{
"stig": {
"date": "2020-01-23",
"description": "None",
"findings": {
"V-3897": {
"checkid": "C-3258r1_chk",
"checktext": "a)\tRefer to the following reports produced by the Data Set and Resource Data Collection:\n\n-\tSENSITVE.RPT(HTTPRPT)\n-\tSENSITVE.RPT(WASRPT)\n\nb)\tEnsure the following data set controls are in effect for WAS:\n\n___\tThe ACP data set rules restrict UPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel.\n\nNOTE:\tIf the HTTP server is not used with WAS, this check can be ignored.\n\n___\tThe ACP data set rules restrict UPDATE and ALTER access to WAS product data sets and associated product data sets are restricted to systems programming personnel.\n\nSYS*.EJS.V3500108.** (WebSphere 3.5)\nSYS*.WAS.V401.** (WebSphere 4.0.1)\nSYS*.OE.** (Java)\nSYS*.JAVA** (Java)\nSYS*.DB2.V710107.** (DB2)\nSYS*.GLD.** (LDAP)\nSYS1.LE.** (Language Environment)\n\nc)\tIf all of the items in (b) are true, there is NO FINDING.\n\nd)\tIf any item in (b) is untrue, this is a FINDING.",
"description": "MVS data sets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.",
"fixid": "F-26597r1_fix",
"fixtext": "The IAO will ensure that WebSphere server data sets restrict UPDATE and/or ALTER access to systems programming personnel.\n\nEnsure the following data set controls are in effect for WAS:\n \n1)\tUPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) are restricted to systems programming personnel.\n\nNOTE:\tIf the HTTP server is not used with WAS, this check can be ignored.\n\n2)\tUPDATE and ALTER access to WAS product data sets and associated product data sets are restricted to systems programming personnel.\n\nSYS*.EJS.V3500108.** (WebSphere 3.5)\nSYS*.WAS.V401.** (WebSphere 4.0.1)\nSYS*.OE.** (Java)\nSYS*.JAVA** (Java)\nSYS*.DB2.V710107.** (DB2)\nSYS*.GLD.** (LDAP)\nSYS1.LE.** (Language Environment)",
"iacontrols": null,
"id": "V-3897",
"ruleID": "SV-3897r3_rule",
"severity": "medium",
"title": "MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.",
"version": "ZWAS0010"
},
"V-3898": {
"checkid": "C-20978r1_chk",
"checktext": "a)\tRefer to the following reports produced by the UNIX System Services Data Collection:\n\n-\tUSSCMDS.RPT(IHSHFSOB)\n-\tUSSCMDS.RPT(WASHFSOB)\n\nFor each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS)\n\n-\tWeb server ID defined to the ACP\n-\tWeb server administration group defined to the ACP\n-\tWeb server standard HFS directory\n\nb)\tThe following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum:\n\n-\tIf an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.\n-\tWhere an owner field indicates websrv1, the ID of the web server is intended.\n-\tWhere a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.\n-\tThe site is free to set the permission and audit bit settings to be more restrictive than the documented values.\n\nEnsure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permission Bits table in the z/OS STIG Addendum. Currently the guidance requires the permissions on these files to be 640, where the group is the SA or web manager account that controls the web service. However the group permission only allows READ access making it impossible to update files unless using a UID(0) account. There appears to be a conflict with this requirement. Proposed updates include changing permissions from 640 to 460. The owner will be the web server user account and the group will be the web server administrator group.\n \nVerification of these proposed changes needs to be performed. Until this occurs, compliance of the WAS configuration and property files cannot be reviewed. An entry for was.conf file settings needs to be added. Settings for the WebSphere properties and bin directories may be desirable.\n\nThe following represents a hierarchy for permission bits from least restrictive to most restrictive:\n\n7\trwx\t\t(least restrictive)\n6\trw-\n3\t-wx\n2\t-w-\n5\tr-x\n4\tr--\n1\t--x\n0\t---\t\t(most restrictive)\n\nThe possible audit bits settings are as follows:\n\nf\tlog for failed access attempts\na\tlog for failed and successful access\n-\tno auditing\n\nc)\tIf all of the items in (b) are true, there is NO FINDING.\n\nd)\tIf any item in (b) is untrue, this is a FINDING.",
"description": "HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Many of these objects are responsible for the security implementation of WAS. Failure to properly protect these directories and files may lead to unauthorized access. This exposure could potentially compromise the integrity and availability of system services, applications, and customer data.",
"fixid": "F-18956r1_fix",
"fixtext": "Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. \n\nEnsure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum. ",
"iacontrols": null,
"id": "V-3898",
"ruleID": "SV-3898r3_rule",
"severity": "medium",
"title": "HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.",
"version": "ZWAS0020"
},
"V-3899": {
"checkid": "C-20750r1_chk",
"checktext": "a)\tRefer to the following reports produced by the ACF2 Data Collection:\n\n-\tACF2CMDS.RPT(ACFGSO)\n-\tSENSITVE.RPT(CBIND)\n\nb)\tEnsure the following items are in effect for CBIND resource protection:\n\n2)\tThe CLASMAP record defines the CBIND resource class.\n\n3)\tThe CB.BIND.server_name resource is defined to the CBIND resource class with a default access of PREVENT.\n\n4)\tAccess to the CB.BIND.server_name resource is restricted to WAS server (STC) logonids and systems management logonids (e.g., WebSphere administrator ID).\n\nc)\tIf all items in (b) are true, there is NO FINDING.\n\ne)\tIf any item in (b) is untrue, this is a FINDING.\n",
