Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

zOS Websphere Application Server for RACF Security Technical Implementation Guide - V7R2

  • Version/Release: V7R2
  • Published: 2025-09-27
  • Released: 2025-10-01
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
CM-5 - Medium - CCI-001499 - V-224546 - SV-224546r1145026_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
ZWAS0010
Vuln IDs
  • V-224546
  • V-3897
Rule IDs
  • SV-224546r1145026_rule
  • SV-3897
MVS data sets provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26229r1145024_chk

Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(HTTPRPT). - SENSITVE.RPT(WASRPT). If the following data set controls are in effect for WAS, this is not a finding. The ACP data set rules restrict WRITE and/or greater access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. The ACP data set rules restrict WRITE and/or greater access to WAS product data sets and associated product data sets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment)

Fix: F-26217r1145025_fix

The ISSO will ensure that WebSphere server data sets restrict UPDATE and/or ALTER access to systems programming personnel. Ensure the following data set controls are in effect for WAS: WRITE and/or greater access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) are restricted to systems programming personnel. Note: If the HTTP server is not used with WAS, this check can be ignored. WRITE and/or greater access to WAS product data sets and associated product data sets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment)

b
HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
AC-3 - Medium - CCI-000213 - V-224547 - SV-224547r1145029_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWAS0020
Vuln IDs
  • V-224547
  • V-3898
Rule IDs
  • SV-224547r1145029_rule
  • SV-3898
HFS directories and files provide the configuration, operational, and executable properties of the WebSphere Application Server (WAS) environment. Many of these objects are responsible for the security implementation of WAS. Failure to properly protect these directories and files may lead to unauthorized access. This exposure could potentially compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26230r1145027_chk

Refer to the following reports produced by the z/OS Data Collection: - USSCMDS.RPT(IHSHFSOB). - USSCMDS.RPT(WASHFSOB). For each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS) - Web server ID defined to the ACP. - Web server administration group defined to the ACP. - Web server standard HFS directory. The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum. If the following guidance is true, this is not a finding. - If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable. - Where an owner field indicates websrv1, the ID of the web server is intended. - Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group. - The site is free to set the permission and audit bit settings to be more restrictive than the documented values. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing

Fix: F-26218r1145028_fix

Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum.

b
The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.
AC-3 - Medium - CCI-000213 - V-224548 - SV-224548r1145032_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ZWAS0030
Vuln IDs
  • V-224548
  • V-3899
Rule IDs
  • SV-224548r1145032_rule
  • SV-7265
SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.
Checks: C-26231r1145030_chk

Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(CBIND). - RACFCMDS.RPT(SETROPTS). - DSMON.RPT(RACCDT) - Alternate list of active resource classes. If the following items are in effect for CBIND resource protection, this is not a finding. The CBIND resource class is active. The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

Fix: F-26219r1145031_fix

There are two profiles to create when using the CBIND class. One is the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Second is the CB.server_name profile that controls whether a client can use components in a server; again these definitions are mandatory. Ensure the following items are in effect for CBIND resource protection: The CBIND resource class is active. The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE). Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID). The following command provide sample definitions and permissions for this CBIND resource: SETR CLASSACT(CBIND) SETR GENERIC(CBIND) SETR RACL(CBIND) RDEFINE CBIND cb.bind.<servername> UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030') Permit cb.bind.<servername> CLASS(CBIND) ID(<wscfg1>) ACCESS(CONTROL) Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.

c
Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
CM-7 - High - CCI-001762 - V-224549 - SV-224549r1145035_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001762
Version
ZWAS0040
Vuln IDs
  • V-224549
  • V-3900
Rule IDs
  • SV-224549r1145035_rule
  • SV-3900
Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.
Checks: C-26232r1145033_chk

Refer to the following report produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(LOGONIDS). RACF - RACFCMDS.RPT(LISTUSER). TSS - TSSCMDS.RPT(@ACIDS). Automated Analysis requires Additional Analysis. Refer to the following report produced by the z/OS Data Collection: - PDI(ZWAS0040). If the CBADMIN user account is not defined to the ACP, this is not a finding. If the CBADMIN user account is defined to ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a finding with a severity of Category I. If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a finding with a severity of Category II.

Fix: F-26220r1145034_fix

The ISSO will ensure that the CBADMIN user account is removed or not defined to the ACP.

b
The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
AC-17 - Medium - CCI-000068 - V-224550 - SV-224550r1145293_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
ZWAS0050
Vuln IDs
  • V-224550
  • V-3901
Rule IDs
  • SV-224550r1145293_rule
  • SV-3901
Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.
Checks: C-26233r1145036_chk

Refer to the following report produced by the z/OS Data Collection: - USSCMDS.RPT(AHTTPD). Collect the following information for each IBM HTTP server: - The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS) - For each IBM HTTP server, supply the following information: Web server ID defined to the ACP Web server administration group defined to the ACP Web server standard HFS directory Review the HTTP server JCL procedure to determine the httpd.conf file to review. Verify that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit Note: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings. If all WAS-related directives are configured properly, this is not a finding.

Fix: F-26221r1145292_fix

The ISSO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below. Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit -/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit Note: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.