STIGQter: STIG Summary: zOS Websphere Application Server for TSS STIG Version: 6 Release: 1 Benchmark Date: 11 Mar 2020:

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.

DISA Rule

SV-3900r4_rule

Vulnerability Number

V-3900

Group Title

ZWAS0040

Rule Version

ZWAS0040

Severity

CAT I

CCI(s)

CCI-001762 - The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

Weight

Fix Recommendation

The IAO will ensure that the CBADMIN user account is removed or not defined to the ACP.

Check Contents

a) Refer to the following report produced by the ACP Data Collection:

ACF2
- ACF2CMDS.RPT(LOGONIDS)
RACF
- RACFCMDS.RPT(LISTUSER)
TSS
- TSSCMDS.RPT(@ACIDS)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZWAS0040)

b) If the CBADMIN user account is not defined to the ACP, there is NO FINDING.

c) If the CBADMIN user account is defined to ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT I.

d) If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of
CAT II.

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Responsibility

Target Key

Comments