zOS WebSphere Application Server for ACF2 Security Technical Implementation Guide - V7R2

  • Version/Release: V7R2
  • Published: 2025-09-26
  • Released: 2025-10-01

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
MVS datasets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
CM-5 - Medium - CCI-001499 - V-224349 - SV-224349r1141669_rule
  • RMF Control: CM-5
  • Severity: Medium
  • CCI: CCI-001499
  • Version: ZWAS0010
  • Vuln IDs: V-224349, V-3897
  • Rule IDs: SV-224349r1141669_rule, SV-3897
MVS datasets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these datasets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26026r1141667_chk

Refer to the following reports produced by the dataset and Resource Data Collection:

- SENSITVE.RPT(HTTPRPT).
- SENSITVE.RPT(WASRPT).

If the following dataset controls are in effect for WAS, this is not a finding.

The ACP dataset rules restrict WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) to systems programming personnel.

Note: If the HTTP server is not used with WAS, this check can be ignored.

The ACP dataset rules restrict WRITE and/or greater access to WAS product datasets and associated product datasets to systems programming personnel:

- SYS*.EJS.V3500108.** (WebSphere 3.5)
- SYS*.WAS.V401.** (WebSphere 4.0.1)
- SYS*.OE.** (Java)
- SYS*.JAVA** (Java)
- SYS*.DB2.V710107.** (DB2)
- SYS*.GLD.** (LDAP)
- SYS1.LE.** (Language Environment)

Fix: F-26014r1141668_fix

The ISSO will ensure that WebSphere server datasets restrict WRITE and/or greater access to systems programming personnel.

Ensure the following dataset controls are in effect for WAS:

WRITE and/or greater access to HTTP product datasets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel.

Note: If the HTTP server is not used with WAS, this check can be ignored.

WRITE and/or greater access to WAS product datasets and associated product datasets is restricted to systems programming personnel:

- SYS*.EJS.V3500108.** (WebSphere 3.5)
- SYS*.WAS.V401.** (WebSphere 4.0.1)
- SYS*.OE.** (Java)
- SYS*.JAVA** (Java)
- SYS*.DB2.V710107.** (DB2)
- SYS*.GLD.** (LDAP)
- SYS1.LE.** (Language Environment)

HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-224350 - SV-224350r1141672_rule
  • RMF Control: AC-3
  • Severity: Medium
  • CCI: CCI-000213
  • Version: ZWAS0020
  • Vuln IDs: V-224350, V-3898
  • Rule IDs: SV-224350r1141672_rule, SV-3898
HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Many of these objects are responsible for the security implementation of WAS. Failure to properly protect these directories and files may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26027r1141670_chk

Refer to the following reports produced by the z/OS Data Collection:

- USSCMDS.RPT(IHSHFSOB).
- USSCMDS.RPT(WASHFSOB).

For each IBM HTTP server, supply the following information (PDS member name - IHSACCTS):

- Web server ID defined to the ACP.
- Web server administration group defined to the ACP.
- Web server standard HFS directory.

The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding.

- If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable.
- Where an owner field indicates websrv1, the ID of the web server is intended.
- Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group.
- The site is free to set the permission and audit bit settings to be more restrictive than the documented values.

The following represents a hierarchy for permission bits from least restrictive to most restrictive:

    7  rwx  (least restrictive)
    6  rw-
    3  -wx
    2  -w-
    5  r-x
    4  r--
    1  --x
    0  ---  (most restrictive)

The possible audit bits settings are as follows:

    f  log for failed access attempts
    a  log for failed and successful access
    -  no auditing

Fix: F-26015r1141671_fix

Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. Verify the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum.
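The check above lets a site be more restrictive than the documented permission bits and gives the ordering to judge that by. The following is an added example (not part of the STIG or any DISA tooling) that compares a file's mode with a documented value, digit by digit, using that ordering; the paths and documented values in the sample rows are constructed placeholders.

```python
# Ordering taken from the check text, least restrictive first.
HIERARCHY = [7, 6, 3, 2, 5, 4, 1, 0]
RANK = {digit: pos for pos, digit in enumerate(HIERARCHY)}

def parse_mode(mode):
    """Return [owner, group, other] digits from '750' or 'rwxr-x---'."""
    if len(mode) == 3 and all(c in "01234567" for c in mode):
        return [int(c) for c in mode]
    if len(mode) != 9:
        raise ValueError(f"unsupported mode: {mode!r}")
    digits = []
    for start in (0, 3, 6):
        value = 0
        for ch, flag, bit in zip(mode[start:start + 3], "rwx", (4, 2, 1)):
            if ch == flag:
                value += bit
            elif ch != "-":  # setuid/setgid/sticky letters are out of scope here
                raise ValueError(f"unsupported mode: {mode!r}")
        digits.append(value)
    return digits

def at_least_as_restrictive(actual, documented):
    """True when each digit of `actual` sits at or after the documented
    digit in HIERARCHY, i.e. the site value is equal or more restrictive."""
    pairs = zip(parse_mode(actual), parse_mode(documented))
    return all(RANK[a] >= RANK[d] for a, d in pairs)

def findings(rows):
    """rows: (path, actual mode, documented mode). Returns offending paths."""
    return [path for path, actual, documented in rows
            if not at_least_as_restrictive(actual, documented)]

# Constructed sample rows; paths and documented values are placeholders,
# not entries from the z/OS STIG Addendum table.
SAMPLE_ROWS = [
    ("/example/was/bin", "rwxr-x---", "755"),         # tighter than documented
    ("/example/was/properties", "rwxrwx---", "750"),  # group write added
    ("/example/was/logs", "750", "720"),              # 5 ranks after 2 on the page
]

if __name__ == "__main__":
    for path in findings(SAMPLE_ROWS):
        print("finding:", path)
```

Because the comparison follows the listed ordering rather than a bit-subset test, a group value of 5 (r-x) passes against a documented 2 (-w-), while any value that adds write access over a documented 5 or 4 is reported.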

The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224351 - SV-224351r1141675_rule
  • RMF Control: AC-3
  • Severity: Medium
  • CCI: CCI-000213
  • Version: ZWAS0030
  • Vuln IDs: V-224351, V-3899
  • Rule IDs: SV-224351r1141675_rule, SV-3899
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.
Checks: C-26028r1141673_chk

Refer to the following reports produced by the dataset and Resource Data Collection:

- ACF2CMDS.RPT(ACFGSO).
- SENSITVE.RPT(CBIND).

If the following items are in effect for CBIND resource protection, this is not a finding.

- The CLASMAP record defines the CBIND resource class.
- The CB.BIND.server_name resource is defined to the CBIND resource class with a default access of PREVENT.
- Access to the CB.BIND.server_name resource is restricted to WAS server (STC) logonids and systems management logonids (e.g., WebSphere administrator ID).

Fix: F-26016r1141674_fix

The ISSO will ensure that the CBIND resource is defined to the ACP with an access of none.

Ensure the following items are in effect for CBIND resource protection:

The CLASMAP record defines the CBIND resource class. The CBIND class defaults to a generic type code of SAF. It is recommended that a GSO CLASMAP record be added to change this to a site-selected resource unique to the CBIND class such as CBI. The following shows how the suggested change example would be coded:

    SET CONTROL(GSO)
    INSERT CLASMAP.cbind RESOURCE(CBIND) RSRCTYPE(cbi) -
    ENTITYLN(41)

The CB.BIND.server_name resource is defined to the CBIND resource class with a default access of PREVENT.

Access to the CB.BIND.server_name resource is restricted to WAS server (STC) logonids and systems management logonids (e.g., WebSphere administrator ID).

Example:

    $KEY(CB) TYPE(CBI)
    BBOASR1 UID(was_admin_uid) SERVICE(READ) ALLOW
    BIND.BBOASR1 UID(was_admin_uid) SERVICE(READ) ALLOW
    UID(*) PREVENT

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
IA-2 - High - CCI-000764 - V-224352 - SV-224352r1141678_rule
  • RMF Control: IA-2
  • Severity: High
  • CCI: CCI-000764
  • Version: ZWAS0040
  • Vuln IDs: V-224352, V-3900
  • Rule IDs: SV-224352r1141678_rule, SV-3900
Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26029r1141676_chk

Refer to the following report produced by the ACP Data Collection:

- ACF2 - ACF2CMDS.RPT(LOGONIDS).
- RACF - RACFCMDS.RPT(LISTUSER).
- TSS - TSSCMDS.RPT(@ACIDS).

Automated Analysis requires Additional Analysis.

Refer to the following report produced by the z/OS Data Collection:

- PDI(ZWAS0040)

If the CBADMIN user account is not defined to the ACP, this is not a finding.

If the CBADMIN user account is defined to the ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a finding with a severity of Category I.

If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a finding with a severity of Category II.

Fix: F-26017r1141677_fix

The ISSO will ensure that the CBADMIN user account is removed or not defined to the ACP.

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
AC-17 - Medium - CCI-000068 - V-224353 - SV-224353r1141681_rule
  • RMF Control: AC-17
  • Severity: Medium
  • CCI: CCI-000068
  • Version: ZWAS0050
  • Vuln IDs: V-224353, V-3901
  • Rule IDs: SV-224353r1141681_rule, SV-3901
Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.
Checks: C-26030r1141679_chk

Refer to the following report produced by the z/OS Data Collection:

- USSCMDS.RPT(AHTTPD).

Collect the following information for each IBM HTTP server:

- The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS)
- For each IBM HTTP server, supply the following information:
    Web server ID defined to the ACP
    Web server administration group defined to the ACP
    Web server standard HFS directory

Review the HTTP server JCL procedure to determine the httpd.conf file to review.

If all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below, this is not a finding.

The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:

    ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf
    Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit

The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:

    ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit
    Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit
    ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit

Note: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.

Fix: F-26018r1141680_fix

The ISSO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below.

Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.

The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:

    ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf
    Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit
    ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit

The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1:

    ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit
    Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit
    ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit

Note: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.
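The ZWAS0050 check and fix above both come down to reviewing the ServerInit, Service and ServerTerm lines in httpd.conf for the expected plug-in path, exit routine and was.conf argument. The following is an added example (not part of the STIG or any DISA tooling) that performs that review over httpd.conf text for the WebSphere 3.5 layout; the sample fragments are constructed and the /u/test directory is hypothetical.

```python
import posixpath

# Exit routine each directive must name, as listed in the check text.
EXPECTED_EXIT = {"ServerInit": "init_exit", "Service": "service_exit",
                 "ServerTerm": "term_exit"}
PLUGIN_35 = "/usr/lpp/WebSphere/AppServer/bin/was350plugin.so"  # from the page

def check_was_directives(conf_text, plugin_path):
    """Return finding strings; an empty list means not a finding."""
    found, seen = [], set()
    plugin_name = posixpath.basename(plugin_path)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0] not in EXPECTED_EXIT:
            continue  # blank line, comment, or unrelated directive
        directive = fields[0]
        # Service carries a URL template before the handler.
        idx = 2 if directive == "Service" else 1
        if len(fields) <= idx:
            continue
        module, _, exit_name = fields[idx].partition(":")
        if posixpath.basename(module) != plugin_name:
            continue  # handler is not the WAS plug-in
        seen.add(directive)
        if module != plugin_path:
            found.append(f"line {lineno}: {directive} loads {module}")
        if exit_name != EXPECTED_EXIT[directive]:
            found.append(f"line {lineno}: {directive} names exit {exit_name!r}")
        if (directive == "ServerInit"
                and posixpath.basename(fields[-1]) != "was.conf"):
            found.append(f"line {lineno}: ServerInit lacks a was.conf argument")
    for directive in EXPECTED_EXIT:
        if directive not in seen:
            found.append(f"no {directive} directive for {plugin_name}")
    return found

# Constructed httpd.conf fragments using the WebSphere 3.5 paths from the page.
GOOD = f"""\
ServerInit {PLUGIN_35}:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf
Service /servlet/* {PLUGIN_35}:service_exit
Service /*.jsp {PLUGIN_35}:service_exit
ServerTerm {PLUGIN_35}:term_exit
"""
# /u/test is a hypothetical non-product directory.
BAD = f"""\
ServerInit /u/test/was350plugin.so:init_exit /u/test/was.conf
Service /*.jsp {PLUGIN_35}:init_exit
"""
```

The was.conf test only confirms that ServerInit names a was.conf file; whether its directory matches the site customization directory still has to be reviewed against the Note above.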