Have you discussed with your auditors the risks associated with changing the permission bits set by the product and service installs? Compliance with the STIG could conceivably break something, and denial of service is itself a security violation.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Larre Shiller <[email protected]> Sent: Wednesday, September 26, 2018 12:33 PM To: [email protected] Subject: DISA STIG and permission/audit bits As part of a recent audit, we have been goaded into updating the permission and/or audit bits on certain Unix directories per the DISA STIG (which we use as our risk model). Those directories include many that are shipped by IBM and it's a fair bit of research/work. So... you can easily imagine the problem here--when IBM ships a new release of z/OS or makes changes to either the directory structure or to the existing directories, our changes are backed out. We have been trying to figure out a semi-automated "best practice" that would satisfy the Audit requirement, but have not had much success. So... we started to wonder if anybody else is doing this and if so, how do they manage to keep track of directory changes and keep them updated per the STIG. Any advice would be gratefully appreciated... Thanks. Larre Shiller US Social Security Administration “The opinions expressed in this e-mail are mine personally and do not necessarily reflect the opinion of the US Social Security Administration and/or the US Government.” ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
