STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.

DISA Rule

SV-223638r533198_rule

Vulnerability Number

V-223638

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

ACF2-US-000230

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define the DFTUSER, MODLUSER, or BPX.UNIQUE.USER user account as follows:

- A non-writable HOME directory
- Shell program specified as "/bin/echo" or "/bin/false"

Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Example:
SET PROFILE(USER) DIV(OMVS)
LIST OMVS

INSERT OMVS HOME(/) OMVSPGM(/bin/false) UID(0)

Check Contents

If this is a Classified system, this is Not Applicable.

From an ACF2 command line enter:
SET CONTROL(GSO)
SHOW UNIXOPTS

Alternately:
Refer to the following report produced by the ACF2 Data Collection:
- ACF2CMDS.RPT(ACFGSO)
- ACF2CMDS.RPT(OMVSUSER)

Note: This check applies to any user identifier (LOGONID) used to model OMVS access on the mainframe. This includes any DFTUSER, MODLUSER, and BPX.UNIQUE.USER. If MODLUSER is specified, then UNIQUSER must be specified.

If DFTUSER or MODLUSER is not defined in the UNIXOPTS record, this is not a finding.

If ALL user identifiers (LOGONIDs) defined to DFTUSER, MODLUSER, or BPX.UNIQUE.USER are defined as follows, this is not a finding:

- A non-writable HOME directory
- Shell program specified as "/bin/echo" or "/bin/false"

Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100

Comments