V-223622

Discussion

If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Access enforcement mechanisms include access control lists, access control matrices, and cryptography.

Check Content

From the ISPF Command Shell enter:
OMVS

For each file listed in the table below enter:
ls -alW /<directory name>/<file name>

If the HFS permission bits and user audit bits for each directory and file match or are more restrictive than the specified settings listed in the table, this is not a finding.

NOTE: Some of the files listed are not used in every configuration. Absence of any of the files is not considered a finding.

SYSTEM FILE SECURITY SETTINGS
FILE               PERMISSION BITS     USER AUDIT BITS     FUNCTION
/bin/sh            1755                faf                 z/OS UNIX shell
                                                  Note: /bin/sh has the sticky bit on to improve performance.
/dev/console      740                  fff                 The system console file receives messages that may require System Administrator (SA) attention.
/dev/null         666                  fff                 A null file; data written to it is discarded.
/etc/auto.master
any mapname files 740                  faf                 Configuration files for automount facility
/etc/inetd.conf   740                  faf                 Configuration file for network services
/etc/init.options 740                  faf                 Kernel initialization options file for z/OS UNIX environment
/etc/log          744                  fff                 Kernel initialization output file
/etc/profile      755                  faf                 Environment setup script executed for each user
/etc/rc           744                  faf                 Kernel initialization script for z/OS UNIX environment
/etc/steplib      740                  faf                 List of MVS data sets valid for set user ID and set group ID executables
/etc/tablename    740                  faf                 List of z/OS userids and group names with corresponding alias names
/usr/lib/cron/at.allow
/usr/lib/cron/at.deny 700              faf                 Configuration files for the at and batch commands
/usr/lib/cron/cron.allow
/usr/lib/cron/cron.deny 700            faf                Configuration files for the crontab command

NOTE: Some of the files listed are not used in every configuration. Absence of any of the files is not considered a finding.

NOTE: The names of the MapName files are site-defined. Refer to the listing in the EAUTOM report.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

7 rwx (least restrictive)
6 rw-
3 -wx
2 -w-
5 r-x
4 r--
1 --x
0 --- (most restrictive)

The possible audit bits settings are as follows:

f log for failed access attempts
a log for failed and successful access
- no auditing