UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6979 ZUSS0035 SV-7282r3_rule DCCS-1 DCCS-2 DCSL-1 ECCD-1 ECCD-2 Medium
Description
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
STIG Date
z/OS TSS STIG 2019-09-27

Details

Check Text ( C-3928r3_chk )
Refer to the following reports produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(SFPERM)
- USSCMDS.RPT(EAUTOM)

Refer to the following report produced by the IBM Communications Server Data Collection:

- PDI(ZUSS0035)

The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum. If the guidance is true, this is not a finding.

NOTE:
Some of the files listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum are not used in every configuration. Absence of any of the files is not considered a finding.

NOTE: The names of the MapName files are site-defined. Refer to the listing in the EAUTOM report.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing
Fix Text (F-6741r2_fix)
The IAO with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on the HFS files listed in the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum.

There are a number of files that must be secured to protect system functions in z/OS UNIX. Where not otherwise specified, these files must receive a permission setting of 744 or 774. The 774 setting may be used at the site’s discretion to help to reduce the need for assignment of superuser privileges. The table identifies permission bit and audit bit settings that are required for these specific files. More restrictive permission settings may be used at the site’s discretion or as specific environments dictate.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:

chmod 1755 /bin/sh
chaudit w=sf,rx+f /bin/sh
chmod 0740 /dev/console
chaudit rwx=f /dev/console