STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: z/OS UNIX security parameters in /etc/rc not properly specified.

DISA Rule

SV-7264r2_rule

Vulnerability Number

V-6963

Group Title

ZUSS0016

Rule Version

ZUSS0016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the settings in the /etc/rc. The /etc/rcfile is the system initialization shell script. When z/OS UNIX kernel services start, /etc/rc is executed to set file permissions and ownership for dynamic system files and to perform other system startup functions such as starting daemons. There can be many commands in /etc/rc. There are two specific guidelines that must be followed:
Verify that The CHMOD or CHAUDIT command does not result in less restrictive security than than what is specified in the table in the z/OS STIG addendum under the SYSTEM DIRECTORY SECURITY SETTINGS,

Immediately prior to each command that starts a daemon, the _BPX_JOBNAME variable must be set to match the daemon’s name (e.g., inetd, syslogd). The use of _BPX_USERID is at the site’s discretion, but is recommended.

Check Contents

a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(ERC)

b) If all of the CHMOD commands in /etc/rc do not result in less restrictive access than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHMOD commands in /etc/rc is required in most environments to comply with the required settings, especially for dynamic objects such as the /dev directory.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

c) If all of the CHAUDIT commands in /etc/rc do not result in less auditing than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHAUDIT commands in /etc/rc may not be necessary. If none are found, there is NO FINDING.

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing


d) If the _BPX_JOBNAME variable is appropriately set (i.e., to match daemon name) as each daemon (e.g., syslogd, inetd) is started in /etc/rc, there is NO FINDING.

NOTE: If _BPX_JOBNAME is not specified, the started address space will be named using an inherited value. This could result in reduced security in terms of operator command access.

e) If (b), (c), or (d) above is untrue, this is a FINDING.

Vulnerability Number

V-6963

Documentable

False

Rule Version

ZUSS0016

Severity Override Guidance

a) Refer to the following report produced by the UNIX System Services Data Collection:

- USSCMDS.RPT(ERC)

b) If all of the CHMOD commands in /etc/rc do not result in less restrictive access than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHMOD commands in /etc/rc is required in most environments to comply with the required settings, especially for dynamic objects such as the /dev directory.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

c) If all of the CHAUDIT commands in /etc/rc do not result in less auditing than what is specified in the SYSTEM DIRECTORY SECURITY SETTINGS Table and the SYSTEM FILE SECURITY SETTINGS Table in the z/OS STIG Addendum, there is NO FINDING.

NOTE: The use of CHAUDIT commands in /etc/rc may not be necessary. If none are found, there is NO FINDING.

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing


d) If the _BPX_JOBNAME variable is appropriately set (i.e., to match daemon name) as each daemon (e.g., syslogd, inetd) is started in /etc/rc, there is NO FINDING.

NOTE: If _BPX_JOBNAME is not specified, the started address space will be named using an inherited value. This could result in reduced security in terms of operator command access.

e) If (b), (c), or (d) above is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

106

Comments