The IBM RACF SERVAUTH resource class must be active for TCP/IP resources.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-98357 | RACF-TC-000060 | SV-107461r1_rule | Medium |
| Description |
|---|
| Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. |
| STIG | Date |
|---|---|
| IBM z/OS RACF Security Technical Implementation Guide | 2020-06-29 |
Details
| Check Text ( C-97193r1_chk ) |
|---|
| From a command input screen enter: SETROPTS LIST If there are TCP/IP resources defined and the SERVAUTH resource class is not active, this is a finding. |
| Fix Text (F-104033r1_fix) |
|---|
| Ensure that the SERVAUTH resource class is active. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including a list of ACTIVE classes. The SERVAUTH Class is activated with the command SETR CLASSACT (SERVAUTH). Generic profiles and commands should also be enabled with the command SETR GENERIC(SERVAUTH) GENCMD(SERVAUTH). |