The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.

From z/OS RACF STIG

Part of ZWAS0030

Associated with: CCI-000213

SV-7265r2_rule The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.

Vulnerability discussion

SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.

Check content

a) Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(CBIND) - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes b) Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). c) If all items in (b) are true, there is NO FINDING. b) If any item in (b) is untrue, this is a FINDING.

Fix text

There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can use components in a server; again these definitions are mandatory. Ensure the following items are in effect for CBIND resource protection: 1) The CBIND resource class is active. 2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). 3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). The following command provide sample definitions and permissions for this CBIND resource: SETR CLASSACT(CBIND) SETR GENERIC(CBIND) SETR RACL(CBIND) RDEFINE CBIND cb.bind. UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030') Permit cb.bind. CLASS(CBIND) ID() ACCESS(CONTROL) Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer