UCF STIG Viewer Logo

IBM RACF users must have the required default fields.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223717 RACF-ES-000700 SV-223717r604139_rule Medium
Description
Ensure that Every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate or phrasedate fields are completed. This will uniquely identify each user. If these fields are not completed for each user, user accountability will become lost. RACF will automatically assign the default group as the password if a password is not explicitly coded. Assign a unique password to every userid to prevent unauthorized access by a person who knows the default group for a new userid.
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2021-07-05

Details

Check Text ( C-25390r514839_chk )
From a z/OS command screen enter:
ListUser *

Examine each user entry verify every user is fully identified with all of the following conditions:
-A completed NAME field that can either be traced back to a current DD2875 or a Vendor Requirement (example: A Started Task).
-The presence of the DEFAULT-GROUP and OWNER fields.
-The PASSDATE field or the PHRASEDATE field accordingly is not set to N/A excluding users with the PROTECTED attribute.

If all of the above are true, this is not a finding.

If any of above is untrue, this is a finding.
Fix Text (F-25378r514840_fix)
Review all USERID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability.

-To Add a NAME to a userid with the command ALU NAME('lastname, firstname').
-Every user will be assigned a default group by default. A sample command to reassign a default group is shown here: ALU DFLTGRP(). You must first be connected to a group via the RACF CONNECT command before making it a default group.
-A PASSDATE field or a PHRASEDATE field showing 00.000 indicates that a temporary password or password phrase has been assigned but the user has not logged in and set a permanent value. This could indicate that a new userid was recently added or that a userid previously added is unused and should be considered for deletion. The ISSO should investigate and determine if the userid should be deleted or that the new user should be contacted and told to login to set a permanent value.