Title

Started tasks for the Base TCP/IP component must be defined in accordance with security requirements. (Cat II impact)

Discussion

The TCP/IP started tasks require special privileges and access to sensitive resources to provide its system services. Failure to properly define and control these TCP/IP started tasks could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

Check Content

a) Refer to the following reports produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) - DSMON.RPT(RACSPT) b) Ensure the following items are in effect for the userid(s) assigned to the TCP/IP address space(s): 1) Named TCPIP or, in the case of multiple instances, prefixed with TCPIP 2) Defined as a PROTECTED userid 3) z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh 4) A matching entry in the STARTED resource class exists enabling the use of the standard userid(s) and appropriate group c) Ensure the following items are in effect for the userid assigned to the EZAZSSI started task: 1) Named EZAZSSI 2) Defined as a PROTECTED userid 3) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group. d) If all of the items in (b) and (c) are true, there is NO FINDING. e) If any item in (b) or (c) is untrue, this is a FINDING.

Fix Text

Develop a plan of action to implement the required changes. 1) Define a userid for the TCPIP Address space. A sample command is shown here: ADDUSER TCPIP NAME('STC, TCPIP') NOPASS DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) 2) Define a matching entry in the STARTED Class. A sample command is shown here: RDEFINE STARTED TCPIP.** UACC(NONE) OWNER(ADMN) AUDIT(ALL(READ)) STDATA(USER(TCPIP) GROUP(STCTCPX) TRACE(YES)) 3) Set up the RACF userid for the EZAZSSI Proc. A sample command to accomplish this is shown here: AU EZAZSSI NAME('STC, EZAZSSI') NOPASS OWNER(STCTCPX) DFLTGRP(STCTCPX) 4) Define a matching entry in the STARTED class for the EZAZSSI proc. A sample command to accomplish this is shown here: RDEF STARTED EZAZSSI.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(EZAZSSI) GROUP(STCTCPX) TRACE(YES))

Additional Identifiers

Rule ID: SV-7087r3_rule

Vulnerability ID: V-3220

Group Title: ITCP0060

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.