From z/OS ACF2 STIG
Part of ZUSS0034
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
Associated with: CCI-000213 CCI-001499 CCI-002234
For the z/OS UNIX environment, there are MVS data sets that contain operating system components, MVS data sets that contain HFS file systems with operating system components, and MVS data sets that contain HFS file systems with application system and user data. All of these MVS data sets require definitions in the ACP to enforce desired access controls. In addition, the UNIX permission bits must be properly set on the HFS directories and files to enforce desired access controls.
Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(SDPERM) Refer to the following report produced by the IBM Communications Server Data Collection: - PDI(ZUSS0034) The HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the SYSTEM DIRECTORY SECURITY SETTINGS Table in the z/OS STIG Addendum. If the guidance is true, this is not a finding. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing
The IAO with the assistance of a systems programmer with UID(0) and/or SUPERUSER access, will review the UNIX permission bits and user audit bits on each of the HFS directory in the table in the z/OS STIG Addendum under the SYSTEM DIRECTORY SECURITY SETTINGS, are equal or more restrictive. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits: chmod 0755 / chaudit w=sf,rx+f / chmod 0755 /bin chaudit rwx=f /bin
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer