STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:SV-224076r695474_rule
V-224076
SRG-OS-000080-GPOS-00048
TSS0-US-000030
CAT II
10
Because they convey especially powerful privileges, the settings for BPX.DAEMON, BPX.SAFFASTPATH, BPX.SERVER, and BPX.SUPERUSER require special attention.
Review the following items for the IBMFAC resource class:
-The TSS owner defined for the BPX resource.
-There are no TSS rules that allow access to the BPX resource.
-There are no TSS rules for BPX.SAFFASTPATH defined.
The TSS rules for each of the BPX resources listed in General Facility Class BPX Resources Table, in the z/OS UNIX System Services Planning, Establishing UNIX security restrict access to appropriate system tasks or systems programming personnel. Access can be permitted only to users with a requirement for the resource that is documented to the ISSO. Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel userid, z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers). When BPX.SAFFASTPATH is defined, calls to the ACP are not performed for file accesses and there is no audit trail of access failures. This configuration is unacceptable. Therefore BPX.SAFFASTPATH must not be used on any system.
For Example:
The following commands can be used to provide the required protection:
TSS ADD(ADMIN) IBMFAC(BPX.)
TSS PERMIT(ALL) IBMFAC(BPX.SAFFASTPATH) ACCESS(NONE)
NOTE:
The PERMIT command for BPX.SAFFASTPATH must be executed on TOP SECRET systems. If access to BPX.SAFFSTPATH were allowed, z/OS UNIX would perform permission bit checking internally instead of calling the ACP. On TOP SECRET systems this would bypass any audit trail of violations. In addition, the z/OS UNIX kernel userid (OMVS is the example in this section) must not have the TOP SECRET NORESCHK privilege. Having that privilege would allow access to BPX.SAFFASTPATH even though the access restriction was in place.
From the ISPF Command Shell enter:
TSS WHOOWNS IBMFAC(BPX.)
If the BPX. resource is properly owned, this is not a finding.
From the ISPF Command Shell enter:
TSS WHOHAS (<each BPX resource>)
If any item below are untrue, this is a finding.
-There are no TSS rules that allow access to the BPX resource.
-There are no TSS rules for BPX.SAFFASTPATH defined.
-The TSS rules for each of the BPX resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel.
V-224076
False
TSS0-US-000030
From the ISPF Command Shell enter:
TSS WHOOWNS IBMFAC(BPX.)
If the BPX. resource is properly owned, this is not a finding.
From the ISPF Command Shell enter:
TSS WHOHAS (<each BPX resource>)
If any item below are untrue, this is a finding.
-There are no TSS rules that allow access to the BPX resource.
-There are no TSS rules for BPX.SAFFASTPATH defined.
-The TSS rules for each of the BPX resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel.
M
4102