The Syslog daemon is improperly defined and secured.

From z/OS RACF STIG

Part of ISLG0020

Associated with IA controls: DCCS-1, DCFA-1, DCCS-2

SV-7079r1_rule The Syslog daemon is improperly defined and secured.

Vulnerability discussion

BACKGROUND - The Syslog daemon, known as syslogd, is a zOS UNIX daemon that provides a central processing point for log messages issued by other zOS UNIX processes. It is also possible to receive log messages from other network-connected hosts. Some of the IBM CommunicationsServer components that may send messages to syslog are the FTP, TFTP, zOS UNIX Telnet,DNS, and DHCP servers. The messages may be of varying importance levels including generalprocess information, diagnostic information, critical error notification, and audit-classinformation. Primarily because of the potential to use this information in an audit process, thereis a security interest in protecting the syslogd process and its associated data.SECURITY - The Syslog daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the Syslog daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

Check content

a) Refer to the following reports produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) - DSMON.RPT(RACSPT) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(ERC) - Refer to this report if Syslogd is started from the shell. Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the Syslog daemon: 1) If you start SYSLOGD from MVS then ensure the following: a) The SYSLOG daemon userid is SYSLOGD. b) The SYSLOGD userid is defined as a PROTECTED userid. c) The SYSLOGD userid has the following z/OS OMVS attributes: UID(0) HOME(‘/’) PROGRAM(‘/bin/sh’) d) A matching entry in the STARTED class exists mapping the SYSLOGD started proc to the SYSLOGD userid. 2) If you start SYSLOGD from /etc/rc then ensure the following: a) The _BPX_JOBNAME environment variable is set to assign a job name of SYSLOGD. c) If SYSLOGD is started from MVS then if b(1) is true, there is NO FINDING. d) If SYSLOGD is started from within USS then if b(2) is true, there is NO FINDING. e) If SYSLOGD is started from within MVS and b(1) is untrue, this is a FINDING. f) If SYSLOGD is started from within USS and b(2) is untrue, this is a FINDING.

Fix text

Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. To set up and use as an MVS Started Proc, the following sample commands are provided: AU SYSLOGD NAME('stc, tcpip') NOPASSWORD NOOIDCARD DFLTGRP(STC) OWNER(STC) DATA('Reference ISLG0020 for proper setup ') ALU SYSLOGD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) CO SYSLOGD GROUP(stctcpx) OWNER(stctcpx) RDEF STARTED SYSLOGD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(SYSLOGD) GROUP(STC) TRACE(YES)) PERMIT BPX.DAEMON CLASS(FACILITY) ACCESS(READ) ID(SYSLOGD) PERMIT BPX.SMF CLASS(FACILITY) ACCESS(READ) ID(SYSLOGD) To setup and use from within USS, The _BPX_JOBNAME environment variable, found in /etc/rc, is set to assign a job name of SYSLOGD.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer