STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

The IBM z/OS Syslog daemon must be properly defined and secured.

DISA Rule

SV-223814r604139_rule

Vulnerability Number

V-223814

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

RACF-SL-000030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The Syslog daemon userid is SYSLOGD.
Define the SYSLOGD userid as a PROTECTED userid (no password or password phrase, so it cannot be used for logon and cannot be revoked by failed logon attempts).
Define the SYSLOGD userid with UID(0), HOME('/'), and PROGRAM('/bin/sh') specified in the OMVS segment.

To set up and use as an MVS Started Proc, the following sample commands are provided:

AU SYSLOGD NAME('stc, tcpip') NOPASSWORD NOOIDCARD DFLTGRP(STC) -
OWNER(STC) DATA('Reference ISLG0020 for proper setup ')
ALU SYSLOGD DFLTGRP(stctcpx)
ALU SYSLOGD OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
CO SYSLOGD GROUP(stctcpx) OWNER(stctcpx)

(The trailing hyphen on the first line is the RACF command continuation character. The NOPASSWORD and NOOIDCARD operands are what make the userid PROTECTED.)

A matching entry mapping the SYSLOGD started proc to the SYSLOGD userid is in the STARTED resource class.

RDEF STARTED SYSLOGD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(SYSLOGD) GROUP(STC))

After defining or changing the profile, refresh the in-storage copy of the class (SETROPTS RACLIST(STARTED) REFRESH) so the new STDATA values take effect.

If /etc/rc is used to start the Syslog daemon, ensure that the _BPX_JOBNAME and _BPX_USERID environment variables are assigned a value of SYSLOGD so the daemon runs under the SYSLOGD userid rather than the identity of the /etc/rc process.

Check Contents

From z/OS command screen enter:
ListUser SYSLOGD OMVS (SYSLOGD is usual name of the SYSLOG daemon)

If all of the following are true, this is not a finding.

If either of the following is untrue, this is a finding.

-The SYSLOGD userid is defined as a PROTECTED userid.
-The SYSLOGD userid has the following z/OS UNIX attributes: UID(0), HOME directory '/', shell program /bin/sh.

From z/OS command screen enter:
RList STARTED SYSLOGD

If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.
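The two checks above can be automated against the captured output of ListUser and RList. The following script is an added example (not part of the STIG text, and not STIGQter or DISA code) that parses that output and returns the findings for this rule. The sample LISTUSER and RLIST output embedded in it is constructed for the example; it follows the usual layout of those commands (an ATTRIBUTES= line, an OMVS INFORMATION section with UID=, HOME= and PROGRAM=, and an STDATA INFORMATION section with USER= and GROUP=), but a site should confirm the layout against its own output. The acceptable group defaults to STC, matching the STDATA(GROUP(STC)) in the fix recommendation, and is a parameter because the appropriate group is site-specific.

```python
import re

# Constructed sample output of: LISTUSER SYSLOGD OMVS  (compliant case)
COMPLIANT_LU = """\
USER=SYSLOGD  NAME=STC, TCPIP  OWNER=STC  CREATED=21.113
 DEFAULT-GROUP=STC   PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=STC       AUTH=USE      CONNECT-OWNER=STC       CONNECT-DATE=21.113

OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh
"""

# Constructed sample output: not PROTECTED, non-zero UID, wrong HOME
NONCOMPLIANT_LU = """\
USER=SYSLOGD  NAME=STC, TCPIP  OWNER=STC  CREATED=21.113
 DEFAULT-GROUP=STC   PASSDATE=21.113  PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE

OMVS INFORMATION
----------------
UID= 0000000042
HOME= /u/syslogd
PROGRAM= /bin/sh
"""

# Constructed sample output of: RLIST STARTED SYSLOGD.** STDATA  (compliant case)
COMPLIANT_RLIST = """\
CLASS      NAME
-----      ----
STARTED    SYSLOGD.** (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN             NONE              NONE    NO

STDATA INFORMATION
------------------
USER= SYSLOGD
GROUP= STC
TRUSTED= NO
PRIVILEGED= NO
TRACE= NO
"""


def _field(text, name):
    """Value of a 'NAME= value' line (NAME at the start of the line), or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"=\s*(\S.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def check_syslogd_user(listuser_text):
    """Apply the userid conditions of RACF-SL-000030 to LISTUSER ... OMVS output.

    Returns a list of findings; an empty list means 'not a finding'.
    """
    findings = []
    attrs = (_field(listuser_text, "ATTRIBUTES") or "").upper().split()
    if "PROTECTED" not in attrs:
        findings.append("SYSLOGD is not a PROTECTED userid (ATTRIBUTES=%s)" % " ".join(attrs))
    parts = listuser_text.split("OMVS INFORMATION", 1)
    if len(parts) < 2:
        findings.append("SYSLOGD has no OMVS segment")
        return findings
    omvs = parts[1]
    uid = _field(omvs, "UID")
    if uid is None or not uid.isdigit() or int(uid) != 0:
        findings.append("UID is %r, expected 0" % uid)
    home = _field(omvs, "HOME")
    if home != "/":
        findings.append("HOME is %r, expected '/'" % home)
    program = _field(omvs, "PROGRAM")
    if program != "/bin/sh":
        findings.append("PROGRAM is %r, expected '/bin/sh'" % program)
    return findings


def check_started_entry(rlist_text, user="SYSLOGD", groups=("STC",)):
    """Apply the STARTED-class condition to RLIST STARTED ... STDATA output.

    'groups' is the site's acceptable group list (assumption: STC, as in the
    fix recommendation). Returns a list of findings; empty means compliant.
    """
    findings = []
    if not re.search(r"^STARTED\s+" + re.escape(user) + r"\.", rlist_text, re.MULTILINE):
        findings.append("no STARTED profile covering %s.*" % user)
    parts = rlist_text.split("STDATA INFORMATION", 1)
    if len(parts) < 2:
        findings.append("STARTED profile has no STDATA segment")
        return findings
    stdata = parts[1]
    if _field(stdata, "USER") != user:
        findings.append("STDATA USER is %r, expected %r" % (_field(stdata, "USER"), user))
    if _field(stdata, "GROUP") not in groups:
        findings.append("STDATA GROUP is %r, expected one of %s" % (_field(stdata, "GROUP"), list(groups)))
    return findings


if __name__ == "__main__":
    for label, result in (("userid (compliant)", check_syslogd_user(COMPLIANT_LU)),
                          ("userid (non-compliant)", check_syslogd_user(NONCOMPLIANT_LU)),
                          ("STARTED entry", check_started_entry(COMPLIANT_RLIST))):
        print(label, "-> not a finding" if not result else "-> FINDING: " + "; ".join(result))
```

Because the functions take text, the same checks can be run over output saved from a batch TSO job on many systems and the results aggregated; the GROUP parameter should be set to whatever group the site's STDATA actually uses.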

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments