From z/OS RACF STIG
Part of ITCP0050
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
The Communication Server access authorization is used to protect TCP/IP resources such as stack, network, port, and other SERVAUTH resources. These resources provide additional security checks for TCP/IP users. Failure to properly secure these TCP/IP resources could lead to unauthorized user access resulting in the compromise of some system services.
Refer to the following reports produced by the Data Set and Resource Data Collection:
- SENSITVE.RPT(SERVAUTH)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(ITCP0050)

Verify that the accesses for TCP/IP resources are properly restricted. If the following guidance is true, this is not a finding.
___ The EZA, EZB, and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE).
___ No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class.
___ If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class.
___ If the product CSSMTP is on the system, EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services.
___ Authenticated users that require access will be permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.
The IAO will develop a plan of action to implement the required changes. Ensure the following items are in effect for TCP/IP resources.
Ensure that the EZA, EZB, and IST resources and/or generic equivalent are defined to the SERVAUTH resource class with a UACC(NONE).
No access is given to the EZA, EZB, and IST resources of the SERVAUTH resource class.
If the product CSSMTP is on the system, no access is given to EZB.CSSMTP of the SERVAUTH resource class. EZB.CSSMTP.sysname.writername.JESnode will be specified and made available to the CSSMTP started task and authenticated users that require access to use CSSMTP for e-mail services.
Only authenticated users that require access are permitted access to the second level of the resources in the SERVAUTH resource class. Examples are the network (NETACCESS), port (PORTACCESS), stack (STACKACCESS), and FTP resources in the SERVAUTH resource class.
The following commands can be used as examples to establish the basic security required for TCP/IP resources:
RDEF SERVAUTH EZB.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.CSSMTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.CSSMTP.sysname.writername.JESnode UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.FTP.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.NETACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.PORTACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
RDEF SERVAUTH EZB.STACKACCESS.** UACC(NONE) OWNER(ADMIN) AUDIT(FAILURE(READ))
PE EZB.CSSMTP.sysname.writername.JESnode CL(SERVAUTH) ID(<authorized user or group>) ACC(READ)
PE EZB.FTP.** CL(SERVAUTH) ID(
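The checklist above can be evaluated mechanically once the SERVAUTH profiles, their UACC and their access lists have been collected (for instance from the SENSITVE.RPT(SERVAUTH) report or RLIST SERVAUTH output). The script below is an added example, not part of the STIG or of any IBM or DISA tooling; the Profile inventory shape, the CSSMTP started-task user ID (assumed to be CSSMTP) and the sysname/writername/JESnode values in the sample data are all constructed assumptions. It applies the five ITCP0050 items and returns the findings, treating an ID(*) entry on a second-level generic as equivalent to granting everyone access, which is the one "authorized users only" violation a script can detect without knowing the site's authorization list.

```python
"""Evaluate a SERVAUTH profile inventory against the ITCP0050 checklist.

Added example, not text from the STIG. The inventory shape (one Profile per
RACF profile with its UACC and access list) is an assumption of this script;
in practice it would be populated from RLIST SERVAUTH output or from the
SENSITVE.RPT(SERVAUTH) report the STIG refers to.
"""
from dataclasses import dataclass, field

TOP_LEVEL = ("EZA", "EZB", "IST")  # resource prefixes named by the STIG
SECOND_LEVEL = ("EZB.FTP", "EZB.NETACCESS", "EZB.PORTACCESS", "EZB.STACKACCESS")
CSSMTP_STC = "CSSMTP"  # assumed user ID of the CSSMTP started task
GRANTING = ("READ", "UPDATE", "CONTROL", "ALTER")  # RACF access levels above NONE/EXECUTE


@dataclass
class Profile:
    name: str                                     # profile name, e.g. "EZB.**"
    uacc: str = "NONE"                            # universal access
    permits: dict = field(default_factory=dict)   # user/group ID -> access level


def check_servauth(profiles, cssmtp_installed=True):
    """Return the list of findings; an empty list means 'not a finding'."""
    by_name = {p.name.upper(): p for p in profiles}
    findings = []

    def require_generic(prefix):
        # A generic prefix.** profile must exist and carry UACC(NONE).
        generic = f"{prefix}.**"
        prof = by_name.get(generic)
        if prof is None:
            findings.append(f"{generic} is not defined in SERVAUTH")
        elif prof.uacc.upper() != "NONE":
            findings.append(f"{generic} has UACC({prof.uacc}); expected NONE")
        return prof

    # Items 1 and 2: top-level generics exist, are UACC(NONE) and have no access list.
    for prefix in TOP_LEVEL:
        prof = require_generic(prefix)
        if prof is not None and prof.permits:
            findings.append(f"{prefix}.** has an access list: {sorted(prof.permits)}")

    # Items 3 and 4: EZB.CSSMTP.** is closed; the specific profile is permitted to the STC.
    if cssmtp_installed:
        prof = require_generic("EZB.CSSMTP")
        if prof is not None and prof.permits:
            findings.append(f"EZB.CSSMTP.** has an access list: {sorted(prof.permits)}")
        specific = [p for n, p in by_name.items()
                    if n.startswith("EZB.CSSMTP.") and not n.endswith("**")]
        if not specific:
            findings.append("no EZB.CSSMTP.sysname.writername.JESnode profile defined")
        elif not any(p.permits.get(CSSMTP_STC, "NONE").upper() in GRANTING for p in specific):
            findings.append(f"started task {CSSMTP_STC} lacks READ on the "
                            "EZB.CSSMTP.sysname.writername.JESnode profile")

    # Item 5: second-level generics closed by default; ID(*) means every user.
    for prefix in SECOND_LEVEL:
        prof = require_generic(prefix)
        if prof is not None and "*" in prof.permits:
            findings.append(f"{prefix}.** permits ID(*), i.e. all users")
    return findings


# Constructed sample inventories; SYSA/WTR1/NODEA stand in for sysname/writername/JESnode.
COMPLIANT = [
    Profile("EZA.**"), Profile("EZB.**"), Profile("IST.**"),
    Profile("EZB.CSSMTP.**"),
    Profile("EZB.CSSMTP.SYSA.WTR1.NODEA", permits={"CSSMTP": "READ", "MAILGRP": "READ"}),
    Profile("EZB.FTP.**", permits={"FTPGRP": "READ"}),
    Profile("EZB.NETACCESS.**", permits={"NETGRP": "READ"}),
    Profile("EZB.PORTACCESS.**", permits={"PORTGRP": "READ"}),
    Profile("EZB.STACKACCESS.**", permits={"STCGRP": "READ"}),
]

NONCOMPLIANT = [
    Profile("EZB.**", uacc="READ", permits={"*": "READ"}),  # open generic; EZA.** is missing
    Profile("IST.**"),
    Profile("EZB.CSSMTP.**"),
    Profile("EZB.CSSMTP.SYSA.WTR1.NODEA", permits={"CSSMTP": "READ"}),
    Profile("EZB.FTP.**", permits={"*": "READ"}),  # every user may use FTP resources
    Profile("EZB.NETACCESS.**"), Profile("EZB.PORTACCESS.**"), Profile("EZB.STACKACCESS.**"),
]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(f"{label}:", check_servauth(inv) or "not a finding")
```

Running the script reports no findings for the compliant inventory and four for the noncompliant one (EZA.** missing, EZB.** with UACC(READ), EZB.** with an ID(*) entry, and EZB.FTP.** permitted to ID(*)). Whether the specific IDs on the second-level profiles are in fact the users who require access still has to be confirmed against the site's authorization records; the script only catches the cases that are wrong for any site.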