SV-223865r604139_rule
V-223865
SRG-OS-000080-GPOS-00048
RACF-UT-000020
CAT II
10
With the assistance of a systems programmer with UID(0) and/or SUPERUSER access, review the UNIX permission bits and user audit bits on the HFS directories and files for the z/OS UNIX Telnet Server. Ensure they conform to the specifications below:
z/OS UNIX TELNET Server HFS Object Security Settings
File                 Permission Bits   User Audit Bits
/usr/sbin/otelnetd   1740              fff
/etc/banner          0744              faf
NOTE:
The /usr/sbin/otelnetd object is a symbolic link to /usr/lpp/tcpip/sbin/otelnetd. The permission and user audit bits on the target of the symbolic link must have the required settings.
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing
The following commands can be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1740 /usr/lpp/tcpip/sbin/otelnetd
chaudit rwx=f /usr/lpp/tcpip/sbin/otelnetd
chmod 0744 /etc/banner
chaudit w=sf,rx+f /etc/banner
From the ISPF Command Shell enter:
omvs
At the input line enter
cd /usr
enter
ls -alW
If the following File permission and user Audit Bits are true, this is not a finding.
/usr/sbin/otelnetd 1740 fff
cd /etc
ls -alW
If the following file permission and user Audit Bits are true, this is not a finding.
/etc/banner 0744 faf
The following represents a hierarchy for permission bits from least restrictive to most restrictive:
7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)
The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing
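Added example (not part of the STIG text): a shell script that grades ls -alW output lines against the required permission and user audit bits, and flags a symbolic link so that its target is graded instead. It assumes ls -W prints the six audit bits as the second field with the three user audit bits first; the sample lines, including the owner and group names, are constructed.

```shell
#!/bin/sh
# Added example: grade `ls -alW` lines against the required bits.

# Convert a 10-character symbolic mode (e.g. -rwxr----T) to 4-digit octal.
mode_to_octal() {
    m=$1; special=0; out=""
    for i in 2 5 8; do                      # first column of each rwx triplet
        t=$(printf '%s' "$m" | cut -c"$i"-"$((i + 2))")
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        case $t in ??[xst]) d=$((d + 1)) ;; esac   # lowercase s/t include execute
        case $i$t in
            2??[sS]) special=$((special + 4)) ;;   # set-user-ID
            5??[sS]) special=$((special + 2)) ;;   # set-group-ID
            8??[tT]) special=$((special + 1)) ;;   # sticky bit
        esac
        out="$out$d"
    done
    printf '%s%s\n' "$special" "$out"
}

# check_line LINE MODE AUDIT -> 0 match, 1 finding, 2 symbolic link (grade its target)
check_line() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    audit=$(printf '%s\n' "$1" | awk '{print substr($2, 1, 3)}')  # user audit bits
    case $mode in l*) return 2 ;; esac
    [ "$(mode_to_octal "$mode")" = "$2" ] || return 1
    [ "$audit" = "$3" ] || return 1
    return 0
}

# Constructed sample lines (owner, group, size and date are made up).
TARGET='-rwxr----T  fff---   1 OMVSKERN SYS1  98304 Jan  1 00:00 otelnetd'
BANNER='-rwxr--r--  faf---   1 OMVSKERN SYS1    512 Jan  1 00:00 banner'
LINK='lrwxrwxrwx  fff---   1 OMVSKERN SYS1     28 Jan  1 00:00 otelnetd -> /usr/lpp/tcpip/sbin/otelnetd'
LOOSE='-rwxr-xr-x  f-----   1 OMVSKERN SYS1  98304 Jan  1 00:00 otelnetd'

report() {  # print a verdict for one line; $1 label, $2 line, $3 mode, $4 audit
    rc=0; check_line "$2" "$3" "$4" || rc=$?
    case $rc in 0) v='not a finding' ;; 2) v='symbolic link, grade the target' ;; *) v='finding' ;; esac
    printf '%-8s %s\n' "$1" "$v"
}
report target "$TARGET" 1740 fff
report banner "$BANNER" 0744 faf
report link   "$LINK"   1740 fff
report loose  "$LOOSE"  1740 fff
```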