An error occurred:

Check: ZUSS0034

zOS RACF STIG: ZUSS0034 (in versions v6 r43 through v6 r30)

Title

z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified. (Cat II impact)

Discussion

For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.

Check Content

Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(SDPERM) Refer to the following report produced by the IBM Communications Server Data Collection: - PDI(ZUSS0034) The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM DIRECTORY SECURITY SETTINGS Table in the z/OS STIG Addendum. If the guidance is true, this is not a finding. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix Text

The IAO with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on each of the HFS directory in the table in the z/OS STIG Addendum under the SYSTEM DIRECTORY SECURITY SETTINGS, are equal or more restrictive. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 0755 / chaudit w=sf,rx+f / chmod 0755 /bin chaudit rwx=f /bin

Additional Identifiers

Rule ID: SV-7281r3_rule

Vulnerability ID: V-6978

Group Title: ZUSS0034

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-001499

The organization limits privileges to change software resident within software libraries.
CCI-002234

The information system audits the execution of privileged functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement
AC-6 (9)

Auditing Use Of Privileged Functions
CM-5 (6)

Limit Library Privileges