STIG ID - BACF0005: Protect z/OS UNIX Resources

Set rules for BPX.SRV.user TYPE(SUR) resources
Severity: 1 - High
z/OS UNIX defined resources consist of sensitive capabilities, including SUPERUSER, daemon, and file manipulation privileges. Missing or inaccurate protection of these resources could allow a user to access sensitive data, modify or delete data and operating system controls, or issue commands that could negatively impact your system availability.
Your organization must ensure protection of all z/OS UNIX defined resources.
This STIG addresses how to set ACF2 rules for all BPX.SRV.user TYPE(SUR) resources to a default access of NONE. Doing so protects your organization's sensitive data.
Identify Audit Finding
Complete these steps to determine whether remediation is needed:
  1. List rules for all BPX.SRV.user TYPE(SUR) resources.
    SET RESOURCE(SUR)
    RESOURCE
    LIST LIKE(BPX-)
    RECORD(S) NOT FOUND
    LIST LIKE(BPX-)
    ACF75052 RESOURCE RULE BPX STORED BY MASTER ON 02/20/20-10:36
    $KEY(BPX) TYPE(SUR)
    SRV.INTERNAL UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.PRIVATE UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.PUBLIC UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.WEBADM UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.- UID(FJB*************USER002) SERVICE(READ) ALLOW
    ACF75051 TOTAL RECORD LENGTH= 220 BYTES, 5 PERCENT UTILIZED
    RESOURCE
  2. Verify that the rules for all BPX.SRV.user TYPE(SUR) resources specify a default access of NONE and restrict access to the system software processes that act as servers under z/OS UNIX.
    • If there are no rules (RECORD(S) NOT FOUND), the resource is protected (if no rule set exists, access to the resource is denied) and your organization does not have an audit finding.
    • If the ACF2 rules for all BPX.SRV.user TYPE(SUR) resources restrict access to the system software processes that act as servers under z/OS UNIX, your organization does not have an audit finding.
  3. If the rules in step 2 allow access to system software processes that do not act as servers under z/OS UNIX, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Security Team ensures that BPX.SRV.userid resources are properly protected and access is restricted to appropriate system tasks or systems programming personnel.
Follow these steps:
  1. Specify ACF2 rules for all BPX.SRV.user TYPE(SUR) resources with a default access of NONE, and restrict access only to system software processes (for example, IMWEBSRV) that act as servers under z/OS UNIX:
    SET RESOURCE(SUR)
    RESOURCE
    LIST LIKE(BPX-)
    ACF75052 RESOURCE RULE BPX STORED BY MASTER ON 02/20/20-12:36
    $KEY(BPX) TYPE(SUR)
    SRV.INTERNAL UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.PRIVATE UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.PUBLIC UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    SRV.WEBADM UID(FJB****STC******IMWEBSRV) SERVICE(READ) LOG
    RESOURCE
  2. Run the ACFRPTXR report to ensure the BPX.SRV.user resources have limited access:
    //REPORT   EXEC PGM=ACFRPTXR,REGION=0M
    //SYSPRINT DD SYSOUT=*
    //INFOSTG  DD DISP=SHR,DSN=your.ACF2.ALTINFO
    //LOGONIDS DD DISP=SHR,DSN=your.ACF2.ALTLIDS
    //SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(100,100)),DCB=BUFNO=30
    //SYSUT2   DD UNIT=SYSDA,SPACE=(CYL,(500,500)),DCB=BUFNO=30
    //SYSIN    DD *
    NOACF2 RSRC TYPE(SUR) NAME(BPX-) LIDNAME CLASS(R)
    //*
All BPX.SRV.user TYPE(SUR) resources are now protected, and unauthorized users can no longer use them to access sensitive data.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG article. For more information, see the National Institute of Standards and Technology website.
CCI-000213, CCI-002233
CCI: CCI-000213
Published Date: 2009-09-21
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI: CCI-002233
Published Date: 2013-06-24
Definition: The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (8)