STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS BPX resource(s) must be protected in accordance with security requirements.

DISA Rule

SV-224076r695474_rule

Vulnerability Number

V-224076

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

TSS0-US-000030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Because they convey especially powerful privileges, the settings for BPX.DAEMON, BPX.SAFFASTPATH, BPX.SERVER, and BPX.SUPERUSER require special attention.

Review the following items for the IBMFAC resource class:

-The BPX. resource prefix has a TSS owner defined.
-There are no TSS rules that allow access to the generic BPX. resource itself (a permit on the prefix would cover every BPX.* resource).
-There are no TSS rules that allow access to BPX.SAFFASTPATH; the only permit that should exist for it is the PERMIT(ALL) ... ACCESS(NONE) rule shown below.

The TSS rules for each of the BPX resources listed in the General Facility Class BPX Resources table (z/OS UNIX System Services Planning, Establishing UNIX security) must restrict access to the appropriate system tasks or systems programming personnel. Access may be permitted only to users with a requirement for the resource that is documented to the ISSO. Access to BPX.DAEMON must be restricted to the z/OS UNIX kernel userid, z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons (e.g., web servers).

When BPX.SAFFASTPATH is defined and usable, z/OS UNIX performs file-access permission checks internally and does not call the ACP (the access control product, here TOP SECRET), so access failures leave no audit trail. This configuration is unacceptable; BPX.SAFFASTPATH must not be used on any system.

For Example:
The following commands can be used to provide the required protection:

TSS ADD(ADMIN) IBMFAC(BPX.)
TSS PERMIT(ALL) IBMFAC(BPX.SAFFASTPATH) ACCESS(NONE)

NOTE:
The PERMIT command for BPX.SAFFASTPATH must be executed on TOP SECRET systems. If access to BPX.SAFFASTPATH were allowed, z/OS UNIX would perform permission-bit checking internally instead of calling the ACP, which on TOP SECRET systems bypasses any audit trail of violations. In addition, the z/OS UNIX kernel userid (OMVS in this example) must not hold the TOP SECRET NORESCHK privilege: NORESCHK bypasses resource checking, so the kernel ACID would effectively have access to BPX.SAFFASTPATH despite the ACCESS(NONE) permit.

Check Contents

From the ISPF Command Shell enter:
TSS WHOOWNS IBMFAC(BPX.)

If the BPX. resource prefix has a TSS owner defined, this item is not a finding.

From the ISPF Command Shell enter:
TSS WHOHAS IBMFAC(<each BPX resource>)

If any item below is untrue, this is a finding.

-There are no TSS rules that allow access to the generic BPX. resource itself (a permit on the prefix would cover every BPX.* resource).
-There are no TSS rules that allow access to BPX.SAFFASTPATH; the only permit that should exist for it is the PERMIT(ALL) ... ACCESS(NONE) rule from the Fix Recommendation.
-The TSS rules for each of the BPX resources listed in z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to the appropriate system tasks or systems programming personnel, and every permitted user has a requirement documented to the ISSO.
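As an added example (not part of the STIG text and not a CA/Broadcom tool), the following Python script applies the check items above to a TSS WHOHAS report: a permit on the generic BPX. prefix, any permit that grants access to BPX.SAFFASTPATH or omits the deny-all rule, a BPX.DAEMON permit to anything other than the kernel userid or a daemon, and a permit on any other BPX.* resource to an ACID without a documented requirement are each reported as a finding. The report line layout it parses, the ACID names in the sample, and the approved and documented ACID lists are all assumptions constructed for illustration; confirm the real WHOHAS format on your system before relying on the regular expression.

```python
"""Evaluate TSS WHOHAS output for BPX.* resources against this STIG check.

Added example, not STIG or vendor code.  The report layout parsed here is an
ASSUMED simplification of TSS WHOHAS output; adjust PERMIT_RE to the format
actually produced on your system.
"""
import re
from collections import defaultdict

# Constructed sample report, NOT a capture from a real system.  Assumed
# layout: an "IBMFAC = <resource>" line introduces each resource, and each
# permit is one "XAUTH" line carrying the permitted ACID and access level.
SAMPLE_WHOHAS = """\
IBMFAC   = BPX.                     OWNER(ADMIN   )
   XAUTH = BPX.                     ACID(OPSTEAM ) ACCESS = READ
IBMFAC   = BPX.DAEMON               OWNER(ADMIN   )
   XAUTH = BPX.DAEMON               ACID(OMVSKERN) ACCESS = READ
   XAUTH = BPX.DAEMON               ACID(INETD   ) ACCESS = READ
   XAUTH = BPX.DAEMON               ACID(JSMITH  ) ACCESS = READ
IBMFAC   = BPX.SAFFASTPATH          OWNER(ADMIN   )
   XAUTH = BPX.SAFFASTPATH          ACID(ALL     ) ACCESS = NONE
IBMFAC   = BPX.SUPERUSER            OWNER(ADMIN   )
   XAUTH = BPX.SUPERUSER            ACID(SYSPROG ) ACCESS = READ
   XAUTH = BPX.SUPERUSER            ACID(HELPDESK) ACCESS = READ
"""

# Hypothetical approved lists.  In practice these come from the ISSO's
# documentation of which ACIDs require each resource.
APPROVED_DAEMON_ACIDS = {"OMVSKERN", "INETD", "SYSLOGD", "FTPD"}
DOCUMENTED_ACIDS = {"SYSPROG"} | APPROVED_DAEMON_ACIDS

# Assumed permit-line shape: XAUTH = <resource> ACID(<acid>) ACCESS = <level>
PERMIT_RE = re.compile(
    r"^\s*XAUTH\s*=\s*(?P<res>\S+)\s+ACID\((?P<acid>[^)]*)\)\s+ACCESS\s*=\s*(?P<acc>\w+)",
    re.IGNORECASE,
)


def parse_whohas(report):
    """Return {resource: [(acid, access), ...]} from the assumed report layout."""
    permits = defaultdict(list)
    for line in report.splitlines():
        m = PERMIT_RE.match(line)
        if m:
            permits[m["res"].upper()].append((m["acid"].strip().upper(), m["acc"].upper()))
    return permits


def evaluate(permits, approved_daemon=APPROVED_DAEMON_ACIDS, documented=DOCUMENTED_ACIDS):
    """Apply the check items; returns a list of finding strings (empty means compliant)."""
    findings = []
    # A permit on the generic BPX. prefix would cover every BPX.* resource.
    for acid, acc in permits.get("BPX.", []):
        if acc != "NONE":
            findings.append(f"BPX. prefix permitted to {acid} with ACCESS({acc})")
    # BPX.SAFFASTPATH must be unusable: the deny-all permit present, nothing granting access.
    saff = permits.get("BPX.SAFFASTPATH", [])
    if ("ALL", "NONE") not in saff:
        findings.append("BPX.SAFFASTPATH lacks PERMIT(ALL) ... ACCESS(NONE)")
    for acid, acc in saff:
        if acc != "NONE":
            findings.append(f"BPX.SAFFASTPATH permitted to {acid} with ACCESS({acc})")
    # BPX.DAEMON: kernel userid and daemons only.
    for acid, acc in permits.get("BPX.DAEMON", []):
        if acc != "NONE" and acid not in approved_daemon:
            findings.append(f"BPX.DAEMON permitted to non-daemon ACID {acid}")
    # Every other BPX.* resource: only ACIDs with a documented requirement.
    for res, plist in permits.items():
        if res in ("BPX.", "BPX.SAFFASTPATH", "BPX.DAEMON"):
            continue
        for acid, acc in plist:
            if acc != "NONE" and acid not in documented:
                findings.append(f"{res} permitted to undocumented ACID {acid}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_whohas(SAMPLE_WHOHAS)):
        print("FINDING:", finding)
```

An ACCESS(NONE) permit is treated as a deny rule rather than a rule that allows access, which is how the Fix Recommendation's PERMIT(ALL) ... ACCESS(NONE) command reconciles with the check item. The NORESCHK condition from the fix's note is not visible in WHOHAS output and has to be verified separately against the kernel ACID's attributes.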

Vulnerability Number

V-224076

Documentable

False

Rule Version

TSS0-US-000030

Severity Override Guidance

Check Content Reference

M

Target Key

4102

Comments