IBM RACF use of the RACF SPECIAL Attribute must be justified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-98133	RACF-ES-000660	SV-107237r1_rule		Medium

Description
The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2020-06-29

Details

Check Text ( C-96969r1_chk )
From the ISPF Command Shell enter: ListUser * If Authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding. If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding. Otherwise, Group-OPERATIONS is allowed.

Check Text ( C-96969r1_chk )

From the ISPF Command Shell enter:
ListUser *

If Authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.

If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.

Otherwise, Group-OPERATIONS is allowed.

Fix Text (F-103809r1_fix)
Review all USERIDs with the SPECIAL attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. For the SYSTEM SPECIAL attribute: A sample command for removing the SPECIAL attribute is shown here: ALU NOSPECIAL. For the GROUP SPECIAL attribute: CO GROUP() NOSPECIAL