Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
a) Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(HTTPRPT) - SENSITVE.RPT(WASRPT) b) Ensure the following data set controls are in effect for WAS: ___ The ACP data set rules restrict UPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) is restricted to systems programming personnel. NOTE: If the HTTP server is not used with WAS, this check can be ignored. ___ The ACP data set rules restrict UPDATE and ALTER access to WAS product data sets and associated product data sets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment) c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
The IAO will ensure that WebSphere server data sets restrict UPDATE and/or ALTER access to systems programming personnel. Ensure the following data set controls are in effect for WAS: 1) UPDATE and ALTER access to HTTP product data sets (i.e., SYS1.IMW.AIMW** and SYS1.IMW.SIMW**) are restricted to systems programming personnel. NOTE: If the HTTP server is not used with WAS, this check can be ignored. 2) UPDATE and ALTER access to WAS product data sets and associated product data sets are restricted to systems programming personnel. SYS*.EJS.V3500108.** (WebSphere 3.5) SYS*.WAS.V401.** (WebSphere 4.0.1) SYS*.OE.** (Java) SYS*.JAVA** (Java) SYS*.DB2.V710107.** (DB2) SYS*.GLD.** (LDAP) SYS1.LE.** (Language Environment)
a) Refer to the following reports produced by the UNIX System Services Data Collection: - USSCMDS.RPT(IHSHFSOB) - USSCMDS.RPT(WASHFSOB) For each IBM HTTP server, supply the following information: (PDS member name - IHSACCTS) - Web server ID defined to the ACP - Web server administration group defined to the ACP - Web server standard HFS directory b) The following notes apply to the requirements specified in the HFS Permission Bits table in the z/OS STIG Addendum: - If an owner field indicates UID(0) user, any system ID with a UID(0) specification is acceptable. - Where an owner field indicates websrv1, the ID of the web server is intended. - Where a group field indicates webadmg1, the ID of a local web server administration group is intended. IMWEB is not a valid local group. - The site is free to set the permission and audit bit settings to be more restrictive than the documented values. The following represents a hierarchy for permission bits from least restrictive to most restrictive: 7 rwx (least restrictive) 6 rw- 3 -wx 2 -w- 5 r-x 4 r-- 1 --x 0 --- (most restrictive) The possible audit bits settings are as follows: f log for failed access attempts a log for failed and successful access - no auditing c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
Review the UNIX permission bits, user audit bits, and ownership settings on the HFS directories and files for the products required to support the WAS environment. Ensure the HFS permission bits, user audit bits, owner, and group for each directory and file match the specified settings listed in the HFS Permissions Bits table located in the zOS STIG Addendum.
a) Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection: - TSSCMDS.RPT(WHOOCBIN) - TSSCMDS.RPT(WHOHCBIN) - SENSITVE.RPT(WHOHCBIN) b) Ensure the following items are in effect for CBIND resource protection: 1) The CB. resource is owned appropriately in the BIND resource class. 2) Access to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID). c) If all items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
Ensure the following items are in effect for CBIND resource protection: 1) The CB. resource is owned appropriately in the BIND resource class. For Example: TSS ADD(cbowner) CBIND(CB) 2) Access to the CB.BIND.server_name and CB.server_name resources is restricted to WAS server (STC) ACIDs and systems management ACIDs (e.g., WebSphere administrator ID). For Example: The WebSphere administrator ID needs read authority to the CB.BBOASR1 and CB.BIND.BBOASR1 servers: TSS PERMIT(was_admin_acid) CBIND(CB.BBOASR1) ACCESS(READ) TSS PERMIT(was_admin_acid) CBIND(CB.BIND.BBOASR1) ACCESS(READ) NOTE: When adding a new server, all systems management userids (e.g., WebSphere administrator ID) must be authorized to have read access to the CB.server_name and CB.BIND.server_name resources.
a) Refer to the following report produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(LOGONIDS) RACF - RACFCMDS.RPT(LISTUSER) TSS - TSSCMDS.RPT(@ACIDS) Automated Analysis requires Additional Analysis. Refer to the following report produced by the z/OS Data Collection: - PDI(ZWAS0040) b) If the CBADMIN user account is not defined to the ACP, there is NO FINDING. c) If the CBADMIN user account is defined to ACP and the password has NOT been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT I. d) If the CBADMIN user account is defined to the ACP and the password has been changed from the vendor default of CBADMIN, this is a FINDING with a severity code of CAT II.
The IAO will ensure that the CBADMIN user account is removed or not defined to the ACP.
a) Refer to the following report produced by the UNIX System Services Data Collection: - USSCMDS.RPT(AHTTPD) Collect the following information for each IBM HTTP server: - The JCL procedure library and member name used to start each IBM HTTP server. DOC(IHSPROCS) - For each IBM HTTP server, supply the following information: Web server ID defined to the ACP Web server administration group defined to the ACP Web server standard HFS directory b) Review the HTTP server JCL procedure to determine the httpd.conf file to review. c) Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings. d) If all WAS-related directives are configured properly, there is NO FINDING. e) If any WAS-related directive is not configured properly, this is a FINDING.
The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below. Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below. The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5: ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf Service /webapp/examples/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jhtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.shtml /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /servlet/* /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit Service /*.jsp /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:service_exit ServerTerm /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:term_exit The following path entries are added to the /etc/httpd.conf file for WebSphere 4.0.1: ServerInit -/usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:init_exit Service - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:service_exit ServerTerm - /usr/lpp/WebSphere401/WebServerPlugIn/bin/was400plugin.so:term_exit NOTE: The /etc/WebSphere clause for ServerInit matches the directory name above where the site customization was.conf file was established. Specific items to review include proper path, was.conf, and plug-in settings.