IBM RACF Global Access Checking must be restricted to appropriate classes and resources.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223665	RACF-ES-000170	SV-223665r868800_rule		Medium

Description
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.

Description

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2022-12-14

Details

Check Text ( C-25338r868798_chk )
From a command input screen enter: RL Global * If Global * is specified in SETROPTS, this is a finding. The following entries may be allowed with the approval of the ISSM: Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets) OPERCMDS Class - READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs) JESJOBS Class - ALTER access to CANCEL...&RACUID (Allows users to cancel their own jobs) JESJOBS Class - ALTER access to SUBMIT...&RACUID (Allows users to submit their own jobs) The ISSM may allow other classes to be included after evaluation with the system programmer. If any other members are included for Global Access Checking, this is a finding. If written approval by the ISSM is not provided, this is a finding.

Check Text ( C-25338r868798_chk )

From a command input screen enter:
RL Global *

If Global * is specified in SETROPTS, this is a finding.

The following entries may be allowed with the approval of the ISSM:
Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets)
OPERCMDS Class - READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs)
JESJOBS Class - ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs)
JESJOBS Class - ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking, this is a finding.

If written approval by the ISSM is not provided, this is a finding.

Fix Text (F-25326r868799_fix)
Configure Global Access Checking to be appropriately administered. Evaluate the impact associated with implementation of the control option. Develop approval documentation and a plan of action to implement the control option as specified in the example below: RALT GLOBAL class-name ADDMEM (resourcename)/accesslevel)