The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3899	ZWAS0030	SV-7265r3_rule		Medium

Description
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.

STIG	Date
zOS Websphere Application Server for RACF STIG	2020-01-23

Details

Check Text ( C-3261r1_chk )
a) Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(CBIND) - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes b) Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). c) If all items in (b) are true, there is NO FINDING. b) If any item in (b) is untrue, this is a FINDING.

Check Text ( C-3261r1_chk )

a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(CBIND)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

b) Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

b) If any item in (b) is untrue, this is a FINDING.

Fix Text (F-18794r1_fix)
There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can use components in a server; again these definitions are mandatory. Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). The following command provide sample definitions and permissions for this CBIND resource: SETR CLASSACT(CBIND) SETR GENERIC(CBIND) SETR RACL(CBIND) RDEFINE CBIND cb.bind. UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030') Permit cb.bind. CLASS(CBIND) ID() ACCESS(CONTROL) Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.

Fix Text (F-18794r1_fix)

There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can
use components in a server; again these definitions are mandatory.

Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

The following command provide sample definitions and permissions for this CBIND resource:

SETR CLASSACT(CBIND)
SETR GENERIC(CBIND)
SETR RACL(CBIND)

RDEFINE CBIND cb.bind. UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030')

Permit cb.bind. CLASS(CBIND) ID() ACCESS(CONTROL)

Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.