STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

The IBM z/OS TFTP server program must be properly protected.

DISA Rule

SV-223740r604139_rule

Vulnerability Number

V-223740

Group Title

SRG-OS-000368-GPOS-00154

Rule Version

RACF-FT-000080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required.

Define the EZATD program and its alias TFTPD to RACF with no access granted. The following commands provide a sample of how this can be accomplished.

rdef program tftpd addmem('sys1.tcpip.sezaload'//nopadchk) -
data('Reference SRR PDI # IFTP0090') -
audit(all(read)) uacc(none) owner(admin)

rdef program ezatd -
addmem('sys1.tcpip.sezaload'//nopadchk) -
data('Reference SRR PDI # IFTP0090') -
audit(all(read)) uacc(none) owner(admin)

A PROGRAM class refresh will be necessary and can be accomplished with the command:

setr when(program) refresh

Check Contents

From the ISPF Command Shell enter:
RL Program *

If Program resources TFTPD and EZATD are defined to the PROGRAM resource class with a UACC(NONE), this is not a finding.

The library name where these programs are located is SYS1.TCPIP.SEZALOAD.

If no access to the program resources TFTPD and EZATD is permitted, this is not a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments