IBM z/OS UNIX HFS MapName file security parameters must be properly specified.

An XCCDF Rule

Description

<VulnDiscussion>Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-224074r991589_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Review the settings in /etc/auto.master and /etc/mapname for z/OS UNIX security parameters and configure the values to conform to the specifications below.

The /etc/auto.master HFS file (and the use of Automount) is optional. 

The setuid parameter and the security parameter have a significant security impact. For this reason these parameters must be explicitly specified and not be allowed to default.
Each MapName file will specify the "setuid NO" and "security YES" statements for each automounted directory.

If there is a deviation from the required values, documentation must exist for the deviation.

"Security NO" disables security checking for file access. "Security NO" is only allowed on test and development domains.

"Setuid YES" allows a user to run under a different UID/GID identity. Justification documentation is required to validate the use of "setuid YES".

IBM z/OS UNIX HFS MapName file security parameters must be properly specified.

Description

Remediation - Manual Procedure