{"stig":{"title":"zOS WebSphere Application Server for TSS Security Technical Implementation Guide","version":"7","release":"2"},"checks":[{"vulnId":"V-225618","ruleId":"SV-225618r1146184_rule","severity":"medium","ruleTitle":"MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.","description":"MVS data sets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.","checkContent":"Refer to the following reports produced by the Data Set and Resource Data Collection:\n\n- SENSITVE.RPT(HTTPRPT).\n- SENSITVE.RPT(WASRPT).\n\nIf the following data set controls are in effect for WAS, this is not a finding.\n\nThe ACP data set rules restrict WRITE and/or greater access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel.\n\nNote: If the HTTP server is not used with WAS, this check can be ignored.\n\nThe ACP data set rules restrict WRITE and/or greater access to WAS product data sets and associated product data sets are restricted to systems programming personnel.\n\nSYS*.EJS.V3500108.** (WebSphere 3.5)\nSYS*.WAS.V401.** (WebSphere 4.0.1)\nSYS*.OE.** (Java)\nSYS*.JAVA** (Java)\nSYS*.DB2.V710107.** (DB2)\nSYS*.GLD.** (LDAP)\nSYS1.LE.** (Language Environment)","fixText":"The ISSO will ensure that WebSphere server data sets restrict UPDATE and/or ALTER access to systems programming personnel.\n\nEnsure the following data set controls are in effect for WAS:\n \nUPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) are restricted to systems programming personnel.\n\nNote: If the HTTP server is not used with WAS, this check can be ignored.\n\nUPDATE and ALTER access to WAS product data sets and associated product data sets are restricted to systems programming personnel.\n\nSYS*.EJS.V3500108.** (WebSphere 3.5)\nSYS*.WAS.V401.** (WebSphere 4.0.1)\nSYS*.OE.** (Java)\nSYS*.JAVA** (Java)\nSYS*.DB2.V710107.** (DB2)\nSYS*.GLD.** (LDAP)\nSYS1.LE.** (Language Environment)","ccis":["CCI-001499"]},{"vulnId":"V-225619","ruleId":"SV-225619r1146187_rule","severity":"medium","ruleTitle":"HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.","description":"HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Many of these objects are responsible for the security implementation of WAS. Failure to properly protect these directories and files may lead to unauthorized access. This exposure could potentially compromise the integrity and availability of system services, applications, and customer data.","checkContent":"Refer to the following reports produced by the z/OS Data Collection:\n\n- USSCMDS.RPT(IHSHFSOB).\n- USSCMDS.RPT(WASHFSOB).\n\nFor each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS)\n\n- Web server ID defined to the ACP.\n- Web server administration group defined to the ACP.\n- Web server standard HFS directory.\n\nThe following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.\n\n- If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.\n- Where an owner field indicates websrv1, the ID of the web server is intended.\n- Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.\n- The site is free to set the permission and audit bit settings to be more restrictive than the documented values.\n\nThe following represents a hierarchy for permission bits from least restrictive to most restrictive:\n\n7\trwx\t\t(least restrictive)\n6\trw-\n3\t-wx\n2\t-w-\n5\tr-x\n4\tr--\n1\t--x\n0\t---\t\t(most restrictive)\n\nThe possible audit bits settings are as follows:\n\nf\tlog for failed access attempts\na\tlog for failed and successful access\n-\tno auditing","fixText":"Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. \n\nEnsure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum.","ccis":["CCI-000213","CCI-002234"]},{"vulnId":"V-225620","ruleId":"SV-225620r1146190_rule","severity":"medium","ruleTitle":"The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.","description":"SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.","checkContent":"Refer to the following reports produced by the Data Set and Resource Data Collection:\n\n- TSSCMDS.RPT(WHOOCBIN).\n- TSSCMDS.RPT(WHOHCBIN).\n- SENSITVE.RPT(WHOHCBIN).\n\nIf the following items are in effect for CBIND resource protection, this is not a finding.\n\nThe CB. resource is owned appropriately in the BIND resource class.\n\nAccess to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID).","fixText":"Ensure the following items are in effect for CBIND resource protection:\n\nThe CB. resource is owned appropriately in the BIND resource class. \n\nFor Example:\nTSS ADD(cbowner) CBIND(CB)\n\nAccess to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID). \n\nFor Example:  \nThe WebSphere administrator ID needs READ access to the CB.BBOASR1 and CB.BIND.BBOASR1 servers:\n\nTSS PERMIT(was_admin_acid) CBIND(CB.BBOASR1) ACCESS(READ)\nTSS PERMIT(was_admin_acid) CBIND(CB.BIND.BBOASR1) ACCESS(READ)\n\nNote: When adding a new server, all systems management userids (e.g., WebSphere administrator ID) must be authorized to have READ access to the CB.server_name and CB.BIND.server_name resources.","ccis":["CCI-000213"]},{"vulnId":"V-225621","ruleId":"SV-225621r1146193_rule","severity":"high","ruleTitle":"Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.","description":"Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.","checkContent":"Refer to the following reports produced by the ACP Data Collection:\n\nACF2\n- ACF2CMDS.RPT(LOGONIDS).\nRACF\n- RACFCMDS.RPT(LISTUSER).\nTSS\n- TSSCMDS.RPT(@ACIDS).\n\nAutomated Analysis requires Additional Analysis.\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWAS0040).\n\nIf the CBADMIN user account is not defined to the ACP, this is not a finding.\n\nIf the CBADMIN user account is defined to ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a finding with a severity of Category I.\n\nIf the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a finding with a severity of Category II.","fixText":"The ISSO will ensure that the CBADMIN user account is removed or not  defined to the ACP.","ccis":["CCI-001762"]},{"vulnId":"V-225622","ruleId":"SV-225622r1146196_rule","severity":"medium","ruleTitle":"The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.","description":"Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- USSCMDS.RPT(AHTTPD).\n\nCollect the following information for each IBM HTTP server:\n\n- The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS).\n\nFor each IBM HTTP server, supply the following information: \n\n- Web server ID defined to the ACP.\n- Web server administration group defined to the ACP.\n- Web server standard HFS directory.\n\nReview the HTTP server JCL procedure to determine the httpd.conf file to review.\n\nEnsure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.\n\nThe following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:\n\nServerInit\t/usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf\nService\t/webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nServerTerm\t/usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit\n\nThe following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:\n\nServerInit -\t /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit\nService - \t/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit\nServerTerm - \t/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit\n\nNote: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established.\n\nSpecific items to review include proper path, was.conf, and plug-in settings.\n\nIf all WAS-related directives are configured properly, this is not a finding.","fixText":"The ISSO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below.\n\nEnsure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.\n\nThe following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:\nServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf \nService /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit \n\nThe following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:\n \nServerInit -/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit\nService - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit \nServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit\n\nNote: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.","ccis":["CCI-000382","CCI-001762","CCI-000068"]}]}