unique UID (UID numbers for unprivileged userids should be between 100 and 16,777,215).

At the discretion of the IAO, an exception to this rule is permitted for FTP socket applications, subject to the following restrictions:

- Use of the OMVS default UID is not allowed on any classified system.

- The definition of the OMVS default user is restricted to a non-zero UID, a home directory the user cannot write to (such as the root directory "/"), and an existing program that provides no interactive shell, such as "/bin/false" or "/bin/echo".

- Application of APAR PQ63326, which controls FTP access to UNIX files, is required.

- SMF type 80 records must be collected to track use of the OMVS default UID.
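The following Python script is an added example, not part of the STIG or of the TSS Data Collection, that encodes both the check steps (b) through (d) above and the fix-text restrictions on the OMVS default user so they can be applied repeatably to collected output. The STATUS fragments and the OMVS segment values are constructed; only the KEYWORD(value) shape of TSS control options is assumed, and the ACID/group names FTPDFLT and FTPGRP are hypothetical.

```python
import re

# Constructed sample fragments of a control-option listing (not real
# TSSCMDS.RPT(STATUS) output). Only the KEYWORD(value) shape is assumed.
STATUS_UNSET = "OMVSUSR(*NONE*)  OMVSGRP(*NONE*)"
STATUS_SET = "OMVSUSR(FTPDFLT)  OMVSGRP(FTPGRP)"      # hypothetical names

# Hypothetical OMVS segments of the default FTP user, as a reviewer would
# transcribe them from the ACID's OMVS data (values are constructed).
DEFAULT_USER_OK = {"uid": 9999, "home": "/", "program": "/bin/false"}
DEFAULT_USER_BAD = {"uid": 0, "home": "/u/ftpdflt", "program": "/bin/sh"}


def control_option(report, name):
    """Return the value inside NAME(...) in a control-option listing, or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", report)
    return m.group(1).strip() if m else None


def is_unset(value):
    """OMVSUSR()/OMVSGRP() (empty) and *NONE* both mean 'no default user/group'."""
    return value is None or value == "" or value.upper() == "*NONE*"


def check_zusst050(report, classified, ftp_socket_app):
    """Apply check steps (b)-(d) literally. Returns (verdict, step that decided it)."""
    usr = control_option(report, "OMVSUSR")
    grp = control_option(report, "OMVSGRP")
    both_unset = is_unset(usr) and is_unset(grp)
    both_set = not is_unset(usr) and not is_unset(grp)
    # (b): classified or no FTP socket application, and no default user/group
    if (classified or not ftp_socket_app) and both_unset:
        return "NO FINDING", "b"
    # (c): unclassified, FTP socket application in use, both options specified
    if not classified and ftp_socket_app and both_set:
        return "NO FINDING", "c"
    # (d): anything else, including one option set and the other empty
    return "FINDING", "d"


def default_user_problems(segment, classified):
    """Return the fix-text restrictions that the OMVS default user violates."""
    problems = []
    if classified:
        problems.append("OMVS default UID is not allowed on a classified system")
    if segment["uid"] == 0:
        problems.append("default user has UID 0")
    elif not 100 <= segment["uid"] <= 16_777_215:
        problems.append("UID is outside the unprivileged range 100-16777215")
    # "/" is the non-writable home the fix text names; any other directory
    # needs a manual permission check, so it is flagged for review.
    if segment["home"] != "/":
        problems.append(f"home {segment['home']} is not '/'; confirm it is not writable")
    if segment["program"] not in ("/bin/false", "/bin/echo"):
        problems.append(f"program {segment['program']} is not /bin/false or /bin/echo")
    return problems


if __name__ == "__main__":
    for report, classified, ftp in [(STATUS_UNSET, True, True),
                                    (STATUS_SET, False, True),
                                    (STATUS_UNSET, False, True)]:
        print(report, classified, ftp, "->", check_zusst050(report, classified, ftp))
    print(default_user_problems(DEFAULT_USER_OK, False))
    print(default_user_problems(DEFAULT_USER_BAD, True))
```

Note that the decision is deliberately literal: an unclassified system that runs the FTP socket application but leaves both options empty falls through to step (d) and is reported as a finding, and a listing with only one of the two options set is also a finding, because neither (b) nor (c) is satisfied.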