TCP/IP resources will be properly protected.

From z/OS ACF2 STIG

Part of ITCP0050

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-3219r2_rule TCP/IP resources will be properly protected.

Vulnerability discussion

The Communication Server access authorization is used to protect TCP/IP resources such as stack, network, port, and other SERVAUTH resources. These resources provide additional security checks for TCP/IP users. Failure to properly secure these TCP/IP resources could lead to unauthorized user access resulting in the compromise of some system services.

Check content

Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(SERVAUTH)
- ACF2CMDS.RPT(ACFGSO)

Automated Analysis

Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ITCP0050)

Verify that the accesses for TCP/IP resources are properly restricted. If the following guidance is true, this is not a finding.

___ The SERVAUTH resource class is mapped to the standard resource type SER.

___ No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class; a default access of PREVENT will be specified.

___ If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class.

___ If the product CSSMTP is on the system, EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and to authenticated users that require access to use CSSMTP for e-mail services.

___ Authenticated users that require access will be permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.

Fix text

The IAO will develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources:

- The SERVAUTH resource class is mapped to the required resource type SER.
- The EZA, EZB, and IST resources are defined to the SERVAUTH resource class with a default access of PREVENT.
- If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class.
- EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and to authenticated users that require access to use CSSMTP for e-mail services.
- Only authenticated users that require access are permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.

The following commands can be used as examples to establish the basic security required for TCP/IP resources:

$KEY(EZB) TYPE(SER)
- UID(*) PREVENT
CSSMTP. - UID(*) PREVENT
CSSMTP.sysname.writername.JESnode UID(*) SERVICE(READ) ALLOW
FTP.- UID(*) SERVICE(READ) ALLOW
NETACCESS.- UID(*) SERVICE(READ) ALLOW
PORTACCESS.- UID(*) SERVICE(READ) ALLOW
STACKACCESS.- UID(*) SERVICE(READ) ALLOW

COMPILE 'ACF2.MVA.SER(EZB)'
STORE
F ACF2,REBUILD(SER)

A list of possible SERVAUTH resources defined to the first two nodes is shown here. (Note that additional resources may be developed with each new release of TCPIP.)

EZA.DCAS.
EZB.BINDDVIPARANGE.
EZB.CIMPROV.
EZB.FRCAACCESS.
EZB.FTP.
EZB.INITSTACK.
EZB.IOCTL.
EZB.IPSECCMD.
EZB.MODDVIPA.
EZB.NETACCESS.
EZB.NETMGMT.
EZB.NETSTAT.
EZB.NSS.
EZB.NSSCERT.
EZB.OSM.
EZB.PAGENT.
EZB.PORTACCESS.
EZB.RPCBIND.
EZB.SOCKOPT.
EZB.SNMPAGENT.
EZB.STACKACCESS.
EZB.TN3270.
IST.NETMGMT.
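The following Python script is an added example for auditors, not part of the STIG and not an ACF2 or IBM tool. It parses rule sets written in the same layout as the example commands above ($KEY(name) TYPE(SER) headers followed by "mask UID(uid) [SERVICE(...)] ALLOW|LOG|PREVENT" entries; that simplified grammar is an assumption) and reports the conditions this rule names: a SER rule set for each of EZA, EZB and IST with a catch-all "- UID(*) PREVENT" entry, no catch-all entry that grants access, and, when CSSMTP is installed, a "CSSMTP.- UID(*) PREVENT" entry in the EZB set. The two rule sets embedded below are constructed samples, one compliant and one with several gaps.

```python
import re
from dataclasses import dataclass, field

# Assumed rule-line grammar, modelled on the Fix text commands:
#   $KEY(name) TYPE(type)
#   mask UID(uid) [SERVICE(svc)] ALLOW|LOG|PREVENT
KEY_RE = re.compile(r"^\$KEY\((?P<key>[^)]+)\)\s+TYPE\((?P<type>[^)]+)\)\s*$", re.I)
ENTRY_RE = re.compile(
    r"^(?P<mask>\S+)\s+UID\((?P<uid>[^)]*)\)"
    r"(?:\s+SERVICE\((?P<service>[^)]*)\))?"
    r"\s+(?P<access>ALLOW|LOG|PREVENT)\s*$",
    re.I,
)

@dataclass
class RuleSet:
    key: str
    rtype: str
    entries: list = field(default_factory=list)  # (mask, uid, service, access)

def parse_rule_sets(text):
    """Parse one or more $KEY rule sets into a dict keyed by $KEY name."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = RuleSet(m["key"].upper(), m["type"].upper())
            sets[current.key] = current
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        if current is None:
            raise ValueError(f"rule entry before any $KEY line: {line!r}")
        current.entries.append(
            (m["mask"].upper(), m["uid"], (m["service"] or "").upper(), m["access"].upper())
        )
    return sets

REQUIRED_KEYS = ("EZA", "EZB", "IST")   # first-level SERVAUTH resources named by the STIG

def audit(text, cssmtp_installed=True):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sets = parse_rule_sets(text)
    for key in REQUIRED_KEYS:
        rs = sets.get(key)
        if rs is None:
            findings.append(f"{key}: no rule set found, default access is not PREVENT")
            continue
        if rs.rtype != "SER":
            findings.append(f"{key}: rule set is TYPE({rs.rtype}), expected TYPE(SER)")
        # Default access must be PREVENT: a catch-all '-' mask for UID(*).
        if not any(mask == "-" and uid == "*" and access == "PREVENT"
                   for mask, uid, _svc, access in rs.entries):
            findings.append(f"{key}: missing '- UID(*) PREVENT' default entry")
        # A catch-all mask that does anything but PREVENT opens every resource under the key.
        for mask, uid, _svc, access in rs.entries:
            if mask == "-" and access != "PREVENT":
                findings.append(
                    f"{key}: '- UID({uid}) {access}' grants every {key} resource; "
                    "only second-level resources such as FTP.- may be allowed")
    ezb = sets.get("EZB")
    if cssmtp_installed and ezb is not None and not any(
            mask == "CSSMTP.-" and uid == "*" and access == "PREVENT"
            for mask, uid, _svc, access in ezb.entries):
        findings.append("EZB: missing 'CSSMTP.- UID(*) PREVENT' entry")
    return findings

# Constructed sample: the Fix text rule set plus EZA and IST sets.
# The CSSMTP mask is written here as 'CSSMTP.-' (assumed intended form).
COMPLIANT_RULES = """
$KEY(EZA) TYPE(SER)
- UID(*) PREVENT
$KEY(EZB) TYPE(SER)
- UID(*) PREVENT
CSSMTP.- UID(*) PREVENT
CSSMTP.sysname.writername.JESnode UID(*) SERVICE(READ) ALLOW
FTP.- UID(*) SERVICE(READ) ALLOW
NETACCESS.- UID(*) SERVICE(READ) ALLOW
PORTACCESS.- UID(*) SERVICE(READ) ALLOW
STACKACCESS.- UID(*) SERVICE(READ) ALLOW
$KEY(IST) TYPE(SER)
- UID(*) PREVENT
"""

# Constructed sample with gaps: no EZA or IST set, blanket ALLOW, no CSSMTP entry.
NONCOMPLIANT_RULES = """
$KEY(EZB) TYPE(SER)
- UID(*) ALLOW
FTP.- UID(*) SERVICE(READ) ALLOW
"""

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT_RULES), ("noncompliant", NONCOMPLIANT_RULES)):
        print(f"{name}: {audit(rules) or 'no findings'}")
```

Feed it the rule text decompiled from the SER rule sets; the checks it cannot perform from rule text alone, such as the CLASMAP record that maps SERVAUTH to type SER, still come from the ACF2CMDS.RPT(ACFGSO) report named in the Check content.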
