SV-223621r533198_rule
V-223621
SRG-OS-000080-GPOS-00048
ACF2-US-000060
CAT II
10
Configure BPX. resources so that they are properly protected and access is restricted to appropriate system tasks or systems programming personnel.
Configure the following items for the FACILITY resource class, TYPE(FAC):
The ACF2 rules for the BPX resource specify a default access of NONE.
Example:
$KEY(BPX) TYPE(FAC)
- UID(*) PREVENT
There are no ACF2 rules that allow access to the BPX resource.
Example:
$KEY(BPX) TYPE(FAC)
- UID(*) PREVENT
There is no ACF2 rule for BPX.SAFFASTPATH defined.
Example:
$KEY(BPX) TYPE(FAC)
SAFFASTPATH UID(*) PREVENT
The ACF2 rules for each of the BPX resources listed in the General Facility Class BPX Resources Table, in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE.
Example:
$KEY(BPX) TYPE(FAC)
DAEMON UID(*) PREVENT
DEBUG UID(*) PREVENT
FILEATTR.APF UID(*) PREVENT
FILEATTR.PROGCTL UID(*) PREVENT
JOBNAME UID(*) PREVENT
SAFFASTPATH UID(*) PREVENT
SERVER UID(*) PREVENT
SMF UID(*) PREVENT
STOR.SWAP UID(*) PREVENT
SUPERUSER UID(*) PREVENT
WLMSERVER UID(*) PREVENT
The ACF2 rules for each of the BPX resources listed in the General Facility Class BPX Resources Table, in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel as specified.
Example:
$KEY(BPX) TYPE(FAC)
DAEMON UID(*******STC******FTPD) SERVICE(READ) LOG
DAEMON UID(*******STC******INETD) SERVICE(READ) LOG
DAEMON UID(*******STC******NAMED) SERVICE(READ) LOG
DAEMON UID(*******STC******OMVSKERN) SERVICE(READ) LOG
DAEMON UID(*******STC******OMVS) SERVICE(READ) LOG
DAEMON UID(*******STC******OROUTED) SERVICE(READ) LOG
DAEMON UID(*******STC******OSNMPD) SERVICE(READ) LOG
From the ISPF Command Shell enter:
ACF
SET RESOURCE(FAC)
SET VERBOSE
LIST LIKE(BPX-)
If the ACF2 rules for the BPX resource specify a default access of NONE, this is not a finding.
If there are no ACF2 rules that allow access to the BPX resource, this is not a finding.
If there is no ACF2 rule for BPX.SAFFASTPATH defined, this is not a finding.
If the ACF2 rules for each of the BPX resources listed in z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE, this is not a finding.
If the ACF2 rules for each of the BPX resources listed in z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.
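An added example, not part of the STIG text: a Python check that applies the last three conditions above (no BPX.SAFFASTPATH access rule, a UID(*) PREVENT default per resource, grants limited to system tasks) to a rule set saved as text in the layout of the page's examples. The saved-text input, the function names and the `is_system_task` test (UID mask contains `STC`, as in the DAEMON example) are assumptions; entries with no ALLOW/LOG/PREVENT keyword are reported for manual review rather than interpreted.

```python
import re

# BPX. resources taken from the page's example rule set.
REQUIRED = ["DAEMON", "DEBUG", "FILEATTR.APF", "FILEATTR.PROGCTL", "JOBNAME",
            "SAFFASTPATH", "SERVER", "SMF", "STOR.SWAP", "SUPERUSER", "WLMSERVER"]
ENTRY = re.compile(r"^(\S+)\s+UID\(([^)]*)\)(.*)$")

def parse_rules(text):
    """Return (resource, uid_mask, action) for each rule entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:                      # skips the $KEY(...) header and blank lines
            continue
        action = next((w for w in m.group(3).split()
                       if w in ("ALLOW", "LOG", "PREVENT")), "UNSPECIFIED")
        entries.append((m.group(1), m.group(2), action))
    return entries

def is_system_task(uid_mask):
    # Assumption: approved system tasks carry "STC" in the UID string, as in
    # the page's DAEMON example. Replace with the site's approved list.
    return "STC" in uid_mask

def audit(text):
    """Return a list of finding strings; an empty list means no finding."""
    entries, findings = parse_rules(text), []
    for res in REQUIRED:
        if (res, "*", "PREVENT") not in entries:
            findings.append(f"{res}: missing UID(*) PREVENT default")
    for res, uid, action in entries:
        if action == "PREVENT":
            continue
        if action == "UNSPECIFIED":
            findings.append(f"{res} UID({uid}): no explicit action, review manually")
        elif res == "SAFFASTPATH":
            findings.append(f"SAFFASTPATH UID({uid}): access rule must not exist")
        elif not is_system_task(uid):
            findings.append(f"{res} UID({uid}): {action} not limited to a system task")
    return findings

# Constructed sample: WLMSERVER default omitted, two non-compliant grants added.
SAMPLE = "$KEY(BPX) TYPE(FAC)\n" + "\n".join(
    f"{r} UID(*) PREVENT" for r in REQUIRED if r != "WLMSERVER") + """
DAEMON UID(*******STC******FTPD) SERVICE(READ) LOG
SUPERUSER UID(*) SERVICE(READ) ALLOW
SAFFASTPATH UID(*******STC******OMVS) SERVICE(READ) LOG
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
```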
V-223621
False
ACF2-US-000060
M
4100