STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide, Version 8 Release 2, Benchmark Date 23 Apr 2021

IBM z/OS UNIX MVS HFS directory(s) with other write permission bit set must be properly defined.

DISA Rule

SV-223620r533198_rule

Vulnerability Number

V-223620

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-US-000050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure directory permissions as follows:
No directory may have the other write permission bit set without the sticky bit also set. Either remove the other write bit from the directory (chmod o-w) or, for a directory that must be writable by all users such as a shared scratch directory, set the sticky bit (chmod +t) so that a user can remove or rename only entries that user owns.

NOTE: In the symbolic permission bit display, the sticky bit is indicated as a "t" or "T" in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be "drwxrwxrwt".

No directory that has the other write permission bit set may contain a file with the setuid bit set. Either remove the setuid bit from the file (chmod u-s) or move the file to a directory that is not writable by others.

NOTE: In the symbolic permission bit display, the setuid bit is indicated as an "s" or "S" in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be "-rwsrwxrwx".

No directory that has the other write permission bit set may contain a file with the setgid bit set. Either remove the setgid bit from the file (chmod g-s) or move the file to a directory that is not writable by others.

NOTE: In the symbolic permission bit display, the setgid bit is indicated as an "s" or "S" in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be "-rwxrwsrwx".

Check Contents

On the OMVS command line enter the following command string:
find / -type d -perm -0002 ! -perm -1000 -exec ls -aldWE {} \;

This lists every directory whose other write permission bit is set and whose sticky bit is not set. If the command returns no directories, the first condition is met.

NOTE: In the symbolic permission bit display, the sticky bit is indicated as a "t" or "T" in the execute portion of the other permissions. For example, a display of the permissions of a directory with the sticky bit on could be "drwxrwxrwt".

The command above does not search for setuid or setgid files. For the remaining two conditions, examine the contents of every directory that has the other write permission bit set, whether or not its sticky bit is set.

If no directory that has the other write permission bit set contains a file with the setuid bit set, the second condition is met.

NOTE: In the symbolic permission bit display, the setuid bit is indicated as an "s" or "S" in the execute portion of the owner permissions. For example, a display of the permissions of a file with the setuid bit on could be "-rwsrwxrwx".

If no directory that has the other write permission bit set contains a file with the setgid bit set, the third condition is met.

NOTE: In the symbolic permission bit display, the setgid bit is indicated as an "s" or "S" in the execute portion of the group permissions. For example, a display of the permissions of a file with the setgid bit on could be "-rwxrwsrwx".

If all three conditions are met, this is not a finding. Otherwise, this is a finding.
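
The STIG's find command reports only directories that are other-writable without the sticky bit; the setuid and setgid conditions need a further look inside every other-writable directory, sticky bit or not. The script below is an added example, not part of the STIG or of STIGQter, that performs all three checks with POSIX find(1) and ls(1) so it runs both in the OMVS shell and on Linux. It uses ls -ld in place of the z/OS-only ls -aldWE, and the function names and the NO_STICKY, SETUID_IN_WW_DIR and SETGID_IN_WW_DIR tags are this example's own conventions, not anything the STIG defines.

```shell
#!/bin/sh
# Added example (not from the STIG or from STIGQter): audit a tree for all
# three conditions of ACF2-US-000050 using POSIX find(1) and ls(1).
# The STIG's own command (find / -type d -perm -0002 ! -perm -1000 ...) covers
# only condition 1; conditions 2 and 3 require looking inside every
# other-writable directory, including those that do have the sticky bit.
# ls -ld stands in for the z/OS-only ls -aldWE so the script also runs on Linux.
# Usage: sh this_script.sh [ROOT]   (ROOT defaults to /)

# Condition 1: directories with the other-write bit set and the sticky bit clear.
ww_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# True when the other-write bit of PATH is set. Column 9 of the symbolic mode
# string printed by ls -ld (e.g. "drwxrwxrwt") is that bit on every ls
# implementation, unlike the non-POSIX stat(1) that z/OS does not ship.
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = w ]
}

# Conditions 2 and 3: files carrying the special bit BIT (4000 = setuid,
# 2000 = setgid) whose parent directory is other-writable.
special_files_in_ww_dirs() {
    root=$1
    bit=$2
    find "$root" -type f -perm -"$bit" 2>/dev/null | while IFS= read -r f; do
        other_writable "$(dirname "$f")" && printf '%s\n' "$f"
    done
}

# All findings under ROOT, one per line, as "TAG PATH". The tag names are
# this example's own convention, not STIG terminology.
stig_ww_dir_findings() {
    top=${1:-/}
    ww_dirs_without_sticky "$top"        | sed 's/^/NO_STICKY /'
    special_files_in_ww_dirs "$top" 4000 | sed 's/^/SETUID_IN_WW_DIR /'
    special_files_in_ww_dirs "$top" 2000 | sed 's/^/SETGID_IN_WW_DIR /'
}

# Print each finding with its ls -ld line (so the t/s characters from the
# NOTEs are visible); return 0 when compliant, 1 when anything was found.
stig_ww_dir_audit() {
    out=$(stig_ww_dir_findings "$1")
    if [ -z "$out" ]; then
        echo "compliant: no findings under ${1:-/}"
        return 0
    fi
    printf '%s\n' "$out" | while IFS=' ' read -r tag path; do
        printf '%-17s ' "$tag"
        ls -ld "$path"
    done
    return 1
}

# Stand-alone use: audit the directory named on the command line.
if [ $# -gt 0 ]; then
    stig_ww_dir_audit "$1"
    exit $?
fi
```

Run it as sh audit.sh / from the OMVS shell (or against a mount point to narrow the scan). Each output line pairs a tag with the ls -ld line of the offending directory or file, and the exit status is 0 only when all three conditions hold, which makes the check usable from a scheduled job as well as interactively.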

Documentable

False

Check Content Reference

M

Target Key

4100

Comments