STIG ID - BACF0011: Define GSO UNIXOPTS Record to Prevent Unauthorized Users
Verify and change default USS settings.
Severity: 2 - Medium
In environments where users move across multiple operating systems to access applications, security is a major concern. Organizations need the same control over data and resources accessed in an open system as they have in their mainframe environment.
ACF2 settings determine the security level of z/OS UNIX. The default profile settings let a user access UNIX System Services (USS) even if the user does not have a valid OMVS group in the logonid record. The GSO(UNIXOPTS) record defines the system options related to USS.
Your organization must ensure that the UNIXOPTS defaults are defined so that unauthorized users are prevented from accessing USS.
This STIG article shows how to verify and change default USS settings so that unauthorized logonids are not allowed access.
Identify Audit Finding
Complete these steps to determine whether remediation is required:
1. List the GSO(UNIXOPTS) record. This record defines the system options related to USS:

       SET CONTROL(GSO)
       CONTROL
       LIST UNIXOPTS
       XXXX / UNIXOPTS LAST CHANGED BY XXXXXXXX ON 07/25/19-09:20
         NOBYP-FSA NODENYEXEC NODIRACC NODIRSRCH FSOBJ FSSEC NOGOSETGID NOHFSACL
         NOHFSSEC IPCOBJ NGROUPS(300) PROCACT PROCESS NOTRACEDFT UNIQUSER
       CONTROL

2. Verify that the DFTGROUP, DFTUSER, NOUNIQUSER, and MODLUSER fields are defined. These fields must be set to secure USS. The example in step 1 shows a system where these fields are not set.
   - DFTGROUP: Specifies the name of the default group that USS uses if a user does not have a valid OMVS group in the logonid record.
   - DFTUSER: Specifies the name of the logonid and OMVS user profile record that defines the defaults for USS. If a user accesses USS services and does not have an OMVS user profile record, the defaults defined in this ID are used. If NO-OMVS is defined in a user's logonid, the user cannot use USS services and the default is not used. DFTGROUP and DFTUSER are obsolete in z/OS 2.1 and above. To ensure automatic assignment of unique GIDs and UIDs when creating OMVS GROUP profiles, turn on the UNIXOPTS GSO UNIQUSER and the AUTOIDOM GSO ASSIGNU settings. For more information about GIDs and UIDs, see Automatic UID/GID Assignment Options (AUTOIDLX).
   - UNIQUSER|NOUNIQUSER: Specifies whether the BPX.UNIQUE.USER profile is active. If UNIQUSER and GSO AUTOIDOM are active and set to auto-assign UIDs and GIDs, new USS profile records are generated automatically with UIDs and GIDs when users access USS services.
   - MODLUSER: Specifies the name of a model OMVS user profile record that defines attributes for OMVS. If a user accesses OMVS services and does not have an OMVS user profile record, the attributes in this model record are used to initialize a new OMVS user profile record for the user.
3. If the GSO(UNIXOPTS) fields in step 2 are defined, the correct defaults are set and your organization does not have an audit finding.
4. If the GSO(UNIXOPTS) fields in step 2 are not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the GSO UNIXOPTS record. Limit access to change GSO records to approved change windows, and reduce it to view-only outside those windows.
Follow these steps:
1. Configure the GSO UNIXOPTS record by defining the DFTGROUP, DFTUSER, NOUNIQUSER, and MODLUSER fields. These UNIXOPTS record settings prevent logonid records without a valid OMVS group from accessing USS:

       SET CONTROL(GSO)
       CONTROL
       CHANGE UNIXOPTS DFTGROUP(), DFTUSER(), NOUNIQUSER, MODLUSER()
       F ACF2,REFRESH(UNIXOPTS)
       CONTROL

2. Verify that the GSO UNIXOPTS record changed:

       SET CONTROL(GSO)
       CONTROL
       SHOW UNIXOPTS
       -- UNIXOPTS OPENEDITION/MVS/UNIX SYSTEM SERVICES (USS) SUMMARY
       OMVS DEFAULT USER:                                  NONE
       OMVS DEFAULT GROUP:                                 NONE
       MAX NUMBER OF OMVS GROUPS:                          300
       HFS SECURITY ACTIVE:                                NO
       HFSACL ACTIVE:                                      NO
       FILE.GROUPOWNER.SETGID ACTIVE:                      NO
       OMVS MODEL USER:                                    NONE
       BPX.UNIQUE.USER ACTIVE:                             YES
       BPX.NEXT.USER ACTIVE:                               YES
       AUTOIDOM SYSID:                                     NONE
       FSACCESS CHECKING:                                  YES
       DENY EXECUTION IF FILE HAS NO EXECUTE PERMISSIONS:  NO
       TRACE USE OF BPX.DEFAULT.USER UID AND GID:          NO
       -- AUDIT FLAG STATUS --
       CHOWN_RESTRICTED:  YES
       DIRACC_ACTIVE:     NO
       DIRSRCH_ACTIVE:    NO
       FSOBJ_ACTIVE:      YES
       FSSEC_ACTIVE:      YES
       IPCOBJ_ACTIVE:     YES
       PROCACT_ACTIVE:    YES
       PROCESS_ACTIVE:    YES
       CONTROL
With the UNIXOPTS defaults set, unauthorized users are prevented from accessing USS. This configuration provides additional security for your z/OS UNIX system.
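The following Python script is an added example and is not code from this STIG article or from ACF2. It applies the check from step 2 of Identify Audit Finding to captured output of CONTROL LIST UNIXOPTS, and applies the same check to a CONTROL SHOW UNIXOPTS summary for the verification step of Remediate Audit Finding. The mapping from SHOW summary labels to record fields follows the field descriptions above (OMVS DEFAULT USER corresponds to DFTUSER, BPX.UNIQUE.USER ACTIVE reflects UNIQUSER, and so on), and the assumption that SHOW prints NONE for an unset value comes from the listing above. The first sample is the LIST output from the article; the compliant samples and the names OMVSGRP, OMVSDFLT and OMVSMODL are constructed placeholders, not values from the article.

```python
"""Compliance check for the ACF2 GSO UNIXOPTS record (STIG ID BACF0011).

Added example, not part of the STIG article or of ACF2. Parses the record
printed by CONTROL LIST UNIXOPTS and the summary printed by CONTROL SHOW
UNIXOPTS, and reports whether DFTGROUP, DFTUSER, NOUNIQUSER and MODLUSER
are defined.
"""
import re

REQUIRED_FIELDS = ("DFTGROUP", "DFTUSER", "NOUNIQUSER", "MODLUSER")

# Sample 1: the LIST UNIXOPTS output shown in the article (fields not set,
# UNIQUSER rather than NOUNIQUSER in effect).
LIST_OUTPUT_UNSET = """\
XXXX / UNIXOPTS LAST CHANGED BY XXXXXXXX ON 07/25/19-09:20
  NOBYP-FSA NODENYEXEC NODIRACC NODIRSRCH FSOBJ FSSEC NOGOSETGID NOHFSACL
  NOHFSSEC IPCOBJ NGROUPS(300) PROCACT PROCESS NOTRACEDFT UNIQUSER
"""

# Sample 2: a constructed compliant record. OMVSGRP, OMVSDFLT and OMVSMODL
# are placeholder names, not values from the article.
LIST_OUTPUT_SET = """\
XXXX / UNIXOPTS LAST CHANGED BY XXXXXXXX ON 07/25/19-09:20
  NOBYP-FSA DFTGROUP(OMVSGRP) DFTUSER(OMVSDFLT) NODENYEXEC NODIRACC NODIRSRCH
  FSOBJ FSSEC MODLUSER(OMVSMODL) NOGOSETGID NOHFSACL NOHFSSEC IPCOBJ
  NGROUPS(300) PROCACT PROCESS NOTRACEDFT NOUNIQUSER
"""

# Sample 3: a constructed SHOW UNIXOPTS summary for the same compliant record.
SHOW_OUTPUT_SET = """\
-- UNIXOPTS OPENEDITION/MVS/UNIX SYSTEM SERVICES (USS) SUMMARY
OMVS DEFAULT USER:           OMVSDFLT
OMVS DEFAULT GROUP:          OMVSGRP
OMVS MODEL USER:             OMVSMODL
BPX.UNIQUE.USER ACTIVE:      NO
-- AUDIT FLAG STATUS --
CHOWN_RESTRICTED:            YES
"""

# SHOW summary label for each record field, per the article's field descriptions.
SHOW_LABELS = {
    "DFTGROUP": "OMVS DEFAULT GROUP",
    "DFTUSER": "OMVS DEFAULT USER",
    "MODLUSER": "OMVS MODEL USER",
    "NOUNIQUSER": "BPX.UNIQUE.USER ACTIVE",
}


def parse_list_record(text: str) -> dict:
    """Map each keyword of a LIST UNIXOPTS record to True (bare keyword) or to
    the string inside FIELD(...). The 'LAST CHANGED BY' header is skipped."""
    body = "\n".join(l for l in text.splitlines() if "LAST CHANGED BY" not in l)
    fields = {}
    for m in re.finditer(r"([A-Z][A-Z0-9-]*)(?:\(([^)]*)\))?", body):
        name, value = m.group(1), m.group(2)
        fields[name] = True if value is None else value
    return fields


def check_list_record(text: str) -> dict:
    """Return {field: defined?} for the four required fields of a LIST record."""
    fields = parse_list_record(text)
    status = {}
    for name in REQUIRED_FIELDS:
        v = fields.get(name)
        # A bare keyword or a non-empty FIELD(value) is defined; absent or FIELD() is not.
        status[name] = v is True or (isinstance(v, str) and v != "")
    return status


def parse_show_summary(text: str) -> dict:
    """Map each 'LABEL: VALUE' line of a SHOW UNIXOPTS summary to its value."""
    values = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("--"):
            label, _, value = line.partition(":")
            values[label.strip()] = value.strip()
    return values


def check_show_summary(text: str) -> dict:
    """Return {field: defined?} derived from a SHOW UNIXOPTS summary."""
    values = parse_show_summary(text)
    status = {}
    for name, label in SHOW_LABELS.items():
        v = values.get(label, "NONE")
        if name == "NOUNIQUSER":
            status[name] = v == "NO"          # NOUNIQUSER: BPX.UNIQUE.USER inactive
        else:
            status[name] = v not in ("NONE", "")   # SHOW prints NONE when unset
    return status


def has_finding(status: dict) -> bool:
    """The STIG finding exists if any required field is undefined."""
    return not all(status.values())


def report(status: dict, source: str) -> str:
    """Render a per-field verdict and the overall finding state."""
    lines = [f"{source}: {'AUDIT FINDING' if has_finding(status) else 'no finding'}"]
    lines += [f"  {n:<11}{'defined' if ok else 'NOT DEFINED'}" for n, ok in status.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_list_record(LIST_OUTPUT_UNSET), "LIST (article sample)"))
    print(report(check_list_record(LIST_OUTPUT_SET), "LIST (compliant sample)"))
    print(report(check_show_summary(SHOW_OUTPUT_SET), "SHOW (compliant sample)"))
```

Run against the article's LIST sample the script reports an audit finding with all four fields undefined; against the constructed compliant samples it reports no finding. Feeding it the text captured from your own CONTROL LIST or SHOW session gives the same verdict for your system.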
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCI is related to this STIG article. For more information, see the National Institute of Standards and Technology website.
The organization implements the security configuration settings.
NIST: NIST SP 800-53 (v3): CM-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CM-6 b
NIST: NIST SP 800-53A (v1): CM-6.1 (iv)