
z/OS UNIX security parameters in etc/profile are not properly specified.


Overview

Finding ID: V-6961
Version: ZUSS0015
Rule ID: SV-7262r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium
Description
Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.
STIG: z/OS TSS STIG
STIG Date: 2017-06-26

Details

Check Text ( C-3867r1_chk )
a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(EPROF)

b) If the final or only instance of the UMASK command in /etc/profile is specified as “umask 077”, there is NO FINDING.

c) If the LOGNAME variable is marked read-only (i.e., “readonly LOGNAME”) in /etc/profile, there is NO FINDING.

d) If either (b) or (c) above is untrue, this is a FINDING.
Fix Text (F-18946r1_fix)
Verify that the UMASK command is executed with a value of 077 and that the LOGNAME variable is marked read-only in the /etc/profile file. Any exceptions must be documented with the IAO.

The /etc/profile file is the system-wide profile that is executed for each user's shell invocation. It provides a default environment for users by setting environment variables and executing commands. Although many variables and commands can be included, those with notable security considerations are the STEPLIB variable and the UMASK command.

The STEPLIB variable should be assigned a value of none (STEPLIB=none) in /etc/profile unless a specific requirement for another value exists. The use of STEPLIB must be coordinated with the SYS1.PARMLIB(BPXPRMxx) STEPLIBLIST control, the /etc/steplib file, and the use of RTLS.

The umask command must be executed in /etc/profile with a value of 077. This sets the file-creation permission-code mask so that the file creator keeps full permissions while group members and other users receive none. Because a later umask in the same file overrides an earlier one, it is the final (or only) instance that determines the effective mask, which is why the check looks at the last one. Exceptions may occur during software installation when the installation process demands a more permissive value, during database access by users, and during administrative actions. All such requirements will be justified and documented with the IAO.
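The check steps (b) through (d) above and the umask discussion can both be exercised with a small script. The following is an added example, not part of the STIG or of any DISA tooling: a POSIX sh script that reads an /etc/profile (or the text of the USSCMDS.RPT(EPROF) report saved to a file) statically, finds the last umask instance and the readonly LOGNAME marking, and then demonstrates what umask 077 versus 022 does to a newly created file. The sample profile fragments are constructed for the example, and the script assumes a POSIX shell with sed, awk, tr, mktemp and ls (it was written for a Linux shell, not tested on z/OS).

```shell
#!/bin/sh
# Static check of an /etc/profile against ZUSS0015 items (b) and (c).
# Constructed example, not a DISA tool. Assumption: the file is read as
# plain text in file order, so a umask inside an if-block still counts as
# an instance; such cases need a manual read, as with the EPROF report.

# Drop comments and split ';'-joined commands so each command is one line.
normalise() {
    sed 's/#.*//' "$1" | tr ';' '\n'
}

# (b) The final or only umask instance must be exactly "umask 077".
last_umask() {
    normalise "$1" | awk '$1 == "umask" { v = $2 } END { print v }'
}

# (c) LOGNAME must be marked read-only: "readonly LOGNAME" or "readonly LOGNAME=...".
logname_readonly() {
    normalise "$1" | awk '
        $1 == "readonly" { for (i = 2; i <= NF; i++)
                               if ($i == "LOGNAME" || $i ~ /^LOGNAME=/) found = 1 }
        END { exit !found }'
}

# (d) Returns 0 for NO FINDING, 1 for FINDING, printing the reason(s).
check_profile() {
    rc=0
    u=$(last_umask "$1")
    if [ "$u" != "077" ]; then
        echo "FINDING: final umask is '${u:-unset}', expected 077"
        rc=1
    fi
    if ! logname_readonly "$1"; then
        echo "FINDING: LOGNAME is not marked readonly"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "NO FINDING"
    return $rc
}

# Permission string of a file actually created under the given umask
# (a non-executable file starts at 0666, masked by the umask).
mode_under_umask() {
    d=$(mktemp -d)
    (umask "$1"; : > "$d/f")
    ls -l "$d/f" | cut -c1-10
    rm -rf "$d"
}

# Constructed sample profiles (not from the STIG), written to temp files.
GOOD=$(mktemp) BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# compliant: STEPLIB disabled, LOGNAME locked, final umask is 077
STEPLIB=none; export STEPLIB
readonly LOGNAME
umask 022        # vendor default, overridden below
umask 077
EOF
cat > "$BAD" <<'EOF'
# non-compliant: LOGNAME left writable, and a later permissive umask wins
STEPLIB=none; export STEPLIB
umask 077
umask 022
EOF

check_profile "$GOOD"   # NO FINDING
check_profile "$BAD"    # FINDING: final umask is '022' ... and LOGNAME not readonly
echo "umask 077 -> $(mode_under_umask 077)"   # -rw-------
echo "umask 022 -> $(mode_under_umask 022)"   # -rw-r--r--
```

Note that the last umask wins even though an earlier line set 077, which is exactly the failure mode the check text guards against by looking only at the final instance; a vendor or installation profile that appends a permissive umask after the hardened one silently reopens group and world read access on every file users create.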