STIGQter: STIG Summary: zOS Websphere Application Server for RACF STIG Version: 6 Release: 1 Benchmark Date: 11 Mar 2020:

The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.

DISA Rule

SV-7265r3_rule

Vulnerability Number

V-3899

Group Title

ZWAS0030

Rule Version

ZWAS0030

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

There are two profiles to create when using the CBIND class. They are the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Also, there is the CB.server_name profile that controls whether a client can
use components in a server; again these definitions are mandatory.

Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

The following command provide sample definitions and permissions for this CBIND resource:

SETR CLASSACT(CBIND)
SETR GENERIC(CBIND)
SETR RACL(CBIND)

RDEFINE CBIND cb.bind.<servername> UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030')

Permit cb.bind.<servername> CLASS(CBIND) ID(<wscfg1>) ACCESS(CONTROL)

Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.

Check Contents

a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(CBIND)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

b) Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

b) If any item in (b) is untrue, this is a FINDING.

Vulnerability Number

V-3899

Documentable

False

Rule Version

ZWAS0030

Severity Override Guidance

a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(CBIND)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

b) Ensure the following items are in effect for CBIND resource protection:

1) The CBIND resource class is active.

2) The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

3) Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

c) If all items in (b) are true, there is NO FINDING.

b) If any item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3361

Comments