Check: IUTN0020
zOS RACF STIG:
IUTN0020
(in versions v6 r43 through v6 r30)
Title
Startup parameters for the z/OS UNIX Telnet Server are not specified properly. (Cat II impact)
Discussion
The z/OS UNIX Telnet Server (i.e., otelnetd) provides interactive access to the z/OS UNIX shell. During the initialization process, startup parameters are read to define the characteristics of each otelnetd instance. Some of these parameters have an impact on system security. Failure to specify the appropriate command options could result in degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Check Content
a) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(EINETD) b) Ensure the following items are in effect for the otelnetd startup command: 1) Option -D login is included on the otelnetd command. 2) Option -c 900 is included on the otelnetd command. NOTE: 900 indicates a session timeout value of 15 minutes and is currently the maximum value allowed. 3) Option -h is not included on the otelnetd command. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
Fix Text
Review the startup parameters in the inetd.conf file for otelnetd and ensure they conform to the specifications below. The otelnetd startup command includes the options -D login and -c 900, where: -D login indicates that messages should be written to the syslogd facility for login and logout activity -c 900 indicates that the Telnet session should be terminated after 15 minutes of inactivity. NOTE: The 900 is the maximum value; any value between 1 and 900 is acceptable. The otelnetd startup command should not include the option -h, where: -h indicates that the logon banner should not be displayed.
Additional Identifiers
Rule ID: SV-3230r2_rule
Vulnerability ID: V-3230
Group Title: IUTN0020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
SC-10 |
Network Disconnect |