STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide, Version: 8, Release: 2, Benchmark Date: 23 Apr 2021

IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

DISA Rule

SV-224061r561402_rule

Vulnerability Number

V-224061

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

TSS0-TC-000060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Develop a plan of action to implement the required changes. Ensure the following items are in effect for the ACID(s) assigned to the TCP/IP address space(s):

1) Named TCPIP or, in the case of multiple instances, prefixed with TCPIP

2) Has the STC facility

3) z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh

Ensure the following items are in effect for the ACID assigned to the EZAZSSI started task:

1) Named EZAZSSI

2) Has the STC facility

For example:

The following commands can be used to create the user accounts and assign the privileges that are required for the TCP/IP address space and the EZAZSSI started task:

TSS CREATE(TCPIP) TYPE(USER) NAME(TCPIP) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0)
TSS ADD(TCPIP) DFLTGRP(STCTCPX) GROUP(STCTCPX)
TSS ADD(TCPIP) SOURCE(INTRDR)
TSS ADD(TCPIP) UID(0) HOME(/) OMVSPGM(/bin/sh)
TSS ADD(TCPIP) MASTFAC(TCP)
TSS ADD(STC) PROCNAME(TCPIP) ACID(TCPIP)
TSS PERMIT(TCPIP) IBMFAC(BPX.DAEMON) ACCESS(READ)

TSS CREATE(EZAZSSI) TYPE(USER) NAME(EZAZSSI) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0)
TSS ADD(EZAZSSI) DFLTGRP(STCTCPX) GROUP(STCTCPX)
TSS ADD(EZAZSSI) SOURCE(INTRDR)
TSS ADD(EZAZSSI) UID(non-zero) HOME(/) OMVSPGM(/bin/sh)
TSS ADD(EZAZSSI) MASTFAC(TCP)
TSS ADD(STC) PROCNAME(EZAZSSI) ACID(EZAZSSI)
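
The requirements above can be checked against a TSS command deck before it is run. The following is an added example, not part of the STIG or of any IBM or Broadcom tooling: the names parse_deck and findings, the deck layout (one command per line, with wrapped lines continuing the previous command) and the caller-supplied list of TCP/IP procedure names taken from the Proclib review are all assumptions. It audits the commands themselves, not live TSS LIST output.

```python
import re

KEYWORD = re.compile(r"([A-Za-z]+)\(([^()]*)\)")
OMVS_REQUIRED = {"UID": "0", "HOME": "/", "OMVSPGM": "/bin/sh"}  # from the rule text

def parse_deck(text):
    """Return ({acid: {keyword: [values]}}, {procname: acid}) from TSS commands."""
    commands = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.upper().startswith("TSS "):
            commands.append(line)
        elif line and commands:  # wrapped line continues the previous command
            commands[-1] += " " + line
    acids, stc = {}, {}
    for cmd in commands:
        pairs = [(k.upper(), v.strip()) for k, v in KEYWORD.findall(cmd[4:])]
        (verb, target), attrs = (pairs[:1] or [("", "")])[0], dict(pairs[1:])
        if verb == "ADD" and target == "STC" and "PROCNAME" in attrs:
            stc[attrs["PROCNAME"]] = attrs.get("ACID", "")  # STC record: proc -> ACID
        elif verb in ("CREATE", "ADD"):
            for key, value in attrs.items():
                acids.setdefault(target, {}).setdefault(key, []).extend(value.split(","))
    return acids, stc

def findings(text, tcpip_procs):
    """Return (procname, problem) pairs; an empty list means no finding."""
    acids, stc = parse_deck(text)
    out = []
    for proc in [*tcpip_procs, "EZAZSSI"]:
        acid = stc.get(proc, "<unassigned>")  # no STC record maps the proc to an ACID
        record = acids.get(acid, {})
        named = acid == "EZAZSSI" if proc == "EZAZSSI" else acid.startswith("TCPIP")
        if not named:
            out.append((proc, f"ACID {acid} is not named as required"))
        if "STC" not in record.get("FACILITY", []):
            out.append((proc, f"ACID {acid} lacks the STC facility"))
        for key, want in OMVS_REQUIRED.items() if proc != "EZAZSSI" else ():
            if record.get(key) != [want]:  # UID/HOME/OMVSPGM apply to TCP/IP ACIDs only
                out.append((proc, f"ACID {acid}: {key} is not {want}"))
    return out

# Constructed sample deck: TCPIP has the wrong UID, EZAZSSI is missing FACILITY(STC).
SAMPLE = """\
TSS CREATE(TCPIP) TYPE(USER) NAME(TCPIP)
DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0)
TSS ADD(TCPIP) UID(25) HOME(/) OMVSPGM(/bin/sh)
TSS ADD(STC) PROCNAME(TCPIP) ACID(TCPIP)
TSS CREATE(EZAZSSI) TYPE(USER) NAME(EZAZSSI) DEPT(existing-dept)
TSS ADD(STC) PROCNAME(EZAZSSI) ACID(EZAZSSI)"""
```

Calling findings(SAMPLE, ["TCPIP"]) reports one problem for TCPIP and one for EZAZSSI; a deck that sets every required attribute returns an empty list.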

Check Contents

Refer to system Proclibs to determine the TCPIP address space(s).

From the ISPF Command Shell enter:
TSS list(<TCPIP STCs>) SEGMENT(OMVS)

For each TCPIP:

If all of the following items are true, this is not a finding.

If any item is untrue, this is a finding.

-Named TCPIP or, in the case of multiple instances, prefixed with TCPIP.

-Has the STC facility.

-z/OS UNIX attributes:
UID(0), HOME directory ‘/’, shell program /bin/sh

From the ISPF Command Shell enter:
TSS LIST(EZAZSSI) SEGMENT(OMVS)

Ensure the following items are in effect for the ACID assigned to the EZAZSSI started task:
-Named EZAZSSI
-Has the STC facility.

If the EZAZSSI STC has the STC facility, this is not a finding.

Documentable

False

Check Content Reference

M

Target Key

4102

Comments