IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.

An XCCDF Rule

Description

<VulnDiscussion>If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Access enforcement mechanisms include access control lists, access control matrices, and cryptography.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223622r861188_rule
Severity: Medium
References: CCI-000213 CCI-001499
Updated: 8 months ago

Define the UNIX permission bits and user audit bits on the HFS files as listed in the table below:

SYSTEM FILE SECURITY SETTINGS
FILE               PERMISSION BITS  USER AUDIT BITS FUNCTION
/bin/sh            1755             faf             z/OS UNIX shell
                                                    Note: /bin/sh has the sticky bit on to improve performance./dev/console       740              fff             The system console file receives messages that may require System Administrator (SA) attention.
/dev/null          666              fff             A null file; data written to it is discarded.
/etc/auto.master
any mapname files  740              faf             Configuration files for automount facility
/etc/inetd.conf    740              faf            Configuration file for network services
/etc/init.options  740              faf            Kernel initialization options file for z/OS UNIX environment
/etc/log           744              fff            Kernel initialization output file
/etc/profile       755              faf            Environment setup script executed for each user
/etc/rc            744              faf            Kernel initialization script for z/OS UNIX environment
/etc/steplib       740              faf            List of MVS data sets valid for set user ID and set group ID executables
/etc/tablename     740              faf            List of z/OS userids and group names with corresponding alias names
/usr/lib/cron/at.allow
/usr/lib/cron/at.deny 700           faf            Configuration files for the at and batch commands
/usr/lib/cron/cron.allow
/usr/lib/cron/cron.deny 700         faf           Configuration files for the crontab command

There are a number of files that must be secured to protect system functions in z/OS UNIX. Where not otherwise specified, these files must receive a permission setting of 744 or 774. The 774 setting may be used at the site's discretion to help to reduce the need for assignment of superuser privileges. The table identifies permission bit and audit bit settings that are required for these specific files. More restrictive permission settings may be used at the site's discretion or as specific environments dictate.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:
f log for failed access attempts
a log for failed and successful access
- no auditing

The following commands are a sample of the commands to be used (from a user account with an effective UID(0)) to update the permission bits and audit bits:
chmod 1755 /bin/sh
chaudit w=sf,rx+f /bin/sh
chmod 0740 /dev/console
chaudit rwx=f /dev/console

IBM z/OS UNIX SYSTEM FILE SECURITY SETTINGS must be properly protected or specified.

Description

Remediation - Manual Procedure