From z/OS TSS STIG
Part of ISLG0020
Associated with IA controls: DCCS-1, DCFA-1, DCCS-2
The Syslog daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the Syslog daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
a) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(OMVSUSER) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(ERC) - Refer to this report if Syslogd is started from the shell. Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the Syslog daemon: 1) The Syslog daemon ACID is SYSLOGD. If Syslogd is started from /etc/rc, the _BPX_JOBNAME environment variable is set to assign a job name of SYSLOGD. NOTE: If the _BPX_USERID environment variable is present, it is set to assign an ACID of SYSLOGD. 2) The SYSLOGD ACID has the STC facility. 3) The SYSLOGD ACID has the following z/OS OMVS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. Ensure the following items are in effect for the Syslog daemon: 1) The Syslog daemon ACID is SYSLOGD. If Syslogd is started from /etc/rc, the _BPX_JOBNAME environment variable is set to assign a job name of SYSLOGD. NOTE: If the _BPX_USERID environment variable is present, it is set to assign an ACID of SYSLOGD. 2) The SYSLOGD ACID has the STC facility. 3) The SYSLOGD ACID has the following z/OS OMVS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. For Example: TSS CREATE(SYSLOGD) TYPE(USER) NAME(SYSLOGD) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(SYSLOGD) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(SYSLOGD) SOURCE(INTRDR) TSS ADD(SYSLOGD) UID(0) HOME(/) OMVSPGM(/bin/sh) TSS ADD(STC) PROCNAME(SYSLOGD) ACID(SYSLOGD) TSS PERMIT(SYSLOGD) IBMFAC(BPX.DAEMON) ACCESS(READ) TSS PERMIT(SYSLOGD) IBMFAC(BPX.SMF) ACCESS(READ) TSS PERMIT(SYSLOGD) IBMFAC(BPX.JOBNAME) ACCESS(READ) TSS PERMIT(SYSLOGD) IBMFAC(BPX.STORE.SWAP) ACCESS(READ) NOTE: Access to the BPX.SMF resource is only required when the syslogd configuration file specifies $SMF as a destination.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer