STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide, Version: 8, Release: 2, Benchmark Date: 23 Apr 2021

IBM z/OS UNIX HFS MapName file security parameters must be properly specified.

DISA Rule

SV-224074r561402_rule

Vulnerability Number

V-224074

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

TSS0-US-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and configure the values to conform to the specifications below.

The /etc/auto.master HFS file (and the use of Automount) is optional.

The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default.

Each MapName file will specify the "setuid NO" and "security YES" statements for each automounted directory.

If there is a deviation from the required values, documentation must exist for the deviation.

"Security NO" disables security checking for file access. "Security NO" is only allowed on test and development domains.

"Setuid YES" allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of "setuid YES".

Check Contents

Refer to the logical parmlib data sets, example: SYS1.PARMLIB(BPXPRMxx), for the following FILESYSTYPE entry:

FILESYSTYPE TYPE(AUTOMNT) ENTRYPOINT(BPXTAMD)

If the above entry is not found or is commented out in the BPXPRMxx member(s), this is not applicable.

From the ISPF Command Shell enter:
OMVS
cd /etc
cat auto.master
Perform a contents list for each MapName file identified in auto.master.
Example:
cat u.map
Note: The /etc/auto.master HFS file (and the use of Automount) is optional. If the file does not exist, this is not applicable.

Note: The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not allowed to default.

If each MapName file specifies the "setuid No" and "security Yes" statements for each automounted directory, this is not a finding.

If there is any deviation from the required values, this is a finding.
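
One way to script the MapName review above from the OMVS shell, as an added example that is not part of the STIG. It assumes each auto.master line has the form `<directory> <MapName file>` and that each MapName stanza begins with a `name` statement; the function names and the sample data in `demo` are constructed for illustration, and the BPXPRMxx applicability check is not covered.

```shell
#!/bin/sh
# Added example: flag automount MapName stanzas that do not explicitly
# specify "setuid no" and "security yes".

# audit_mapname FILE
# Prints one line per deviation; returns 1 if any stanza deviates.
audit_mapname() {
    awk -v file="$1" '
    function report(kw, val) {
        printf "%s: name %s: %s %s\n", file, name, kw,
               (val == "" ? "not specified (defaulted)" : "is " val)
        bad = 1
    }
    function check_stanza() {
        if (name == "") return
        if (setuid != "no")    report("setuid", setuid)
        if (security != "yes") report("security", security)
    }
    BEGIN { bad = 0 }
    { kw = tolower($1); val = tolower($2) }
    # Assumption: each stanza begins with a "name" statement.
    kw == "name"     { check_stanza(); name = $2; setuid = ""; security = "" }
    kw == "setuid"   { setuid = val }
    kw == "security" { security = val }
    END { check_stanza(); exit bad }
    ' "$1"
}

# audit_automount MASTER
# Assumption: each auto.master line is "<directory> <MapName file>".
audit_automount() {
    [ -f "$1" ] || { echo "not applicable: $1 does not exist"; return 0; }
    rc=0
    while read -r dir map rest; do
        [ -n "$map" ] || continue
        audit_mapname "$map" || rc=1
    done < "$1"
    return "$rc"
}

# Constructed sample: one stanza that lets both parameters default.
demo() {
    d=$(mktemp -d)
    printf '/u %s/u.map\n' "$d" > "$d/auto.master"
    printf 'name *\ntype HFS\nfilesystem OMVS.USER.<uc_name>\nmode rdwr\n' > "$d/u.map"
    audit_automount "$d/auto.master"; status=$?
    rm -rf "$d"
    return "$status"
}
```

Run `audit_automount /etc/auto.master` on the system under review; a non-zero return with output lines corresponds to a finding unless the deviation is documented.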

Documentable

False

Check Content Reference

M

Target Key

4102

Comments