Title

The GSO UNIXOPTS record must not specify default settings for classified systems. (Cat II impact)

Discussion

Default profile settings allow a user to access UNIX System Services (OMVS) if a user does not have a valid OMVS group in the logonid record. Settings in the ACP impact the security level of z/OS UNIX. In classified systems user access will not be determined by default.

Check Content

If this is an Unclassified system this is not applicable. From ACF2 Command Line enter: Set CONTROL(GSO) Show UNIXOPTS Alternately: Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) - Classification of System Automated Analysis: Refer to the following report produced by the ACF2 Data Collection: - PDI(ZUSSA050) If system is classified the UNIXOPTS record specifies DFTGROUP(); DFTUSER(); NOUNIQUSER AND MODLUSER(), there is no finding.

Fix Text

Ensure that UNIXOPTS record does not specify DFTGROUP and DFTUSER fields for classified systems. Ensure that then UNIXOPTS record specifies NOUNIQUSER and no MODLUSER If system is classified the UNIXOPTS record must specify DFTGROUP(); DFTUSER() and MODLUSER(). NOUNIQUEUSER must be specified. Example: SET C(GSO) LIST UNIXOPTS CHOWNRES DFTGROUP() DFTUSER() NODIRACC NODIRSRCH NOFSOBJ NOFSSEC NOGOSETGID NOHFSACL NOHFSSEC NOIPCOBJ NGROUPS(300) NOPROCACT NOPROCESS MODLUSER() NOUNIQUSER

Additional Identifiers

Rule ID: SV-7296r3_rule

Vulnerability ID: V-6993

Group Title: ZUSSA050

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.