z/OS UNIX BPXPRMxx security parameters in PARMLIB are not properly specified.

From z/OS ACF2 STIG

Part of ZUSS0012

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000366

SV-7246r2_rule z/OS UNIX BPXPRMxx security parameters in PARMLIB are not properly specified.

Vulnerability discussion

Parameter settings in PARMLIB and /etc specify values for z/OS UNIX security controls. The parameters impact HFS data access and operating system services. Undesirable values can allow users to gain inappropriate privileges that could impact data integrity or the availability of some system services.

Check content

a) Review the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following UNIX Parameter Keywords and Values:

Parameter Keyword    Value
SUPERUSER            BPXROOT
TTYGROUP             TTY
STEPLIBLIST          /etc/steplib
USERIDALIASTABLE     Will not be specified.
ROOT                 SETUID will be specified
MOUNT                NOSETUID
                     SETUID (for Vendor-provided files)
                     SECURITY
STARTUP_PROC         OMVS

Automated Analysis

Refer to the following report produced by the z/OS Data Collection:

- PDI(ZUSS0012)

b) If the required parameter keywords and values are defined, there is NO FINDING.

c) If the required parameter keywords and values are not defined, this is a FINDING.

Fix text

Review the settings in PARMLIB member BPXPRMxx for z/OS UNIX security parameters and ensure that the values conform to the specifications below:

Parameter Keyword    Value
SUPERUSER            BPXROOT
TTYGROUP             TTY
STEPLIBLIST          /etc/steplib
USERIDALIASTABLE     Will not be specified.
ROOT                 SETUID will be specified
MOUNT                NOSETUID
                     SETUID (for Vendor-provided files)
                     SECURITY
STARTUP_PROC         OMVS

BPXPRMxx is the SYS1.PARMLIB member that contains the parameters that control the z/OS UNIX environment. BPXPRMxx controls the way features work and it establishes logical access to data by configuring the HFS environment.

The SUPERUSER parameter specifies the userid to be assigned to users when the su command is entered without a userid operand. The userid must be defined to the ACP as BPXROOT and have a UID of 0.

The TTYGROUP parameter specifies the group name assigned to pseudo terminals (PTYs) and remote terminals (RTYs). The group must be defined to the ACP with a unique GID and users must not be assigned to this group. This group name is used by some shell commands (e.g., talk and write) when writing to the PTY or RTY being used by another user. The name TTY must be used.

The STEPLIBLIST parameter specifies the pathname of the HFS file that contains the list of MVS data sets that are used as step libraries for programs that have the set-user-ID or set-group-ID permission bit set. The use of STEPLIBLIST is at the site's discretion, but if used the value of STEPLIBLIST will be /etc/steplib. All update and alter access to the MVS data sets in the list will be logged and only systems programming personnel will be authorized to update the data sets.

The USERIDALIASTABLE parameter specifies the pathname of the HFS file that contains a list of userids and group names with their corresponding alias names. The alias table is intended primarily for use where mixed or lower case userids are used in the UNIX environment. Because the z/OS MVS components support only upper case userids, the USERIDALIASTABLE will not be used.

The ROOT parameter specifies data for the file system that is to be mounted as the root file system for z/OS UNIX. ROOT can have a number of sub-parameters; the FILESYSTEM and SETUID|NOSETUID sub-parameters have security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the root file system. As the highest point in the HFS hierarchy, this file system is critical to system operations. Therefore appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and individual systems programming personnel. The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF-authorized and program-controlled extended attributes. For the root file system, SETUID must be specified for normal operations.

The MOUNT parameter specifies data for a file system that is to be mounted by z/OS UNIX. There are usually multiple MOUNT statements and each can have a number of sub-parameters. The FILESYSTEM, SETUID|NOSETUID, and SECURITY|NOSECURITY sub-parameters have significant security considerations. FILESYSTEM can be used to specify the name of the MVS HFS data set that holds the logical file system. Appropriate ACP access rules must be written to protect the named data set. Update and alter access must be restricted to the z/OS UNIX kernel and to individual systems programming personnel. The SETUID|NOSETUID sub-parameter specifies whether or not the set-user-ID or set-group-ID permission bits are supported. SETUID|NOSETUID also impacts the APF-authorized and program-controlled extended attributes. SETUID may be specified only for those file systems that contain only vendor-provided software or that have been documented to the IAO as requiring this support. Otherwise NOSETUID must be specified. The SECURITY|NOSECURITY sub-parameter specifies whether security checks are performed on the file system. SECURITY must be specified unless a specific exception for the file system has been identified and documented to the IAO. Regardless of IBM defaults, the values for SETUID|NOSETUID and SECURITY|NOSECURITY must be explicitly coded on every ROOT and MOUNT statement, to protect against potential vendor changes to the defaults and to simplify security reviews.

The STARTUP_PROC parameter specifies the name of the JCL procedure (PROC) that starts the z/OS UNIX component. This started task must be defined to the ACP. The name OMVS must be used.
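The review in the check content and the explicit-coding rules for ROOT and MOUNT in the fix text can be mechanised. The script below is an added example, not the STIG's z/OS Data Collection report and not an IBM utility: it parses a BPXPRMxx member (comments, nested parentheses in PARM values, and multi-line ROOT/MOUNT statements included) and reports each deviation from the keyword/value table as a finding, treating reliance on an IBM default for SETUID|NOSETUID or SECURITY|NOSECURITY as a finding. The two member texts are constructed, and the documented_setuid allowlist is an assumption standing in for the site's IAO-documented SETUID exceptions.

```python
"""Check a BPXPRMxx member against the ZUSS0012 keyword/value table.

Added example; not the STIG's z/OS Data Collection report or an IBM tool.
Member texts below are constructed; documented_setuid stands in for the
site's IAO-documented SETUID exceptions (an assumption of this script).
"""
import re

# Sub-parameters that may follow ROOT or MOUNT in IBM's BPXPRMxx syntax; any
# other keyword terminates the ROOT/MOUNT statement being parsed.
FS_SUBPARMS = {
    "FILESYSTEM", "TYPE", "MODE", "MOUNTPOINT", "PARM", "DDNAME", "SYSNAME",
    "TAG", "AUTOMOVE", "NOAUTOMOVE", "UNMOUNT",
    "SETUID", "NOSETUID", "SECURITY", "NOSECURITY",
}
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(text):
    """Yield (KEYWORD, value) pairs; value is None for bare keywords like SETUID.
    Parenthesised values may nest, e.g. PARM('SYNC(60)'), so parens are counted."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop /* comments */
    i, n = 0, len(text)
    while i < n:
        m = _IDENT.match(text, i)
        if not m:
            i += 1  # whitespace or stray punctuation between keywords
            continue
        kw, i = m.group().upper(), m.end()
        if i < n and text[i] == "(":
            depth, j = 0, i
            while j < n:
                depth += {"(": 1, ")": -1}.get(text[j], 0)
                if depth == 0:
                    break
                j += 1
            yield kw, text[i + 1:j].strip().strip("'")
            i = j + 1
        else:
            yield kw, None


def parse(text):
    """Split the member into scalar keywords and a list of ROOT/MOUNT statements."""
    scalars, statements, current = {}, [], None
    for kw, val in tokenize(text):
        if kw in ("ROOT", "MOUNT"):
            current = {"stmt": kw}
            statements.append(current)
        elif current is not None and kw in FS_SUBPARMS:
            current[kw] = True if val is None else val
        else:
            current = None  # any other keyword ends the ROOT/MOUNT statement
            scalars[kw] = val
    return scalars, statements


def review(text, documented_setuid=frozenset()):
    """Return the list of findings for a member; an empty list is NO FINDING."""
    scalars, statements = parse(text)
    findings = []
    for kw, want in (("SUPERUSER", "BPXROOT"), ("TTYGROUP", "TTY"),
                     ("STARTUP_PROC", "OMVS")):
        got = scalars.get(kw)
        if got is None or got.upper() != want:
            findings.append(f"{kw} is {got!r}, must be {want}")
    if scalars.get("STEPLIBLIST", "/etc/steplib") != "/etc/steplib":
        findings.append(f"STEPLIBLIST is {scalars['STEPLIBLIST']!r}, must be /etc/steplib")
    if "USERIDALIASTABLE" in scalars:
        findings.append("USERIDALIASTABLE must not be specified")
    if not any(s["stmt"] == "ROOT" for s in statements):
        findings.append("ROOT statement missing")
    for s in statements:
        label = f"{s['stmt']} {s.get('FILESYSTEM', '<no FILESYSTEM>')}"
        if s["stmt"] == "ROOT":
            if "SETUID" not in s:  # the IBM default must not be relied on
                findings.append(f"{label}: SETUID must be explicitly coded")
            continue
        if "SECURITY" not in s or "NOSECURITY" in s:
            findings.append(f"{label}: SECURITY must be explicitly coded")
        if s.get("FILESYSTEM") in documented_setuid:
            if "SETUID" not in s:
                findings.append(f"{label}: documented exception, SETUID must be explicitly coded")
        elif "NOSETUID" not in s or "SETUID" in s:
            findings.append(f"{label}: NOSETUID must be explicitly coded")
    return findings


COMPLIANT = """\
/* Constructed sample: every table value is coded explicitly. */
SUPERUSER(BPXROOT)   TTYGROUP(TTY)   STARTUP_PROC(OMVS)
STEPLIBLIST('/etc/steplib')
MAXPROCSYS(900)
ROOT  FILESYSTEM('OMVS.ROOT.HFS')   TYPE(HFS) MODE(RDWR) SETUID
MOUNT FILESYSTEM('OMVS.ETC.HFS')    TYPE(HFS) MODE(RDWR)
      MOUNTPOINT('/etc') NOSETUID SECURITY
MOUNT FILESYSTEM('VENDOR.PROD.HFS') TYPE(HFS) MODE(READ)
      MOUNTPOINT('/usr/lpp/vendor') PARM('SYNC(60)') SETUID SECURITY
"""

NONCOMPLIANT = """\
/* Constructed sample: wrong superuser, alias table, defaults relied on. */
SUPERUSER(IBMUSER)   TTYGROUP(TTY)   STARTUP_PROC(OMVS)
USERIDALIASTABLE('/etc/tablename')
ROOT  FILESYSTEM('OMVS.ROOT.HFS') TYPE(HFS) MODE(RDWR)
MOUNT FILESYSTEM('OMVS.USER.HFS') TYPE(HFS) MODE(RDWR) MOUNTPOINT('/u')
"""

if __name__ == "__main__":
    for name, member in (("COMPLIANT", COMPLIANT), ("NONCOMPLIANT", NONCOMPLIANT)):
        found = review(member, documented_setuid={"VENDOR.PROD.HFS"})
        print(f"{name}: {'FINDING' if found else 'NO FINDING'}")
        for f in found:
            print("  -", f)
```

Run against a real member, feed the documented SETUID file systems from the IAO's exception list rather than hard-coding them; a vendor file system that is absent from that list is reported as a finding on purpose, since the fix text requires the exception to be documented before SETUID may be coded.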
