STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

DISA Rule

SV-223605r533198_rule

Vulnerability Number

V-223605

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

ACF2-TC-000070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define the Started tasks for the Base TCP/IP component user accounts with the following characteristics:

Named TCPIP or, in the case of multiple instances, prefixed with TCPIP
Defined with the STC, MUSASS, and NO-SMC attributes
z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh

Named EZAZSSI
Defined with the STC attribute
z/OS UNIX attributes: UID(non-zero), HOME directory '/', shell program /bin/sh

Review the TCP/IP started task accounts, privileges, and access authorizations defined to the ACP. Ensure they conform to the requirements as outlined below.

The following commands can be used to create the user accounts that are required for the TCP/IP address space and the EZAZSSI started task:

SET LID
INSERT TCPIP NAME(TCPIP) GROUP(STCTCPX) STC MUSASS NO-SMC
INSERT EZAZSSI NAME(EZAZSSI) GROUP(STCTCPX) STC

SET PROFILE(USER) DIVISION(OMVS)
INSERT TCPIP UID(0) HOME(/) OMVSPGM(/bin/sh)
INSERT EZAZSSI UID(non-zero) HOME(/) OMVSPGM(/bin/sh)

F ACF2,REBUILD(USR),CLASS(P)

NOTE: At eTrust CA-ACF2 6.4 and above, the PROGRAM field in the user profile record has been renamed to OMVSPGM.

The following additions to the indicated rule sets can be used to assign the privileges that are required for the TCP/IP address space:

$KEY(BPX) TYPE(FAC)

DAEMON UID(TCPIP-uid) SERVICE(READ) ALLOW

If the z/OS host machine has hardware encryption installed and enabled, resources owned by the Integrated Cryptographic Service Facility (ICSF) component have been defined. The following rule set additions are required to allow the TN3270 Telnet Server process to access the ICSF resources.

$KEY(CSFCKI) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFCKM) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFDEC) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFENC) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFOWH) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFRNG) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFPKB) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFPKX) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFPKE) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFPKD) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFPKI) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFDSG) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

$KEY(CSFDSV) TYPE(CSF)
UID(TCPIP-uid) SERVICE(READ) ALLOW

The following operator commands are required to complete the updates:
F ACF2,REBUILD(FAC)
F ACF2,REBUILD(CSF)

These commands and definitions assume that the default type code for CSFSERV resources is CSF.

Check Contents

Verify that the logonid(s) assigned to the TCP/IP address space(s) are named TCPIP or, in the case of multiple instances, are prefixed with TCPIP.

From an ACF Command screen enter:
SET LID
LIST LIKE(TCPIP-)

If each TCP/IP logonid is defined with the STC, MUSASS, and NO-SMC attributes, this is not a finding.

From the ACF Command screen enter:
SET LID
LIST LIKE(TCPIP-) PROFILE(OMVS)

If the z/OS UNIX attributes are UID(0), HOME directory ‘/’, shell program /bin/sh, this is not a finding.

From an ACF Command screen enter:
SET LID
LIST EZAZSSI

If the EZAZSSI logonid is defined with the STC attribute, this is not a finding.

From the ACF Command screen enter:
SET LID
LIST EZAZSSI PROFILE(OMVS)

If the z/OS UNIX attributes are UID(0), HOME directory ‘/’, shell program /bin/sh, this is not a finding.
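Added example, not part of the STIG or of STIGQter: a small Python check that applies the attribute requirements stated in the Fix Recommendation (STC, MUSASS and NO-SMC plus UID(0), HOME '/' and /bin/sh for every TCPIP-prefixed logonid; STC plus a non-zero UID for EZAZSSI) to logonid records transcribed from the LIST commands above. The `Logonid` class and the `SAMPLE` records are constructed for illustration; no ACF2 LIST output format is assumed, so values are entered by hand from the listings.

```python
from dataclasses import dataclass, field
# Attribute requirements taken from the Fix Recommendation above.
TCPIP_PRIVS = {"STC", "MUSASS", "NO-SMC"}
EZAZSSI_PRIVS = {"STC"}
HOME, SHELL = "/", "/bin/sh"

@dataclass
class Logonid:                  # constructed stand-in for one LID record plus its OMVS profile
    name: str
    privileges: set             # e.g. {"STC", "MUSASS", "NO-SMC"} as shown by LIST
    omvs: dict = field(default_factory=dict)   # keys UID, HOME, OMVSPGM from PROFILE(OMVS)

def check_omvs(lid, uid_zero):  # findings for the z/OS UNIX attributes of one logonid
    if not lid.omvs:
        return [f"{lid.name}: no OMVS profile record"]
    f, uid = [], lid.omvs.get("UID")
    if uid_zero and uid != 0:
        f.append(f"{lid.name}: UID {uid!r}, expected 0")
    if not uid_zero and not uid:            # None or 0 both fail "non-zero"
        f.append(f"{lid.name}: UID {uid!r}, expected non-zero")
    if lid.omvs.get("HOME") != HOME:
        f.append(f"{lid.name}: HOME {lid.omvs.get('HOME')!r}, expected '/'")
    if lid.omvs.get("OMVSPGM") != SHELL:
        f.append(f"{lid.name}: OMVSPGM {lid.omvs.get('OMVSPGM')!r}, expected '/bin/sh'")
    return f

def check_rule(logonids):
    """Evaluate ACF2-TC-000070 over a list of Logonid; an empty list means 'not a finding'."""
    findings = []
    tcpip = [l for l in logonids if l.name.startswith("TCPIP")]
    ezazssi = [l for l in logonids if l.name == "EZAZSSI"]
    if not tcpip:
        findings.append("no logonid named or prefixed TCPIP is defined")
    if not ezazssi:
        findings.append("EZAZSSI logonid is not defined")
    # TCP/IP stacks need UID(0); EZAZSSI needs a non-zero UID (per the Fix Recommendation)
    targets = [(l, TCPIP_PRIVS, True) for l in tcpip] + [(l, EZAZSSI_PRIVS, False) for l in ezazssi]
    for lid, privs, uid_zero in targets:
        missing = privs - lid.privileges
        if missing:
            findings.append(f"{lid.name}: missing {' '.join(sorted(missing))}")
        findings += check_omvs(lid, uid_zero)
    return findings

# Constructed sample: a compliant primary stack, a second stack missing NO-SMC, and EZAZSSI with UID(0)
SAMPLE = [
    Logonid("TCPIP", {"STC", "MUSASS", "NO-SMC"}, {"UID": 0, "HOME": "/", "OMVSPGM": "/bin/sh"}),
    Logonid("TCPIP2", {"STC", "MUSASS"}, {"UID": 0, "HOME": "/", "OMVSPGM": "/bin/sh"}),
    Logonid("EZAZSSI", {"STC"}, {"UID": 0, "HOME": "/", "OMVSPGM": "/bin/sh"}),
]
```

`check_rule(SAMPLE)` reports the second stack's missing NO-SMC attribute and the EZAZSSI UID; a fully compliant set of records returns an empty list.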

Vulnerability Number

V-223605

Documentable

False

Rule Version

ACF2-TC-000070

Severity Override Guidance

Verify that the logonid(s) assigned to the TCP/IP address space(s) are named TCPIP or, in the case of multiple instances, are prefixed with TCPIP.

From an ACF Command screen enter:
SET LID
LIST LIKE(TCPIP-)

If each TCP/IP logonid is defined with the STC, MUSASS, and NO-SMC attributes, this is not a finding.

From the ACF Command screen enter:
SET LID
LIST LIKE(TCPIP-) PROFILE(OMVS)

If the z/OS UNIX attributes are UID(0), HOME directory ‘/’, shell program /bin/sh, this is not a finding.

From an ACF Command screen enter:
SET LID
LIST EZAZSSI

If the EZAZSSI logonid is defined with the STC attribute, this is not a finding.

From the ACF Command screen enter:
SET LID
LIST EZAZSSI PROFILE(OMVS)

If the z/OS UNIX attributes are UID(0), HOME directory ‘/’, shell program /bin/sh, this is not a finding.

Check Content Reference

M

Target Key

4100

Comments