"description": "SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.",
"fixid": "F-18682r1_fix",
"fixtext": "The IAO will ensure that the CBIND resource is defined to the ACP with an access of none.\n\nEnsure the following items are in effect for CBIND resource protection:\n\nThe CLASMAP record defines the CBIND resource class.\n\nThe CBIND class defaults to a generic type code of SAF. It is recommended that a GSO CLASMAP record be added to change this to a site selected resource unique to the CBIND class such as CBI. The following shows how the suggested change example would be coded:\n\nSET CONTROL(GSO)\nINSERT CLASMAP.cbind RESOURCE(CBIND) RSRCTYPE(cbi) -ENTITYLN(41)\n\nThe CB.BIND.server_name resource is defined to the CBIND resource class with a default access of PREVENT.\n\nAccess to the CB.BIND.server_name resource is restricted to WAS server (STC) logonids and systems management logonids (e.g., WebSphere administrator ID).\n\nExample:\n\n$KEY(CB) TYPE(CBI)\nBBOASR1 UID(was_admin_uid) SERVICE(READ) ALLOW\nBIND.BBOASR1 UID(was_admin_uid) SERVICE(READ) ALLOW\nUID(*) PREVENT\n\n\n",
"iacontrols": null,
"id": "V-3899",
"ruleID": "SV-3899r3_rule",
"severity": "medium",
"title": "The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.",
"version": "ZWAS0030"
},
"V-3900": {
"checkid": "C-3264r2_chk",
"checktext": "a) Refer to the following report produced by the ACP Data Collection:\n\nACF2\n- ACF2CMDS.RPT(LOGONIDS)\nRACF\n- RACFCMDS.RPT(LISTUSER) \nTSS\n- TSSCMDS.RPT(@ACIDS)\n\nAutomated Analysis requires Additional Analysis.\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWAS0040)\n\nb) If the CBADMIN user account is not defined to the ACP, there is NO FINDING.\n\nc) If the CBADMIN user account is defined to ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT I.\n\nd) If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of\nCAT II.\n",
"description": "Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.",
"fixid": "F-18947r1_fix",
"fixtext": "The IAO will ensure that the CBADMIN user account is removed or not defined to the ACP.",
"iacontrols": null,
"id": "V-3900",
"ruleID": "SV-3900r4_rule",
"severity": "high",
"title": "Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.",
"version": "ZWAS0040"
},
"V-3901": {
"checkid": "C-20980r1_chk",
"checktext": "a)\tRefer to the following report produced by the UNIX System Services Data Collection:\n\n-\tUSSCMDS.RPT(AHTTPD)\n\nCollect the following information for each IBM HTTP server:\n\n-\tThe JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS)\n-\tFor each IBM HTTP server, supply the following information: \n\nWeb server ID defined to the ACP\nWeb server administration group defined to the ACP\nWeb server standard HFS directory\n\nb)\tReview the HTTP server JCL procedure to determine the httpd.conf file to review.\n\nc)\tEnsure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.\n\nThe following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:\n\nServerInit\t/usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf\nService\t/webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService\t/*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nServerTerm\t/usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit\n\nThe following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:\n\nServerInit -\t /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit\nService - \t/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit\nServerTerm - \t/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit\n\nNOTE:\tThe /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established.\n\nSpecific items to review include proper path, was.conf, and plug-in settings.\n\nd)\tIf all WAS-related directives are configured properly, there is NO FINDING.\n\ne)\tIf any WAS-related directive is not configured properly, this is a FINDING.",
"description": "Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.",
"fixid": "F-18948r1_fix",
"fixtext": "The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below.\n\nEnsure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.\n\nThe following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:\n ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf \nService /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit\nService /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit \nService /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit \n\nThe following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:\n \nServerInit -/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit\n Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit \nServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit\n\n NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings. ",
"iacontrols": null,
"id": "V-3901",
"ruleID": "SV-3901r3_rule",
"severity": "medium",
"title": "The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.",
"version": "ZWAS0050"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-3897": "true",
"V-3898": "true",
"V-3899": "true",
"V-3900": "true",
"V-3901": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "zos_websphere_application_serveracf2",
"title": "zOS Websphere Application Server for ACF2 STIG",
"version": "None"
}
}