STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to zOS Websphere Application Server for RACF Security Technical Implementation Guide

V-224548

CAT II (Medium)

The CBIND Resource Class for the WebSphere Application Server is not configured in accordance with security requirements.

Rule ID

SV-224548r1145032_rule

STIG

zOS Websphere Application Server for RACF Security Technical Implementation Guide

Version

V7R2

CCIs

CCI-000213

Discussion

SAF resources provide the ability to control access to functions and services of the WebSphere Application Server (WAS) environment. Many of these resources provide operational and administrative support for WAS. Failure to properly protect these resources may lead to unauthorized access. This exposure could compromise the integrity and availability of application services and customer data.

Check Content

Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(CBIND).
- RACFCMDS.RPT(SETROPTS).
- DSMON.RPT(RACCDT) - Alternate list of active resource classes.

If the following items are in effect for CBIND resource protection, this is not a finding.

The CBIND resource class is active.

The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

Fix Text

There are two profiles to create when using the CBIND class. One is the CB.BIND.server_name profile, which controls whether a local or remote client can access servers. The CB.BIND is mandatory for the first two qualifiers for the profile; the third qualifier is the server name. Second is the CB.server_name profile that controls whether a client can use components in a server; again these definitions are mandatory.

Ensure the following items are in effect for CBIND resource protection:

The CBIND resource class is active.

The CB.BIND.server_name resource is defined to the CBIND resource class with a UACC(NONE).

Access to the CB.BIND.server_name resource is restricted to WAS server (STC) userids and systems management userids (e.g., WebSphere administrator ID).

The following command provide sample definitions and permissions for this CBIND resource:

SETR CLASSACT(CBIND)
SETR GENERIC(CBIND)
SETR RACL(CBIND)

RDEFINE CBIND cb.bind.<servername> UACC(none) owner(admin) audit(all(read)) data('IAW SRR PDI ZWAS0030')    
   
Permit cb.bind.<servername> CLASS(CBIND) ID(<wscfg1>) ACCESS(CONTROL)

Note: "wscfg1" is a RACF group that contains the Websphere Application Server STCs and maintenance userids.