STIGQter STIGQter: STIG Summary: zOS Websphere Application Server for TSS STIG Version: 6 Release: 1 Benchmark Date: 11 Mar 2020:

HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.

DISA Rule

SV-3898r3_rule

Vulnerability Number

V-3898

Group Title

ZWAS0020

Rule Version

ZWAS0020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment.

Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum.

Check Contents

a) Refer to the following reports produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(IHSHFSOB)
- USSCMDS.RPT(WASHFSOB)

For each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS)

- Web server ID defined to the ACP
- Web server administration group defined to the ACP
- Web server standard HFS directory

b) The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum:

- If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.
- Where an owner field indicates websrv1, the ID of the web server is intended.
- Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.
- The site is free to set the permission and audit bit settings to be more restrictive than the documented values.

Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permission Bits table in the z/OS STIG Addendum. Currently the guidance requires the permissions on these files to be 640, where the group is the SA or web manager account that controls the web service. However the group permission only allows READ access making it impossible to update files unless using a UID(0) account. There appears to be a conflict with this requirement. Proposed updates include changing permissions from 640 to 460. The owner will be the web server user account and the group will be the web server administrator group.

Verification of these proposed changes needs to be performed. Until this occurs, compliance of the WAS configuration and property files cannot be reviewed. An entry for was.conf file settings needs to be added. Settings for the WebSphere properties and bin directories may be desirable.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Vulnerability Number

V-3898

Documentable

False

Rule Version

ZWAS0020

Severity Override Guidance

a) Refer to the following reports produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(IHSHFSOB)
- USSCMDS.RPT(WASHFSOB)

For each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS)

- Web server ID defined to the ACP
- Web server administration group defined to the ACP
- Web server standard HFS directory

b) The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum:

- If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.
- Where an owner field indicates websrv1, the ID of the web server is intended.
- Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.
- The site is free to set the permission and audit bit settings to be more restrictive than the documented values.

Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permission Bits table in the z/OS STIG Addendum. Currently the guidance requires the permissions on these files to be 640, where the group is the SA or web manager account that controls the web service. However the group permission only allows READ access making it impossible to update files unless using a UID(0) account. There appears to be a conflict with this requirement. Proposed updates include changing permissions from 640 to 460. The owner will be the web server user account and the group will be the web server administrator group.

Verification of these proposed changes needs to be performed. Until this occurs, compliance of the WAS configuration and property files cannot be reviewed. An entry for was.conf file settings needs to be added. Settings for the WebSphere properties and bin directories may be desirable.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3361

Comments