TSS OMVS UNIX security parameters are improperly specified.

From z/OS TSS STIG

Part of ZUSST050

Associated with IA controls: DCCS-1, DCCS-2

SV-7303r1_rule TSS OMVS UNIX security parameters are improperly specified.

Vulnerability discussion

Control option settings in TSS determine the security level of z/OS UNIX (OMVS) services; in particular, OMVSUSR and OMVSGRP define the default ACID and group assigned to users who reach z/OS UNIX without their own OMVS segment.

Check content

a) Refer to the following reports produced by the TSS Data Collection:
- TSSCMDS.RPT(STATUS)
- System Classification

Automated Analysis requiring Additional Analysis. Refer to the following report produced by the TSS Data Collection:
- PDI(ZUSST050)

b) If the system is classified or does not use the FTP socket application, and the OMVSUSR and OMVSGRP control options have no value (i.e., OMVSUSR(), OMVSGRP() or OMVSUSR(*NONE*), OMVSGRP(*NONE*)), there is NO FINDING.

c) If the system is not classified, is running the FTP socket application, and the OMVSUSR and OMVSGRP control options specify an ACID and a group ID, there is NO FINDING.

d) If neither (b) nor (c) above is true, this is a FINDING.

Fix text

The OMVSUSR and OMVSGRP control options will only be used for FTP socket applications. When coding these options, be sure that the restrictions specified below are followed.

Users of non-shell z/OS UNIX services must be assigned a unique UID (UID numbers for unprivileged userids should be between 100 and 16,777,215). At the discretion of the IAO, an exception to this rule is the use of FTP socket applications with the following restrictions:
- Use of the OMVS default UID will not be allowed on any classified system.
- The definition of the OMVS default user will be restricted to a non-0 UID, a non-writable home directory such as the root directory "/", and an existing program that does not provide a shell, such as "/bin/false" or "/bin/echo".
- Application of the APAR PQ63326 to control FTP access to UNIX files is required.
- Collection of SMF type 80 records to track user access to the OMVS default UID.
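The following script, an added example that is not part of the STIG or of any CA/Broadcom tooling, applies rules (b) through (d) of the check content to the OMVSUSR/OMVSGRP control options and then checks an OMVS default user's segment against the fix-text restrictions (non-0 UID, root home directory, non-shell program). The report fragments embedded in it are constructed approximations of TSS STATUS and TSS LIST ... DATA(OMVS) output, not verbatim TSS reports; the field regexes are an assumption and should be adapted to the real TSSCMDS.RPT(STATUS) member before use.

```python
"""Evaluate ZUSST050 (OMVSUSR/OMVSGRP) and the OMVS default-user restrictions.

Added example, not part of the STIG. Report layouts below are constructed
approximations of TSS output; adjust the regexes to the real report format.
"""
import re

NONE_VALUES = {"", "*NONE*"}        # forms the check text treats as "no value"
UID_MIN, UID_MAX = 100, 16_777_215  # fix-text range for unprivileged UIDs
ALLOWED_DEFAULT_PGMS = {"/bin/false", "/bin/echo"}  # non-shell programs named in the fix text


def control_option(status_text: str, name: str):
    """Return the value inside NAME(...) from STATUS output, or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", status_text)
    return m.group(1).strip() if m else None


def evaluate_zusst050(status_text: str, classified: bool, uses_ftp_socket: bool) -> str:
    """Apply rules (b)-(d) of the check content literally and return the verdict."""
    usr = control_option(status_text, "OMVSUSR")
    grp = control_option(status_text, "OMVSGRP")
    no_value = all(v is None or v in NONE_VALUES for v in (usr, grp))
    both_set = all(v is not None and v not in NONE_VALUES for v in (usr, grp))
    if (classified or not uses_ftp_socket) and no_value:
        return "NO FINDING"  # rule (b): default user not in use where it must not be
    if not classified and uses_ftp_socket and both_set:
        return "NO FINDING"  # rule (c): unclassified FTP socket use with ACID and group set
    return "FINDING"         # rule (d)


def omvs_field(segment_text: str, name: str):
    """Return the value of 'NAME = value' in an OMVS segment listing, or None."""
    m = re.search(rf"\b{name}\s*=\s*(\S+)", segment_text)
    return m.group(1) if m else None


def default_user_findings(segment_text: str, classified: bool) -> list:
    """Check the OMVS default ACID's segment against the fix-text restrictions.

    Only the home directory path is compared; whether it is actually
    non-writable must be verified on the file system itself.
    """
    findings = []
    if classified:
        findings.append("OMVS default UID is not allowed on a classified system")
    uid, home, pgm = (omvs_field(segment_text, f) for f in ("UID", "HOME", "OMVSPGM"))
    if uid is None or int(uid) == 0:
        findings.append(f"default user UID must be non-0 (got {uid})")
    if home != "/":
        findings.append(f"home directory should be the non-writable root '/' (got {home})")
    if pgm not in ALLOWED_DEFAULT_PGMS:
        findings.append(f"program must be /bin/false or /bin/echo (got {pgm})")
    return findings


def uid_is_unprivileged(uid: int) -> bool:
    """True when a UID falls in the fix-text range for unprivileged userids."""
    return UID_MIN <= uid <= UID_MAX


# Constructed sample report fragments (assumed layout, not real TSS output).
STATUS_NO_DEFAULT = "... OMVSUSR(*NONE*) OMVSGRP(*NONE*) ..."
STATUS_FTP_DEFAULT = "... OMVSUSR(OMVSDFLT) OMVSGRP(OMVSGRP) ..."
SEGMENT_OK = """ACCESSORID = OMVSDFLT
UID      = 0000016777215
HOME     = /
OMVSPGM  = /bin/false
"""
SEGMENT_BAD = "ACCESSORID = OMVSDFLT UID = 0000000000 HOME = /tmp OMVSPGM = /bin/sh"

if __name__ == "__main__":
    for status, cls, ftp in [(STATUS_NO_DEFAULT, True, False),
                             (STATUS_FTP_DEFAULT, True, True),
                             (STATUS_FTP_DEFAULT, False, True)]:
        print(f"classified={cls} ftp={ftp}: {evaluate_zusst050(status, cls, ftp)}")
    print("compliant default user:", default_user_findings(SEGMENT_OK, False))
    print("non-compliant default user:", default_user_findings(SEGMENT_BAD, True))
```

Note that rule (d) is applied as written: an unclassified system running the FTP socket application with OMVSUSR/OMVSGRP left empty is reported as a FINDING by the check text even though it does not expose a default UID; reviewers who disagree with that reading should document the deviation rather than silently change the logic.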
