UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-7050 ZUSS0048 SV-7941r4_rule Medium
Description
Top Secret ACIDs that use z/OS UNIX facilities must be properly defined. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
STIG Date
z/OS TSS STIG 2017-06-26

Details

Check Text ( C-5462r3_chk )
If this is a classified system this is not applicable.

From a command line issue the following command:

Note: One must have appropriate access to perform this command (have the site security officer to issue command)

TSS MODIFY STATUS

Examine the following option:
UNIQUSER

Alternately:
Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(STATUS)
- TSSCMDS.RPT(OMVSUSER)

NOTE: This check applies to any user identifier (ACID) used to model OMVS access on the mainframe. This includes OMVSUSR; MODLUSER and BPX.UNIQUE.USER. If MODLUSER is specified then UNIQUSER must be specified as ON.

If user identifier (ACID) used to model OMVS user account is defined as follows, there is no finding.

A unique UID number (except for UID(0) users)
A non-writable HOME directory
Shell program specified as “/bin/echo”, or “/bin/false”

NOTE: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).
Fix Text (F-75871r2_fix)
Use of the OMVS default UID will not be allowed on any classified system.

Define the user identifier (ACID) used to model OMVS user account with a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.”